On Friday, February 17, 2017 5:14:59 PM EST Shawn Wells wrote:
Spent the week at RSA. Someone from a large technology company in Japan
approached and asked why SELinux wasn't enabled in the RHEL7 PCI profile.
Sure enough... it's not there:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/pci-dss.xml
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/profiles/pci-dss.xml
I vaguely recall the enabled rules are direct PCI mappings (e.g. a
minimum baseline)... but I don't really remember why SELinux isn't
evaluated. Anyone else recall? Wanted to ping the mailing list prior to
making a PR to add it!
PCI defines a minimum set of requirements. It does not say you can't exceed the
requirements. I'd say it should include basic hardening such as noexec mount
options on tmpfs, selinux enabled, and specific security related sysctls.
-Steve