This got me curious, so I did some digging. Per PCI-DSS section 2.2, you need to harden all system components per 'industry standards'. The following were mentioned: CIS, NIST, ISO, and SANS. To me, this means that you need to apply both the PCI and *another* profile to be compliant with the policy.
Also, section 6.5.8 could be linked to SELinux since, of course, you would want strict controls on system components. Finally, section 7.2 practically *requires* SELinux if you store any cardholder information in artifacts on the system. You could potentially waive this if your data is restricted to single data channels, but log files could be an issue.

Thanks,

Trevor

On Sat, Feb 18, 2017 at 6:45 AM, 面和毅 <[email protected]> wrote:
> Dear Shawn, Steve, Folks,
>
> At first I want to make it clear that I'm talking about
> OpenSCAP/scap-security-guide.
>
> I pulled the latest OpenSCAP/scap-security-guide by git, and did "make
> rhel7" on my RHEL7.
> Then I was checking scap-security-guide/RHEL/7/dist/content/ssg-rhel7-xccdf.xml.
>
> I found the description as below;
>
> <select idref="selinux" selected="false"/>
>
> <Profile id="standard">
> <Profile id="pci-dss">
> <Profile id="common">
> <Profile id="cjis-rhel7-server">
>
>
> <select idref="selinux_state" selected="true"/>
>
> <Profile id="C2S">
> <Profile id="rht-ccp">
> <Profile id="stig-rhel7-workstation-upstream">
> <Profile id="stig-rhel7-server-gui-upstream">
> <Profile id="stig-rhel7-server-upstream">
> <Profile id="stig-rhevh-upstream">
> <Profile id="ospp-rhel7-server">
> <Profile id="nist-cl-il-al">
> <Profile id="docker-host">
> <Profile id="nist-800-171-cui">
>
> So, selinux is not selected in the above 4 (standard, pci-dss, common,
> cjis-rhel7-server) profiles.
>
> I understand PCI-DSS requires a minimum, but I hope to enable SELinux on all
> of the profiles.
>
> Kind Regards,
>
> OMO
>
> 2017-02-18 11:10 GMT+09:00 面和毅 <[email protected]>:
> > Hi, Shawn, Steve, Folks,
> >
> > I know about it because he (Yuichi Nakamura, a famous SELinux developer)
> > is my friend, and he told me about the discussion with you.
> > (I told him that some of the openscap profiles are not checking SELinux
> > policy.)
> >
> > In my understanding the openscap tool can select many profiles from the xccdf file, but
> > some of the profiles have not selected SELinux. For example,
> > -------------------------------------------------------------------
> > <Profile id="standard">
> > --snip--
> > <select idref="selinux" selected="false"/>
> > <select idref="selinux-booleans" selected="false"/>
> > -------------------------------------------------------------------
> >
> > I was checking an old git repository, so let me check the latest git
> > repository status.
> >
> > Kind Regards,
> >
> > OMO
> >
> > 2017-02-18 10:26 GMT+09:00 Steve Grubb <[email protected]>:
> >> On Friday, February 17, 2017 5:14:59 PM EST Shawn Wells wrote:
> >>> Spent the week at RSA. Someone from a large technology company in Japan
> >>> approached and asked why SELinux wasn't enabled in the RHEL7 PCI profile.
> >>> Sure enough... it's not there:
> >>>
> >>> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/pci-dss.xml
> >>> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/profiles/pci-dss.xml
> >>>
> >>> I vaguely recall the enabled rules are direct PCI mappings (e.g. a
> >>> minimum baseline)... but I don't really remember why SELinux isn't
> >>> evaluated. Anyone else recall? Wanted to ping the mailing list prior to
> >>> making a PR to add it!
> >>
> >> PCI defines a minimum set of requirements. It does not say you can't exceed the
> >> requirements. I'd say it should include basic hardening such as noexec mount
> >> options on tmpfs, selinux enabled, and specific security related sysctls.
> >>
> >> -Steve
> >> _______________________________________________
> >> scap-security-guide mailing list -- [email protected]
> >> To unsubscribe send an email to [email protected]
> >
> >
> > --
> > Kazuki Omo: [email protected]
> > OSS & Security Evangelist
> > OSS Business Planning Dept.
> > CISSP #366942
> > Tel: +81364015149
>
> --
> Kazuki Omo: [email protected]
> OSS & Security Evangelist
> OSS Business Planning Dept.
> CISSP #366942
> Tel: +81364015149

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected]
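The question running through the thread, which profiles actually select the SELinux rule, was answered above by reading the built XCCDF by eye. A grep of `<select idref="selinux_state">` is a good first pass, but it misses two pieces of XCCDF mechanics: a `<Profile>` that `extends` another inherits the parent's selections, and a `<select>` whose `idref` names a `<Group>` applies to every `<Rule>` beneath that group. When no profile `<select>` mentions a rule at all, the rule's own `selected` attribute (default `true` per the XCCDF spec) decides. The script below is an added example, not part of this thread or of scap-security-guide's own tooling, that parses an XCCDF file and reports the effective selection of a rule id in every profile. The embedded sample benchmark is constructed: only the ids `selinux`, `selinux_state` and the profile names are taken from the thread; `selinux_policytype`, `example_gui_rule` and `example_default_on` are invented. Rule ids are passed exactly as they appear in the file you point it at.

```python
"""Report whether a rule is selected in each profile of an XCCDF benchmark.

Added example, not scap-security-guide's own tooling.  Run with no arguments to
use the constructed sample below, or:  python xccdf_sel.py ssg-rhel7-xccdf.xml selinux_state
"""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# Constructed sample shaped like the ssg-rhel7-xccdf.xml excerpt quoted in the
# thread.  Only "selinux", "selinux_state" and the profile ids come from the
# thread; the other ids are invented for this example.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="RHEL-7">
  <Profile id="pci-dss">
    <select idref="selinux" selected="false"/>
  </Profile>
  <Profile id="stig-rhel7-server-upstream">
    <select idref="selinux_state" selected="true"/>
  </Profile>
  <Profile id="stig-rhel7-server-gui-upstream" extends="stig-rhel7-server-upstream">
    <select idref="example_gui_rule" selected="true"/>
  </Profile>
  <Profile id="standard"/>
  <Group id="selinux">
    <Rule id="selinux_state" selected="false"/>
    <Rule id="selinux_policytype" selected="false"/>
  </Group>
  <Rule id="example_gui_rule" selected="false"/>
  <Rule id="example_default_on"/>
</Benchmark>
"""


class Benchmark:
    """Minimal view of an XCCDF Benchmark: its profiles, rules and groups."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        # SSG ships XCCDF 1.1 and 1.2 builds; take the namespace from the root tag.
        self.ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
        self.profiles = {p.get("id"): p for p in root.iter(self.tag("Profile"))}
        self.rules = {r.get("id"): r for r in root.iter(self.tag("Rule"))}
        # Group id -> every Rule id nested anywhere beneath that group.
        self.group_rules = {
            g.get("id"): {r.get("id") for r in g.iter(self.tag("Rule"))}
            for g in root.iter(self.tag("Group"))
        }

    def tag(self, local):
        return f"{{{self.ns}}}{local}" if self.ns else local

    def profile_selections(self, profile_id, _seen=()):
        """Effective <select> overrides for a profile: parent's first, then its own."""
        if profile_id in _seen:
            raise ValueError(f"profile extension loop at {profile_id!r}")
        profile = self.profiles[profile_id]
        selections = {}
        parent = profile.get("extends")
        if parent:
            selections.update(self.profile_selections(parent, _seen + (profile_id,)))
        for sel in profile.findall(self.tag("select")):
            idref, value = sel.get("idref"), sel.get("selected") == "true"
            # A select on a Group applies to every Rule under that Group.
            for rule_id in self.group_rules.get(idref, {idref}):
                selections[rule_id] = value
        return selections

    def is_selected(self, profile_id, rule_id):
        """True if rule_id is evaluated when scanning with profile_id."""
        if rule_id not in self.rules:
            raise KeyError(f"no Rule with id {rule_id!r}")
        selections = self.profile_selections(profile_id)
        if rule_id in selections:
            return selections[rule_id]
        # No profile override: fall back to the Rule's own selected attribute,
        # which XCCDF defaults to true.
        return self.rules[rule_id].get("selected", "true") == "true"

    def report(self, rule_id):
        """Map every profile id to the effective selection of rule_id."""
        return {pid: self.is_selected(pid, rule_id) for pid in self.profiles}


def main(argv):
    if len(argv) >= 2:
        with open(argv[1], encoding="utf-8") as fh:
            bench = Benchmark(fh.read())
        rule_ids = argv[2:] or ["selinux_state"]
    else:
        bench, rule_ids = Benchmark(SAMPLE_XCCDF), ["selinux_state"]
    for rule_id in rule_ids:
        print(f"== {rule_id} ==")
        for profile_id, on in sorted(bench.report(rule_id).items()):
            print(f"  {'selected    ' if on else 'NOT selected'}  {profile_id}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, `selinux_state` comes out NOT selected in `pci-dss` (deselected through its group) and in `standard` (no override, so the Rule's own `selected="false"` applies), and selected in both STIG profiles, the GUI one only by inheritance. Point it at the real built file to get the same table for every profile SSG ships, and note that the rule id spelling differs between the 1.1 and 1.2 builds, so use the id as it appears in the file you pass.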
