SlideShare a Scribd company logo

SETTING METHOD IN CONSIDERATION OF THE PCI/DSS

Download as PPTX, PDF
H
hogehuga

The document discusses Vuls settings that should be considered for PCI/DSS compliance. It recommends: 1) The "vuls" user on the Vuls server and target servers should have limited privileges and private keys should be removed; 2) Access to the Vuls server and output data should be restricted only to administrators and logging of access enabled; 3) Target servers should only allow "vuls" user access using public key authentication without passphrases and private keys should be copied and removed from target servers. Proper logging is emphasized throughout to ensure compliance.

Software
Related topics:
PCI DSS Training
1 of 10
Download to read offline
1
2
3
4
5
6
7
8
9
10
SETTING METHOD IN CONSIDERATION OF THE PCI/DSS. (PCI/DSS対応を考慮したVULS設定方 法) @hogehuga
Today’s agenda The subject of my LT is “Consider Vuls Settings with the PCI/DSS”.  We make clear what we do / do not it?  do  MUST  MUST NOT  RESTRICT  about  Vuls Server  Target Server  Service
Definition of term  TargetServer  To the test by using a Vuls.  VulsServer  The server to be inspected by Vuls  vuls user  User name “vuls” to use Vuls for inspection.  Administrative user  The user who can be connected to the “Vuls server”.
Introduction  To consider to the PCI/DSS, it is necessary to take care of the following points.  MUST NOT ASSIGN a special privilege to “vuls” user.  Limited access, privileged, on a need-to-know basis.  MUST REMOVE private key; About the “vuls” user of TargetServer.  Use SSH by Public key authentication when a VulsServer access a TargetServer.  MUST NOT Read/Write Vuls output data by general user.  Only privileged user can Read/Write Vuls output data.  MUST RESTRICTED ACCESS and LOGGING to Vuls output data.  “Vuls output” include WEB( VulsRepo and the like)
POINT!  Vuls server  Login  To restrict access to the Administrator.  Logging the login.  vuls user  Limited privilege  After setting the Vuls, sudo privileged is unnecessary.  Logging the login/switch user to vuls.  Vuls data (json reported data)  To restrict access the Administrator/WEB process.  Logging the access.  WEB server  Use Authentication access by Administrator.  Logging the access.
POINT!  Scanned Server  vuls user  Limited privilege by sudo.  yum, apt-get only  BSD does not require any sudo privilege  Remove RSA private key  Move(copy and delete) privatekey to VulsServer.  Vuls Server only able to login to vuls.
Detail: Vuls server setting For example…  Prerequisite  WEB server runs apache account.  apache group contain vuls user.  vuls user’s HOME is /opt/vuls .  Login  Only administrator can login the Vuls Server.  Vuls data protection  /opt/vuls/ is  chmod 640 /opt/vuls  chown vuls:apache /opt/vuls  /opt/vuls/ssh_keys is  chmod 600 /opt/vuls/ssh_keys  chown vuls:vuls /opt/vuls/ssh_keys  WEB Server  Use /etc/hosts.allow, /etc/hosts.deny  If basic authentication, MUST CHANGE every 90days and upper 7words(alphanumeric).
Detail: Scanned Server For example  Prerequisite  vuls user’s HOME is /opt/vuls .  Login  MUST use key authentication.  without passphrase , because using the Vuls as system.  vuls user  Limited setting to /etc/sudoers  CentOS/RHEL  vuls ALL=(root) NOPASSWD: /usr/bin/yum, /bin/echo  Ubuntu, Debian  vuls ALL=(root) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt-cache  Amazon LInux, FreeBSD  Not required privilege settings.  Remove the private key  copy private key to Vuls Server, and remove private key on scanned server.
In conclusion  I’m now going to give a brief summary of what we have covered…  Need-to-know basis  limited privileged, restricted access, remove unnecessary key.  Logging, Logging, Logging! Let’s patching software!  PCI/DSS 6.2.a  installation of applicable critical vendor-supplied security patches within one month of release.  Check security incident continuius by Vuls.
Sponser session.  Thank you once again for talking the time to join today’s presentation.  we says, お疲れ様でした  .. and sponsor session.

More Related Content

PDF
Future people v mware v sphere install configure manage v5.0 (1)
katedowney
 
PPT
Virtualization s4.1
Navaneethan Naveen
 
PDF
Vsphere 5.1 training at hyderabad
Acutelearn Technologies
 
KEY
RocketJS Nodejs rapid development framework for production web apps
wavome
 
PDF
Vmware es xi 5.0 Training in Hyderabad
Acutelearn Technologies
 
DOCX
Vmware training course
FuturePoint Technologies
 
PPT
Presentation (PPT)
webhostingguy
 
PPTX
Advantages of cPanel-based LiteSpeed Hosting
Lisa Clarke
 
Future people v mware v sphere install configure manage v5.0 (1)
katedowney
 
Virtualization s4.1
Navaneethan Naveen
 
Vsphere 5.1 training at hyderabad
Acutelearn Technologies
 
RocketJS Nodejs rapid development framework for production web apps
wavome
 
Vmware es xi 5.0 Training in Hyderabad
Acutelearn Technologies
 
Vmware training course
FuturePoint Technologies
 
Presentation (PPT)
webhostingguy
 
Advantages of cPanel-based LiteSpeed Hosting
Lisa Clarke
 

What's hot (20)

PPTX
Designing Azure compute and storage infrastructure
William Lee
 
DOC
padmahasa november 2016 resume.Doc
padma hasa
 
DOCX
V mware course contents copy
Rakesh Puppala
 
DOCX
Vmware v sphere 5
INSTITUTEAPEX
 
PDF
Mastering VMware Datacenter Part-1
M.M.Rahman Munna, Linux, VMware and Mail Server Expert
 
PDF
Introduction to MariaDb
BehzadDara
 
PDF
Linux system administration - part-2
M.M.Rahman Munna, Linux, VMware and Mail Server Expert
 
PDF
Mastering VMware Datacenter - 15 Modules
M.M.Rahman Munna, Linux, VMware and Mail Server Expert
 
PDF
Introduction to Flow3
Web Essentials Co., Ltd.
 
PDF
Drupal and Security: What You Need to Know
Acquia
 
PPTX
Always on from the front lines1
SitotpalSarkar
 
PDF
Configuring CQ Security
connectwebex
 
PPT
How to configure esx to pass an audit
Concentrated Technology
 
DOCX
Vm ware course content (1)
Linux Training Chennai
 
DOCX
What Is VMware
Ashraf Ali
 
DOCX
Vmware Training Institute in chennai
THINK IT Training
 
DOC
Vmware interview
sundaresanmani
 
PDF
Protect Your WordPress Website - Setting Up IThemes Security
Red8 Interactive
 
PDF
What Is VMware
Ashraf Ali
 
DOC
Links todwnload
Meenakshi Chandrasekaran
 
Designing Azure compute and storage infrastructure
William Lee
 
padmahasa november 2016 resume.Doc
padma hasa
 
V mware course contents copy
Rakesh Puppala
 
Vmware v sphere 5
INSTITUTEAPEX
 
Mastering VMware Datacenter Part-1
M.M.Rahman Munna, Linux, VMware and Mail Server Expert
 
Introduction to MariaDb
BehzadDara
 
Linux system administration - part-2
M.M.Rahman Munna, Linux, VMware and Mail Server Expert
 
Mastering VMware Datacenter - 15 Modules
M.M.Rahman Munna, Linux, VMware and Mail Server Expert
 
Introduction to Flow3
Web Essentials Co., Ltd.
 
Drupal and Security: What You Need to Know
Acquia
 
Always on from the front lines1
SitotpalSarkar
 
Configuring CQ Security
connectwebex
 
How to configure esx to pass an audit
Concentrated Technology
 
Vm ware course content (1)
Linux Training Chennai
 
What Is VMware
Ashraf Ali
 
Vmware Training Institute in chennai
THINK IT Training
 
Vmware interview
sundaresanmani
 
Protect Your WordPress Website - Setting Up IThemes Security
Red8 Interactive
 
What Is VMware
Ashraf Ali
 
Links todwnload
Meenakshi Chandrasekaran
 
Ad

Viewers also liked (20)

PDF
脆弱性情報はこうしてやってくる
JPCERT Coordination Center
 
PPTX
Vuls×deep security
一輝 長澤
 
PDF
Vulsで危険な脆弱性を最速検知!(The fastest detection of dangerous vulnerability by Vuls! )
Takayuki Ushida
 
PPTX
20170325 institute of-vulnerability_assessment
hogehuga
 
PPTX
Vulsで始めよう!DevSecOps!
Takayuki Ushida
 
PDF
東京オリンピックに向けた、サイバーテロ対策
hogehuga
 
PPT
Securing Your .NET Application
Iron Speed
 
PDF
Maximizing your coaxial (cable tv) v2
Broto Santoso
 
PPT
Real Life Information Security
Pawel Krawczyk
 
PDF
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Pawel Krawczyk
 
PDF
RootedCON 2015 - Deep inside the Java framework Apache Struts
testpurposes
 
PDF
バックアップの基礎知識
hogehuga
 
PPTX
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
PPTX
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
jasonjfrank
 
PDF
.Net Hijacking to Defend PowerShell BSidesSF2017
Amanda Rousseau
 
PDF
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
CSCJournals
 
PDF
hbstudy37 slide
Fujishiro Takuya
 
PDF
●●●の知らないSBCの世界
Fujishiro Takuya
 
PDF
マルウェア流入対策のもうひと工夫~プロが厳選!低予算でもできる効果あるセキュリティ施策~
Tomohiro Nakashima
 
PDF
Passive infrastructure of FTTH networks: an overview
Luc De Heyn
 
脆弱性情報はこうしてやってくる
JPCERT Coordination Center
 
Vuls×deep security
一輝 長澤
 
Vulsで危険な脆弱性を最速検知!(The fastest detection of dangerous vulnerability by Vuls! )
Takayuki Ushida
 
20170325 institute of-vulnerability_assessment
hogehuga
 
Vulsで始めよう!DevSecOps!
Takayuki Ushida
 
東京オリンピックに向けた、サイバーテロ対策
hogehuga
 
Securing Your .NET Application
Iron Speed
 
Maximizing your coaxial (cable tv) v2
Broto Santoso
 
Real Life Information Security
Pawel Krawczyk
 
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Pawel Krawczyk
 
RootedCON 2015 - Deep inside the Java framework Apache Struts
testpurposes
 
バックアップの基礎知識
hogehuga
 
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
jasonjfrank
 
.Net Hijacking to Defend PowerShell BSidesSF2017
Amanda Rousseau
 
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
CSCJournals
 
hbstudy37 slide
Fujishiro Takuya
 
●●●の知らないSBCの世界
Fujishiro Takuya
 
マルウェア流入対策のもうひと工夫~プロが厳選!低予算でもできる効果あるセキュリティ施策~
Tomohiro Nakashima
 
Passive infrastructure of FTTH networks: an overview
Luc De Heyn
 
Ad

Similar to SETTING METHOD IN CONSIDERATION OF THE PCI/DSS (20)

PDF
Hardening Apache Web Server by Aswin
Agate Studio
 
PDF
Configuration of Self Signed SSL Certificate For CentOS 8
Kaan Aslandağ
 
PDF
WordPress Security Best Practices 2019 Update
Zero Point Development
 
PPTX
Embrace and Extend - First-Class Activity and 3rd Party Ecosystem for SSIS in...
Sandy Winarko
 
PPTX
Wordpress security issues
Deepu Thomas
 
PPTX
Simple tips to improve Server Security
ResellerClub
 
PPTX
Hands on workshop on word press
Mohammad Shoriful Islam Ronju
 
PPSX
Bo sa nova enterprise_pres_8
home
 
PPTX
Locking down word press
Zachary Russell
 
PDF
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
PPTX
AWS Cyber Security Best Practices
DoiT International
 
PDF
Top Ten WordPress Security Tips for 2012
Brad Williams
 
PDF
WordPress Security
Christina Hawkins
 
PDF
Cohesive networks Support Docs: VNS3:turret WAF Guide
Cohesive Networks
 
PPTX
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Michael J Geiser
 
PPT
Securing Word Press Blog
Chetan Gole
 
PPTX
WordPress End-User Security
Dre Armeda
 
PDF
iSCSI Target Support for Ceph
Ceph Community
 
PPTX
Cisco-Wireless-Guest-v10.pptx
AkashMalkood1
 
PPTX
Log in to a Linux VM in Azure using AAD authentication
Takayoshi Tanaka
 
Hardening Apache Web Server by Aswin
Agate Studio
 
Configuration of Self Signed SSL Certificate For CentOS 8
Kaan Aslandağ
 
WordPress Security Best Practices 2019 Update
Zero Point Development
 
Embrace and Extend - First-Class Activity and 3rd Party Ecosystem for SSIS in...
Sandy Winarko
 
Wordpress security issues
Deepu Thomas
 
Simple tips to improve Server Security
ResellerClub
 
Hands on workshop on word press
Mohammad Shoriful Islam Ronju
 
Bo sa nova enterprise_pres_8
home
 
Locking down word press
Zachary Russell
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
AWS Cyber Security Best Practices
DoiT International
 
Top Ten WordPress Security Tips for 2012
Brad Williams
 
WordPress Security
Christina Hawkins
 
Cohesive networks Support Docs: VNS3:turret WAF Guide
Cohesive Networks
 
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Michael J Geiser
 
Securing Word Press Blog
Chetan Gole
 
WordPress End-User Security
Dre Armeda
 
iSCSI Target Support for Ceph
Ceph Community
 
Cisco-Wireless-Guest-v10.pptx
AkashMalkood1
 
Log in to a Linux VM in Azure using AAD authentication
Takayoshi Tanaka
 

More from hogehuga (20)

PDF
レトロゲーム勉強会:Diablo2の話Diablo II(オリジナル: 2000年-)は再び甦る
hogehuga
 
PPTX
LT大会資料 URL踏むとBSoDになる、心あたたまるお話
hogehuga
 
PPTX
水風呂道
hogehuga
 
PPTX
本当は怖いフリーWiFi(社内怪談LT)
hogehuga
 
PDF
最近のドローン界隈(仮)
hogehuga
 
PPTX
サウナととのいと水風呂ととのい
hogehuga
 
PPTX
Vuls祭り5 ; 脆弱性トリアージの考え方
hogehuga
 
PPTX
SIEMやログ監査で重要な事
hogehuga
 
PPTX
Owasp io t_top10_and_drone
hogehuga
 
PDF
Drone collection2019
hogehuga
 
PPTX
ハラスメントについて
hogehuga
 
PPTX
ハニーポットのログ、毎日アクセスログを見よう
hogehuga
 
PPTX
ドローンの現状とハッキング(概要版)
hogehuga
 
PPTX
Vuls祭りvol3
hogehuga
 
PDF
Honypotのログを見る
hogehuga
 
PDF
ハニーポッターと謎のアクセス
hogehuga
 
PPTX
WEBサイトのセキュリティ対策 -継続的なアップデート-
hogehuga
 
PPTX
20170408 securiy-planning
hogehuga
 
PPTX
Vuls ローカルスキャンモードの活用方法
hogehuga
 
PPTX
(Vulsで)脆弱性対策をもっと楽に!
hogehuga
 
レトロゲーム勉強会:Diablo2の話Diablo II(オリジナル: 2000年-)は再び甦る
hogehuga
 
LT大会資料 URL踏むとBSoDになる、心あたたまるお話
hogehuga
 
水風呂道
hogehuga
 
本当は怖いフリーWiFi(社内怪談LT)
hogehuga
 
最近のドローン界隈(仮)
hogehuga
 
サウナととのいと水風呂ととのい
hogehuga
 
Vuls祭り5 ; 脆弱性トリアージの考え方
hogehuga
 
SIEMやログ監査で重要な事
hogehuga
 
Owasp io t_top10_and_drone
hogehuga
 
Drone collection2019
hogehuga
 
ハラスメントについて
hogehuga
 
ハニーポットのログ、毎日アクセスログを見よう
hogehuga
 
ドローンの現状とハッキング(概要版)
hogehuga
 
Vuls祭りvol3
hogehuga
 
Honypotのログを見る
hogehuga
 
ハニーポッターと謎のアクセス
hogehuga
 
WEBサイトのセキュリティ対策 -継続的なアップデート-
hogehuga
 
20170408 securiy-planning
hogehuga
 
Vuls ローカルスキャンモードの活用方法
hogehuga
 
(Vulsで)脆弱性対策をもっと楽に!
hogehuga
 

Recently uploaded (20)

PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
assetexplorer- product-overview - presentation
nonameist3434
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 

SETTING METHOD IN CONSIDERATION OF THE PCI/DSS

  • 1. SETTING METHOD IN CONSIDERATION OF THE PCI/DSS. (PCI/DSS対応を考慮したVULS設定方 法) @hogehuga
  • 2. Today’s agenda The subject of my LT is “Consider Vuls Settings with the PCI/DSS”.  We make clear what we do / do not it?  do  MUST  MUST NOT  RESTRICT  about  Vuls Server  Target Server  Service
  • 3. Definition of term  TargetServer  To the test by using a Vuls.  VulsServer  The server to be inspected by Vuls  vuls user  User name “vuls” to use Vuls for inspection.  Administrative user  The user who can be connected to the “Vuls server”.
  • 4. Introduction  To consider to the PCI/DSS, it is necessary to take care of the following points.  MUST NOT ASSIGN a special privilege to “vuls” user.  Limited access, privileged, on a need-to-know basis.  MUST REMOVE private key; About the “vuls” user of TargetServer.  Use SSH by Public key authentication when a VulsServer access a TargetServer.  MUST NOT Read/Write Vuls output data by general user.  Only privileged user can Read/Write Vuls output data.  MUST RESTRICTED ACCESS and LOGGING to Vuls output data.  “Vuls output” include WEB( VulsRepo and the like)
  • 5. POINT!  Vuls server  Login  To restrict access to the Administrator.  Logging the login.  vuls user  Limited privilege  After setting the Vuls, sudo privileged is unnecessary.  Logging the login/switch user to vuls.  Vuls data (json reported data)  To restrict access the Administrator/WEB process.  Logging the access.  WEB server  Use Authentication access by Administrator.  Logging the access.
  • 6. POINT!  Scanned Server  vuls user  Limited privilege by sudo.  yum, apt-get only  BSD does not require any sudo privilege  Remove RSA private key  Move(copy and delete) privatekey to VulsServer.  Vuls Server only able to login to vuls.
  • 7. Detail: Vuls server setting For example…  Prerequisite  WEB server runs apache account.  apache group contain vuls user.  vuls user’s HOME is /opt/vuls .  Login  Only administrator can login the Vuls Server.  Vuls data protection  /opt/vuls/ is  chmod 640 /opt/vuls  chown vuls:apache /opt/vuls  /opt/vuls/ssh_keys is  chmod 600 /opt/vuls/ssh_keys  chown vuls:vuls /opt/vuls/ssh_keys  WEB Server  Use /etc/hosts.allow, /etc/hosts.deny  If basic authentication, MUST CHANGE every 90days and upper 7words(alphanumeric).
  • 8. Detail: Scanned Server For example  Prerequisite  vuls user’s HOME is /opt/vuls .  Login  MUST use key authentication.  without passphrase , because using the Vuls as system.  vuls user  Limited setting to /etc/sudoers  CentOS/RHEL  vuls ALL=(root) NOPASSWD: /usr/bin/yum, /bin/echo  Ubuntu, Debian  vuls ALL=(root) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt-cache  Amazon LInux, FreeBSD  Not required privilege settings.  Remove the private key  copy private key to Vuls Server, and remove private key on scanned server.
  • 9. In conclusion  I’m now going to give a brief summary of what we have covered…  Need-to-know basis  limited privileged, restricted access, remove unnecessary key.  Logging, Logging, Logging! Let’s patching software!  PCI/DSS 6.2.a  installation of applicable critical vendor-supplied security patches within one month of release.  Check security incident continuius by Vuls.
  • 10. Sponser session.  Thank you once again for talking the time to join today’s presentation.  we says, お疲れ様でした  .. and sponsor session.