On Friday, February 17, 2017 5:14:59 PM EST Shawn Wells wrote:
> Spent the week at RSA. Someone from a large technology company in Japan
> approached and asked why SELinux wasn't enabled in the RHEL7 PCI profile.
> Sure enough... it's not there:
>
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/pci-dss.xml
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/profiles/pci-dss.xml
>
> I vaguely recall the enabled rules are direct PCI mappings (e.g. a
> minimum baseline)... but I don't really remember why SELinux isn't
> evaluated. Anyone else recall? Wanted to ping the mailing list prior to
> making a PR to add it!

PCI defines a minimum set of requirements. It does not say you can't exceed the requirements. I'd say it should include basic hardening such as noexec mount options on tmpfs, selinux enabled, and specific security related sysctls.

-Steve
