PCI/DSS対応を考慮したVuls設定方法

1. SETTING METHOD IN
CONSIDERATION OF THE PCI/DSS.
(PCI/DSS対応を考慮したVULS設定方
法)
@hogehuga

2. Today’s agenda
The subject of my LT is “Consider Vuls Settings with
the PCI/DSS”.
 We make clear what we do / do not it?
 do
 MUST
 MUST NOT
 RESTRICT
 about
 Vuls Server
 Target Server
 Service

3. Definition of term
 TargetServer
 To the test by using a Vuls.
 VulsServer
 The server to be inspected by Vuls
 vuls user
 User name “vuls” to use Vuls for inspection.
 Administrative user
 The user who can be connected to the “Vuls
server”.

4. Introduction
 To consider to the PCI/DSS, it is necessary to
take care of the following points.
 MUST NOT ASSIGN a special privilege to “vuls” user.
 Limited access, privileged, on a need-to-know basis.
 MUST REMOVE private key; About the “vuls” user of
TargetServer.
 Use SSH by Public key authentication when a VulsServer
access a TargetServer.
 MUST NOT Read/Write Vuls output data by general
user.
 Only privileged user can Read/Write Vuls output data.
 MUST RESTRICTED ACCESS and LOGGING to
Vuls output data.
 “Vuls output” include WEB( VulsRepo and the like)

5. POINT!
 Vuls server
 Login
 To restrict access to the Administrator.
 Logging the login.
 vuls user
 Limited privilege
 After setting the Vuls, sudo privileged is unnecessary.
 Logging the login/switch user to vuls.
 Vuls data (json reported data)
 To restrict access the Administrator/WEB process.
 Logging the access.
 WEB server
 Use Authentication access by Administrator.
 Logging the access.

6. POINT!
 Scanned Server
 vuls user
 Limited privilege by sudo.
 yum, apt-get only
 BSD does not require any sudo privilege
 Remove RSA private key
 Move(copy and delete) privatekey to VulsServer.
 Vuls Server only able to login to vuls.

7. Detail: Vuls server setting
For example…
 Prerequisite
 WEB server runs apache account.
 apache group contain vuls user.
 vuls user’s HOME is /opt/vuls .
 Login
 Only administrator can login the Vuls Server.
 Vuls data protection
 /opt/vuls/ is
 chmod 640 /opt/vuls
 chown vuls:apache /opt/vuls
 /opt/vuls/ssh_keys is
 chmod 600 /opt/vuls/ssh_keys
 chown vuls:vuls /opt/vuls/ssh_keys
 WEB Server
 Use /etc/hosts.allow, /etc/hosts.deny
 If basic authentication, MUST CHANGE every 90days and upper 7words(alphanumeric).

8. Detail: Scanned Server
For example
 Prerequisite
 vuls user’s HOME is /opt/vuls .
 Login
 MUST use key authentication.
 without passphrase , because using the Vuls as system.
 vuls user
 Limited setting to /etc/sudoers
 CentOS/RHEL
 vuls ALL=(root) NOPASSWD: /usr/bin/yum, /bin/echo
 Ubuntu, Debian
 vuls ALL=(root) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt-cache
 Amazon LInux, FreeBSD
 Not required privilege settings.
 Remove the private key
 copy private key to Vuls Server, and remove private key on scanned server.

9. In conclusion
 I’m now going to give a brief summary of what we
have covered…
 Need-to-know basis
 limited privileged, restricted access, remove unnecessary
key.
 Logging, Logging, Logging!
Let’s patching software!
 PCI/DSS 6.2.a
 installation of applicable critical vendor-supplied
security patches within one month of release.
 Check security incident continuius by Vuls.

10. Sponser session.
 Thank you once again for talking the time to
join today’s presentation.
 we says, お疲れ様でした
 .. and sponsor session.