2. Today's agenda
The subject of my LT (lightning talk) is "Considering Vuls Settings with
PCI DSS".
We make clear what we do and do not do:
do
MUST
MUST NOT
RESTRICT
about
Vuls Server
Target Server
Service
3. Definition of terms
TargetServer
The server that is inspected (scanned) by Vuls.
VulsServer
The server that runs Vuls and performs the inspection.
vuls user
The user named "vuls" under which Vuls performs the inspection.
Administrative user
The user who is allowed to log in to the Vuls server.
4. Introduction
To satisfy PCI DSS, the following points need attention.
MUST NOT ASSIGN special privileges to the "vuls" user.
Access and privileges are limited on a need-to-know basis.
MUST REMOVE the private key from the "vuls" user on the TargetServer.
The VulsServer uses SSH public-key authentication when it accesses a
TargetServer, so only the VulsServer needs to hold the private key.
MUST NOT let general users Read/Write Vuls output data.
Only privileged users can Read/Write Vuls output data.
MUST RESTRICT ACCESS to Vuls output data and LOG that access.
"Vuls output" includes the web UI (VulsRepo and the like).
5. POINT!
Vuls server
Login
Restrict login to the Administrator.
Log every login.
vuls user
Limited privileges
Once Vuls is set up, the vuls user no longer needs sudo.
Log every login and every switch (su/sudo) to the vuls user.
Vuls data (JSON report data)
Restrict access to the Administrator and the WEB server process.
Log every access.
WEB server
Require authentication; only the Administrator may access it.
Log every access.
6. POINT!
Scanned Server
vuls user
Privileges limited through sudo.
yum, apt-get only
BSD does not require any sudo privilege.
Remove the RSA private key
Move (copy, then delete) the private key to the VulsServer.
Only the Vuls Server is able to log in as vuls.
7. Detail: Vuls server setting
For example...
Prerequisites
The WEB server runs under the apache account.
The apache group contains the vuls user.
The vuls user's HOME is /opt/vuls .
Login
Only the administrator can log in to the Vuls Server.
Vuls data protection
/opt/vuls/ is
chmod 750 /opt/vuls
chown vuls:apache /opt/vuls
(750, not 640: a directory needs the execute bit to be traversed, otherwise
even the vuls user cannot enter its own HOME. Report files inside can be 640.)
/opt/vuls/ssh_keys is
chmod 700 /opt/vuls/ssh_keys
chown vuls:vuls /opt/vuls/ssh_keys
(700 for the directory, 600 for each key file inside it; the apache group
must have no access here.)
WEB Server
Restrict source hosts with /etc/hosts.allow and /etc/hosts.deny.
If basic authentication is used, the password MUST be changed at least every
90 days and MUST be at least 7 characters long, containing both letters and
digits (PCI DSS 8.2.3 / 8.2.4).
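The permission layout above, applied and then audited, as an added example that is not part of the slides or of the Vuls project. The /opt/vuls path and the vuls:apache ownership come from the slide; the function names, the optional owner/group arguments and the sample directory created when testing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the slides or the Vuls project): apply the
# /opt/vuls layout and audit it afterwards. Run as root on the Vuls server.
# Path and vuls:apache ownership are from the slide; the rest is assumed.

# Apply the layout. Directories need the execute bit to be traversed, so
# directories get 750 (data) / 700 (ssh_keys) and files 640 / 600.
# OWNER and GROUP are optional because chown needs root; modes are always set.
harden_vuls_dir() {
    dir="${1:-/opt/vuls}"
    owner="$2"
    group="$3"
    [ -d "$dir" ] || { echo "$dir: no such directory" >&2; return 1; }
    mkdir -p "$dir/ssh_keys"
    if [ -n "$owner" ]; then
        chown -R "$owner:$group" "$dir"           # data: vuls:apache
        chown -R "$owner:$owner" "$dir/ssh_keys"  # keys: vuls:vuls
    fi
    # Everything except ssh_keys: readable by the web process group,
    # nothing for "others".
    find "$dir" -path "$dir/ssh_keys" -prune -o -type d -exec chmod 750 {} +
    find "$dir" -path "$dir/ssh_keys" -prune -o -type f -exec chmod 640 {} +
    # ssh_keys: private to the vuls user.
    find "$dir/ssh_keys" -type d -exec chmod 700 {} +
    find "$dir/ssh_keys" -type f -exec chmod 600 {} +
}

# Audit the layout. Prints every entry that violates the policy and returns
# 1 if there is any: nothing under DIR may be accessible by "others", and
# nothing in DIR/ssh_keys may be accessible by the group either.
audit_vuls_dir() {
    dir="${1:-/opt/vuls}"
    bad=$(find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print -o \
            \( -path "$dir/ssh_keys" -o -path "$dir/ssh_keys/*" \) \
            \( -perm -040 -o -perm -020 -o -perm -010 \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/policy violation: /' >&2
        return 1
    fi
    return 0
}
```

Run `harden_vuls_dir /opt/vuls vuls apache` once after installing Vuls, and `audit_vuls_dir` from cron so a report written with a loose umask is caught. For the remaining points on this slide: sshd's `AllowUsers` directive (with the administrator's account name) is one way to enforce "only the administrator can log in", logins and su/sudo switches already go to the auth log via syslog, and read access to the report files can be logged with auditd, e.g. `auditctl -w /opt/vuls -p rwa -k vuls_data`.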
8. Detail: Scanned Server
For example
Prerequisites
The vuls user's HOME is /opt/vuls .
Login
MUST use key authentication.
The key has no passphrase, because Vuls runs unattended as a system process;
this is why the private key must exist only on the Vuls Server and be
protected there by file permissions.
vuls user
Limited entries in /etc/sudoers
CentOS/RHEL
vuls ALL=(root) NOPASSWD: /usr/bin/yum, /bin/echo
Ubuntu, Debian
vuls ALL=(root) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt-cache
Amazon Linux, FreeBSD
No privilege settings required.
Remove the private key
Copy the private key to the Vuls Server, then remove it from the scanned server.
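Checks for the scanned-server settings above, as an added example that is not part of the slides or of the Vuls project. The sudoers rules are the ones on the slide; the Vuls server address, the /etc/sudoers.d/vuls path (which assumes `#includedir /etc/sudoers.d` in /etc/sudoers), the function names and the key strings used when testing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the slides or the Vuls project): checks for the
# scanned-server settings. Rules are from the slide; paths, addresses and
# the test key material are assumptions.

# authorized_keys line for the vuls user on the scanned server. The from=
# option makes the key usable only from the Vuls server ("only the Vuls
# Server can log in as vuls"); the no-*-forwarding options drop SSH
# features a scanner never needs.
restricted_authorized_key() {
    vuls_server="$1"   # IP or hostname of the Vuls server
    pubkey="$2"        # contents of the vuls user's .pub file
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' \
        "$vuls_server" "$pubkey"
}

# One sudoers rule for the vuls user, e.g.
#   vuls ALL=(root) NOPASSWD: /usr/bin/yum, /bin/echo
# Accepted only if it runs as root alone, grants no ALL, and names every
# command by absolute path (a bare name could be shadowed through PATH).
check_vuls_rule() {
    rule="$1"
    case "$rule" in
        *"(root)"*) ;;
        *) echo "runas must be (root): $rule" >&2; return 1 ;;
    esac
    cmds="${rule#*\)}"                                  # drop "vuls ALL=(root)"
    case "$cmds" in *:*) cmds="${cmds#*:}" ;; esac      # drop "NOPASSWD:" tag
    old_ifs=$IFS; IFS=','
    for c in $cmds; do
        c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$c" in
            ALL) IFS=$old_ifs; echo "ALL granted: $rule" >&2; return 1 ;;
            /*) ;;
            *)  IFS=$old_ifs; echo "not an absolute path: '$c' in: $rule" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Every vuls rule in FILE must pass check_vuls_rule. A file with no rule
# for vuls fails too (the scanner could not run yum/apt-get at all).
check_vuls_sudoers() {
    file="$1"
    rules=$(grep -E '^vuls[[:space:]]' "$file") ||
        { echo "$file: no sudoers rule for vuls" >&2; return 1; }
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        check_vuls_rule "$rule" || exit 1   # exit leaves the pipeline subshell with 1
    done
}

# Install a checked fragment as /etc/sudoers.d/vuls (run as root). visudo -c
# catches syntax errors that check_vuls_rule does not look for.
install_vuls_sudoers() {
    src="$1"
    check_vuls_sudoers "$src" || return 1
    visudo -c -f "$src" || return 1
    install -o root -g root -m 0440 "$src" /etc/sudoers.d/vuls
}

# Files in the vuls user's ~/.ssh on the scanned server that still hold a
# private key. Prints them and returns 1 if any are left; after the key has
# been moved to the Vuls server only the .pub and authorized_keys remain.
private_keys_left() {
    sshdir="${1:-/opt/vuls/.ssh}"
    left=$(grep -l -e '-----BEGIN .*PRIVATE KEY-----' "$sshdir"/* 2>/dev/null)
    if [ -n "$left" ]; then
        printf '%s\n' "$left"
        return 1
    fi
    return 0
}
```

Run `check_vuls_sudoers` against the fragment before installing it, and `private_keys_left` after the copy-then-delete step. The address given to `restricted_authorized_key` must be the source address the scanned server actually sees; behind NAT that is the translated address, not the Vuls server's own.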
9. In conclusion
I'm now going to give a brief summary of what we have covered...
Need-to-know basis
Limited privileges, restricted access, remove unnecessary keys.
Logging, Logging, Logging!
Let's patch software!
PCI DSS 6.2.a
Install applicable critical vendor-supplied security patches within one
month of release.
Check for vulnerabilities continuously with Vuls.
10. Sponsor session
Thank you once again for taking the time to join today's presentation.
As we say, お疲れ様でした (otsukaresama deshita: thank you for your hard work).
... and now the sponsor session.