Policy Definition for PCI templates


Policy Definitions for all PCI templates available in BMC Server Automation are listed below:

Info

For a list of the PCI properties included in the server built-in, custom, and local property classes, see:

Microsoft Windows Server 2012 (PCIv3)


Rule Category

The following table categorizes the template's rules by implementation: native (built-in part types such as Registry Value and Security Setting) versus Extended Object (EO) based.

Rule Category      % of rules
Native based       60%
EO based           40%

Rule Details

To find details about all rules included in the template, see HTML Definitions for Microsoft Windows Server 2012.

Asset/Part Used

The parts used by the template are listed below, grouped by part type.

Part type: Extended Object

Deny logon as a batch job (SeDenyBatchLogonRight)

Deny log on as a service

Deny log on locally (SeDenyInteractiveLogonRight)

Deny log on through Remote Desktop Services

Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)

Modify an object label (SeRelabelPrivilege)

MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds

MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)

Named Pipes that can be accessed anonymously

Network access: Remotely accessible registry paths

Network access: Remotely accessible registry paths and sub-paths

Network access: Shares that can be accessed anonymously

System settings: Optional subsystems

User Rights Policy-SeAssignPrimaryTokenPrivilege

User Rights Policy-SeAuditPrivilege

User Rights Policy-SeBackupPrivilege

User Rights Policy-SeBatchLogonRight

User Rights Policy-SeChangeNotifyPrivilege

User Rights Policy-SeCreateGlobalPrivilege

User Rights Policy-SeCreatePagefilePrivilege

User Rights Policy-SeCreatePermanentPrivilege

User Rights Policy-SeCreateSymbolicLinkPrivilege

User Rights Policy-SeCreateTokenPrivilege

User Rights Policy-SeDebugPrivilege

User Rights Policy-SeImpersonatePrivilege

User Rights Policy-SeIncreaseBasePriorityPrivilege

User Rights Policy-SeIncreaseQuotaPrivilege

User Rights Policy-SeIncreaseWorkingSetPrivilege

User Rights Policy-SeLoadDriverPrivilege

User Rights Policy-SeLockMemoryPrivilege

User Rights Policy-SeMachineAccountPrivilege

User Rights Policy-SeManageVolumePrivilege

User Rights Policy-SeNetworkLogonRight

User Rights Policy-SeProfileSingleProcessPrivilege

User Rights Policy-SeRemoteInteractiveLogonRight

User Rights Policy-SeRemoteShutdownPrivilege

User Rights Policy-SeRestorePrivilege

User Rights Policy-SeSecurityPrivilege

User Rights Policy-SeShutdownPrivilege

User Rights Policy-SeSynchAgentPrivilege

User Rights Policy-SeSystemEnvironmentPrivilege

User Rights Policy-SeSystemProfilePrivilege

User Rights Policy-SeSystemTimePrivilege

User Rights Policy-SeTakeOwnershipPrivilege

User Rights Policy-SeTcbPrivilege

User Rights Policy-SeUndockPrivilege

Part type: Registry Value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Part type: Security Setting

\Network access: Allow anonymous SID/Name translation

Security Settings\Account Policies\Account Lockout Policy\Account lockout duration

Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold

Security Settings\Account Policies\Password Policy\Enforce password history

Security Settings\Account Policies\Password Policy\Maximum password age

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Account Logon\Audit Credential Validation

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Account Management\Audit Computer Account Management

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Account Management\Audit Other Account Management Events

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Account Management\Audit Security Group Management

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Account Management\Audit User Account Management

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\DS Access\Audit directory service access

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\DS Access\Audit Directory Service Changes

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Logon/Logoff\Audit Logoff

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Logon/Logoff\Audit Logon

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Logon/Logoff\Audit Special Logon

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Object Access\Audit Detailed File Share

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Object Access\Audit File Share

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Object Access\Audit File System

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Policy Change\Audit Audit Policy Change

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Policy Change\Audit Authentication Policy Change

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Privilege Use\Audit Sensitive Privilege Use

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit IPsec Driver

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit Security State Change

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit Security System Extension

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit System Integrity

Security Settings\Local Policies\Security Options

Security Settings\Local Policies\Security Options

Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only

Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media

Security Settings\Local Policies\Security Options\Devices: Allow undock without having to log on

Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers

Security Settings\Local Policies\Security Options\Devices: Restrict CD-ROM access to locally logged-on user only

Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasks

Security Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirements

Security Settings\Local Policies\Security Options\Domain controller: Refuse machine account password changes

Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)

Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)

Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)

Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes

Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age

Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key

Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name

Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL

Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit

Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration

Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation

Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior

Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)

Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)

Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers

Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session

Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)

Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)

Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire

Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation

Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts

Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares

Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users

Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares

Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts

Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback

Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM

Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change

Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level

Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements

Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon

Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders

Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on

Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer

Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

Part type: Security Settings Category

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object

Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Account Logon
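The list above says which settings the Windows Server 2012 template inspects, but not how to confirm the same state on a host independently of BMC Server Automation. The following PowerShell script is an added example, not code from the BMC documentation or from the template itself: it exports the effective local security policy with secedit, parses the INF file that produces, and checks a few of the parts listed above (SeTcbPrivilege, SeCreateTokenPrivilege and SeDebugPrivilege under User Rights Policy, the Account Policies entries, Network security: LAN Manager authentication level, and the AlwaysInstallElevated registry value). The expected values it compares against are illustrative hardening assumptions made for this example, not values taken from the template.

```powershell
# Added example, not part of the BMC documentation or the PCI template.
# Verifies a handful of the settings the template inspects using built-in
# Windows tooling only. All thresholds below are assumptions for illustration.

$ErrorActionPreference = 'Stop'

# 1. Export the effective local security policy. The export contains user
#    rights ([Privilege Rights]), account policy ([System Access]) and the
#    registry-backed Security Options ([Registry Values]).
$inf = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $inf /quiet | Out-Null

# 2. Parse the INF into a flat "section/key" -> value table.
#    secedit writes UTF-16LE, so read it as Unicode.
$policy  = @{}
$section = ''
foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
        $policy["$section/$($Matches[1])"] = $Matches[2]
    }
}

# User rights are exported as comma-separated SIDs, each prefixed with '*'.
function Get-UserRight([string]$Name) {
    $raw = $policy["Privilege Rights/$Name"]
    if (-not $raw) { return @() }
    $raw -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

$findings = New-Object System.Collections.Generic.List[string]

# 3. Rights that should be assigned to nobody (assumption), plus SeDebugPrivilege,
#    which is assumed to be acceptable only for Administrators (S-1-5-32-544).
foreach ($right in 'SeTcbPrivilege', 'SeCreateTokenPrivilege') {
    $holders = Get-UserRight $right
    if ($holders.Count -gt 0) { $findings.Add("$right granted to: $($holders -join ', ')") }
}
$debug = Get-UserRight 'SeDebugPrivilege' | Where-Object { $_ -ne 'S-1-5-32-544' }
if ($debug) { $findings.Add("SeDebugPrivilege granted beyond Administrators: $($debug -join ', ')") }

# 4. Account policy (Security Settings\Account Policies\...). Ranges are assumptions.
$checks = @(
    @{ Key = 'System Access/LockoutBadCount';     Test = { param($v) [int]$v -gt 0 -and [int]$v -le 6 } },
    @{ Key = 'System Access/LockoutDuration';     Test = { param($v) [int]$v -ge 30 -or [int]$v -eq -1 } },
    @{ Key = 'System Access/PasswordHistorySize'; Test = { param($v) [int]$v -ge 4 } },
    @{ Key = 'System Access/MaximumPasswordAge';  Test = { param($v) [int]$v -gt 0 -and [int]$v -le 90 } }
)
foreach ($c in $checks) {
    $v = $policy[$c.Key]
    if ($null -eq $v -or -not (& $c.Test $v)) { $findings.Add("$($c.Key) = '$v' (outside assumed range)") }
}

# 5. Security Options backed by registry values appear in [Registry Values] as
#    "MACHINE\<path>=<type>,<data>" where type 4 is REG_DWORD.
$lm = $policy['Registry Values/MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel']
if (-not $lm -or [int]($lm -split ',')[1] -lt 5) {
    $findings.Add("LAN Manager authentication level = '$lm' (assumed 4,5 = NTLMv2 only, refuse LM and NTLM)")
}

# 6. Policy-only registry values are not in the secedit export; read them directly.
#    AlwaysInstallElevated=1 lets any user install MSI packages as SYSTEM.
$aie = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' `
        -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
if ($aie -and $aie.AlwaysInstallElevated -eq 1) { $findings.Add('AlwaysInstallElevated is enabled') }

Remove-Item $inf -ErrorAction SilentlyContinue

if ($findings.Count -eq 0) { 'All checked settings match the assumed hardening values.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated PowerShell session, since secedit /export requires administrative rights. The export lists user rights holders as SIDs rather than names, so the script compares against the well-known Administrators SID instead of a localized group name; a domain-joined host will usually show additional domain SIDs, which is exactly what a reviewer wants to see.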

Microsoft Windows Server 2008 (PCIv2)


Rule Category

The following table categorizes the template's rules by implementation: native (built-in part types such as Registry Key, Registry Value and Security Setting) versus Extended Object (EO) based.

Rule Category      % of rules
Native based       60%
EO based           40%

Asset/Part Used

The parts used by the template are listed below, grouped by part type.

Part type: Extended Object

2.2.3.44 Network access: Named Pipes that can be accessed anonymously

2.2.3.45 Network access: Remotely accessible registry paths

2.2.3.50 Network security: LAN Manager authentication level

2.2.3.56 Interactive logon: Message text for users attempting to log on

2.2.3.57 Interactive logon: Message title for users attempting to log on

2.2.3.63 Configure system security parameters to prevent misuse: Enable the computer to stop generating 8.3 style filenames

2.2.3.64 Configure system security parameters to prevent misuse: Allow the computer to ignore NetBIOS name release requests except from WINS servers

2.2.3.74 Network access: Remotely accessible registry paths and sub-paths

2.2.3.83 Configure system security parameters to prevent misuse: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

2.2.3.84 Configure system security parameters to prevent misuse: MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds

2.2.3.85 Configure system security parameters to prevent misuse: MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)

2.2.3.86 Configure system security parameters to prevent misuse: MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted

2.2.3.87 Configure system security parameters to prevent misuse: MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)

2.2.3.88 Configure system security parameters to prevent misuse: MSS: (TCPMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted

8.5.10 Minimum password length

8.5.13 Account lockout threshold

Audit-Policy

Audit-Policy-10.2.1.11

Audit-Policy-10.2.1.12

Audit-Policy-10.2.1.14

Audit-Policy-10.2.1.15

Audit-Policy-10.2.1.17

Audit-Policy-10.2.1.18

Audit-Policy-10.2.1.19

Audit-Policy-10.2.1.20

Audit-Policy-10.2.1.21

Audit-Policy-10.2.1.22

Audit-Policy-10.2.1.23

Audit-Policy-10.2.1.3

Audit-Policy-10.2.1.5

Audit-Policy-10.2.1.6

Audit-Policy-10.2.1.7

Audit-Policy-10.2.1.8

Audit-Policy-10.2.1.9

Audit-Policy-10.2.2.2

Audit-Policy-10.2.4.2

Audit-Policy-10.2.4.3

Audit-Policy-10.4.2

Service Fax Permissions

Service iphlpsvc Permissions

Service MSFtpsvc Permissions

Service NetMan Permissions

Service RasAuto Permissions

Service RasMan Permissions

Service RpcLocator Permissions

Service SNMPTRAP Permissions

Service TapiSrv Permissions

Service TlntSvr Permissions

Service VSS Permissions

User Rights Policy-2.2.3.1

User Rights Policy-2.2.3.10

User Rights Policy-2.2.3.11

User Rights Policy-2.2.3.12

User Rights Policy-2.2.3.13

User Rights Policy-2.2.3.14

User Rights Policy-2.2.3.15

User Rights Policy-2.2.3.16

User Rights Policy-2.2.3.17

User Rights Policy-2.2.3.18

User Rights Policy-2.2.3.19

User Rights Policy-2.2.3.2

User Rights Policy-2.2.3.20

User Rights Policy-2.2.3.3

User Rights Policy-2.2.3.4

User Rights Policy-2.2.3.5

User Rights Policy-2.2.3.6

User Rights Policy-2.2.3.65

User Rights Policy-2.2.3.66

User Rights Policy-2.2.3.67

User Rights Policy-2.2.3.68

User Rights Policy-2.2.3.69

User Rights Policy-2.2.3.7

User Rights Policy-2.2.3.70

User Rights Policy-2.2.3.77

User Rights Policy-2.2.3.78

User Rights Policy-2.2.3.79

User Rights Policy-2.2.3.8

User Rights Policy-2.2.3.80

User Rights Policy-2.2.3.81

User Rights Policy-2.2.3.82

User Rights Policy-2.2.3.89

User Rights Policy-2.2.3.9

Part type: Registry Key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

Part type: Registry Value

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnableSecureCredentialPrompting

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRun

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\securitylevel

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\setcommand

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\passwordexpirywarning

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Conferencing\NoRDS

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\CEIP

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion\DisableContentFileUpdates

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching\DontSearchWindowsUpdate

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application\Retention

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security\Retention

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System\Retention

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{B087BE9D-ED37-454F-AF9C-04291E351182}\NoGPOListChanges

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUShutdownOption

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RescheduleWaitTimeEnabled

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowInboundEchoRequest

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowInboundEnchoRequest

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowInboundMaskRequest

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowInboundRouterRequest

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowInboundTimestampRequest

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowOutboundDestinationUnreachable

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowOutboundPacketTooBig

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowOutboundParameterProblem

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowOutboundSourceQuench

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowOutboundTimeExceeded

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings\AllowRedirect

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\DisableNotifications

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowInboundEchoRequest

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowInboundEnchoRequest

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowInboundMaskRequest

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowInboundRouterRequest

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowInboundTimestampRequest

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowOutboundDestinationUnreachable

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowOutboundPacketTooBig

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowOutboundParameterProblem

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowOutboundSourceQuench

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowOutboundTimeExceeded

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\AllowRedirect

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings\ParameterProblem

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\crashonauditfail

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\scenoapplylegacyauditpolicy

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\autodisconnect

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enableforcedlogoff

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enablesecuritysignature

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\restrictnullsessaccess

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\disablepasswordchange

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrity

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions

Registry Value:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges

Part type: Security Setting

\Access Credential Manager as a trusted caller

\Force shutdown from a remote system

\Network access: Allow anonymous SID/Name translation

\Synchronize directory service data

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction\Enforce user logon restrictions

Security Settings\Account Policies

Security Settings\Account Policies

Security Settings\Account Policies

Security Settings\Account Policies

Security Settings\Account Policies\Account Lockout Policy\Account lockout duration

Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold

Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after

Security Settings\Account Policies\Password Policy

Security Settings\Account Policies\Password Policy

Security Settings\Account Policies\Password Policy

Security Settings\Account Policies\Password Policy\Enforce password history

Security Settings\Account Policies\Password Policy\Maximum password age

Security Settings\Account Policies\Password Policy\Minimum password age

Security Settings\Account Policies\Password Policy\Minimum password length

Security Settings\Account Policies\Password Policy\Passwords must meet complexity requirements

Security Settings\Local Policies

Security Settings\Local Policies

Security Settings\Local Policies

Security Settings\Local Policies\Access this computer from the network

Security Settings\Local Policies\Act as part of the operating system

Security Settings\Local Policies\Add workstations to domain

Security Settings\Local Policies\Adjust memory quotas for a process

Security Settings\Local Policies\Allow log on locally

Security Settings\Local Policies\Audit Policy\Audit account logon events

Security Settings\Local Policies\Audit Policy\Audit account management

Security Settings\Local Policies\Audit Policy\Audit directory service access

Security Settings\Local Policies\Audit Policy\Audit logon events

Security Settings\Local Policies\Audit Policy\Audit object access

Security Settings\Local Policies\Audit Policy\Audit policy change

Security Settings\Local Policies\Audit Policy\Audit privilege use

Security Settings\Local Policies\Audit Policy\Audit process tracking

Security Settings\Local Policies\Audit Policy\Audit system events

Security Settings\Local Policies\Back up files and directories

Security Settings\Local Policies\Bypass traverse checking

Security Settings\Local Policies\Change the system time

Security Settings\Local Policies\Change the time zone

Security Settings\Local Policies\Create a page file

Security Settings\Local Policies\Create a token object

Security Settings\Local Policies\Create global objects

Security Settings\Local Policies\Create permanent shared objects

Security Settings\Local Policies\Create symbolic links

Security Settings\Local Policies\Debug programs

Security Settings\Local Policies\Deny access to this computer from the network

Security Settings\Local Policies\Deny log on as a batch job

Security Settings\Local Policies\Deny log on locally

Security Settings\Local Policies\Enable computer and user accounts to be trusted for delegation

Security Settings\Local Policies\Force shutdown from a remote system

Security Settings\Local Policies\Generate security audits

Security Settings\Local Policies\Impersonate a client after authentication

Security Settings\Local Policies\Increase a process working set

Security Settings\Local Policies\Increase scheduling priority

Security Settings\Local Policies\Load and unload device drivers

Security Settings\Local Policies\Lock pages in memory

Security Settings\Local Policies\Log on as a batch job

Security Settings\Local Policies\Manage auditing and security log

Security Settings\Local Policies\Modify firmware environment values

Security Settings\Local Policies\Perform volume maintenance tasks

Security Settings\Local Policies\Profile single process

Security Settings\Local Policies\Profile system performance

Security Settings\Local Policies\Remove computer from docking station

Security Settings\Local Policies\Replace a process level token

Security Settings\Local Policies\Restore files and directories

Security Settings\Local Policies\Security Options

Security Settings\Local Policies\Security Options\Accounts: Guest account status

Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only

Security Settings\Local Policies\Security Options\Accounts: Rename administrator account

Security Settings\Local Policies\Security Options\Accounts: Rename guest account

Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits

Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media

Security Settings\Local Policies\Security Options\Devices: Allow undock without having to log on

Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers

Security Settings\Local Policies\Security Options\Devices: Restrict CD-ROM access to locally logged-on user only

Security Settings\Local Policies\Security Options\Devices: Restrict floppy access to locally logged-on user only

Security Settings\Local Policies\Security Options\Devices: Unsigned driver installation behavior

Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasks

Security Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirements

Security Settings\Local Policies\Security Options\Domain controller: Refuse machine account password changes

Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)

Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)

Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)

Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes

Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age

Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key

Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name

Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL

Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on

Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on

Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration

Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation

Security Settings\Local Policies\Security Options\Interactive logon: Require smart card

Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior

Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)

Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)

Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers

Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session

Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)

Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)

Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire

Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation

Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts

Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares

Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users

Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously

Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths

Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths

Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares

Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously

Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts

Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change

Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level

Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements

Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon

Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders

Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on

Security Settings\Local Policies\Security Options\Shutdown: Clear virtual memory page file

Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer

Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Security Settings\Local Policies\Security Options\System objects: Default owner for objects created by members of the Administrators group

Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems

Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

Security Settings\Local Policies\Security Options\System settings: Optional subsystems

Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

Security Settings\Local Policies\Shut down the system

Security Settings\Local Policies\Synchronize directory service data

Security Settings\Local Policies\Take ownership of files or other objects

Guests

Windows Group

Windows Service List

Windows Service List

RHEL 6.x (PCIv3)

Rule Category

The following table categorizes the rules by percentage as Native based or EO based:

Rule Category    % of rules
Native based     60%
EO based         40%

Rule Details

To find details about all rules included in the template, see HTML Definitions for RHEL 6.x.

Asset/Part Used

Part name

Part type

echo '??EXCLUDE_DAEMONS_LIST??'|tr -s ',' '|'|tr -d ' '

Command

egrep 'password(.*)pam_unix.so(.*)remember=(.*)' /etc/pam.d/system-auth|tr '\t' ' ' | grep -v '^ *#' | egrep ' remember' | egrep -v 'remember=( |$)' | wc -l | sed 's/ //g'

egrep 'password(.*)sufficient(.*)pam_unix.so(.*)remember(.*)' /etc/pam.d/system-auth | grep -v '^ *#' | awk -F'remember=' '{print $NF}'| cut -d ' ' -f1

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text

mkdir -p ??TARGET.RSCD_DIR??/tmp/prePCI

mkdir -p ??TARGET.RSCD_DIR??/tmp/prePCI/

ps -eZ|egrep 'initrc'|egrep -vw '??VAR_EXCLUDE_DAEMONS_LIST_PARAM??'|tr ':' ' '|awk '{ print $NF }'

/apps/gdm/simple-greeter/banner_message_text

Configuration File

/etc/audit/auditd.conf

/etc/group

/etc/grub.conf

/etc/inittab

/etc/login.defs

/etc/ntp.conf

/etc/pam.d/su

/etc/pam.d/system-auth

/etc/passwd

/etc/securetty

/etc/selinux/config

/etc/shadow

/etc/ssh/sshd_config

/etc/sysconfig/init

/etc/sysctl.conf

??TARGET.RSCD_DIR??/tmp/prePCI

Directory

/etc/cron.d

/etc/cron.daily

/etc/cron.hourly

/etc/cron.monthly

/etc/cron.weekly

/etc/init

/tmp

1.1.17 Set Sticky Bit on All World-Writable Directories

Extended Object

1.4.6 Check for Unconfined Daemons

3.16.1 Configure Mail Transfer Agent for Local-Only Mode

3.16.2 Configure Mail Transfer Agent for Local-Only Mode

3.16.3 Configure Mail Transfer Agent for Local-Only Mode

3.1 Set Daemon umask

3.3 Disable Avahi Server

3.6.1.1 Configure Network Time Protocol (NTP)

3.6.1.2 Configure Network Time Protocol (NTP)

3.6.1 Configure Network Time Protocol (NTP)

3.6.2 Configure Network Time Protocol (NTP)

4.2.6.2

4.5.1 Install TCP Wrappers

5.1.1 rsyslog package

5.1.3 Configure etc rsyslog.conf

5.1.4.1 Create and Set Permissions on rsyslog Log Files

5.1.4.2 Create and Set Permissions on rsyslog Log Files(Secure group)

5.2.5 Record Events That Modify User Group Information

6.2.1

6.2.11 Use Only Approved Ciphers in Counter Mode

6.2.13.1 Limit Users SSH Access (AllowUsers)

6.2.13.2 Limit Users SSH Access (AllowGroups)

6.2.13.3 Limit Users SSH Access (DenyUsers)

6.2.13.4 Limit Users SSH Access (DenyGroups)

6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib

6.3.3.1 Set Lockout for Failed Password Attempts

6.3.3.2 Set Lockout for Failed Password Attempts

6.3.3.3 Set Lockout for Failed Password Attempts

6.3.3.4 Set Lockout for Failed Password Attempts

6.3.3.5 Set Lockout for Failed Password Attempts

6.3.3.6 Set Lockout for Failed Password Attempts

6.3.3.7 Set Lockout for Failed Password Attempts

6.3.3.8 Set Lockout for Failed Password Attempts

7.4.1 Set Default umask for Users (bashrc)

7.4.2 Set Default umask for Users (profile)

7.5 Lock Inactive User Accounts

8.1.1 Set Warning Banner for Standard Login Services

8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session

9.1.10 Find World Writable Files

9.1.11 Find Un-owned Files and Directories

9.1.13 Find SUID System Executables

9.1.14 Find SGID System Executables

9.2.10 Check for Presence of User .rhosts Files

9.2.14 Check for Duplicate UIDs

9.2.16 Check for Duplicate User Names

9.2.17 Check for Duplicate Group Names

9.2.8 Check User Dot File Permissions

9.2.9 Check Permissions on User .netrc Files

Kernel Parameters

Running Processes

Unix Services

??TARGET.RSCD_DIR??/tmp/prePCI/parameter_remediation

File

/.forward

/.netrc

/etc/at.allow

/etc/at.deny

/etc/cron.allow

/etc/cron.deny

/etc/crontab

/etc/group

/etc/grub.conf

/etc/gshadow

/etc/inittab

/etc/issue

/etc/issue.net

/etc/motd

/etc/passwd

/etc/securetty

/etc/shadow

/etc/ssh/sshd_config

bind

RPM

dhcp

dovecot

httpd

mcstrans

net-snmp

openldap-clients

openldap-servers

rsh

rsh-server

samba

setroubleshoot

squid

talk

talk-server

telnet

telnet-server

tftp

tftp-server

vsftpd

xinetd

xorg-x11-server-common

ypbind

ypserv

RHEL 5.x (PCIv2)

Rule Category

The following table categorizes the rules by percentage as Native based or EO based:

Rule Category    % of rules
Native based     60%
EO based         40%

Asset/Part Used

Part name

Part type

/etc/grub.conf

Configuration File

/etc/inittab

/etc/passwd

/etc/cron.d

Directory

/etc/cron.daily

/etc/cron.hourly

/etc/cron.monthly

/etc/cron.weekly

/tmp

/var/tmp

10.2.1.1 Configure etc syslog.conf

Extended Object

10.2.1.2 Keep All Auditing Information

10.2.1.3 Record Events That Modify User Group Information

10.2.1.4 Record Events That Modify the Systems Mandatory Access Controls

10.2.1.5 Configure etc syslog.conf

10.2.1.6 Configure etc rsyslog.conf

10.2.1.7 Install the rsyslog package

10.2.1.7 rsyslog package

10.4.1 Synchronize all critical system clocks and times

10.4.2 Synchronize all critical system clocks and times

10.5.1.1.1 Create and Set Permissions on syslog Log Files

10.5.1.1.2 Create and Set Permissions on syslog Log Files(Secure group)

10.5.1.2.1 Create and Set Permissions on rsyslog Log Files

10.5.1.2.2 Create and Set Permissions on rsyslog Log Files(Secure group)

10.5.1.3 Limit viewing of audit trails to those with a job-related need: Define permission and ownership for boot.log*

10.5.1.4 Limit viewing of audit trails to those with a job-related need: Define permission and ownership for cron*

10.5.1.5 Limit viewing of audit trails to those with a job-related need: Define permission and ownership for maillog*

10.5.1.6 Limit viewing of audit trails to those with a job-related need: Define permission and ownership for logsecure*

10.5.1.7 Limit viewing of audit trails to those with a job-related need: Define permission and ownership for spooler*

10.5.1.8 Limit viewing of audit trails to those with a job-related need: Define permission and ownership for wtmp

2.2.2.1.2 Disable Avahi Server

2.2.2.18 Set Daemon umask

2.2.2.20-IPv4 Service Only via Required Protocol

2.2.2.20-IPv6 Service Only via Required Protocol

2.2.2.20 Service Only via Required Protocol-IPv4

2.2.2.20 Service Only via Required Protocol-IPv6

2.2.2.21 Check Responses TTL Field

2.2.2.22 Prevent Other Programs from Using Avahis Port

2.2.2.23 Disable Publishing

2.2.2.24.1 Restrict Published Information

2.2.2.24 Restrict Published Information

2.2.2.26.1 Configure Network Time Protocol (NTP)

2.2.2.26.2 Configure Network Time Protocol (NTP)

2.2.2.3.2 setroubleshoot package

2.2.2.35.1 Configure Mail Transfer Agent for Local-Only Mode

2.2.2.35.2 Configure Mail Transfer Agent for Local-Only Mode

2.2.2.36 Disable DCCP

2.2.2.37 Disable SCTP

2.2.2.38 Disable RDS

2.2.2.39 Disable TIPC

2.2.2.5 Check for Unconfined Daemons

2.2.2.6 Disable Interactive Boot

2.2.3.1.1.1 Restrict at to Authorized Users

2.2.3.1.1.2 Restrict cron to Authorized Users

2.2.3.10 Do Not Allow Users to Set Environment Options

2.2.3.11 Use Only Approved Ciphers in Counter Mode

2.2.3.12 Set Idle Timeout Interval for User Login

2.2.3.13 Limit Users SSH Access (AllowUsers)

2.2.3.14 Limit Users SSH Access (AllowGroups)

2.2.3.15 Limit Users SSH Access (DenyUsers)

2.2.3.16 Limit Users SSH Access (DenyGroups)

2.2.3.17 Set SSH Banner

2.2.3.18 Verify No Legacy + Entries Exist in the etc passwd File

2.2.3.19 Verify No Legacy + Entries Exist in etc shadow Files

2.2.3.2.1 Configure ExecShield

2.2.3.2.2 Configure ExecShield

2.2.3.20 Verify No Legacy + Entries Exist in etc group Files

2.2.3.21.1 Set Warning Banner for Standard Login Services

2.2.3.21.2.1 Set Warning Banner for Standard Login Services

2.2.3.21.2.2 Set Warning Banner for Standard Login Services

2.2.3.21.2 Set Warning Banner for Standard Login Services

2.2.3.22 Set GNOME Warning Banner

2.2.3.23.1 Disable IP Forwarding

2.2.3.23.2 Disable IP Forwarding

2.2.3.24.1 Disable Send Packet Redirects

2.2.3.24.2 Disable Send Packet Redirects

2.2.3.24.3 Disable Send Packet Redirects

2.2.3.25.1 Disable Source Routed Packet Acceptance

2.2.3.25.2 Disable Source Routed Packet Acceptance

2.2.3.25.3 Disable Source Routed Packet Acceptance

2.2.3.26.1 Disable ICMP Redirect Acceptance

2.2.3.26.2 Disable ICMP Redirect Acceptance

2.2.3.26.3 Disable ICMP Redirect Acceptance

2.2.3.27.1 Disable Secure ICMP Redirect Acceptance

2.2.3.27.2 Disable Secure ICMP Redirect Acceptance

2.2.3.27.3 Disable Secure ICMP Redirect Acceptance

2.2.3.28.1 Log Suspicious Packets

2.2.3.28.2 Log Suspicious Packets

2.2.3.29.1 Enable Ignore Broadcast Requests

2.2.3.29.2 Enable Ignore Broadcast Requests

2.2.3.2 Configure ExecShield

2.2.3.30.1 Enable Bad Error Message Protection

2.2.3.30.2 Enable Bad Error Message Protection

2.2.3.31 Disable System Accounts

2.2.3.32.1 Enable TCP SYN Cookies

2.2.3.32.2 Enable TCP SYN Cookies

2.2.3.33.1 Set Default umask for Users (bashrc)

2.2.3.33.2 Set Default umask for Users (profile)

2.2.3.34 Enable SELinux in etc grub.conf

2.2.3.35 Set the SELinux State

2.2.3.36 Set the SELinux Policy

2.2.3.37 Lock Inactive User Accounts

2.2.3.37 Set Boot Loader UserGroup Owner

2.2.3.38 Configure system security parameters to prevent misuse: Set Permissions on etc grub.conf

2.2.3.3 Set SSH Protocol to 2

2.2.3.40 Require Authentication for Single-User Mode

2.2.3.45 Verify user:group Ownership on etc passwd

2.2.3.46 Verify user:group Ownership on etc shadow

2.2.3.47 Verify user:group Ownership on etc gshadow

2.2.3.48 Verify user:group Ownership on etc group

2.2.3.49 Install TCP Wrappers

2.2.3.4 Disable SSH X11 Forwarding

2.2.3.52 Restrict root Login to System Console

2.2.3.53.1 Restrict Access to the su Command

2.2.3.53.2 Restrict Access to the su Command

2.2.3.54 Set Default Group for root Account

2.2.3.56 Set usergroup owner and permission on crontab

2.2.3.57 Set usergroup owner and permission on cron.hourly

2.2.3.58 Set usergroup owner and permission on cron.daily

2.2.3.59 Set usergroup owner and permission on cron.weekly

2.2.3.5 Set SSH MaxAuthTries to 4

2.2.3.60 Set Usergroup Owner and Permission on cron.monthly

2.2.3.61 Set Usergroup Owner and Permission on cron.d

2.2.3.62 Restrict at Daemon

2.2.3.63 Check for Duplicate User Names

2.2.3.64 Check for Duplicate Group Names

2.2.3.65 Check for Presence of User .forward Files

2.2.3.66 Check for Presence of User .netrc Files

2.2.3.6 Set SSH IgnoreRhosts to Yes

2.2.3.7 Set SSH HostbasedAuthentication to No

2.2.3.8 Disable SSH Root Login

2.2.3.9 Set SSH PermitEmptyPasswords to No

2.2.4.10 Check User Dot File Permissions

2.2.4.11 Ensure root PATH Integrity

2.2.4.1 Check Permissions on User .netrc Files

2.2.4.3 Use pam_deny.so to Deny Services

2.2.4.4 Check for Presence of User .rhosts Files

2.2.4.5 Set Sticky Bit on All World-Writable Directories

2.2.4.6 Find World Writable Files

2.2.4.7 Find SUID System Executables

2.2.4.8 Find SGID System Executables

2.2.4.9 Find Un-owned Files and Directories

8.1 Check for Duplicate UIDs

8.2.2.1 Set Password Change Minimum Number of Days (Default)

8.2.2.2 Set Password Change Minimum Number of Days (Users)

8.2.3.1 Set Password Expiring Warning Days (Default)

8.2.3.2 Set Password Expiring Warning Days (Users)

8.5.10 Require a minimum password length of at least seven characters

8.5.11 Set Password Creation Requirement Parameters Using pam_cracklib

8.5.12 Limit Password Reuse

8.5.13 Set Lockout for Failed Password Attempts

8.5.14.1 Set the lockout duration to thirty minutes or until administrator enables the user ID

8.5.14.2 Set the lockout duration to thirty minutes or until administrator enables the user ID

8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal

8.5.5 Remove inactive user accounts at least every 90 days

8.5.9.1 Set Password Expiration Days (Default)

8.5.9.2 Set Password Expiration Days (Users)

DHCP Server package

DNS server package

Dovecot package

FTP server package

HTTP Proxy server package

HTTP server package

LDAP package

NIS Client package

NIS Server package

pam_ccreds package

rsh package

rsh-services package

Running Processes

Samba package

SNMP server package

talk package

talk-server package

telnet Clients package

Telnet-Server package

tftp package

tftp-server package

Unix Services

xinetd package

X windows package

/etc/anacrontab

File

/etc/at.allow

/etc/at.deny

/etc/cron.allow

/etc/cron.deny

/etc/crontab

/etc/group

/etc/grub.conf

/etc/gshadow

/etc/inittab

/etc/issue

/etc/motd

/etc/passwd

/etc/shadow

/proc/cpuinfo

IBM AIX 7.1 (PCIv3)

Rule Category

The following table categorizes the rules by percentage as Native based or EO based:

Rule Category    % of rules
Native based     60%
EO based         40%

Rule Details

To find details about all rules included in the template, see HTML Definitions for AIX 7.1.

Asset/Part Used

Part name

Part type

/

AIX Package

netsec.options.idprotocol

netsec.options.tcpwrapper.base

netsec.options.tcpwrapper.license

netsec.options.tcpwrapper.man.en_US

netsec.options.tcpwrapper.msg.en_US

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/lib/sendmail +'

Command

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/aixmibd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/autoconf6 +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/dhcpcd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/dhcprd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/dhcpsd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/dpid2 +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/gated +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/hostmibd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/mrouted +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/ndpd-host +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/ndpd-router +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/routed +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/rwhod +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/snmpd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/snmpmibd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/timed +'

cut -d: -f 3 /etc/passwd |sort -n | uniq -d

echo ??VAR_TUNABLE_PARAMETER?? | cut -d, -f2

echo ??VAR_TUNABLE_PARAMETER?? | cut -d, -f4

egrep -v '^ *#' /etc/hosts.equiv | egrep -v '^$' | wc -l

lsitab dt

lsitab lpd

lsitab piobe

lsitab qdaemon

lsitab rcnfs

lssec -f /etc/security/login.cfg -s default -a logindisable | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/login.cfg -s default -a loginreenable | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a histsize | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a loginretries | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a maxage | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a minalpha | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a mindigit | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a minlen | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a minloweralpha | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a minother | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a minspecialchar | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a minupperalpha | awk -F '=' '{print $2}' | tr -s ' '

lssrc -ls inetd|grep 'active'|wc -l|sed 's/ //g'

nfso -x nfs_use_reserved_ports

nfso -x portcheck

no -x bcastping

no -x icmpaddressmask

no -x ip6srcrouteforward

no -x ipforwarding

no -x ipsendredirects

no -x ipsrcrouterecv

no -x nonlocsrcroute

no -x rfc1323

no -x sockthresh

no -x tcp_mssdflt

no -x tcp_recvspace

no -x tcp_sendspace

no -x tcp_tcpsecure

no -x udp_pmtu_discover

ps -ef | grep 'syslogd'

pwdck -n ALL

/etc/group

Configuration File

/etc/inetd.conf

/etc/passwd

/etc/security/user

/etc/ssh/ssh_banner

/etc/ssh/sshd_config

/etc/security

Directory

/var/spool/cron/crontabs

2.2.5.1 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers: Removal of .rhosts and .netrc files

Extended Object

4.16.2 Unowned Files

Find World Writable Files

Limit Users SSH Access (AllowGroups)

Limit Users SSH Access (AllowUsers)

Limit Users SSH Access (DenyGroups)

Limit Users SSH Access (DenyUsers)

suid and sgid files and programs

Use Only Approved Ciphers in Counter Mode

/etc/group

File

/etc/hosts.equiv

/etc/inetd.conf

/etc/passwd

/etc/ssh/ssh_banner

/etc/ssh/sshd_config

/smit.log

/var/adm/cron/log

IBM AIX 6.1/5.3 (PCIv3)

Rule Category

The following table categorizes the rules by percentage as Native based or EO based:

Rule Category    % of rules
Native based     60%
EO based         40%

Rule Details

To find details about all rules included in the template, see HTML Definitions for AIX 6.1/5.3.

Asset/Part Used

Part name

Part type

/

AIX Package

netsec.options.idprotocol

netsec.options.tcpwrapper.base

netsec.options.tcpwrapper.license

netsec.options.tcpwrapper.man.en_US

netsec.options.tcpwrapper.msg.en_US

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/lib/sendmail +'

Command

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/aixmibd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/autoconf6 +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/dhcpcd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/dhcprd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/dhcpsd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/dpid2 +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/gated +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/hostmibd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/mrouted +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/ndpd-host +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/ndpd-router +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/routed +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/rwhod +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/snmpd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/snmpmibd +'

cat /etc/rc.tcpip | tr '\t' ' ' |tr -s ' ' | egrep '^ *start +/usr/sbin/timed +'

cut -d: -f 3 /etc/passwd |sort -n | uniq -d

echo ??VAR_TUNABLE_PARAMETER?? | cut -d, -f2

echo ??VAR_TUNABLE_PARAMETER?? | cut -d, -f4

egrep -v '^ *#' /etc/hosts.equiv | egrep -v '^$' | wc -l

lsitab dt

lsitab lpd

lsitab piobe

lsitab qdaemon

lsitab rcnfs

lssec -f /etc/security/login.cfg -s default -a logindisable | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/login.cfg -s default -a loginreenable | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a histsize | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a loginretries | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a maxage | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a minalpha | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a minlen | awk -F '=' '{print $2}' | tr -s ' '

lssec -f /etc/security/user -s default -a minother | awk -F '=' '{print $2}' | tr -s ' '

lssrc -ls inetd|grep 'active'|wc -l|sed 's/ //g'

nfso -x nfs_use_reserved_ports

nfso -x portcheck

no -x bcastping

no -x icmpaddressmask

no -x ip6srcrouteforward

no -x ipforwarding

no -x ipsendredirects

no -x ipsrcrouterecv

no -x nonlocsrcroute

no -x rfc1323

no -x sockthresh

no -x tcp_mssdflt

no -x tcp_recvspace

no -x tcp_sendspace

no -x tcp_tcpsecure

no -x udp_pmtu_discover

ps -ef | grep 'syslogd'

pwdck -n ALL

Part type: Configuration File

/etc/group
/etc/inetd.conf
/etc/passwd
/etc/security/user
/etc/ssh/ssh_banner
/etc/ssh/ssh_config
/etc/ssh/sshd_config

Part type: Directory

/etc/security
/var/spool/cron/crontabs

Part type: Extended Object

2.16.2
2.16.2 Unowned Files
2.2.5.1 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers: Removal of .rhosts and .netrc files
Find World Writable Files

Part type: File

/etc/group
/etc/hosts.equiv
/etc/inetd.conf
/etc/passwd
/etc/ssh/ssh_banner
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/smit.log
/var/adm/cron/log

Novell SuSE Linux® Enterprise Server 11 (PCIv3)


Rule Category

The following table gives the percentage of rules in this template that are Native based and EO (Extended Object) based:

Rule Category | % of rules
Native based | 60%
EO based | 40%

Rule Details

To find details about all rules included in the template, see HTML Definitions for SuSE 11.

Asset/Part Used

Parts grouped by Part type:

Part type: Command

Directory:??TARGET.RSCD_DIR??/tmp/prePCI
echo '??REQUIRED_SHELL_FEILD_PASSWD_FILE??'|egrep '??SHELL_FEILD_PASSWD_FILE??'|wc -l
egrep 'password(.*)pam_pwhistory.so(.*)remember=(.*)' /etc/pam.d/common-password-pc|tr '\t' ' ' | grep -v '^ *#' | egrep ' remember' | egrep -v 'remember=( |$)' | wc -l | sed 's/ //g'
grep 'ntp:ntp' ??NTP_SYSCONFIG_FILE?? | grep -v ^#
lsmod|egrep 'dccp'|wc -l|tr -d ' '
mkdir -p ??TARGET.RSCD_DIR??/tmp/prePCI
mkdir -p ??TARGET.RSCD_DIR??/tmp/prePCI/
pam-config -q --pwhistory| awk -F 'remember=' '{print $2}' | cut -d ' ' -f1
pam-config -q --umask
rm -f ??TARGET.RSCD_DIR??/tmp/prePCI/2.2.4.1.1
useradd -D|grep INACTIVE|cut -d'=' -f2

Part type: Configuration File

/boot/grub/menu.lst
/etc/audit/auditd.conf
/etc/group
/etc/inittab
/etc/login.defs
/etc/ntp.conf
/etc/pam.d/common-password-pc
/etc/pam.d/su
/etc/passwd
/etc/rsyslog.conf
/etc/securetty
/etc/shadow
/etc/ssh/sshd_config
/etc/sysconfig/boot
/etc/sysconfig/syslog
/etc/sysctl.conf

Part type: Directory

??TARGET.RSCD_DIR??/tmp/prePCI
/etc/cron.d
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
/etc/init
/etc/modprobe.d
/tmp

Part type: Extended Object

10.2.1.3 Record Events That Modify UserGroup Information
10.2.1.4 Record Events That Modify the Systems Mandatory Access Controls
10.5.1.1.1 Create and Set Permissions on rsyslog Log Files
10.5.1.1.2 Create and Set Permissions on rsyslog Log Files (Secure group)
12.1 Verify System File Permissions
2.2.2.26.1 Configure Mail Transfer Agent for Local-Only Mode
2.2.2.26.2 Configure Mail Transfer Agent for Local-Only Mode
2.2.2.26.3 Configure Mail Transfer Agent for Local-Only Mode
2.2.4.10 Use Only Approved Ciphers in Counter Mode
2.2.4.12.1 Limit Users SSH Access (AllowUsers)
2.2.4.12.2 Limit Users SSH Access (AllowGroups)
2.2.4.12.3 Limit Users SSH Access (DenyUsers)
2.2.4.12.4 Limit Users SSH Access (DenyGroups)
2.2.4.17.1 Set Warning Banner for Standard Login Services
2.2.4.48 Check for Duplicate User Names
2.2.4.49 Check for Duplicate Group Names
2.2.5.1 Check Permissions on User .netrc Files
2.2.5.2 Check for Presence of User .rhosts Files
2.2.5.3 Set Sticky Bit on All World-Writable Directories
2.2.5.4 Find World Writable Files
2.2.5.5 Find SUID System Executables
2.2.5.6 Find SGID System Executables
2.2.5.7 Check User Dot File Permissions
2.2.5.8 Find Un-owned Files and Directories
2.2.5.9 Find Un-grouped Files and Directories
8.1.1 Check for Duplicate UIDs
8.1.6.1
8.1.6.1 Limit repeated access attempts by locking out the user ID after not more than six attempts. : Set Lockout for Failed Password Attempts
8.1.6.2
8.1.6.2 Limit repeated access attempts by locking out the user ID after not more than six attempts. : Set Lockout for Failed Password Attempts
8.1.7
8.1.7.1 - Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID
8.1.7.2 - Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID
8.2.3 Set Password Creation Requirement Parameters Using pam_cracklib
8.2.4.2 Set Password Expiration Days (Users)
Kernel Parameters
Running Processes
Unix Services

Part type: File

??TARGET.RSCD_DIR??/tmp/prePCI/parameter_remediation
/.forward
/.netrc
/boot/grub/menu.lst
/etc/at.allow
/etc/at.deny
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/group
/etc/inittab
/etc/issue
/etc/issue.net
/etc/modprobe.conf
/etc/motd
/etc/passwd
/etc/securetty
/etc/shadow
/etc/ssh/sshd_config

Part type: RPM

biosdevname
openldap2
openldap2-client
rsh
rsyslog
talk
tcpd
xorg-x11
ypbind

Novell SuSE Linux® Enterprise Server 10 (PCIv3)


Rule Category

The following table gives the percentage of rules in this template that are Native based and EO (Extended Object) based:

Rule Category | % of rules
Native based | 60%
EO based | 40%

Rule Details

To find details about all rules included in the template, see HTML Definitions for SuSE 10.

Asset/Part Used

Parts grouped by Part type:

Part type: Command

Directory:??TARGET.RSCD_DIR??/tmp/prePCI
echo '??REQUIRED_SHELL_FEILD_PASSWD_FILE??'|egrep '??SHELL_FEILD_PASSWD_FILE??'|wc -l
egrep 'password(.*)pam_pwhistory.so(.*)remember=(.*)' /etc/pam.d/common-password-pc|tr '\t' ' ' | grep -v '^ *#' | egrep ' remember' | egrep -v 'remember=( |$)' | wc -l | sed 's/ //g'
grep 'ntp:ntp' ??NTP_SYSCONFIG_FILE?? | grep -v ^#
lsmod|egrep 'dccp'|wc -l|tr -d ' '
mkdir -p ??TARGET.RSCD_DIR??/tmp/prePCI
mkdir -p ??TARGET.RSCD_DIR??/tmp/prePCI/
pam-config -q --pwhistory| awk -F 'remember=' '{print $2}' | cut -d ' ' -f1
pam-config -q --umask
rm -f ??TARGET.RSCD_DIR??/tmp/prePCI/2.2.4.1.1
useradd -D|grep INACTIVE|cut -d'=' -f2

Part type: Configuration File

/boot/grub/menu.lst
/etc/audit/auditd.conf
/etc/group
/etc/inittab
/etc/login.defs
/etc/ntp.conf
/etc/pam.d/common-password-pc
/etc/pam.d/su
/etc/passwd
/etc/rsyslog.conf
/etc/securetty
/etc/shadow
/etc/ssh/sshd_config
/etc/sysconfig/boot
/etc/sysconfig/mail
/etc/sysconfig/syslog
/etc/sysctl.conf
/etc/vsftpd/vsftpd.conf
/etc/X11/gdm/gdm.conf
/etc/X11/xdm/kdmrc
/etc/X11/xdm/Xresources

Part type: Directory

??TARGET.RSCD_DIR??/tmp/prePCI
/etc/cron.d
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
/etc/init
/etc/modprobe.d
/tmp

Part type: Extended Object

10.2.1.3 Record Events That Modify UserGroup Information
10.2.1.4 Record Events That Modify the Systems Mandatory Access Controls
10.5.1.1.1 Create and Set Permissions on rsyslog Log Files
10.5.1.1.2 Create and Set Permissions on rsyslog Log Files (Secure group)
12.1 Verify System File Permissions
2.2.2.13.1 Set Default umask For Users
2.2.2.13.2 Set Default umask For Users
2.2.2.26.1 Configure Mail Transfer Agent for Local-Only Mode
2.2.2.26.2 Configure Mail Transfer Agent for Local-Only Mode
2.2.2.26.3 Configure Mail Transfer Agent for Local-Only Mode
2.2.2.39 Set Daemon umask
2.2.4.10 Use Only Approved Ciphers in Counter Mode
2.2.4.12.1 Limit Users SSH Access (AllowUsers)
2.2.4.12.2 Limit Users SSH Access (AllowGroups)
2.2.4.12.3 Limit Users SSH Access (DenyUsers)
2.2.4.12.4 Limit Users SSH Access (DenyGroups)
2.2.4.17.1 Set Warning Banner for Standard Login Services
2.2.4.48 Check for Duplicate User Names
2.2.4.49 Check for Duplicate Group Names
2.2.4.69 Activate AppArmor
2.2.4.70.1 Create Warnings For Network And Physical Access Services
2.2.5.10 Remove .rhosts Support In PAM Configuration Files
2.2.5.1 Check Permissions on User .netrc Files
2.2.5.2 Check for Presence of User .rhosts Files
2.2.5.3 Set Sticky Bit on All World-Writable Directories
2.2.5.4 Find World Writable Files
2.2.5.5 Find SUID System Executables
2.2.5.6 Find SGID System Executables
2.2.5.7 Check User Dot File Permissions
2.2.5.8 Find Un-owned Files and Directories
2.2.5.9 Find Un-grouped Files and Directories
8.1.1 Check for Duplicate UIDs
8.1.7.1 - Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID
8.1.7.2 - Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID
8.2.4.2 Set Password Expiration Days (Users)
Kernel Parameters
Running Processes
Unix Services

Part type: File

??TARGET.RSCD_DIR??/tmp/prePCI/parameter_remediation
/.forward
/.netrc
/boot/grub/menu.lst
/etc/at.allow
/etc/at.deny
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/group
/etc/inittab
/etc/issue
/etc/issue.net
/etc/modprobe.conf
/etc/motd
/etc/passwd
/etc/securetty
/etc/shadow
/etc/ssh/sshd_config

Part type: RPM

biosdevname
openldap2
openldap2-client
rsh
rsyslog
talk
tcpd
xorg-x11
ypbind

Part type: RPM List

RPMs

 
