Guide to the Secure Configuration of Red Hat Enterprise Linux 6 (PCI-DSS centric)

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 6. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile ID   (default)

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:6
  • cpe:/o:redhat:enterprise_linux:6::client
  • cpe:/o:redhat:enterprise_linux:6::computenode

Revision History

Current version: 0.1.44

  • draft (as of 2019-05-03)

Table of Contents

  1. 2.
    1. 2.1
    2. 2.2
    3. 2.3
    4. 2.4
    5. 2.5
    6. 2.6
  2. 3.
    1. 3.1
    2. 3.2
    3. 3.3
    4. 3.4
    5. 3.5
    6. 3.6
    7. 3.7
  3. 4.
    1. 4.1
    2. 4.2
    3. 4.3
  4. 5.
    1. 5.1
    2. 5.2
    3. 5.3
    4. 5.4
  5. 6.
    1. 6.1
    2. 6.2
    3. 6.3
    4. 6.4
    5. 6.5
    6. 6.6
    7. 6.7
  6. 7.
    1. 7.1
    2. 7.2
    3. 7.3
  7. 8.
    1. 8.1
    2. 8.2
    3. 8.3
    4. 8.4
    5. 8.5
    6. 8.6
    7. 8.7
    8. 8.8
  8. 10.
    1. 10.1
    2. 10.2
    3. 10.3
    4. 10.4
    5. 10.5
    6. 10.6
    7. 10.7
    8. 10.8
  9. 11.
    1. 11.1
    2. 11.2
    3. 11.3
    4. 11.4
    5. 11.5
    6. 11.6
  10. Values
  11. Non PCI-DSS

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 6 (PCI-DSS centric)
Group   2.

[ref]   Do not use vendor-supplied defaults for system passwords and other

Group   2.1

[ref]   Always change vendor-supplied

Group   2.1.1

[ref]   For wireless environments

Group   2.1.1.a

[ref]   Interview responsible personnel and examine

Group   2.1.1.b

[ref]   Interview personnel and examine policies and

Group   2.1.1.c

[ref]   Examine vendor documentation and login to

Group   2.1.1.d

[ref]   Examine vendor documentation and observe

Group   2.1.1.e

[ref]   Examine vendor documentation and observe

Group   2.1.a

[ref]   Choose a sample of system components, and attempt

Group   2.1.b

[ref]   For the sample of system components, verify that all

Group   2.1.c

[ref]   Interview personnel and examine supporting

Group   2.2

[ref]   Develop configuration standards for

Group   2.2.1

[ref]   Implement only one primary

Group   2.2.1.a

[ref]   Select a sample of system components and

Group   2.2.1.b

[ref]   If virtualization technologies are used, inspect the

Group   2.2.2

[ref]   Enable only necessary services,

Group   2.2.2.a

[ref]   Select a sample of system components and

Group   2.2.2.b

[ref]   Identify any enabled insecure services, daemons,

Group   2.2.3

[ref]   Implement additional security

Group   2.2.3.a

[ref]   Inspect configuration settings to verify that security

Group   2.2.4

[ref]   Configure system security

Group   2.2.4.a

[ref]   Interview system administrators and/or security

Group   2.2.4.b

[ref]   Examine the system configuration standards to

Group   2.2.4.c

[ref]   Select a sample of system components and

Group   2.2.5

[ref]   Remove all unnecessary

Group   2.2.5.a

[ref]   Select a sample of system components and

Group   2.2.5.b

[ref]   . Examine the documentation and security

Group   2.2.5.c

[ref]   . Examine the documentation and security

Group   2.2.a

[ref]  

Group   2.2.b

[ref]   Examine policies and interview personnel to

Group   2.2.c

[ref]   Examine policies and interview personnel to

Group   2.2.d

[ref]   Verify that system configuration standards include the

Group   2.3

[ref]   Encrypt all non-console

Group   2.3.a

[ref]   Observe an administrator log on to each system and

Group   2.3.b

[ref]   Review services and parameter files on systems to

Group   2.3.c

[ref]   Observe an administrator log on to each system to

Group   2.3.d

[ref]   Examine vendor documentation and interview

Group   2.4

[ref]   Maintain an inventory of system

Group   2.4.a

[ref]   Examine system inventory to verify that a list of

Group   2.4.b

[ref]   Interview personnel to verify the documented inventory

Group   2.5

[ref]   Ensure that security policies and

Group   2.6

[ref]   Shared hosting providers must

Group   3.

[ref]   Protect stored cardholder data

Group   3.1

[ref]   Keep cardholder data storage to a

Group   3.1.a

[ref]   Examine the data retention and disposal policies,

Group   3.1.b

[ref]   Interview personnel to verify that:

Group   3.1.c

[ref]   For a sample of system components that store cardholder

Group   3.2

[ref]   Do not store sensitive authentication

Group   3.2.1

[ref]   Do not store the full contents of

Group   3.2.2

[ref]   Do not store the card verification

Group   3.2.3

[ref]   Do not store the personal

Group   3.2.a

[ref]   For issuers and/or companies that support issuing

Group   3.2.b

[ref]   For issuers and/or companies that support issuing

Group   3.2.c

[ref]   For all other entities, if sensitive authentication data is

Group   3.2.d

[ref]   For all other entities, if sensitive authentication data is

Group   3.3

[ref]   Mask PAN when displayed (the first

Group   3.3.a

[ref]   Examine written policies and procedures for masking the

Group   3.3.b

[ref]   Examine system configurations to verify that full PAN is

Group   3.3.c

[ref]   Examine displays of PAN (for example, on screen, on

Group   3.4

[ref]   Render PAN unreadable anywhere it

Group   3.4.1

[ref]   If disk encryption is used (rather

Group   3.4.1.a

[ref]   If disk encryption is used, inspect the configuration

Group   3.4.1.b

[ref]   Observe processes and interview personnel to verify

Group   3.4.1.c

[ref]   Examine the configurations and observe the

Group   3.4.a

[ref]   Examine documentation about the system used to protect

Group   3.4.b

[ref]   Examine several tables or files from a sample of data

Group   3.4.c

[ref]   Examine a sample of removable media (for example,

Group   3.4.d

[ref]   Examine a sample of audit logs to confirm that the PAN is

Group   3.4.e

[ref]   If

Group   3.5

[ref]   Document and implement

Group   3.5.1

[ref]   Restrict access to cryptographic

Group   3.5.2

[ref]   Store secret and private keys

Group   3.5.2.a

[ref]   Examine documented procedures to verify that

Group   3.5.2.b

[ref]   Examine system configurations and key storage

Group   3.5.2.c

[ref]   Wherever key-encrypting keys are used, examine

Group   3.5.3

[ref]   Store cryptographic keys in the

Group   3.6

[ref]   Fully document and implement all

Group   3.6.1

[ref]   Generation of strong

Group   3.6.1.a

[ref]   Verify that key-management procedures specify how

Group   3.6.1.b

[ref]   Observe the method for generating keys to verify that

Group   3.6.2

[ref]   Secure cryptographic key

Group   3.6.2.a

[ref]   Verify that key-management procedures specify how

Group   3.6.2.b

[ref]   Observe the method for distributing keys to verify that

Group   3.6.3

[ref]   Secure cryptographic key storage

Group   3.6.3.a

[ref]   Verify that key-management procedures specify how

Group   3.6.3.b

[ref]   Observe the method for storing keys to verify that

Group   3.6.4

[ref]   Cryptographic key changes for

Group   3.6.4.a

[ref]   Verify that key-management procedures include a

Group   3.6.4.b

[ref]   Interview personnel to verify that keys are changed at

Group   3.6.5

[ref]   Retirement or replacement (for

Group   3.6.5.a

[ref]   Verify that key-management procedures specify

Group   3.6.5.b

[ref]   Interview personnel to verify the following processes

Group   3.6.6

[ref]   If manual clear-text cryptographic

Group   3.6.6.a

[ref]   Verify that manual clear-text key-management

Group   3.6.7

[ref]   Prevention of unauthorized

Group   3.6.7.a

[ref]   Verify that key-management procedures specify

Group   3.6.7.b

[ref]   Interview personnel and/or observe processes to

Group   3.6.8

[ref]   Requirement for cryptographic

Group   3.6.8.a

[ref]   Verify that key-management procedures specify

Group   3.6.8.b

[ref]   Observe documentation or other evidence showing

Group   3.6.b

[ref]   Examine the key-management procedures and processes

Group   3.7

[ref]   Ensure that security policies and

Group   4.

[ref]   Encrypt transmission of cardholder data across open, public networks

Group   4.1

[ref]   Use strong cryptography and security

Group   4.1.1

[ref]   Ensure wireless networks transmitting

Group   4.1.a

[ref]   Identify all locations where cardholder data is

Group   4.1.b

[ref]   Review documented policies and procedures to verify

Group   4.1.c

[ref]   Select and observe a sample of inbound and outbound

Group   4.1.d

[ref]   Examine keys and certificates to verify that only

Group   4.1.e

[ref]   Examine system configurations to verify that the

Group   4.1.f

[ref]   Examine system configurations to verify that the proper

Group   4.1.g

[ref]   For TLS implementations, examine system

Group   4.2

[ref]   Never send unprotected PANs by end-

Group   4.2.a

[ref]   If end-user messaging technologies are used to send

Group   4.2.b

[ref]   Review written policies to verify the existence of a

Group   4.3

[ref]   Ensure that security policies and

Group   5.

[ref]   Protect all systems against malware and regularly update anti-virus

Group   5.1

[ref]   Deploy anti-virus software on all

Group   5.1.1

[ref]   Ensure that anti-virus programs

Group   5.1.2

[ref]   For systems considered to be not

Group   5.2

[ref]   Ensure that all anti-virus mechanisms

Group   5.2.a

[ref]   Examine policies and procedures to verify that anti-virus

Group   5.2.b

[ref]   Examine anti-virus configurations, including the master

Group   5.2.c

[ref]   Examine a sample of system components, including all

Group   5.2.d

[ref]   Examine anti-virus configurations, including the master

Group   5.3

[ref]   Ensure that anti-virus mechanisms

Group   5.3.a

[ref]   Examine anti-virus configurations, including the master

Group   5.3.b

[ref]   Examine anti-virus configurations, including the master

Group   5.3.c

[ref]   Interview responsible personnel and observe processes to

Group   5.4

[ref]   Ensure that security policies and

Group   6.

[ref]   Develop and maintain secure systems and applications

Group   6.1

[ref]   Establish a process to identify security

Group   6.1.a

[ref]   Examine policies and procedures to verify that

Group   6.1.b

[ref]   Interview responsible personnel and observe

Group   6.2

[ref]   Ensure that all system components and

Group   6.2.a

[ref]   Examine policies and procedures related to security-

Group   6.2.b

[ref]   For a sample of system components and related

Group   6.3

[ref]   Develop internal and external software

Group   6.3.1

[ref]   Remove development, test and/or

Group   6.3.2

[ref]   Review custom code prior to release

Group   6.3.2.a

[ref]   Examine written software-development procedures

Group   6.3.2.b

[ref]   Select a sample of recent custom application

Group   6.3.a

[ref]   Examine written software-development processes to

Group   6.3.b

[ref]   Examine written software-development processes to

Group   6.3.c

[ref]   Examine written software-development processes to

Group   6.3.d

[ref]   Interview software developers to verify that written

Group   6.4

[ref]   Follow change control processes and

Group   6.4.1

[ref]   Separate development/test

Group   6.4.1.a

[ref]   Examine network documentation and network

Group   6.4.1.b

[ref]   Examine access controls settings to verify that

Group   6.4.2

[ref]   Separation of duties between

Group   6.4.3

[ref]   Production data (live PANs) are not

Group   6.4.3.a

[ref]   Observe testing processes and interview

Group   6.4.3.b

[ref]   Examine a sample of test data to verify production

Group   6.4.4

[ref]   Removal of test data and accounts

Group   6.4.4.a

[ref]   Observe testing processes and interview

Group   6.4.4.b

[ref]   Examine a sample of data and accounts from

Group   6.4.5

[ref]   Change control procedures for the

Group   6.4.5.a

[ref]   Examine documented change control procedures

Group   6.4.5.b

[ref]   For a sample of system components, interview

Group   6.5

[ref]   Address common coding vulnerabilities in

Group   6.5.1

[ref]   Injection flaws, particularly SQL

Group   6.5.10

[ref]   Broken authentication and session

Group   6.5.2

[ref]   Buffer overflows

Group   6.5.3

[ref]   Insecure cryptographic storage

Group   6.5.4

[ref]   Insecure communications

Group   6.5.5

[ref]   Improper error handling

Group   6.5.6

[ref]   Examine software-development policies and

Group   6.5.7

[ref]   Cross-site scripting (XSS)

Group   6.5.8

[ref]   Improper access control (such as

Group   6.5.9

[ref]   Cross-site request forgery (CSRF)

Group   6.5.a

[ref]   Examine software-development policies and

Group   6.5.b

[ref]   Interview a sample of developers to verify that they are

Group   6.5.c

[ref]   Examine records of training to verify that software

Group   6.6

[ref]   For public-facing web applications,

Group   6.7

[ref]   Ensure that security policies and

Group   7.

[ref]   Restrict access to cardholder data by business need to know

Group   7.1

[ref]   Limit access to system

Group   7.1.1

[ref]   Define access needs for

Group   7.1.2

[ref]   Restrict access to privileged

Group   7.1.2.a

[ref]   Interview personnel responsible for assigning access to

Group   7.1.2.b

[ref]   Select a sample of user IDs with privileged access and

Group   7.1.3

[ref]   Assign access based on

Group   7.1.4

[ref]   Require documented

Group   7.2

[ref]   Establish an access control

Group   7.2.1

[ref]   Coverage of all system

Group   7.2.2

[ref]   Assignment of privileges to

Group   7.2.3

[ref]  

Group   7.3

[ref]   Ensure that security policies and

Group   8.

[ref]   Identify and authenticate access to system components

Group   8.1

[ref]   Define and implement policies and

Group   8.1.1

[ref]   Assign all users a unique ID

Group   8.1.2

[ref]   Control addition, deletion, and

Group   8.1.3

[ref]   Immediately revoke access for

Group   8.1.3.a

[ref]   Select a sample of users terminated in the past six

Group   8.1.3.b

[ref]   Verify all physical authentication methods

Group   8.1.4

[ref]   Remove/disable inactive user

Group   8.1.5

[ref]   Manage IDs used by vendors to

Group   8.1.5.a

[ref]   Interview personnel and observe processes for

Group   8.1.5.b

[ref]   Interview personnel and observe processes to verify

Group   8.1.6

[ref]   Limit repeated access attempts

Group   8.1.6.a

[ref]   For a sample of system components, inspect system

Group   8.1.6.b

[ref]  

Group   8.1.7

[ref]   Set the lockout duration to a

Group   8.1.8

[ref]   If a session has been idle for

Group   8.1.a

[ref]   Review procedures and confirm they define processes for

Group   8.1.b

[ref]   Verify that procedures are implemented for user

Group   8.2

[ref]   In addition to assigning a unique ID,

Group   8.2.1

[ref]   Using strong cryptography,

Group   8.2.1.a

[ref]   Examine vendor documentation and system

Group   8.2.1.b

[ref]   For a sample of system components, examine

Group   8.2.1.c

[ref]   For a sample of system components, examine data

Group   8.2.1.d

[ref]  

Group   8.2.2

[ref]   Verify user identity before

Group   8.2.3

[ref]   Passwords/phrases must meet

Group   8.2.3.a

[ref]   For a sample of system components, inspect system

Group   8.2.3.b

[ref]  

Group   8.2.4

[ref]   Change user

Group   8.2.4.a

[ref]   For a sample of system components, inspect system

Group   8.2.4.b

[ref]  

Group   8.2.5

[ref]   Do not allow an individual to

Group   8.2.5.a

[ref]   For a sample of system components, obtain and

Group   8.2.5.b

[ref]  

Group   8.2.6

[ref]   Set passwords/phrases for first-

Group   8.3

[ref]   Incorporate two-factor authentication

Group   8.3.a

[ref]   Examine system configurations for remote access servers

Group   8.3.b

[ref]   Observe a sample of personnel (for example, users and

Group   8.4

[ref]   Document and communicate

Group   8.4.a

[ref]   Examine

Group   8.4.b

[ref]   Review authentication policies and procedures that are

Group   8.4.c

[ref]   Interview a sample of users to verify that they are familiar

Group   8.5

[ref]   Do not use group, shared, or generic

Group   8.5.1

[ref]  

Group   8.5.a

[ref]   For a sample of system components, examine user ID lists

Group   8.5.b

[ref]   Examine authentication policies and procedures to verify

Group   8.5.c

[ref]   Interview system administrators to verify that group and

Group   8.6

[ref]   Where other authentication

Group   8.6.a

[ref]   Examine authentication policies and procedures to verify

Group   8.6.b

[ref]   Interview security personnel to verify authentication

Group   8.6.c

[ref]   Examine system configuration settings and/or physical

Group   8.7

[ref]   All access to any database

Group   8.7.a

[ref]   Review database and application configuration settings

Group   8.7.b

[ref]   Examine database and application configuration settings to

Group   8.7.c

[ref]   Examine database access control settings and database

Group   8.7.d

[ref]   Examine database access control settings, database

Group   8.8

[ref]   Ensure that security policies and

Group   10.

[ref]   Track and monitor all access to network resources and cardholder data

Group   10.1

[ref]   Implement audit trails to link all

Group   10.2

[ref]   Implement automated audit trails for

Group   10.2.1

[ref]   All individual user accesses to

Group   10.2.2

[ref]   All actions taken by any

Group   10.2.3

[ref]   Access to all audit trails

Group   10.2.4

[ref]   Invalid logical access attempts

Group   10.2.5

[ref]   Use of and changes to

Group   10.2.5.a

[ref]   Verify use of identification and authentication

Group   10.2.5.b

[ref]   Verify all elevation of privileges is logged.

Group   10.2.5.c

[ref]   Verify all changes, additions, or deletions to any account

Group   10.2.6

[ref]   Initialization, stopping, or

Group   10.2.7

[ref]   Creation and deletion of system-

Group   10.3

[ref]   Record at least the following audit

Group   10.3.1

[ref]   User identification

Group   10.3.2

[ref]   Type of event

Group   10.3.3

[ref]   Date and time

Group   10.3.4

[ref]   Success or failure indication

Group   10.3.5

[ref]   Origination of event

Group   10.3.6

[ref]   Identity or name of affected

Group   10.4

[ref]   Using time-synchronization

Group   10.4.1

[ref]   Critical systems have the

Group   10.4.1.a

[ref]   Examine the process for acquiring, distributing and

Group   10.4.1.b

[ref]   Observe the time-related system-parameter settings for

Group   10.4.2

[ref]   Time data is protected.

Group   10.4.2.a

[ref]   Examine system configurations and time-

Group   10.4.2.b

[ref]   Examine system configurations, time synchronization

Group   10.4.3

[ref]   Time settings are received from

Group   10.5

[ref]   Secure audit trails so they cannot

Group   10.5.1

[ref]   Limit viewing of audit trails to

Group   10.5.2

[ref]   Protect audit trail files from

Group   10.5.3

[ref]   Promptly back up audit trail files

Group   10.5.4

[ref]   Write logs for external-facing

Group   10.5.5

[ref]   Use file-integrity monitoring or

Group   10.6

[ref]   Review logs and security events for

Group   10.6.1

[ref]   Review the following at least

Group   10.6.1.a

[ref]   Examine security policies and procedures to verify that

Group   10.6.1.b

[ref]   Observe processes and interview personnel to verify

Group   10.6.2

[ref]   Review logs of all other system

Group   10.6.2.a

[ref]   Examine security policies and procedures to verify that

Group   10.6.2.b

[ref]  

Group   10.6.3

[ref]   Follow up exceptions and

Group   10.6.3.a

[ref]   Examine security policies and procedures to verify that

Group   10.6.3.b

[ref]   Observe processes and interview personnel to verify

Group   10.7

[ref]   Retain audit trail history for at least

Group   10.7.a

[ref]   Examine security policies and procedures to verify that they

Group   10.7.b

[ref]   Interview personnel and examine audit logs to verify that

Group   10.7.c

[ref]   Interview personnel and observe processes to verify that at

Group   10.8

[ref]   Ensure that security policies and

Group   11.

[ref]   Regularly test security systems and processes

Group   11.1

[ref]   Implement processes to test for the

Group   11.1.1

[ref]   Maintain an inventory of

Group   11.1.2

[ref]   Implement incident response

Group   11.1.2.a

[ref]  

Group   11.1.2.b

[ref]   Interview responsible personnel and/or inspect

Group   11.1.a

[ref]   Examine policies and procedures to verify processes

Group   11.1.b

[ref]   Verify that the methodology is adequate to detect and

Group   11.1.c

[ref]   If wireless scanning is utilized, examine output from

Group   11.1.d

[ref]   If automated monitoring is utilized (for example,

Group   11.2

[ref]   Run internal and external network

Group   11.2.1

[ref]   Perform quarterly internal

Group   11.2.1.a

[ref]   Review the scan reports and verify that four

Group   11.2.1.b

[ref]   Review the scan reports and verify that the scan

Group   11.2.2

[ref]   Perform quarterly external

Group   11.2.2.c

[ref]   Review the scan reports to verify that the scans

Group   11.2.3

[ref]   Perform internal and external

Group   11.2.3.a

[ref]   Inspect and correlate change control

Group   11.2.3.b

[ref]   Review scan reports and verify that the scan

Group   11.2.3.c

[ref]   Validate that the scan was performed by a qualified

Group   11.3

[ref]   Implement a methodology for

Group   11.3.1

[ref]   Perform

Group   11.3.1.a

[ref]   Examine the scope of work and results from the

Group   11.3.1.b

[ref]   Verify that the test was performed by a qualified

Group   11.3.2

[ref]   Perform

Group   11.3.2.a

[ref]   Examine the scope of work and results from the

Group   11.3.2.b

[ref]   Verify that the test was performed by a qualified

Group   11.3.3

[ref]   Exploitable vulnerabilities found

Group   11.3.4

[ref]   If segmentation is used to isolate

Group   11.3.4.a

[ref]   Examine segmentation controls and review

Group   11.3.4.b

[ref]   Examine the results from the most recent

Group   11.4

[ref]   Use intrusion-detection and/or

Group   11.4.a

[ref]   Examine system configurations and network diagrams

Group   11.4.b

[ref]   Examine system configurations and interview

Group   11.4.c

[ref]   Examine IDS/IPS configurations and vendor

Group   11.5

[ref]   Deploy a change-detection

Group   11.5.1

[ref]   Implement a process to respond to

Group   11.5.a

[ref]   Verify the use of a change-detection mechanism within

Group   11.5.b

[ref]   Verify the mechanism is configured to alert personnel

Group   11.6

[ref]   Ensure that security policies and

Group   Values

[ref]   Group of values used in PCI-DSS profile

Group   Non PCI-DSS

[ref]   Rules that are not part of PCI-DSS

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.