VULS SETTING METHOD IN CONSIDERATION OF THE PCI/DSS (Vuls configuration method that takes PCI/DSS compliance into account) @hogehuga
Today's agenda
The subject of my LT is "Consider Vuls Settings with the PCI/DSS". We make clear what we do and do not do (MUST / MUST NOT / RESTRICT) for the Vuls server, the target server and the service.
Definition of terms
- TargetServer: the server to be inspected by Vuls.
- VulsServer: the server that runs Vuls to perform the test.
- vuls user: the user named "vuls" that Vuls uses for inspection.
- Administrative user: the user who can connect to the Vuls server.
Introduction
To take the PCI/DSS into consideration, it is necessary to take care of the following points.
- MUST NOT ASSIGN a special privilege to the "vuls" user: access is limited and privileged on a need-to-know basis.
- MUST REMOVE the private key for the "vuls" user of the TargetServer: use SSH public-key authentication when the VulsServer accesses a TargetServer.
- MUST NOT let a general user read or write Vuls output data: only a privileged user can read/write Vuls output data.
- MUST RESTRICT ACCESS TO and LOG ACCESS TO Vuls output data: "Vuls output" includes the web UI (VulsRepo and the like).
POINT! Vuls server
- Login: restrict access to the administrator; log the logins.
- vuls user: limited privilege. After Vuls has been set up, sudo privilege is unnecessary; log logins and switches (su) to the vuls user.
- Vuls data (JSON report data): restrict access to the administrator and the web process; log the access.
- Web server: require authentication, with access by the administrator; log the access.
POINT! Scanned server
- vuls user: limited privilege via sudo, for yum or apt-get only. BSD does not require any sudo privilege.
- Remove the RSA private key: move (copy, then delete) the private key to the VulsServer, so that only the Vuls server is able to log in as vuls.
Detail: Vuls server setting (for example)
Prerequisite: the web server runs as the apache account; the apache group contains the vuls user; the vuls user's HOME is /opt/vuls.
Login: only the administrator can log in to the Vuls server.
Vuls data protection:
  /opt/vuls is
    chmod 640 /opt/vuls
    chown vuls:apache /opt/vuls
  /opt/vuls/ssh_keys is
    chmod 600 /opt/vuls/ssh_keys
    chown vuls:vuls /opt/vuls/ssh_keys
Web server: use /etc/hosts.allow and /etc/hosts.deny. If basic authentication is used, the password MUST be changed every 90 days and be at least 7 characters (alphanumeric).
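As an added example (not from the slides or the Vuls project), the following POSIX shell script audits the Vuls server layout described above. Rather than comparing against the exact modes on the slide, it checks the two invariants those modes are meant to enforce: the data directory gives no access to "other" (so general users cannot read the JSON reports), and the SSH key store is accessible to its owner only. The paths are parameters so the audit can be run against a scratch directory as well as the real /opt/vuls; it assumes GNU coreutils `stat` (Linux).

```shell
#!/bin/sh
# Added example, not from the slides or the Vuls project: audit the Vuls
# server layout described on the slide. Two invariants are checked:
#   1. the Vuls data directory (JSON reports) gives no access to "other";
#   2. the SSH key store is accessible to its owner only (group/other = 0).
# Assumes GNU coreutils `stat` (Linux). Paths are parameters so the audit can
# be run against a scratch directory as well as the real /opt/vuls.

# mode_of PATH -> octal permission bits without leading zeros, e.g. 640
mode_of() {
    stat -c '%a' "$1"
}

# audit_vuls_dir DATA_DIR KEY_PATH
# Exit status 0 when both invariants hold, 1 otherwise; every violation is
# reported on stderr so the administrator knows what to fix.
audit_vuls_dir() {
    data_dir=$1
    key_path=$2
    rc=0

    if [ ! -d "$data_dir" ]; then
        echo "audit: $data_dir is not a directory" >&2
        return 1
    fi

    # Invariant 1: general users must not read the reports, so the last
    # octal digit ("other") must be 0 (640, 750, 1770 all pass; 644 fails).
    m=$(mode_of "$data_dir")
    case "$m" in
        *0) ;;
        *)  echo "audit: $data_dir is mode $m; 'other' must have no access" >&2
            rc=1 ;;
    esac

    # Invariant 2: the private keys used to reach target servers are owner-only:
    # group and other digits both 0 (600 for a file, 700 for a directory).
    if [ ! -e "$key_path" ]; then
        echo "audit: $key_path is missing" >&2
        rc=1
    else
        m=$(mode_of "$key_path")
        case "$m" in
            [0-7]00|[0-7][0-7]00) ;;
            *)  echo "audit: $key_path is mode $m; group/other must have no access" >&2
                rc=1 ;;
        esac
    fi
    return "$rc"
}

# Usage: sh audit_vuls_dir.sh /opt/vuls /opt/vuls/ssh_keys
if [ "$#" -eq 2 ]; then
    audit_vuls_dir "$1" "$2"
fi
```

Run it from cron or a configuration-management check on the Vuls server; a non-zero exit with the stderr message is the signal that a report directory or key store has drifted from the policy on the slide.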
Detail: Scanned server (for example)
Prerequisite: the vuls user's HOME is /opt/vuls.
Login: MUST use key authentication, without a passphrase, because Vuls is run as a system (unattended) process.
vuls user: limited settings in /etc/sudoers
  CentOS/RHEL:
    vuls ALL=(root) NOPASSWD: /usr/bin/yum, /bin/echo
  Ubuntu, Debian:
    vuls ALL=(root) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt-cache
  Amazon Linux, FreeBSD: no privilege settings required.
Remove the private key: copy the private key to the Vuls server, then remove the private key from the scanned server.
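As an added example (not from the slides or the Vuls project), the following POSIX shell helpers cover the scanned-server side above: one emits the slide's least-privilege sudoers line for a distribution family, one checks that a sudoers line grants only explicit absolute command paths (no ALL, no wildcards), which is the property the slide's lines rely on, and one verifies that no private key was left in the vuls user's ~/.ssh after it was moved to the Vuls server. The family names and the "auto" detection via `command -v` are this script's own conventions; the vuls user's HOME is passed as a parameter (the slide uses /opt/vuls).

```shell
#!/bin/sh
# Added example, not from the slides or the Vuls project: helpers for the
# scanned (target) server side of the slide.
#   - vuls_sudoers_line: emit the least-privilege sudoers line from the slide
#     for a distribution family (or detect yum/apt-get with "auto");
#   - sudoers_line_is_limited: verify a sudoers line grants only explicit
#     absolute command paths (no ALL, no wildcards);
#   - no_private_key_left: verify that no private key remains in the vuls
#     user's ~/.ssh after it was moved to the Vuls server.
# Assumptions: the family names are this script's own; the vuls user's HOME
# is passed as a parameter (the slide uses /opt/vuls).

# vuls_sudoers_line FAMILY -> prints the sudoers line for FAMILY
# (centos|rhel|ubuntu|debian|amazon|freebsd|auto); prints nothing for
# families that need no privilege; returns 2 for an unknown family.
vuls_sudoers_line() {
    family=$1
    if [ "$family" = auto ]; then
        if command -v yum >/dev/null 2>&1; then family=centos
        elif command -v apt-get >/dev/null 2>&1; then family=debian
        else family=unknown
        fi
    fi
    case "$family" in
        centos|rhel)
            echo 'vuls ALL=(root) NOPASSWD: /usr/bin/yum, /bin/echo' ;;
        ubuntu|debian)
            echo 'vuls ALL=(root) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt-cache' ;;
        amazon|freebsd)
            ;;   # no sudo privilege required on these (slide)
        *)
            echo "vuls_sudoers_line: unknown family '$family'" >&2
            return 2 ;;
    esac
}

# sudoers_line_is_limited LINE -> 0 if every command in LINE is an absolute
# path without wildcard characters; 1 if it contains ALL, a relative name,
# a wildcard argument, an empty entry, or cannot be parsed.
sudoers_line_is_limited() {
    line=$1
    case "$line" in
        *:*)  cmds=${line##*:} ;;   # after the last tag (NOPASSWD:, ...)
        *\)*) cmds=${line##*\)} ;;  # no tag: after the (runas) group
        *)    return 1 ;;
    esac
    old_ifs=$IFS
    IFS=,
    for c in $cmds; do
        c=$(printf '%s' "$c" | tr -d ' \t')
        case "$c" in
            /*[*?]*|"") IFS=$old_ifs; return 1 ;;   # wildcard or empty entry
            /*)         ;;                          # explicit absolute path
            *)          IFS=$old_ifs; return 1 ;;   # ALL or relative name
        esac
    done
    IFS=$old_ifs
    return 0
}

# no_private_key_left HOME -> 0 if HOME/.ssh holds no PEM/OpenSSH private key
no_private_key_left() {
    ssh_dir=$1/.ssh
    [ -d "$ssh_dir" ] || return 0
    found=0
    for f in "$ssh_dir"/*; do
        [ -f "$f" ] || continue
        if grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null; then
            echo "private key left behind: $f" >&2
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}
```

Typical use is `vuls_sudoers_line auto > /etc/sudoers.d/vuls` (after checking the output with `sudoers_line_is_limited`) on the target, and `no_private_key_left /opt/vuls` as a post-setup check once the key has been copied to the Vuls server; the authorized_keys file only contains public keys, so it never triggers the check.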
In conclusion
I'm now going to give a brief summary of what we have covered...
- Need-to-know basis: limited privilege, restricted access, remove unnecessary keys.
- Logging, logging, logging!
- Let's patch software! PCI/DSS 6.2.a: installation of applicable critical vendor-supplied security patches within one month of release.
- Check for security issues continuously with Vuls.
Sponsor session
Thank you once again for taking the time to join today's presentation. We say "otsukaresama deshita" (thank you for your hard work)... and now the sponsor session.