Hello everyone!
Today I want to talk about Qualys Vulnerability Management, a cloud solution for finding and analyzing vulnerabilities.
Below I will show how a scan is configured and what information about vulnerabilities you can get from its results.
What can be scanned
External services. To scan services reachable from the Internet, the client provides IP addresses and credentials (if an authenticated scan is required). The Qualys cloud scans the services and sends a report based on the results.
Internal services. In this case the scanner looks for vulnerabilities in internal servers and network infrastructure. Such a scan lets you inventory operating systems, applications, open ports and the versions of the services behind them.
The Qualys scanner is installed inside the client's infrastructure to scan it; the Qualys cloud then acts as the command center for that scanner.
In addition to the internal server running Qualys, an agent (Cloud Agent) can be installed on the scanned objects. Agents collect information about the system locally and put virtually no load on the network or on the host they run on. The collected information is sent to the cloud.
Two points are important here: authentication and the choice of objects to scan.
- Use authentication. Some clients, especially for external services, ask for a black-box scan: they hand over a range of IP addresses without identifying the systems and say they want to see it the way a hacker would. But hackers rarely act blindly: when it comes to an attack (as opposed to reconnaissance), they know what they are attacking.
Run blindly, Qualys may run into a decoy and scan it instead of the target system. And if you do not understand exactly what is being scanned, you can overlook a scanner setting and end up losing the connection to the service you are checking.
Running authenticated checks against the scanned systems (white box) makes the scan far more effective: the scanner understands where the information comes from and gets complete data on the target system's vulnerabilities. Qualys has many authentication options.
- Group your assets. If you start scanning everything at once, indiscriminately, it takes a long time and puts unnecessary load on the systems. We recommend grouping hosts and services by criticality, location, OS version, importance to the infrastructure and other attributes (in Qualys these are Asset Groups and Asset Tags) and selecting specific groups when you scan.
- Choose a maintenance window for scanning. Even a well-thought-out and well-prepared scan adds load to the systems. It will not necessarily degrade services, but we recommend picking a specific time for it, as you would for backups or rolling out updates.
What can you learn from the reports?
Based on the scan results, the client receives a report that contains not only a list of all vulnerabilities found but also basic recommendations for fixing them: updates, patches and so on. Qualys has many reports; there are default templates, and you can create your own. To avoid getting lost in all this variety, we recommend first deciding on the following points:
- Who will read the report: a manager or a technical specialist?
- What information do you want to get from the scan results? For example, if you want to know whether all the required patches are installed and how remediation of previously found vulnerabilities is progressing, that is one report. If you need an inventory of all hosts, that is a different report.
If the task is to give management a brief but clear overall picture, you can produce the following format: the Executive Report. All vulnerabilities are broken down by severity level into bars, graphs and charts: for example, the top 10 most critical vulnerabilities, the most common vulnerabilities, and so on.
For technical specialists there are technical reports with all the details; the following reports can be generated.
Host Report. Useful when you need to inventory the infrastructure and get an overall picture of the vulnerabilities on the hosts.
The list of analyzed hosts shows the OS running on each host.
Let's go through the list of 219 vulnerabilities found on the target host, starting from the most critical level XNUMX.
After that you can look at the details of each vulnerability. There you find:
- when the vulnerability was first and last detected;
- the vulnerability's industry score;
- how to fix the vulnerability;
- whether it causes compliance problems with PCI DSS, NIST, etc.;
- whether malware exists that exploits this vulnerability;
- whether it was detected during an authenticated or unauthenticated scan of the system.
If this is not your first scan (and yes, you need to scan regularly), you can use the Trend Report to track the dynamics of vulnerability remediation. The status of each vulnerability is shown relative to the previous scan: vulnerabilities found earlier and since closed are marked Fixed, those not closed are marked Active, and newly discovered ones are marked New.
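The Trend Report status logic just described, written out as an added Python example (not code from the article or from Qualys) over two constructed scan exports; the CSV column names and QID values are assumptions for illustration, not the real Qualys export format:

```python
# Added example (not from the article or Qualys): the Trend Report status
# logic described above, applied to two constructed scan exports. The CSV
# columns are an assumption for illustration, not the Qualys export schema.
import csv
from io import StringIO

# Constructed sample data: previous scan and current scan, one finding per row.
PREVIOUS_SCAN = """host,qid,severity,title
10.0.0.5,90001,5,Sample: unsupported SSH version
10.0.0.5,90002,3,Sample: weak TLS cipher suites
10.0.0.7,90001,5,Sample: unsupported SSH version
"""
CURRENT_SCAN = """host,qid,severity,title
10.0.0.5,90002,3,Sample: weak TLS cipher suites
10.0.0.7,90001,5,Sample: unsupported SSH version
10.0.0.7,90003,4,Sample: missing OS patch
"""

def parse_scan(text):
    """Index one export by (host, qid), the identity of a finding."""
    return {(r["host"], r["qid"]): r for r in csv.DictReader(StringIO(text))}

def trend(previous, current):
    """Label each finding relative to the previous scan:
    Fixed = was present, now gone; Active = still present; New = first seen."""
    prev, cur = parse_scan(previous), parse_scan(current)
    result = {}
    for key in sorted(prev.keys() | cur.keys()):
        if key not in cur:
            status = "Fixed"
        elif key in prev:
            status = "Active"
        else:
            status = "New"
        row = cur.get(key) or prev[key]   # take details from the latest sighting
        result[key] = {"status": status, "severity": int(row["severity"]),
                       "title": row["title"]}
    return result

def summary(trend_result, min_severity=1):
    """Count statuses at or above a severity level, e.g. 'what changed at level 5?'."""
    counts = {"Fixed": 0, "Active": 0, "New": 0}
    for finding in trend_result.values():
        if finding["severity"] >= min_severity:
            counts[finding["status"]] += 1
    return counts
```

Running `summary(trend(PREVIOUS_SCAN, CURRENT_SCAN), min_severity=4)` on the sample data gives one Fixed, one Active and one New finding at level 4 or higher.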
Vulnerability Report. In this report Qualys lists the vulnerabilities starting from the most critical and shows on which hosts each one occurs. It is useful, for example, when you want to see all level XNUMX vulnerabilities at once.
You can also report only level XNUMX and level XNUMX vulnerabilities separately.
Patch Report. Here you can see the complete list of patches that must be installed to eliminate the vulnerabilities found. For each patch it shows which vulnerabilities it fixes, which hosts/systems it must be installed on, and a direct download link.
PCI DSS Compliance Report. The PCI DSS standard requires information systems and applications reachable from the Internet to be scanned every 90 days. After a scan you can generate a report showing where the infrastructure does not meet the standard's requirements.
Remediation Report. When Qualys is integrated with a Service Desk, every vulnerability found is automatically turned into a ticket. With this report you can track progress on completed tickets and resolved vulnerabilities.
Open Ports Report. Here you get information about open ports and the services running on them.
You can also generate a report on the vulnerabilities for each port.
These are just the standard report templates. You can create your own for specific tasks, for example to show only vulnerabilities at or above severity level XNUMX. All reports are available in the following formats: CSV, XML, HTML, PDF, docx.
And remember: security is a process, not a result. A XNUMX-minute scan helps find problems here and now, but that is not what a real vulnerability management process is about.
To make it easier to take on this regular work, we have built a service based on Qualys Vulnerability Management.
There is a promotion for all Habr readers: order the scanning service for XNUMX year and the first XNUMX months of scanning are free. Leave your request
Source: habr.com