PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7
Rules and Groups employed by this XCCDF Profile
-
Disable All NFS Services if Possible
If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.Group -
Disable Services Used Only by NFS
If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, and many listen for network connections. If they ar...Group -
Disable rpcbind Service
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they e...Rule Low Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...Rule Medium Severity -
Enable the NTP Daemon
Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If the service is running, it should return the follow...Rule Medium Severity -
Enable the NTP Daemon
Thentpdservice can be enabled with the following command:$ sudo systemctl enable ntpd.service
Rule Medium Severity -
Ensure that chronyd is running under chrony user account
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More informati...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Specify Additional Remote NTP Servers
Additional NTP servers can be specified for time synchronization in the file <code>/etc/ntp.conf</code>. To do so, add additional lines of the following form, substituting the IP address or hostna...Rule Unknown Severity -
Specify a Remote NTP Server
To specify a remote NTP server for time synchronization, edit the file <code>/etc/ntp.conf</code>. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for <em...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...Group -
Ensure rsyncd service is disabled
Thersyncdservice can be disabled with the following command:$ sudo systemctl mask --now rsyncd.service
Rule Medium Severity -
Xinetd
The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access controls and perform some logging. It has been large...Group -
Uninstall xinetd Package
Thexinetdpackage can be removed with the following command:$ sudo yum erase xinetd
Rule Low Severity -
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS...Group -
Remove NIS Client
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (<code>ypbind</cod...Rule Unknown Severity -
Uninstall ypserv Package
Theypservpackage can be removed with the following command:$ sudo yum erase ypserv
Rule High Severity -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Uninstall rsh-server Package
Thersh-serverpackage can be removed with the following command:$ sudo yum erase rsh-server
Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules