Difference between revisions of "System-pci"
From Bashlinux
(Redirected page to PCI compliance) |
|||
Line 1: | Line 1: | ||
+ | #REDIRECT [[PCI compliance]] |
||
− | __NOTOC__ |
||
− | = PCI Compliance = |
||
− | The following procedure is to setup CentOS/RHEL 5. |
||
− | |||
− | == How to find vulnerabilities with [[TrustKeeper]] == |
||
− | The original tool used : [[https://verifone.trustkeeper.net]] |
||
− | # Click on "Questionnaires" along left side. |
||
− | # Click on "Network Questionnaire". |
||
− | # Enter in IP addresse(s). |
||
− | # Click on "Vulnerability Scan" along left side. |
||
− | # Click "Directed Scan Request" (This will scan the IP addresses set in #3) |
||
− | |||
− | == How to find vulterabilities with SAINT == |
||
− | Using SAINT scanner is the way to go serious on internal audits. |
||
− | [[http://www.saintcorporation.com/]] |
||
− | |||
− | == How to fix vulnerabilities in one step == |
||
− | The fast easy way is to download the following script and let it do the work |
||
− | # Download the compressed file from [http://repo.bashlinux.com/src/fix-vulnerability.tgz] |
||
− | # Decompress the file |
||
− | # Run the fix-vulnerability.sh script |
||
− | # Done |
||
− | |||
− | <pre><nowiki> |
||
− | wget http://repo.bashlinux.com/src/fix-vulnerability.tgz |
||
− | tar zxvf fix-vulnerability.tgz |
||
− | cd fix-vulnerability/ |
||
− | ./fix-vulnerability.sh |
||
− | </nowiki></pre> |
||
− | |||
− | |||
− | == How to deal with vulnerabilities == |
||
− | A default installation should yields the following results before adjust the system. |
||
− | # ++++ High OpenSSH <4.4 Multiple Vulnerabilities |
||
− | # +++ Med OpenSSH X11 Session Hijacking Vulnerability |
||
− | # +++ Med SSH Protocol Version |
||
− | # +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability |
||
− | # ++ Low SSL Weak Encryption Algorithms |
||
− | # ++ Low Indexable Web Directories |
||
− | # + info TCP/IP Technical Information |
||
− | # + info Discovered HTTP Methods |
||
− | # + info Discovered Web Directories |
||
− | # + info Discovered Web Files |
||
− | |||
− | == How to modify system services in order to pass the PCI compliance == |
||
− | The following services have been modified in order to fix the vulnerabilities on each of them. |
||
− | |||
− | ==== OpenSSH ==== |
||
− | * Version 4.3p2-24 |
||
− | * ''Updated version: 4.3p2-26'' |
||
− | * Edited `/etc/ssh/sshd_config` to check the following values: |
||
− | ** added ''[[AddressFamily]] inet'' |
||
− | ** checked ''Protocol 2'' |
||
− | * Build openssh rpm from fedora srpm |
||
− | ** ''Updated version 4.5 > Required version 4.4'' |
||
− | |||
− | ==== OpenSSL ==== |
||
− | * Create certificats as specified in [[openssl|OpenSSL]] section. |
||
− | * Generate self-signed key to avoid prompt for password when reboot apache |
||
− | |||
− | <pre><nowiki> |
||
− | # scp -r 10.0.0.120:/etc/pki/local /etc/pki/ |
||
− | # cd /etc/pki/local |
||
− | # openssl rsa -in local.uwink.com.key -out local.uwink.com.pem |
||
− | </nowiki></pre> |
||
− | |||
− | * Add certificate and key to `/etc/httpd/conf.d/ssl.conf` file |
||
− | |||
− | <pre><nowiki> |
||
− | ... |
||
− | SSLCertificateFile /etc/pki/local/local.bashlinux.com.crt |
||
− | ... |
||
− | SSLCertificateKeyFile /etc/pki/local/local.bashlinux.com.pem |
||
− | ... |
||
− | </nowiki></pre> |
||
− | |||
− | * Restart http server |
||
− | ** ''key length 1024 > required key length 128'' |
||
− | |||
− | ==== HTTP ==== |
||
− | * Disabled ''[[LoadModule]] autoindex_module modules/mod_autoindex.so'' on `/etc/httpd/conf/httpd.conf` file |
||
− | * Enclose ''mod_autoindex'' variables |
||
− | * Open in line 588 with ''<[[IfModule]] mod_autoindex.c>'' directive |
||
− | * Closed on line 659 with ''</IfModule>'' directive |
||
− | |||
− | == Links == |
||
− | * Saint Documentaion and Vulnerability info |
||
− | [[http://www.saintcorporation.com/demo/saint/documentation.html]] |
Latest revision as of 21:09, 11 June 2015
Redirect to: