Skip to content

PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7

Rules and Groups employed by this XCCDF Profile

  • Warning Banners for System Accesses

    Each system should expose as little information about itself as possible. <br><br> System banners, which are typically displayed just before a logi...
    Group
  • Verify Group Ownership of System Login Banner for Remote Connections

    To properly set the group owner of /etc/issue.net, run the command:
    $ sudo chgrp root /etc/issue.net
    Rule Medium Severity
  • Verify ownership of System Login Banner for Remote Connections

    To properly set the owner of /etc/issue.net, run the command:
    $ sudo chown root /etc/issue.net 
    Rule Medium Severity
  • Verify permissions on System Login Banner for Remote Connections

    To properly set the permissions of /etc/issue.net, run the command:
    $ sudo chmod 0644 /etc/issue.net
    Rule Medium Severity
  • Protect Accounts by Configuring PAM

    PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...
    Group
  • Ensure PAM Displays Last Logon/Access Notification

    To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...
    Rule Low Severity
  • Set Lockouts for Failed Password Attempts

    The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...
    Group
  • Limit Password Reuse: password-auth

    Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...
    Rule Medium Severity
  • Limit Password Reuse: system-auth

    Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...
    Rule Medium Severity
  • Limit Password Reuse

    Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...
    Rule Medium Severity
  • Lock Accounts After Failed Password Attempts

    This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...
    Rule Medium Severity
  • Set Lockout Time for Failed Password Attempts

    This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_fail...
    Rule Medium Severity
  • Set Password Quality Requirements

    The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...
    Group
  • Set Password Quality Requirements with pam_pwquality

    The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <cod...
    Group
  • Ensure PAM Enforces Password Requirements - Minimum Digit Characters

    The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

    The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Length

    The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...
    Rule Medium Severity
  • Set Password Hashing Algorithm

    The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.
    Group
  • Set Password Hashing Algorithm in /etc/libuser.conf

    In <code>/etc/libuser.conf</code>, add or correct the following line in its <code>[defaults]</code> section to ensure the system will use the SHA-5...
    Rule Medium Severity
  • Set Password Hashing Algorithm in /etc/login.defs

    In <code>/etc/login.defs</code>, add or correct the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules