Payment Card Industry DSS compliance for AIX and VIOS
This table contains the settings that implement the PCI DSS version 3.0 compliance standard for AIX® and VIOS.
Implements these PCI DSS standards | Implementation specification | The AIX and VIOS implementation | Location of the script that modifies the value |
---|---|---|---|
1.2 | Protect against unauthorized access to unused ports. | Configures the system to shun the hosts for 5 minutes to prevent other systems from accessing unused ports. | /etc/security/pscexpert/bin/ipsecshunhosthls. Note: You can enter additional filter rules in the /etc/security/aixpert/bin/filter.txt file. These rules are integrated by the ipsecshunhosthls.sh script when you apply the profile. The entries should be in the following format: where the possible values for action are Allow or Deny. |
1.2 | Protect the host from port scans. | Configures the system to shun vulnerable ports for 5 minutes, which prevents port scans. | /etc/security/pscexpert/bin/ipsecshunports. Note: You can enter additional filter rules in the /etc/security/aixpert/bin/filter.txt file. These rules are integrated by the ipsecshunhosthls.sh script when you apply the profile. The entries should be in the following format: where the possible values for action are Allow or Deny. |
1.3.5 | Limit traffic access to cardholder information. | Sets the TCP traffic regulation to its high setting, which enforces denial-of-service mitigation on ports. | /etc/security/pscexpert/bin/tcptr_pscexpert |
1.3.5 | Maintain a secure connection when migrating data. | Enables automated IP Security (IPSec) tunnel creation between Virtual I/O Servers during live partition migration. | /etc/security/pscexpert/bin/cfgsecmig |
1.3.5 | Limit packets from unknown sources. | Allows the packets from the Hardware Management Console. | /etc/security/pscexpert/bin/ipsecpermithostorport |
2.1 | Always change vendor-supplied defaults before installing a system on the network. This includes passwords and Simple Network Management Protocol (SNMP) community strings, and eliminating unnecessary accounts. | Sets the number of weeks that an account with an expired password remains in the system to 8 weeks by setting the maxexpired parameter to a value of 8. | /etc/security/pscexpert/bin/chusrattr |
2.1 | Always change vendor-supplied defaults before installing a system on the network. This includes passwords and Simple Network Management Protocol (SNMP) community strings, and eliminating unnecessary accounts. | Sets the maximum number of times that a character can be repeated in a password to 8 by setting the maxrepeats parameter to a value of 8. This setting indicates that a character in a password can be repeated an unlimited number of times when it conforms to the other password limitations. | /etc/security/pscexpert/bin/chusrattr |
2.1 | Change vendor-supplied defaults before installing a system on the network, which includes disabling the netstat command. | Disables the netstat command by commenting out the corresponding entry in the /etc/inetd.conf file. | /etc/security/pscexpert/bin/cominetdconf |
2.1.1 | Change vendor-supplied defaults before installing a system on the network, which includes disabling the SNMP daemon. | Stops the SNMP daemon and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon. | /etc/security/pscexpert/bin/rctcpip |
2.1.1 | Change vendor-supplied defaults before installing a system on the network, which includes disabling the SNMPMIBD daemon. | Disables the SNMPMIBD daemon by commenting out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon. | /etc/security/pscexpert/bin/rctcpip |
2.1 | Change vendor-supplied defaults before installing a system on the network, which includes disabling the AIXMIBD daemon. | Disables the AIXMIBD daemon by commenting out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon. | /etc/security/pscexpert/bin/rctcpip |
2.1.1 | Change vendor-supplied defaults before installing a system on the network, which includes disabling the HOSTMIBD daemon. | Disables the HOSTMIBD daemon by commenting out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon. | /etc/security/pscexpert/bin/rctcpip |
2.2.2 | Disable unnecessary and insecure services, which include the lpd daemon. | Stops the lpd daemon and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon. | /etc/security/pscexpert/bin/comntrows |
2.2.2 | Disable unnecessary and insecure services, which include the Common Desktop Environment (CDE). | Disables the CDE function when the low function terminal (LFT) is not configured. | /etc/security/pscexpert/bin/comntrows |
2.2.2 | Disable unnecessary and insecure services, which include the timed daemon. | Stops the timed daemon and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon. | /etc/security/pscexpert/bin/rctcpip |
2.2.2 | Disable unnecessary and insecure services, which include the rwhod daemon. | Stops the rwhod daemon and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon. | /etc/security/pscexpert/bin/rctcpip |
2.2.2 | Disable unnecessary and insecure services, which include the DPID2 daemon. | Stops the DPID2 daemon and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon. | /etc/security/pscexpert/bin/rctcpip |
2.2.2 | Change vendor-supplied defaults before installing a system on the network, which includes stopping the DHCP server. | Disables the DHCP server. | /etc/security/pscexpert/bin/rctcpip |
2.2.2 | Disable unnecessary and insecure services, which include the DHCP relay agent. | Stops and disables the DHCP relay agent and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the agent. | /etc/security/pscexpert/bin/rctcpip |
2.2.2 | Disable unnecessary and insecure services, which include the rshd daemon. | Stops and disables all instances of the rshd daemon and the shell service, and comments out the corresponding entries in the /etc/inetd.conf file that automatically start the instances. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the rlogind daemon. | Stops and disables all instances of the rlogind daemon and the rlogin service. The AIX Security Expert utility also comments out the corresponding entries in the /etc/inetd.conf file that automatically start the instances. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the rexecd daemon. | Stops and disables all instances of the rexecd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the comsat daemon. | Stops and disables all instances of the comsat daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the fingerd daemon. | Stops and disables all instances of the fingerd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the systat daemon. | Stops and disables all instances of the systat daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the tftp daemon. | Stops and disables all instances of the tftp daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the talkd daemon. | Stops and disables all instances of the talkd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the rquotad daemon. | Stops and disables all instances of the rquotad daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the rstatd daemon. | Stops and disables all instances of the rstatd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the rusersd daemon. | Stops and disables all instances of the rusersd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the rwalld daemon. | Stops and disables all instances of the rwalld daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the sprayd daemon. | Stops and disables all instances of the sprayd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the pcnfsd daemon. | Stops and disables all instances of the pcnfsd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the TCP echo service. | Stops and disables all instances of the echo(tcp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the TCP discard service. | Stops and disables all instances of the discard(tcp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the TCP chargen service. | Stops and disables all instances of the chargen(tcp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the TCP daytime service. | Stops and disables all instances of the daytime(tcp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the TCP time service. | Stops and disables all instances of the timed(tcp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the UDP echo service. | Stops and disables all instances of the echo(udp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the UDP discard service. | Stops and disables all instances of the discard(udp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the UDP chargen service. | Stops and disables all instances of the chargen(udp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the UDP daytime service. | Stops and disables all instances of the daytime(udp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the UDP time service. | Stops and disables all instances of the timed(udp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the dtspc daemon. | Stops and disables all instances of the dtspc daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inittab file that automatically starts the daemon, when the LFT is not configured and the CDE is disabled in the /etc/inittab file. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the ttdbserver service. | Stops and disables all instances of the ttdbserver service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.2 | Disable unnecessary and insecure services, which include the cmsd service. | Stops and disables all instances of the cmsd service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service. | /etc/security/pscexpert/bin/cominetdconf |
2.2.3 | Disable unnecessary and insecure services, which include the FTP service. | Stops and disables all instances of the ftpd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.3 | Disable unnecessary and insecure services, which include the telnet service. | Stops and disables all instances of the telnetd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon. | /etc/security/pscexpert/bin/cominetdconf |
2.2.3 | Enable only necessary and secure services, protocols, daemons, and so on, as required for the correct function of the system. Implement security features for any required services, protocols, or daemons that are considered to be insecure. | Disables the rlogind, rshd, rcp, and tftpd commands, which are not secure. | /etc/security/pscexpert/bin/disrmtcmds |
2.2.3 | Enable only necessary and secure services, protocols, daemons, and so on, as required for the correct function of the system. Implement security features for any required services, protocols, or daemons that are considered to be insecure. | Disables the rlogind, rshd, and tftpd daemons, which are not secure. | /etc/security/pscexpert/bin/disrmtdmns |
2.2.3 | Implement stateful inspection, or packet filtering, in which only established connections are allowed on the network. | Enables the network clean_partial_conns option by setting its value to 1. | /etc/security/pscexpert/bin/ntwkopts |
2.2.3 | Implement stateful inspection, or packet filtering, in which only established connections are allowed on the network. | Enables TCP security by setting the network tcp_tcpsecure option to a value of 7. This setting provides protection against data, reset (RST), and TCP connection request (SYN) attacks. | /etc/security/pscexpert/bin/ntwkopts |
2.2.3 | Enable only necessary and secure services, protocols, daemons, and so on, as required for the correct function of the system. Implement security features for any required services, protocols, or daemons that are considered to be insecure. | Disables the rlogind, rshd, and tftpd daemons, which are not secure. | /etc/security/pscexpert/bin/rmrhostsnetrc |
2.2.3 | Enable only necessary and secure services, protocols, daemons, and so on, as required for the correct function of the system. Implement security features for any required services, protocols, or daemons that are considered to be insecure. | Disables the rlogind, rshd, and tftpd daemons, which are not secure. | /etc/security/pscexpert/bin/rmetchostsequiv |
2.2.3 | Disable Secure Sockets Layer (SSL) v3 and Transport Layer Security (TLS) v1.0 in applications. | Disables SSLv3 and TLS v1.0 in the Courier POP3 server (Pop3d) configuration. | /etc/security/pscexpert/bin/disableSSL |
3.3.3 | Disable SSL v3 and TLS v1.0 in applications. | Disables SSLv3 and TLS v1.0 in the Courier IMAP server (imapd) configuration. | /etc/security/pscexpert/bin/disableSSL |
2.2.3 | Disable SSL v3 and TLS v1.0 in applications. | Checks the Network Time Protocol (NTP) configuration file for adoption of TLS 1.1 or later. | /etc/security/pscexpert/bin/checkNTP |
2.2.3 | Disable SSL v3 and TLS v1.0 in applications. | Checks the File Transfer Protocol daemon (FTPD) configuration file for adoption of TLS 1.1 or later. | /etc/security/pscexpert/bin/secureFTP |
2.2.3 | Disable SSL v3 and TLS v1.0 in applications. | Checks the File Transfer Protocol client (FTP) configuration file for adoption of TLS 1.1 or later. | /etc/security/pscexpert/bin/secureFTP |
2.2.3 | Disable SSL v3 and TLS v1.0 in applications. | Disables SSLv3 and TLS v1.0 in the sendmail configuration. | /etc/security/pscexpert/bin/sendmailPCIConfig |
2.2.3 | Disable SSL v3 and TLS v1.0 in applications. | Checks whether the SSL version on AIX is later than 1.0.2. | /etc/security/pscexpert/bin/sslversion |
2.2.4 | Configure system security parameters to prevent misuse. | Removes the Set User ID (SUID) commands by commenting out the corresponding entry in the /etc/inetd.conf file that automatically enables the commands. | /etc/security/pscexpert/bin/rmsuidfrmrcmds |
2.2.4 | Configure system security parameters to prevent misuse. | Enables the lowest security level for the File Permissions Manager. | /etc/security/pscexpert/bin/filepermgr |
2.2.4 | Configure system security parameters to prevent misuse. | Modifies the Network File System protocol with restricted settings that conform to the PCI security requirements. These restricted settings include disabling remote root access and anonymous UID and GID access. | /etc/security/pscexpert/bin/nfsconfig |
2.2.3 | Implement more security features for any required services, protocols, or daemons that are considered to be insecure. | Checks whether the SSH filesets are installed. Starts the SSHD daemon if it is not started and configures the SSHD daemon to start at every reboot. | /etc/security/pscexpert/bin/sshstart |
2.2.3 | Implement more security features for any required services, protocols, or daemons that are considered to be insecure. | Uses secured technologies such as Secure Shell (SSH), SSH File Transfer Protocol (S-FTP), Secure Sockets Layer (SSL), or Internet Protocol Security Virtual Private Network (IPsec VPN) to protect insecure services such as NetBIOS, file sharing, Telnet, and FTP. It also configures the SSH daemon to use only the SSHv2 protocol. | /etc/security/pscexpert/bin/ssh_config_rules |
2.2.3 | The SSH client must be configured to use only the SSHv2 protocol. | Configures the SSH client to use the SSHv2 protocol. | /etc/security/pscexpert/bin/ssh_config_rules |
2.3 | The SSH daemon must listen only on management network addresses unless it is authorized for uses other than management. | Ensures that the SSH daemon is configured to listen only on the management network addresses. | /etc/security/pscexpert/bin/ssh_config_rules |
2.3 | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers. | Ensures that the SSH daemon uses only the FIPS 140-2 ciphers. | /etc/security/pscexpert/bin/ssh_config_rules |
2.3 | The SSH daemon must be configured to use only Message Authentication Codes (MACs) that employ FIPS 140-2 approved cryptographic hash algorithms. | Ensures that the SSH daemon uses only MACs that employ the approved hash algorithms. | /etc/security/pscexpert/bin/ssh_config_rules |
2.3 | The SSH client must be configured to use only FIPS 140-2 approved ciphers. | Ensures that the SSH client uses only the FIPS 140-2 ciphers. | /etc/security/pscexpert/bin/ssh_config_rules |
2.3 | The SSH client must be configured to use only Message Authentication Codes (MACs) that employ FIPS 140-2 approved cryptographic hash algorithms. | Ensures that the SSH client uses only MACs that employ the approved hash algorithms. | /etc/security/pscexpert/bin/ssh_config_rules |
2.3 | The SSH daemon must restrict login ability to specific users or groups. | Restricts SSH login on the system to specific users and groups. | /etc/security/pscexpert/bin/ssh_config_rules |
2.3 | The SSH daemon must complete strict mode checking of home directory configuration files. | Ensures that the home directory configuration files are set to the correct modes. | /etc/security/pscexpert/bin/ssh_config_rules |
5.1.1 | Maintain antivirus software. | Maintains the system integrity by detecting, removing, and protecting against known types of malicious software. | /etc/security/pscexpert/bin/manageITsecurity |
6.5.8 | Remove the dot from the root PATH. | Removes the dots from the PATH environment variable in the following files that are located in the root home directory: | /etc/security/pscexpert/bin/rmdotfrmpathroot |
6.5.8 | Remove the dot from the non-root PATH. | Removes the dots from the PATH environment variable in the following files that are located in the user home directory: | /etc/security/pscexpert/bin/rmdotfrmpathnroot |
7 | Maintain access on an as-needed basis. | Enables role-based access control (RBAC) by creating system operator, system administrator, and information system security officer user roles with the required permissions. | /etc/security/pscexpert/bin/EnableRbac |
7.1.1 | Limit object creation permissions. | Sets the default object creation permissions to 22 by setting the umask parameter to a value of 22. | /etc/security/pscexpert/bin/chusrattr |
7.1.1 | Limit system access. | Ensures that the root ID is the only one that is listed in the cron.allow file and removes the cron.deny file from the system. | /etc/security/pscexpert/bin/limitsysacc |
8.1.1 | Assign all users a unique ID before allowing them to access system components or cardholder data. | Identifies all users with a unique user name before allowing them to access system components or cardholder data. | /etc/security/pscexpert/bin/chuserstanza |
8.1.4 | Disable a user account when it is not in use. | Disables user accounts after 90 days of inactivity. | /etc/security/pscexpert/bin/disableacctpci |
8.1.6 | Limit repeated access attempts by locking out the user ID after not more than six attempts. | Sets the number of consecutive unsuccessful login attempts that disables an account to 6 attempts for each non-root account by setting the loginretries parameter to a value of 6. | /etc/security/pscexpert/bin/chusrattr |
8.1.6 | Limit repeated access attempts by locking out the user ID after not more than six attempts. | Sets the number of consecutive unsuccessful login attempts that disables a port to 6 attempts by setting the logindisable parameter to a value of 6. | |
8.1.7 | Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. | Sets the duration of time that a port is locked after it is disabled by the logindisable attribute to 30 minutes by setting the loginreenable parameter to a value of 30. | |
8.1.1 | Limit access to the system by setting the session idle time. | Sets the idle time limit to 15 minutes. If the session is idle for longer than 15 minutes, you must reenter the password. | /etc/security/pscexpert/bin/autologoff |
8.2.1 | Enforce two-factor authentication. | Enforces two-factor authentication such as SHA-256 or SHA-512. | /etc/security/pscexpert/bin/pwdalgchk |
8.2.3 | Require a minimum password length of at least 7 characters. | Sets the minimum password length to 7 characters by setting the minlen parameter to a value of 7. | /etc/security/pscexpert/bin/chusrattr |
8.2.3 | Use passwords that contain both numeric and alphabetic characters. | Sets the minimum number of alphabetic characters that are required in a password to 1 by setting the minalpha parameter to a value of 1. This setting ensures that the password contains alphabetic characters. | /etc/security/pscexpert/bin/chusrattr |
8.2.3 | Use passwords that contain both numeric and alphabetic characters. | Sets the minimum number of non-alphabetic characters that are required in a password to 1 by setting the minother parameter to a value of 1. This setting ensures that the password contains non-alphabetic characters. | /etc/security/pscexpert/bin/chusrattr |
8.2.4 | Change user passwords at least every 90 days. | Sets the maximum number of weeks that a password is valid to 13 weeks by setting the maxage parameter to a value of 13. | /etc/security/pscexpert/bin/chusrattr |
8.2.5 | Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. | Sets the number of weeks before a password can be reused to 52 by setting the histexpire parameter to a value of 52. | /etc/security/pscexpert/bin/chusrattr |
8.2.5 | Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. | Sets the number of previous passwords that you cannot reuse to 4 by setting the histsize parameter to a value of 4. | /etc/security/pscexpert/bin/chusrattr |
8.3 | Secure access by using multi-factor authentication (MFA). | Checks that the system is configured for multi-factor authentication (MFA). If it is not, reports how to configure it. | /etc/security/pscexpert/bin/execmds |
8.5 | Remove the guest account. | Removes the guest account and its files. | /etc/security/pscexpert/bin/execmds |
10.2 | Enable auditing on the system. | Enables auditing of the binary files on the system. | /etc/security/pscexpert/bin/pciaudit |
10.4 | Synchronize all clocks by using time-synchronization technology. | Examines configuration standards and processes to verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2. | /etc/security/pscexpert/bin/rctcpip |
12.3.9 | Activate remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use. | Disables the remote root login function by setting its value to false. The system administrator can activate the remote login function as needed, and then deactivate it when the task is complete. | |
2.2.3 | Limit system access. | Adds the root user name to the /etc/ftpusers file. | /etc/security/pscexpert/bin/chetcftpusers |
6.5.2 | Prevent launching programs in content space. | Enables the stack execution disable (SED) feature. | /etc/security/pscexpert/bin/sedconfig |
8.2 | Ensure that the password for root is not weak. | Starts a root password integrity check against the root password, thereby ensuring a strong root password. | /etc/security/pscexpert/bin/chuserstanza |
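The rows that reference the chusrattr script all set attributes in the default stanza of /etc/security/user (maxexpired, maxrepeats, umask, loginretries, minlen, minalpha, minother, maxage, histexpire, histsize). The following script is an added example, not part of this IBM page or of the pscexpert scripts: it parses an AIX-style stanza file and reports every default-stanza attribute that does not match the value the PCI profile applies. The expected values are taken from the table; the stanza file it reads is constructed inline so that the example runs without touching a real system.

```shell
#!/bin/sh
# Added example, not part of the IBM page: audit the "default" stanza of an
# /etc/security/user-style file against the values the PCI DSS profile sets
# through the chusrattr script. Expected values come from the table above;
# the sample file is constructed inline, so nothing on the host is read.

# attribute=expected pairs (loginretries is the AIX name of the retry limit)
PCI_USER_EXPECTED="maxexpired=8 maxrepeats=8 umask=22 loginretries=6 minlen=7 minalpha=1 minother=1 maxage=13 histexpire=52 histsize=4"

# stanza_attr FILE STANZA ATTR -> prints ATTR's value inside STANZA, or
# nothing if the stanza does not set it (AIX stanza files: "name:" header,
# indented "attr = value" lines, "*" comment lines)
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        /^[ \t]*[*#]/ { next }
        /^[^ \t][^:]*:[ \t]*$/ {
            h = $0; sub(/[ \t]*$/, "", h)
            in_stanza = (h == (stanza ":")); next
        }
        in_stanza && index($0, "=") {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == attr) { print v; exit }
        }
    ' "$1"
}

# pci_user_check FILE -> prints "attr expected=X actual=Y" per deviation in
# the default stanza; the return status is the number of deviations (0 = clean)
pci_user_check() {
    bad=0
    for pair in $PCI_USER_EXPECTED; do
        attr=${pair%%=*}; want=${pair#*=}
        have=$(stanza_attr "$1" default "$attr")
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$attr" "$want" "${have:-unset}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# constructed sample: two attributes deviate from the profile (maxage, loginretries)
SAMPLE_USER_FILE=$(mktemp)
cat > "$SAMPLE_USER_FILE" <<'EOF'
* constructed sample of /etc/security/user, not a real system file
default:
        admin = false
        login = true
        umask = 22
        maxage = 0
        minlen = 7
        minalpha = 1
        minother = 1
        maxrepeats = 8
        maxexpired = 8
        histexpire = 52
        histsize = 4
        loginretries = 0

root:
        admin = true
        loginretries = 0
EOF

pci_user_check "$SAMPLE_USER_FILE" || echo "deviations found: $?"
```

On a real system, pass /etc/security/user instead of the sample file. The check only reads the default stanza; a per-user stanza (such as the root stanza in the sample, where loginretries stays 0 so that root cannot be locked out remotely) overrides the default for that user, so a complete audit also compares each user's own stanza with the root exception in mind.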
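Most of the 2.1 to 2.2.3 rows describe the same mechanism: cominetdconf comments out service entries in /etc/inetd.conf and rctcpip comments out "start" lines in /etc/rc.tcpip. The script below is an added example, not part of this IBM page or of the pscexpert scripts, that does the read-only half of that work: it lists which of the services and daemons named in the table are still active in a given pair of files, so the result of applying the profile can be verified. The two input files are constructed inline and labelled as such; the service and daemon names are the ones the table lists.

```shell
#!/bin/sh
# Added example, not part of the IBM page: list the PCI-listed inetd services
# and rc.tcpip daemons that are still active in a configuration, i.e. the
# entries that cominetdconf and rctcpip would comment out. Both input files
# are constructed inline; on a real host you would pass /etc/inetd.conf and
# /etc/rc.tcpip instead.

# inetd service names from the 2.1 to 2.2.3 rows of the table
PCI_INETD_SERVICES="shell login exec comsat finger systat tftp talk ntalk rquotad rstatd rusersd rwalld sprayd pcnfsd echo discard chargen daytime time ttdbserver cmsd ftp telnet dtspc"
# daemons started from rc.tcpip in the 2.1.1 to 2.2.2 rows
PCI_RCTCPIP_DAEMONS="snmpd snmpmibd aixmibd hostmibd lpd timed rwhod dpid2 dhcpsd dhcprd"

# active_inetd_services FILE -> prints "service/protocol" for every
# uncommented inetd.conf entry whose service name is on the PCI list
active_inetd_services() {
    awk -v list="$PCI_INETD_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || NF < 3 { next }
        ($1 in want) { print $1 "/" $3 }
    ' "$1"
}

# active_rctcpip_daemons FILE -> prints the basename of every daemon that an
# uncommented "start /path/daemon ..." line in rc.tcpip still launches
active_rctcpip_daemons() {
    awk -v list="$PCI_RCTCPIP_DAEMONS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ { next }
        $1 == "start" { d = $2; sub(/.*\//, "", d); if (d in want) print d }
    ' "$1"
}

# pci_service_count INETD_FILE RCTCPIP_FILE -> prints the findings and
# returns their total, so a status of 0 means nothing on the lists is enabled
pci_service_count() {
    findings=$( { active_inetd_services "$1"; active_rctcpip_daemons "$2"; } )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    n=$(printf '%s\n' "$findings" | grep -c . || true)
    return "$n"
}

SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
## constructed sample of /etc/inetd.conf (not a real system file)
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd          ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
#shell  stream  tcp6    nowait  root    /usr/sbin/rshd          rshd
#login  stream  tcp6    nowait  root    /usr/sbin/rlogind       rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd        rexecd
#comsat dgram   udp     wait    root    /usr/sbin/comsat        comsat
tftp    dgram   udp6    SRC     nowait  nobody  /usr/sbin/tftpd tftpd -n
#echo   stream  tcp     nowait  root    internal
discard dgram   udp     wait    root    internal
ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
EOF

SAMPLE_RCTCPIP=$(mktemp)
cat > "$SAMPLE_RCTCPIP" <<'EOF'
# constructed sample of /etc/rc.tcpip (not a real system file)
start /usr/sbin/syslogd "$src_running"
#start /usr/sbin/lpd "$src_running"
start /usr/sbin/snmpd "$src_running"
#start /usr/sbin/hostmibd "$src_running"
start /usr/sbin/aixmibd "$src_running"
#start /usr/sbin/snmpmibd "$src_running"
start /usr/sbin/timed "$src_running"
#start /usr/sbin/rwhod "$src_running"
start /usr/sbin/dpid2 "$src_running"
start /usr/sbin/dhcpsd "$src_running"
#start /usr/sbin/dhcprd "$src_running"
EOF

pci_service_count "$SAMPLE_INETD" "$SAMPLE_RCTCPIP" || echo "still enabled: $?"
```

Commenting out an entry only stops the service from being started at the next inetd refresh or reboot; a running instance keeps serving until it is stopped, which is why the table pairs "stops" with "comments out" for each daemon. The ssh entry in the sample is deliberately not reported, since SSH is the replacement the 2.2.3 rows require rather than a service to remove.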
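The two 6.5.8 rows (rmdotfrmpathroot and rmdotfrmpathnroot) remove the current-directory entry from PATH in the profile files of root and of ordinary users, so that a program dropped into whatever directory the administrator happens to be in cannot shadow a system command. The script below is an added example, not part of this IBM page or of the pscexpert scripts, that shows the transformation in full, including the cases a plain search for "." misses: "./", and the empty entries that a leading colon, trailing colon or doubled colon produce, which the shell also resolves to the current directory. The .profile it rewrites is constructed inline; the assumption that the assignment begins at the start of the line matches the .profile that AIX ships but is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the IBM page: the transformation that the
# rmdotfrmpathroot and rmdotfrmpathnroot rows describe, applied to a
# constructed .profile. Every PATH entry that resolves to the current
# directory is removed: ".", "./", and the empty entries that a leading,
# trailing or doubled colon produce, which the shell also treats as ".".

# strip_dots_from_path VALUE -> prints VALUE without current-directory entries
strip_dots_from_path() {
    printf '%s\n' "$1" | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "" || $i == "." || $i == "./") continue
            out = (out == "") ? $i : out ":" $i
        }
        print out
    }'
}

# fix_profile_path FILE -> prints FILE with "PATH=..." and "export PATH=..."
# assignment lines rewritten; every other line is passed through unchanged
# (assumption: the assignment starts at the beginning of the line, as in the
# .profile that AIX ships)
fix_profile_path() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            PATH=*|"export PATH="*)
                name=${line%%=*}
                value=${line#*=}
                quote=""
                case $value in           # keep double quotes if the value had them
                    \"*\") quote='"'; value=${value#\"}; value=${value%\"} ;;
                esac
                printf '%s=%s%s%s\n' "$name" "$quote" "$(strip_dots_from_path "$value")" "$quote"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# constructed sample of a root .profile with "." at the end of PATH and a
# doubled colon in a later, quoted assignment
SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
# constructed sample .profile, not taken from any system
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:.
export PATH
export PATH="$PATH::/usr/local/bin"
MANPATH=.:/usr/share/man
EOF

fix_profile_path "$SAMPLE_PROFILE"
```

The function prints the corrected file rather than editing in place, so the output can be diffed against the original before it replaces the file; MANPATH is left alone because the requirement concerns command lookup, not manual pages.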