Skip to content

PCI-DSS v4.0 Control Baseline for Alibaba Cloud Linux 2

Rules and Groups employed by this XCCDF Profile

  • Record attempts to alter time through adjtimex

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Attempts to Alter Time Through clock_settime

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record attempts to alter time through settimeofday

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Attempts to Alter Time Through stime

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Attempts to Alter the localtime File

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Configure auditd Data Retention

    The audit system writes data to <code>/var/log/audit/audit.log</code>. By default, <code>auditd</code> rotates 5 logs by size (6MB), retaining a ma...
    Group
  • Configure auditd to use audispd's syslog plugin

    To configure the <code>auditd</code> service to use the <code>syslog</code> plug-in of the <code>audispd</code> audit event multiplexor, set the <c...
    Rule Medium Severity
  • Configure auditd admin_space_left Action on Low Disk Space

    The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Ed...
    Rule Medium Severity
  • Configure auditd space_left Action on Low Disk Space

    The <code>auditd</code> service can be configured to take an action when disk space <i>starts</i> to run low. Edit the file <code>/etc/audit/auditd...
    Rule Medium Severity
  • GRUB2 bootloader configuration

    During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...
    Group
  • Non-UEFI GRUB2 bootloader configuration

    Non-UEFI GRUB2 bootloader configuration
    Group
  • Verify /boot/grub2/grub.cfg Group Ownership

    The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file....
    Rule Medium Severity
  • Verify /boot/grub2/grub.cfg User Ownership

    The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To pr...
    Rule Medium Severity
  • Verify /boot/grub2/grub.cfg Permissions

    File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/grub.cfg</code>,...
    Rule Medium Severity
  • Configure Syslog

    The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lac...
    Group
  • Ensure Proper Configuration of Log Files

    The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of...
    Group
  • Ensure Log Files Are Owned By Appropriate Group

    The group-owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of ...
    Rule Medium Severity
  • Ensure Log Files Are Owned By Appropriate User

    The owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of each...
    Rule Medium Severity
  • Ensure System Log Files Have Correct Permissions

    The file permissions for all log files written by <code>rsyslog</code> should be set to 640, or more restrictive. These log files are determined by...
    Rule Medium Severity
  • Ensure All Logs are Rotated by logrotate

    Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/message...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules