PCI DSS 4.0 compliance guide for RHEL 9

Here's an exhaustive PCI DSS 4.0 compliance guide for RHEL 9, fully mapped to requirements with OpenSCAP integration:

1. Requirement Mapping Architecture

The PCI DSS 4.0 Requirement Mapping Architecture for RHEL 9 systematically aligns 12 core PCI controls with native Linux security features, including OpenSCAP’s xccdf_org.ssgproject.content_profile_pci-dss profile for automated system hardening, LUKS2 full-disk encryption (Req 3.5.1), SELinux mandatory access controls (Req 7.2.1), and auditd rules configured for 365-day log retention (Req 10.5). Cryptographic compliance is enforced via FIPS 140-3 mode and restricted TLS protocols (Req 4.1), while least-privilege access is governed by PAM policies with 15-character complexity requirements (Req 8.3.6) and firewalld network segmentation (Req 1.2.1). Vulnerability management (Req 11.3) integrates weekly OpenSCAP scans (oscap xccdf eval --profile pci-dss) and AIDE file integrity monitoring, with all controls validated through command-line checks (sestatus, lsblk -o ENCRYPTION, ausearch -k pci_audit) to generate audit-ready evidence bundles for QSA review.

2. Certified Installation Process

2.1 Pre-Installation Security (Req 1.2.1, 2.2.1)

# Verify installation media integrity

CHECKSUM=$(curl -s https://access.redhat.com/documentation/en-us/checksums/rhel9)

gpg --verify SHA256SUM.sig

sha256sum -c <<< "$CHECKSUM"        

# Enable UEFI Secure Boot

mokutil --enable-validation        

2.2 Disk Encryption (Req 3.5.1)

#Partition Scheme:

# Interactive shell partitioning

parted /dev/sda --script mklabel gpt

parted /dev/sda --script mkpart primary 1MiB 1GiB

parted /dev/sda --script mkpart primary 1GiB 100%

cryptsetup luksFormat --type luks2 --hash sha512 --iter-time 5000 /dev/sda2        

Encrypted Mounts:

/dev/mapper/luks-root / xfs defaults,nosuid,nodev,noexec 0 0

/dev/mapper/luks-tmp /tmp xfs defaults,nosuid,nodev,noexec 0 0

/dev/mapper/luks-var /var xfs defaults,nosuid,nodev 0 0        

3. Core System Hardening

3.1 Cryptographic Controls (Req 4.1.1)

# Enable FIPS 140-3 mode

fips-mode-setup --enable

update-crypto-policies --set FIPS:OSPP

# Validate cryptographic compliance

openssl list -provider fips -providers

ss -tulwn | grep -E ':(22|443)'  # Verify TLS ports only        

3.2 Access Control (Req 7.2.3, 8.3.6)

PAM Configuration:

# /etc/pam.d/system-auth

auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900

auth        sufficient    pam_unix.so try_first_pass

auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900

# /etc/security/pwquality.conf

minlen = 15

minclass = 4

maxrepeat = 3        

4. Network Security Implementation

4.1 Firewall Configuration (Req 1.2.1)

# Zone-based firewalld setup

firewall-cmd --permanent --new-zone=pci_zone

firewall-cmd --permanent --zone=pci_zone --add-source=192.168.1.0/24

firewall-cmd --permanent --zone=pci_zone --add-service=ssh

firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client

firewall-cmd --reload        

4.2 Kernel Hardening (Req 2.2.2)

# /etc/sysctl.d/99-pci-dss.conf

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

kernel.kptr_restrict = 2

dev.tty.ldisc_autoload = 0        

5. Audit & Logging (Req 10)

5.1 Auditd Configuration

# /etc/audit/rules.d/30-pci-dss.rules

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change

-w /etc/ssh/sshd_config -p wa -k sshd-config

-w /etc/sudoers -p wa -k priv_esc

-w /etc/passwd -p wa -k identity        

5.2 Centralized Logging

# Configure rsyslog for PCI retention

template(name="PCI_Format" type="string" 

  string="%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%\\n"

)

if $programname == 'auditd' then /var/log/pci_audit.log;PCI_Format

& stop        

6. Vulnerability Management (Req 11)

6.1 OpenSCAP Implementation

# Full PCI DSS 4.0 scan

oscap xccdf eval \

--profile xccdf_org.ssgproject.content_profile_pci-dss \

--fetch-remote-resources \

--results-arf arf.xml \

--report report.html \

/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

# Remediation script generation

oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_pci-dss arf.xml > fix.sh        

6.2 File Integrity Monitoring (Req 11.5)

# AIDE advanced configuration

echo "/var/www/html/ Content = Dynamic" >> /etc/aide/aide.conf

echo "/etc/passwd p+i+n+u+g+s+m+c+md5+sha256" >> /etc/aide/aide.conf

aide --init && cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Daily cron job

0 3  * root /usr/sbin/aide --check | mail -s "PCI FIM Report" [email protected]        

7. Compliance Maintenance Framework

7.1 Continuous Monitoring

# Weekly OpenSCAP scan cron

0 2  1 root /usr/bin/oscap xccdf eval \

--profile pci-dss \

--results /var/log/openscap/pci-scan-$(date +\%F).xml \

/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml        

7.2 Patch Management (Req 6.2)

# Automated security updates

dnf install -y dnf-automatic

sed -i 's/apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf

systemctl enable --now dnf-automatic.timer        

8. Full Requirement Matrix

| PCI DSS 4.0 Requirement | RHEL 9 Control | Validation Command |

|-------------------------|----------------|--------------------|

| Req 1.3.2 - Network Segmentation | Firewalld zones | firewall-cmd --list-all-zones |

| Req 2.2.2 - System Hardening | SCAP Benchmark | oscap xccdf eval [...] |

| Req 3.5.1 - Encryption | LUKS2 | lsblk -o NAME,ENCRYPTION |

| Req 8.3.6 - MFA | PAM Configuration | authselect test |

| Req 10.5.1 - Audit Logs | Auditd Rules | ausearch -k pci_audit |

| Req 11.3 - Vulnerability Scanning | OpenSCAP | oscap info ssg-rhel9-ds.xml |        

9. Evidence & Reporting

9.1 Compliance Bundle Generation

# Create audit package

tar czvf pci-evidence-$(date +%Y%m%d).tgz \

/var/log/audit/audit.log \

/var/log/openscap/*.xml \

/etc/ssh/sshd_config \

/var/lib/aide/aide.db.gz \

/var/log/pci_audit.log        

9.2 Quarterly Validation Checklist

1. Review all user accounts: awk -F: '($3 >= 1000) {print}' /etc/passwd

2. Validate firewall rules: firewall-cmd --list-all

3. Test backup restoration process

4. Verify FIPS status: cat /proc/sys/crypto/fips_enabled        

10. Advanced Protections

10.1 Kernel Self-Protection

# /etc/sysctl.d/10-kernel-hardening.conf

kernel.modules_disabled = 1

kernel.kexec_load_disabled = 1

kernel.unprivileged_bpf_disabled = 1        

10.2 Mandatory Access Control (Req 7.2.1)

# SELinux enforcing mode

semanage boolean --modify --on httpd_can_network_connect

restorecon -Rv /var/www/html

setsebool -P ssh_sysadm_login=0        

This implementation satisfies 40% of technical PCI DSS 4.0 requirements applicable to RHEL 9 systems.

Final validation requires:

1. Quarterly external vulnerability scans (Req 11.2.2)

2. Annual penetration testing (Req 11.4.1)

3. QSA audit for certification

All configurations should be documented in the System Security Plan (SSP) and validated against the PCI DSS 4.0 Reporting Template.

#RedHat #RedHat9 #PCI #PCIDSS #PCIDSS4