Guide to the Secure Configuration of CentOS Linux 6 (PCI-DSS centric)

This guide presents a catalog of security-relevant configuration settings for CentOS Linux 6. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for CentOS Linux 6, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

This benchmark is a direct port of a SCAP Security Guide benchmark developed for CentOS Linux. It has been modified through an automated process to remove specific dependencies on CentOS Linux and to function with CentOS. The result is a generally useful SCAP Security Guide benchmark with the following caveats:

  • CentOS is not an exact copy of CentOS Linux. There may be configuration differences that produce false positives and/or false negatives. If this occurs please file a bug report.
  • CentOS has its own build system, compiler options, patchsets, and is a community supported, non-commercial operating system. CentOS does not inherit certifications or evaluations from CentOS Linux. As such, some configuration rules (such as those requiring FIPS 140-2 encryption) will continue to fail on CentOS.

Members of the CentOS community are invited to participate in OpenSCAP and SCAP Security Guide development. Bug reports and patches can be sent to GitHub: https://github.com/OpenSCAP/scap-security-guide. The mailing list is at https://fedorahosted.org/mailman/listinfo/scap-security-guide.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.
Profile ID(default)

Revision History

Current version: 0.1.36

  • draft (as of 2018-05-16)

Platforms

  • cpe:/o:redhat:enterprise_linux:6
  • cpe:/o:centos:centos:6
  • cpe:/o:redhat:enterprise_linux:6::client
  • cpe:/o:redhat:enterprise_linux:6::computenode

Table of Contents

  1. 2.
    1. 2.1
    2. 2.2
    3. 2.3
    4. 2.4
    5. 2.5
    6. 2.6
  2. 3.
    1. 3.1
    2. 3.2
    3. 3.3
    4. 3.4
    5. 3.5
    6. 3.6
    7. 3.7
  3. 4.
    1. 4.1
    2. 4.2
    3. 4.3
  4. 5.
    1. 5.1
    2. 5.2
    3. 5.3
    4. 5.4
  5. 6.
    1. 6.1
    2. 6.2
    3. 6.3
    4. 6.4
    5. 6.5
    6. 6.6
    7. 6.7
  6. 7.
    1. 7.1
    2. 7.2
    3. 7.3
  7. 8.
    1. 8.1
    2. 8.2
    3. 8.3
    4. 8.4
    5. 8.5
    6. 8.6
    7. 8.7
    8. 8.8
  8. 10.
    1. 10.1
    2. 10.2
    3. 10.3
    4. 10.4
    5. 10.5
    6. 10.6
    7. 10.7
    8. 10.8
  9. 11.
    1. 11.1
    2. 11.2
    3. 11.3
    4. 11.4
    5. 11.5
    6. 11.6
  10. Values
  11. Non PCI-DSS

Checklist

2.   [ref]group

Do not use vendor-supplied defaults for system passwords and other

2.1   [ref]group

Always change vendor-supplied

2.1.1   [ref]group

For wireless environments

2.1.1.a   [ref]group

Interview responsible personnel and examine

2.1.1.b   [ref]group

Interview personnel and examine policies and

2.1.1.c   [ref]group

Examine vendor documentation and login to

2.1.1.d   [ref]group

Examine vendor documentation and observe

2.1.1.e   [ref]group

Examine vendor documentation and observe

2.1.a   [ref]group

Choose a sample of system components, and attempt

2.1.b   [ref]group

For the sample of system components, verify that all

2.1.c   [ref]group

Interview personnel and examine supporting

2.2   [ref]group

Develop configuration standards for

2.2.1   [ref]group

Implement only one primary

2.2.1.a   [ref]group

Select a sample of system components and

2.2.1.b   [ref]group

If virtualization technologies are used, inspect the

2.2.2   [ref]group

Enable only necessary services,

2.2.2.a   [ref]group

Select a sample of system components and

2.2.2.b   [ref]group

Identify any enabled insecure services, daemons,

2.2.3   [ref]group

Implement additional security

2.2.3.a   [ref]group

Inspect configuration settings to verify that security

2.2.4   [ref]group

Configure system security

2.2.4.a   [ref]group

Interview system administrators and/or security

2.2.4.b   [ref]group

Examine the system configuration standards to

2.2.4.c   [ref]group

Select a sample of system components and

2.2.5   [ref]group

Remove all unnecessary

2.2.5.a   [ref]group

Select a sample of system components and

2.2.5.b   [ref]group

. Examine the documentation and security

2.2.5.c   [ref]group

. Examine the documentation and security

2.2.a   [ref]group

2.2.b   [ref]group

Examine policies and interview personnel to

2.2.c   [ref]group

Examine policies and interview personnel to

2.2.d   [ref]group

Verify that system configuration standards include the

2.3   [ref]group

Encrypt all non-console

2.3.a   [ref]group

Observe an administrator log on to each system and

2.3.b   [ref]group

Review services and parameter files on systems to

2.3.c   [ref]group

Observe an administrator log on to each system to

2.3.d   [ref]group

Examine vendor documentation and interview

2.4   [ref]group

Maintain an inventory of system

2.4.a   [ref]group

Examine system inventory to verify that a list of

2.4.b   [ref]group

Interview personnel to verify the documented inventory

2.5   [ref]group

Ensure that security policies and

2.6   [ref]group

Shared hosting providers must

3.   [ref]group

Protect stored cardholder data

3.1   [ref]group

Keep cardholder data storage to a

3.1.a   [ref]group

Examine the data retention and disposal policies,

3.1.b   [ref]group

Interview personnel to verify that:

3.1.c   [ref]group

For a sample of system components that store cardholder

3.2   [ref]group

Do not store sensitive authentication

3.2.1   [ref]group

Do not store the full contents of

3.2.2   [ref]group

Do not store the card verification

3.2.3   [ref]group

Do not store the personal

3.2.a   [ref]group

For issuers and/or companies that support issuing

3.2.b   [ref]group

For issuers and/or companies that support issuing

3.2.c   [ref]group

For all other entities, if sensitive authentication data is

3.2.d   [ref]group

For all other entities, if sensitive authentication data is

3.3   [ref]group

Mask PAN when displayed (the first

3.3.a   [ref]group

Examine written policies and procedures for masking the

3.3.b   [ref]group

Examine system configurations to verify that full PAN is

3.3.c   [ref]group

Examine displays of PAN (for example, on screen, on

3.4   [ref]group

Render PAN unreadable anywhere it

3.4.1   [ref]group

If disk encryption is used (rather

3.4.1.a   [ref]group

If disk encryption is used, inspect the configuration

3.4.1.b   [ref]group

Observe processes and interview personnel to verify

3.4.1.c   [ref]group

Examine the configurations and observe the

3.4.a   [ref]group

Examine documentation about the system used to protect

3.4.b   [ref]group

Examine several tables or files from a sample of data

3.4.c   [ref]group

Examine a sample of removable media (for example,

3.4.d   [ref]group

Examine a sample of audit logs to confirm that the PAN is

3.4.e   [ref]group

If

3.5   [ref]group

Document and implement

3.5.1   [ref]group

Restrict access to cryptographic

3.5.2   [ref]group

Store secret and private keys

3.5.2.a   [ref]group

Examine documented procedures to verify that

3.5.2.b   [ref]group

Examine system configurations and key storage

3.5.2.c   [ref]group

Wherever key-encrypting keys are used, examine

3.5.3   [ref]group

Store cryptographic keys in the

3.6   [ref]group

Fully document and implement all

3.6.1   [ref]group

Generation of strong

3.6.1.a   [ref]group

Verify that key-management procedures specify how

3.6.1.b   [ref]group

Observe the method for generating keys to verify that

3.6.2   [ref]group

Secure cryptographic key

3.6.2.a   [ref]group

Verify that key-management procedures specify how

3.6.2.b   [ref]group

Observe the method for distributing keys to verify that

3.6.3   [ref]group

Secure cryptographic key storage

3.6.3.a   [ref]group

Verify that key-management procedures specify how

3.6.3.b   [ref]group

Observe the method for storing keys to verify that

3.6.4   [ref]group

Cryptographic key changes for

3.6.4.a   [ref]group

Verify that key-management procedures include a

3.6.4.b   [ref]group

Interview personnel to verify that keys are changed at

3.6.5   [ref]group

Retirement or replacement (for

3.6.5.a   [ref]group

Verify that key-management procedures specify

3.6.5.b   [ref]group

Interview personnel to verify the following processes

3.6.6   [ref]group

If manual clear-text cryptographic

3.6.6.a   [ref]group

Verify that manual clear-text key-management

3.6.7   [ref]group

Prevention of unauthorized

3.6.7.a   [ref]group

Verify that key-management procedures specify

3.6.7.b   [ref]group

Interview personnel and/or observe processes to

3.6.8   [ref]group

Requirement for cryptographic

3.6.8.a   [ref]group

Verify that key-management procedures specify

3.6.8.b   [ref]group

Observe documentation or other evidence showing

3.6.b   [ref]group

Examine the key-management procedures and processes

3.7   [ref]group

Ensure that security policies and

4.   [ref]group

Encrypt transmission of cardholder data across open, public networks

4.1   [ref]group

Use strong cryptography and security

4.1.1   [ref]group

Ensure wireless networks transmitting

4.1.a   [ref]group

Identify all locations where cardholder data is

4.1.b   [ref]group

Review documented policies and procedures to verify

4.1.c   [ref]group

Select and observe a sample of inbound and outbound

4.1.d   [ref]group

Examine keys and certificates to verify that only

4.1.e   [ref]group

Examine system configurations to verify that the

4.1.f   [ref]group

Examine system configurations to verify that the proper

4.1.g   [ref]group

For TLS implementations, examine system

4.2   [ref]group

Never send unprotected PANs by end-

4.2.a   [ref]group

If end-user messaging technologies are used to send

4.2.b   [ref]group

Review written policies to verify the existence of a

4.3   [ref]group

Ensure that security policies and

5.   [ref]group

Protect all systems against malware and regularly update anti-virus

5.1   [ref]group

Deploy anti-virus software on all

5.1.1   [ref]group

Ensure that anti-virus programs

5.1.2   [ref]group

For systems considered to be not

5.2   [ref]group

Ensure that all anti-virus mechanisms

5.2.a   [ref]group

Examine policies and procedures to verify that anti-virus

5.2.b   [ref]group

Examine anti-virus configurations, including the master

5.2.c   [ref]group

Examine a sample of system components, including all

5.2.d   [ref]group

Examine anti-virus configurations, including the master

5.3   [ref]group

Ensure that anti-virus mechanisms

5.3.a   [ref]group

Examine anti-virus configurations, including the master

5.3.b   [ref]group

Examine anti-virus configurations, including the master

5.3.c   [ref]group

Interview responsible personnel and observe processes to

5.4   [ref]group

Ensure that security policies and

6.   [ref]group

Develop and maintain secure systems and applications

6.1   [ref]group

Establish a process to identify security

6.1.a   [ref]group

Examine policies and procedures to verify that

6.1.b   [ref]group

Interview responsible personnel and observe

6.2   [ref]group

Ensure that all system components and

6.2.a   [ref]group

Examine policies and procedures related to security-

6.2.b   [ref]group

For a sample of system components and related

6.3   [ref]group

Develop internal and external software

6.3.1   [ref]group

Remove development, test and/or

6.3.2   [ref]group

Review custom code prior to release

6.3.2.a   [ref]group

Examine written software-development procedures

6.3.2.b   [ref]group

Select a sample of recent custom application

6.3.a   [ref]group

Examine written software-development processes to

6.3.b   [ref]group

Examine written software-development processes to

6.3.c   [ref]group

Examine written software-development processes to

6.3.d   [ref]group

Interview software developers to verify that written

6.4   [ref]group

Follow change control processes and

6.4.1   [ref]group

Separate development/test

6.4.1.a   [ref]group

Examine network documentation and network

6.4.1.b   [ref]group

Examine access controls settings to verify that

6.4.2   [ref]group

Separation of duties between

6.4.3   [ref]group

Production data (live PANs) are not

6.4.3.a   [ref]group

Observe testing processes and interview

6.4.3.b   [ref]group

Examine a sample of test data to verify production

6.4.4   [ref]group

Removal of test data and accounts

6.4.4.a   [ref]group

Observe testing processes and interview

6.4.4.b   [ref]group

Examine a sample of data and accounts from

6.4.5   [ref]group

Change control procedures for the

6.4.5.a   [ref]group

Examine documented change control procedures

6.4.5.b   [ref]group

For a sample of system components, interview

6.5   [ref]group

Address common coding vulnerabilities in

6.5.1   [ref]group

Injection flaws, particularly SQL

6.5.10   [ref]group

Broken authentication and session

6.5.2   [ref]group

Buffer overflows

6.5.3   [ref]group

Insecure cryptographic storage

6.5.4   [ref]group

Insecure communications

6.5.5   [ref]group

Improper error handling

6.5.6   [ref]group

Examine software-development policies and

6.5.7   [ref]group

Cross-site scripting (XSS)

6.5.8   [ref]group

Improper access control (such as

6.5.9   [ref]group

Cross-site request forgery (CSRF)

6.5.a   [ref]group

Examine software-development policies and

6.5.b   [ref]group

Interview a sample of developers to verify that they are

6.5.c   [ref]group

Examine records of training to verify that software

6.6   [ref]group

For public-facing web applications,

6.7   [ref]group

Ensure that security policies and

7.   [ref]group

Restrict access to cardholder data by business need to know

7.1   [ref]group

Limit access to system

7.1.1   [ref]group

Define access needs for

7.1.2   [ref]group

Restrict access to privileged

7.1.2.a   [ref]group

Interview personnel responsible for assigning access to

7.1.2.b   [ref]group

Select a sample of user IDs with privileged access and

7.1.3   [ref]group

Assign access based on

7.1.4   [ref]group

Require documented

7.2   [ref]group

Establish an access control

7.2.1   [ref]group

Coverage of all system

7.2.2   [ref]group

Assignment of privileges to

7.2.3   [ref]group

7.3   [ref]group

Ensure that security policies and

8.   [ref]group

Identify and authenticate access to system components

8.1   [ref]group

Define and implement policies and

8.1.1   [ref]group

Assign all users a unique ID

8.1.2   [ref]group

Control addition, deletion, and

8.1.3   [ref]group

Immediately revoke access for

8.1.3.a   [ref]group

Select a sample of users terminated in the past six

8.1.3.b   [ref]group

Verify all physical authentication methods

8.1.4   [ref]group

Remove/disable inactive user

8.1.5   [ref]group

Manage IDs used by vendors to

8.1.5.a   [ref]group

Interview personnel and observe processes for

8.1.5.b   [ref]group

Interview personnel and observe processes to verify

8.1.6   [ref]group

Limit repeated access attempts

8.1.6.a   [ref]group

For a sample of system components, inspect system

8.1.6.b   [ref]group

8.1.7   [ref]group

Set the lockout duration to a

8.1.8   [ref]group

If a session has been idle for

8.1.a   [ref]group

Review procedures and confirm they define processes for

8.1.b   [ref]group

Verify that procedures are implemented for user

8.2   [ref]group

In addition to assigning a unique ID,

8.2.1   [ref]group

Using strong cryptography,

8.2.1.a   [ref]group

Examine vendor documentation and system

8.2.1.b   [ref]group

For a sample of system components, examine

8.2.1.c   [ref]group

For a sample of system components, examine data

8.2.1.d   [ref]group

8.2.2   [ref]group

Verify user identity before

8.2.3   [ref]group

Passwords/phrases must meet

8.2.3.a   [ref]group

For a sample of system components, inspect system

8.2.3.b   [ref]group

8.2.4   [ref]group

Change user

8.2.4.a   [ref]group

For a sample of system components, inspect system

8.2.4.b   [ref]group

8.2.5   [ref]group

Do not allow an individual to

8.2.5.a   [ref]group

For a sample of system components, obtain and

8.2.5.b   [ref]group

8.2.6   [ref]group

Set passwords/phrases for first-

8.3   [ref]group

Incorporate two-factor authentication

8.3.a   [ref]group

Examine system configurations for remote access servers

8.3.b   [ref]group

Observe a sample of personnel (for example, users and

8.4   [ref]group

Document and communicate

8.4.a   [ref]group

Examine

8.4.b   [ref]group

Review authentication policies and procedures that are

8.4.c   [ref]group

Interview a sample of users to verify that they are familiar

8.5   [ref]group

Do not use group, shared, or generic

8.5.1   [ref]group

8.5.a   [ref]group

For a sample of system components, examine user ID lists

8.5.b   [ref]group

Examine authentication policies and procedures to verify

8.5.c   [ref]group

Interview system administrators to verify that group and

8.6   [ref]group

Where other authentication

8.6.a   [ref]group

Examine authentication policies and procedures to verify

8.6.b   [ref]group

Interview security personnel to verify authentication

8.6.c   [ref]group

Examine system configuration settings and/or physical

8.7   [ref]group

All access to any database

8.7.a   [ref]group

Review database and application configuration settings

8.7.b   [ref]group

Examine database and application configuration settings to

8.7.c   [ref]group

Examine database access control settings and database

8.7.d   [ref]group

Examine database access control settings, database

8.8   [ref]group

Ensure that security policies and

10.   [ref]group

Track and monitor all access to network resources and cardholder data

10.1   [ref]group

Implement audit trails to link all

10.2   [ref]group

Implement automated audit trails for

10.2.1   [ref]group

All individual user accesses to

10.2.2   [ref]group

All actions taken by any

10.2.3   [ref]group

Access to all audit trails

10.2.4   [ref]group

Invalid logical access attempts

10.2.5   [ref]group

Use of and changes to

10.2.5.a   [ref]group

Verify use of identification and authentication

10.2.5.b   [ref]group

Verify all elevation of privileges is logged.

10.2.5.c   [ref]group

Verify all changes, additions, or deletions to any account

10.2.6   [ref]group

Initialization, stopping, or

10.2.7   [ref]group

Creation and deletion of system-

10.3   [ref]group

Record at least the following audit

10.3.1   [ref]group

User identification

10.3.2   [ref]group

Type of event

10.3.3   [ref]group

Date and time

10.3.4   [ref]group

Success or failure indication

10.3.5   [ref]group

Origination of event

10.3.6   [ref]group

Identity or name of affected

10.4   [ref]group

Using time-synchronization

10.4.1   [ref]group

Critical systems have the

10.4.1.a   [ref]group

Examine the process for acquiring, distributing and

10.4.1.b   [ref]group

Observe the time-related system-parameter settings for

10.4.2   [ref]group

Time data is protected.

10.4.2.a   [ref]group

Examine system configurations and time-

10.4.2.b   [ref]group

Examine system configurations, time synchronization

10.4.3   [ref]group

Time settings are received from

10.5   [ref]group

Secure audit trails so they cannot

10.5.1   [ref]group

Limit viewing of audit trails to

10.5.2   [ref]group

Protect audit trail files from

10.5.3   [ref]group

Promptly back up audit trail files

10.5.4   [ref]group

Write logs for external-facing

10.5.5   [ref]group

Use file-integrity monitoring or

10.6   [ref]group

Review logs and security events for

10.6.1   [ref]group

Review the following at least

10.6.1.a   [ref]group

Examine security policies and procedures to verify that

10.6.1.b   [ref]group

Observe processes and interview personnel to verify

10.6.2   [ref]group

Review logs of all other system

10.6.2.a   [ref]group

Examine security policies and procedures to verify that

10.6.2.b   [ref]group

10.6.3   [ref]group

Follow up exceptions and

10.6.3.a   [ref]group

Examine security policies and procedures to verify that

10.6.3.b   [ref]group

Observe processes and interview personnel to verify

10.7   [ref]group

Retain audit trail history for at least

10.7.a   [ref]group

Examine security policies and procedures to verify that they

10.7.b   [ref]group

Interview personnel and examine audit logs to verify that

10.7.c   [ref]group

Interview personnel and observe processes to verify that at

10.8   [ref]group

Ensure that security policies and

11.   [ref]group

Regularly test security systems and processes

11.1   [ref]group

Implement processes to test for the

11.1.1   [ref]group

Maintain an inventory of

11.1.2   [ref]group

Implement incident response

11.1.2.a   [ref]group

11.1.2.b   [ref]group

Interview responsible personnel and/or inspect

11.1.a   [ref]group

Examine policies and procedures to verify processes

11.1.b   [ref]group

Verify that the methodology is adequate to detect and

11.1.c   [ref]group

If wireless scanning is utilized, examine output from

11.1.d   [ref]group

If automated monitoring is utilized (for example,

11.2   [ref]group

Run internal and external network

11.2.1   [ref]group

Perform quarterly internal

11.2.1.a   [ref]group

Review the scan reports and verify that four

11.2.1.b   [ref]group

Review the scan reports and verify that the scan

11.2.2   [ref]group

Perform quarterly external

11.2.2.c   [ref]group

Review the scan reports to verify that the scans

11.2.3   [ref]group

Perform internal and external

11.2.3.a   [ref]group

Inspect and correlate change control

11.2.3.b   [ref]group

Review scan reports and verify that the scan

11.2.3.c   [ref]group

Validate that the scan was performed by a qualified

11.3   [ref]group

Implement a methodology for

11.3.1   [ref]group

Perform

11.3.1.a   [ref]group

Examine the scope of work and results from the

11.3.1.b   [ref]group

Verify that the test was performed by a qualified

11.3.2   [ref]group

Perform

11.3.2.a   [ref]group

Examine the scope of work and results from the

11.3.2.b   [ref]group

Verify that the test was performed by a qualified

11.3.3   [ref]group

Exploitable vulnerabilities found

11.3.4   [ref]group

If segmentation is used to isolate

11.3.4.a   [ref]group

Examine segmentation controls and review

11.3.4.b   [ref]group

Examine the results from the most recent

11.4   [ref]group

Use intrusion-detection and/or

11.4.a   [ref]group

Examine system configurations and network diagrams

11.4.b   [ref]group

Examine system configurations and interview

11.4.c   [ref]group

Examine IDS/IPS configurations and vendor

11.5   [ref]group

Deploy a change-detection

11.5.1   [ref]group

Implement a process to respond to

11.5.a   [ref]group

Verify the use of a change-detection mechanism within

11.5.b   [ref]group

Verify the mechanism is configured to alert personnel

11.6   [ref]group

Ensure that security policies and

Values   [ref]group

Group of values used in PCI-DSS profile

Non PCI-DSS   [ref]group

Rules that are not part of PCI-DSS

Red Hat and CentOS Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.