Update PCI-DSS profile for RHEL

controls/pcidss_4.yml

@@ -2834,6 +2834,7 @@ controls:
         requirement demands manual assessment.
       rules:
         - auditd_audispd_syslog_plugin_activated
+        - package_audispd-plugins_installed
         - package_audit-audispd-plugins_installed
       related_rules:
         - rsyslog_remote_loghost

linux_os/guide/services/ntp/ntpd_specify_multiple_servers/rule.yml

@@ -1,5 +1,7 @@
 documentation_complete: true
 
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15
+
 title: 'Specify Additional Remote NTP Servers'
 
 description: |-
@@ -18,6 +20,8 @@ rationale: |-
 severity: unknown
 
 identifiers:
+    cce@rhel7: CCE-86487-6
+    cce@rhel8: CCE-86488-4
     cce@sle12: CCE-91660-1
     cce@sle15: CCE-91297-2
 

linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml

@@ -1,5 +1,7 @@
 documentation_complete: true
 
+prodtype: alinux2,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15
+
 title: 'Specify a Remote NTP Server'
 
 description: |-
@@ -19,6 +21,7 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-83436-6
+    cce@rhel8: CCE-86508-9
     cce@sle12: CCE-91661-9
     cce@sle15: CCE-91298-0
 

linux_os/guide/services/ntp/service_ntp_enabled/rule.yml

@@ -1,5 +1,7 @@
 documentation_complete: true
 
+prodtype: debian10,debian11,debian12,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
+
 title: 'Enable the NTP Daemon'
 
 description: |-

linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml

@@ -1,5 +1,7 @@
 documentation_complete: true
 
+prodtype: alinux2,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
 title: 'Enable the NTP Daemon'
 
 description: |-
@@ -21,6 +23,7 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-84253-4
+    cce@rhel8: CCE-86486-8
     cce@rhel9: CCE-87863-7
     cce@sle12: CCE-91658-5
     cce@sle15: CCE-91295-6

linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml

@@ -21,6 +21,7 @@ identifiers:
 
 references:
     ospp: FMT_SMF_EXT.1
+    pcidss4: '10.3.3'
     srg: SRG-OS-000342-GPOS-00133
     stigid@rhel9: RHEL-09-653130
 

linux_os/guide/system/auditing/package_audit-audispd-plugins_installed/rule.yml

@@ -1,5 +1,7 @@
 documentation_complete: true
 
+prodtype: fedora,ol9,rhel9,sle12,sle15,ubuntu2004
+
 title: 'Ensure the default plugins for the audit dispatcher are Installed'
 
 description: 'The audit-audispd-plugins package should be installed.'

linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml

@@ -1,5 +1,7 @@
 documentation_complete: true
 
+prodtype: sle12,sle15,ubuntu2004,ubuntu2204
+
 title: 'Set configuration for IPv6 loopback traffic'
 
 description: |-

linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml

@@ -1,5 +1,7 @@
 documentation_complete: true
 
+prodtype: alinux2,sle12,sle15,ubuntu2004,ubuntu2204
+
 title: 'Set configuration for loopback traffic'
 
 description: |-

products/rhel7/profiles/pci-dss.profile

@@ -1,116 +1,27 @@
 documentation_complete: true
 
-title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7'
+metadata:
+    version: '4.0'
+    SMEs:
+        - marcusburghardt
+        - mab879
+        - vojtapolasek
+
+reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
+
+title: 'PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7'
 
 description: |-
-    Ensures PCI-DSS v3.2.1 security configuration settings are applied.
+    Payment Card Industry - Data Security Standard (PCI-DSS) is a set of
+    security standards designed to ensure the secure handling of payment card
+    data, with the goal of preventing data breaches and protecting sensitive
+    financial information.
+
+    This profile ensures Red Hat Enterprise Linux 7 is configured in alignment
+    with PCI-DSS v4.0 requirements.
 
 selections:
-    - var_password_pam_unix_remember=4
-    - var_account_disable_post_pw_expiration=90
-    - var_accounts_passwords_pam_faillock_deny=6
-    - var_accounts_passwords_pam_faillock_unlock_time=1800
-    - sshd_idle_timeout_value=15_minutes
-    - var_password_pam_minlen=7
-    - var_password_pam_minclass=2
-    - var_accounts_maximum_age_login_defs=90
-    - var_auditd_num_logs=5
-    - service_auditd_enabled
-    - grub2_audit_argument
-    - auditd_data_retention_num_logs
-    - auditd_data_retention_max_log_file
-    - auditd_data_retention_max_log_file_action
-    - auditd_data_retention_space_left_action
-    - auditd_data_retention_admin_space_left_action
-    - auditd_data_retention_action_mail_acct
-    - auditd_audispd_syslog_plugin_activated
-    - audit_rules_time_adjtimex
-    - audit_rules_time_settimeofday
-    - audit_rules_time_stime
-    - audit_rules_time_clock_settime
-    - audit_rules_time_watch_localtime
-    - audit_rules_usergroup_modification
-    - audit_rules_networkconfig_modification
-    - file_permissions_var_log_audit
-    - file_ownership_var_log_audit
-    - audit_rules_mac_modification
-    - audit_rules_dac_modification_chmod
-    - audit_rules_dac_modification_chown
-    - audit_rules_dac_modification_fchmod
-    - audit_rules_dac_modification_fchmodat
-    - audit_rules_dac_modification_fchown
-    - audit_rules_dac_modification_fchownat
-    - audit_rules_dac_modification_fremovexattr
-    - audit_rules_dac_modification_fsetxattr
-    - audit_rules_dac_modification_lchown
-    - audit_rules_dac_modification_lremovexattr
-    - audit_rules_dac_modification_lsetxattr
-    - audit_rules_dac_modification_removexattr
-    - audit_rules_dac_modification_setxattr
-    - audit_rules_login_events
-    - var_accounts_passwords_pam_faillock_dir=run
-    - audit_rules_session_events
-    - audit_rules_unsuccessful_file_modification
-    - audit_rules_privileged_commands
-    - audit_rules_media_export
-    - audit_rules_file_deletion_events
-    - audit_rules_sysadmin_actions
-    - audit_rules_kernel_module_loading
-    - audit_rules_immutable
-    - var_multiple_time_servers=rhel
-    - service_chronyd_or_ntpd_enabled
-    - chronyd_or_ntpd_specify_remote_server
-    - chronyd_or_ntpd_specify_multiple_servers
-    - rpm_verify_permissions
-    - rpm_verify_hashes
-    - install_hids
-    - rsyslog_files_permissions
-    - rsyslog_files_ownership
-    - rsyslog_files_groupownership
-    - ensure_logrotate_activated
-    - package_aide_installed
-    - disable_prelink
-    - aide_build_database
-    - aide_periodic_cron_checking
-    - account_unique_name
-    - gid_passwd_group_same
-    - accounts_password_all_shadowed
-    - no_empty_passwords
-    - display_login_attempts
-    - account_disable_post_pw_expiration
-    - accounts_passwords_pam_faillock_deny
-    - accounts_passwords_pam_faillock_unlock_time
-    - dconf_db_up_to_date
-    - dconf_gnome_screensaver_idle_delay
-    - dconf_gnome_screensaver_idle_activation_enabled
-    - dconf_gnome_screensaver_lock_enabled
-    - dconf_gnome_screensaver_mode_blank
-    - sshd_set_idle_timeout
-    - var_sshd_set_keepalive=0
-    - sshd_set_keepalive_0
-    - accounts_password_pam_minlen
-    - accounts_password_pam_dcredit
-    - accounts_password_pam_ucredit
-    - accounts_password_pam_lcredit
-    - accounts_password_pam_unix_remember
-    - accounts_maximum_age_login_defs
-    - ensure_redhat_gpgkey_installed
-    - ensure_gpgcheck_globally_activated
-    - ensure_gpgcheck_never_disabled
-    - security_patches_up_to_date
-    - smartcard_auth
-    - set_password_hashing_algorithm_systemauth
-    - set_password_hashing_algorithm_logindefs
-    - set_password_hashing_algorithm_libuserconf
-    - file_owner_etc_shadow
-    - file_groupowner_etc_shadow
-    - file_permissions_etc_shadow
-    - file_owner_etc_group
-    - file_groupowner_etc_group
-    - file_permissions_etc_group
-    - file_owner_etc_passwd
-    - file_groupowner_etc_passwd
-    - file_permissions_etc_passwd
-    - file_owner_grub2_cfg
-    - file_groupowner_grub2_cfg
-    - package_libreswan_installed
+    - pcidss_4:all
+    # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
+    # https://github.com/ComplianceAsCode/content/issues/11285
+    - '!rpm_verify_permissions'