diff --git a/pcidss/xml/art_security_pcidss.xml b/pcidss/xml/art_security_pcidss.xml
index 532a290e..194daf1b 100644
--- a/pcidss/xml/art_security_pcidss.xml
+++ b/pcidss/xml/art_security_pcidss.xml
@@ -9,1148 +9,1011 @@
   <!ENTITY productnamex "<phrase xmlns='http://docbook.org/ns/docbook' os='sles;sled;osuse'>&productname;</phrase><phrase xmlns='http://docbook.org/ns/docbook' os='article'>&sls;</phrase>">
   <!ENTITY productnumberx "<phrase xmlns='http://docbook.org/ns/docbook' os='sles;sled;osuse'>&productnumber;</phrase><phrase xmlns='http://docbook.org/ns/docbook' os='article'>code stream 15</phrase>">
 ]>
-
 <article xml:id="article-security-pcidss"
          xmlns="http://docbook.org/ns/docbook"
          version="5.0"
          xml:lang="en"
          xmlns:xi="http://www.w3.org/2001/XInclude"
          xmlns:xlink="http://www.w3.org/1999/xlink">
-
- <title>&sle_pcidss_guide;</title>
- <titleabbrev>&sle_pcidss_guide;</titleabbrev>
- <info>
-  <productname>&productnamex;</productname>
-  <productnumber>&productnumberx;</productnumber>
-  <productname role="abbrev">&productnameshort;</productname>
-  <date><?dbtimestamp format="B d, Y" ?></date>
-  <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
-   <dm:bugtracker>
-    <dm:url>https://bugzilla.suse.com/enter_bug.cgi</dm:url>
-    <dm:component>Security</dm:component>
-    <dm:product>Documentation</dm:product>
-    <dm:assignee>taroth@suse.com</dm:assignee>
-   </dm:bugtracker>
-   <dm:editurl>https://github.com/SUSE/doc-unversioned/tree/main/pcidss/xml/</dm:editurl>
-   <dm:translation>yes</dm:translation>
-  </dm:docmanager>
-
-  <abstract>
-   <para>
-    To protect customers and the business itself, companies that handle
-    credit card payments must keep data as safe and secure as possible.
-    Following the &pcidss; helps to secure all areas that are connected to
-    payment processes, and to implement security-relevant actions to keep
-    the data and the computing environment safe.
-   </para>
-  </abstract>
- </info>
-
-
- <!-- Possibly useful resources:
- Positive Research Center (describing PCI-DSS 1.0!)
- + (Part 1) http://blog.ptsecurity.com/2010/07/red-card-specificity-of-pci-dss-in.html
- + (Part 2) http://blog.ptsecurity.com/2010/07/red-card-specificity-of-pci-dss-in_19.html
- + (Part 3) http://blog.ptsecurity.com/2010/08/pci-dss-and-red-hat-enterprise-linux.html
- + (Part 4) http://blog.ptsecurity.com/2010/09/pci-dss-and-red-hat-enterprise-linux.html
- + (Part 5) http://blog.ptsecurity.com/2010/09/pci-dss-and-red-hat-enterprise-linux_03.html
- + (Part 6) http://blog.ptsecurity.com/2010/10/pci-dss-and-red-hat-enterprise-linux.html
- + (Part 7) http://blog.ptsecurity.com/2010/10/pci-dss-and-red-hat-enterprise-linux_20.html
- + (Part 8) http://blog.ptsecurity.com/2010/11/requirement-10-track-and-monitor-all.html
- + (Part 9) http://blog.ptsecurity.com/2010/11/pci-dss-and-red-hat-enterprise-linux.html
- -->
-
- <para>
-  This document aims to provide a basic understanding of how
-  &productnamex; can be configured to comply with the &pcidss;.
- </para>
- <para>
-  It is important to understand that protecting systems includes
-  more than configuration. The entire environment and people involved must
-  be taken into account.
- </para>
- <para>
-  An essential part of implementing &pcidssa; is the combination of actions:
- </para>
- <orderedlist>
-  <listitem>
-   <para>
-    Create a secure configuration.
-   </para>
-  </listitem>
-  <listitem>
-   <para>
-    Track and review all changes made to the configuration: who changed what
-    at which point in time.
-   </para>
-  </listitem>
- </orderedlist>
-
-  <important xml:id="art-pcidss-disclaimer">
-  <title>&pcidssa; Disclaimer</title>
+  <title>&sle_pcidss_guide;</title>
+  <titleabbrev>&sle_pcidss_guide;</titleabbrev>
+  <info><productname>&productnamex;</productname>
+    <productnumber>&productnumberx;</productnumber><productname role="abbrev">&productnameshort;</productname><date>
+<?dbtimestamp format="B d, Y" ?></date>
+    <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
+      <dm:bugtracker>
+        <dm:url>https://bugzilla.suse.com/enter_bug.cgi</dm:url>
+        <dm:component>Security</dm:component>
+        <dm:product>Documentation</dm:product>
+        <dm:assignee>taroth@suse.com</dm:assignee>
+      </dm:bugtracker>
+      <dm:editurl>https://github.com/SUSE/doc-unversioned/tree/main/pcidss/xml/</dm:editurl>
+      <dm:translation>yes</dm:translation>
+    </dm:docmanager>
+    <abstract>
+      <para>
+        To protect customers and the business itself, companies that handle credit card payments
+        must keep data as safe and secure as possible. Following the &pcidss; helps to secure all
+        areas that are connected to payment processes, and to implement security-relevant actions
+        to keep the data and the computing environment safe.
+      </para>
+    </abstract>
+  </info>
   <para>
-   SUSE seeks to provide our customers with quick and easy guides that can
-   assist them in maintaining security compliance. Implementation of the
-   settings contained within this guide without its prior testing in a non-operational
-   environment is highly discouraged. The developers of these
-   profiles and documentation have made reasonable efforts to ensure overall
-   compliance. They assume no responsibility for its use by other parties, and
-   make no guarantee, expressed or implied, about its quality, reliability, or
-   any other characteristic.
+    This document aims to provide a basic understanding of how &productnamex; can be configured to
+    follow the &pcidss;.
   </para>
-  </important>
-
- <sect1 xml:id="sec-pcidss-what">
-  <title>What is the &pcidssa;?</title>
   <para>
-   The &pcidss; (&pcidssa;) is a set of
-   requirements to guide a merchant to protect cardholder data. The
-   standard covers six main categories with currently 12 requirement topics
-   on how to implement, protect, maintain and monitor systems that are involved
-   in credit cardholder data processing.
+    It is important to understand that protecting systems includes more than configuration. The
+    entire environment and people involved must be taken into account.
   </para>
   <para>
-   &pcidssa; was created and is maintained by the PCI Security Standards
-   Council (SSC), which was founded by the five major credit card brands, Visa,
-   MasterCard, American Express, Discover, and JCB. In December 2004, &pcidssa;
-   1.0 was released to address the growing threat of online credit card
-   fraud. The current version, &pcidssa; version 4.0, has been available since
-   March 2022.
+    An essential part of implementing &pcidssa; is the combination of actions:
   </para>
-
   <orderedlist>
-   <title>Build and maintain a secure network and systems</title>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-1"/>
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-2"/>
-    </para>
-   </listitem>
-  </orderedlist>
-  <orderedlist continuation="continues">
-   <title>Protect cardholder data</title>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-3"/>
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-4"/>
-    </para>
-   </listitem>
-  </orderedlist>
-  <orderedlist continuation="continues">
-   <title>Maintain a vulnerability management program</title>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-5"/>
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-6"/>
-    </para>
-   </listitem>
-  </orderedlist>
-  <orderedlist continuation="continues">
-   <title>Implement strong access control measures</title>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-7"/>
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-8"/>
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-9"/>
-    </para>
-   </listitem>
-  </orderedlist>
-  <orderedlist continuation="continues">
-   <title>Regularly monitor and test networks</title>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-10"/>
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-    <xref linkend="sec-pcidss-requirement-11"/>
-    </para>
-   </listitem>
-  </orderedlist>
-  <orderedlist continuation="continues">
-   <title>Maintain an information security policy</title>
-   <listitem>
-    <para>
-     <xref linkend="sec-pcidss-requirement-12"/>
-    </para>
-   </listitem>
+    <listitem>
+      <para>
+        Create a secure configuration.
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        Track and review all changes made to the configuration: who changed what at which moment.
+      </para>
+    </listitem>
   </orderedlist>
-  <para>
-   Most requirements of &pcidssa; are organizational guidelines that
-   help ensure the security of all areas involved with cardholder data.
-   There is usually no specific wording of the technical aspects.
-  </para>
-  <para>
-   This means that it is up to auditors to decide which security settings are
-   valid for a requirement and which are not. Therefore, the recommendations
-   in this document can only provide a starting point for implementing the
-   &pcidssa; and are necessarily subject to discussion.
-  </para>
- </sect1>
- <sect1 xml:id="sec-pcidss-os-relevant">
-  <title>Focus of this document: areas relevant to the operating system</title>
-  <para>
-   The &pcidssa; covers a wide range of aspects related to cardholder data. Not all of
-   these aspects concern the operating system and this document will
-   not focus on these. Instead, this document focuses on aspects that affect
-   OS configuration, including:
-  </para>
-  <itemizedlist>
-   <listitem>
-    <para>
-     System security
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     Access control
-    </para>
-   </listitem>
-   <listitem>
+  <important xml:id="art-pcidss-disclaimer">
+    <title>&pcidssa; Disclaimer</title>
     <para>
-     System maintenance to protect against known vulnerabilities
+      SUSE seeks to provide our customers with quick and easy guides that can assist them in
+      maintaining security compliance. Implementation of the settings contained within this guide
+      without its prior testing in a non-operational environment is highly discouraged. The
+      developers of these profiles and documentation have made reasonable efforts to ensure overall
+      compliance. They assume no responsibility for its use by other parties, and make no
+      guarantee, expressed or implied, about its quality, reliability or any other characteristic.
     </para>
-   </listitem>
-  </itemizedlist>
-  <para>
-   Topics beyond the scope of this document include data processing
-   applications, database design, and formal processes outside of the OS
-   scope. In particular, requirement 9 (restrict physical access) and
-   requirement 12 (maintain a policy) are not discussed extensively in this
-   document.
-  </para>
- </sect1>
- <sect1 xml:id="sec-pcidss-requirement">
-  <title>Requirements in detail</title>
-  <para>
-   The following section provides an overview of the relevant parts of the
-   &pcidssa;, following the ordering of the standard itself.
-  </para>
+  </important>
+  <sect1 xml:id="sec-pcidss-what">
+    <title>What is the &pcidssa;?</title>
 
-   <sect2 xml:id="sec-pcidss-requirement-1">
-    <title>Requirement 1: Install and maintain a firewall configuration to protect cardholder data</title>
     <para>
-     The listed terms in this section are mostly design, documentation, and
-     formal process requirements. All changes to the firewalls and routers
-     need to be approved, documented, and verified, and all stakeholders
-     need to be involved. The network design includes a DMZ environment,
-     access to the Internet, a protected network for database servers,
-     traffic filtering rules between network segments, and other relevant
-     considerations.
-    </para>
-    <para>
-     In addition to a dedicated firewall and router, &productnamex;
-     comes with a host firewall based on iptables. The system can be
-     configured to allow only connections on certain inbound ports. With the
-     &yast; firewall module it is also possible to define more complex
-     rules, such as refusing connections from specific
-     addresses. This allows integrating the local system firewall into an
-     overall firewall design that maximizes network security.
+      The &pcidss; (&pcidssa;) is a set of requirements to guide a merchant to protect cardholder
+      data. The standard covers six main categories with currently 12 requirement topics on how to
+      implement, protect, maintain and monitor systems that are involved in credit cardholder data
+      processing.
     </para>
+
     <para>
-     In generalized terms, the technical points in requirement 1 are the
-     following:
+      &pcidssa; was created and is maintained by the PCI Security Standards Council (SSC), which
+      was founded by the five major credit card brands, Visa, MasterCard, American Express,
+      Discover and JCB. In December 2004, &pcidssa; 1.0 was released to address the growing threat
+      of online credit card fraud. The current version, &pcidssa; version 4.0, has been available
+      since March 2022.
     </para>
-    <itemizedlist>
-     <listitem>
-      <para>
-       Identify insecure services and protocols.
-      </para>
-     </listitem>
-     <listitem>
-      <para>
-       Limit traffic to and from the system so that unwanted
-       traffic is not allowed.
-      </para>
-     </listitem>
-    </itemizedlist>
 
-    <variablelist>
-     <varlistentry xml:id="vle-pcidss-insecure-service">
-      <term>1.1.6.b Identify insecure services, protocols, and ports allowed;
-      and verify that security features are documented for each service</term>
+    <orderedlist>
+      <title>Build and maintain a secure network and systems</title>
       <listitem>
-       <para>
-        This task is embedded in the requirement to identify, document, and
-        justify all services and protocols running on a system. Of special
-        interest are services and protocols that could lead to a security
-        risk. If an insecure service or protocol is used, it must
-        be evaluated to understand its potential security impact.
-        Services or protocols that are not necessary for the business to
-        function should be disabled or removed.
-       </para>
-      </listitem>
-     </varlistentry>
-     <varlistentry xml:id="vle-pcidss-firewall">
-      <term>
-       1.2.1.b Verify that inbound and outbound traffic is limited to
-       that which is necessary for the cardholder data environment.
-      </term>
-      <listitem>
-       <para>
-        Outbound traffic should only be allowed in specifically defined
-        cases. Create rules for allowed outbound traffic.
-       </para>
-       <para>
-        Make the SSH daemon only reachable on a separate administration
-        interface, and not on the general network interface if possible.
-        Define the source addresses that a service allows traffic from.
-       </para>
-       <para>
-        For example, to allow only outbound DNS requests over the
-        interface <systemitem>eth0</systemitem> to server
-        <systemitem class="ipaddress">10.0.0.1</systemitem>, use:
-       </para>
-<screen>&prompt.sudo;<command>firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 23 \</command>
-    <command>-d 10.0.0.1/32 -o eth0 -p udp -m udp --dport 53 -j ACCEPT</command>
-&prompt.sudo;<command>firewall-cmd --reload</command></screen>
-       <para>
-        To block all other outbound traffic, see <xref linkend="vle-pcidss-deny-all"/>.
-       </para>
+        <para>
+          <xref linkend="sec-pcidss-requirement-1"/>
+        </para>
       </listitem>
-     </varlistentry>
-     <varlistentry xml:id="vle-pcidss-deny-all">
-      <term>
-       1.2.1.c Verify that all other inbound and outbound traffic is
-       specifically denied.
-      </term>
       <listitem>
-       <para>
-        Deny all outbound and inbound traffic for which no exceptions
-        are defined as stated in the previous section. Forwarding is
-        usually completely disabled by a kernel parameter, and should
-        not be enabled for endpoint servers.
-       </para>
-       <para>
-        &firewalld; in &productname; by default blocks all inbound
-        traffic.
-       </para>
-       <para>
-        To block all outbound traffic, manually add the following rules:
-       </para>
-<screen>&prompt.sudo;<command>firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</command>
-&prompt.sudo;<command>firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</command>
-&prompt.sudo;<command>firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j DROP</command>
-&prompt.sudo;<command>firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 99 -j DROP</command>
-&prompt.sudo;<command>firewall-cmd --reload</command></screen>
-       <para>
-        In addition, inbound traffic can also be configured for specific
-        services via the TCP wrapper configuration file
-        <filename>/etc/hosts.deny</filename>.
-       </para>
-       <para>
-        Most of the following tasks are about examining and verifying that the
-        defined inbound and outbound rules are really limiting the traffic
-        between and within all network segments, like the DMZ and the
-        Internet, to a necessary minimum for full system operation.
+        <para>
+          <xref linkend="sec-pcidss-requirement-2"/>
         </para>
       </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       1.3.3 Implement anti-spoofing measures to detect and block forged
-       source IP addresses from entering the network.
-      </term>
+    </orderedlist>
+
+    <orderedlist continuation="continues">
+      <title>Protect cardholder data</title>
       <listitem>
-       <para>
-        There are two ways to implement anti-spoofing measurements in
-        &productnamex;:
-       </para>
-       <itemizedlist>
-        <listitem>
-         <formalpara>
-          <title><systemitem>iptables</systemitem> rules that only allow input from certain addresses on specified interfaces</title>
-          <para>
-           The used address space for communications can be clearly defined
-           in the system setup. Any use of addresses that violates these definitions can be logged and trigger an alarm.
-          </para>
-         </formalpara>
-        </listitem>
-        <listitem>
-         <formalpara>
-          <title>Linux kernel reverse path filtering</title>
-          <para>
-           This feature discards packet replies that do not go through the
-           same interface as the initial packet. This feature
-           is enabled by default in &productnamex; and can be checked with
-           the following command:
-          </para>
-         </formalpara>
-         <screen>&prompt.user;<command>cat /proc/sys/net/ipv4/conf/all/rp_filter</command></screen>
-         <para>
-          When enabled, this returns
-          <literal>1</literal>.
-         </para>
-        </listitem>
-       </itemizedlist>
+        <para>
+          <xref linkend="sec-pcidss-requirement-3"/>
+        </para>
       </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       1.3.5 Permit only <quote>established</quote> connections into the
-       network.
-      </term>
       <listitem>
-       <para>
-        &firewalld; enables connection tracking via
-        <literal>iptables</literal>. Connections to an interface that has
-        been marked as external are dropped by default. Only connections
-        that are associated with an established connection are allowed.
-       </para>
-       <para>
-        It is possible to define certain services that are allowed to
-        connect to an external interface. However, this must be in
-        compliance with the general security policy.
-       </para>
-       <para>
-        Keep in mind that the first line of defense against malicious
-        connections from the Internet should be a dedicated firewall system
-        that handles all traffic and acts as a gatekeeper. Unwanted
-        connections should never reach the DMZ network. However, simple
-        firewall rules on &productnamex; systems can help avoid
-        misconfigurations and act as another line of defense.
-       </para>
+        <para>
+          <xref linkend="sec-pcidss-requirement-4"/>
+        </para>
       </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       1.3.7 Do not disclose private IP addresses and routing information to
-       unauthorized parties.
-      </term>
+    </orderedlist>
+
+    <orderedlist continuation="continues">
+      <title>Maintain a vulnerability management program</title>
       <listitem>
-       <para>
-        A &productnamex; system can also act as a router to forward
-        traffic from one interface to another network on a second interface.
-        It is possible to use Network Address Translation (NAT) on the
-        external interface so that no internal IP address is actually exposed
-        to the outside. This is done to mitigate the information an external
-        attacker can gather by simply analyzing the network traffic. NAT can
-        also be used on virtualization hosts or container-based environments
-        that connect to the outside via a specific interface.
-       </para>
+        <para>
+          <xref linkend="sec-pcidss-requirement-5"/>
+        </para>
       </listitem>
-     </varlistentry>
-    </variablelist>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-2">
-    <title>Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters</title>
-    <para>
-     During the installation of &productnamex;, general system
-     passwords are already set by the administrator. The setup also uses a
-     password checker (<command>cracklib</command>) that identifies weak
-     entries against a dictionary. This means that the standard configuration
-     already includes customer-defined security options for most services.
-    </para>
-    <para>
-     For more information about OS security, see the
-     <phrase os="sles;sled;osuse"><xref linkend="book-security"/>.</phrase>
-     <phrase os="article"><citetitle>&productnamex; Security Guide</citetitle>.</phrase>
-    </para>
-    <variablelist>
-     <varlistentry>
-      <term>
-       2.1 Always change vendor-supplied defaults, and remove or disable
-       unnecessary default accounts before installing a system on the network.
-      </term>
       <listitem>
-       <para>
-        The configuration of any system service must be evaluated to meet
-        the needed security standards. This goes from limiting the used
-        protocols to only allow currently secure versions and to disable
-        legacy implementations, to the definition of access controls and
-        authentication. The default settings of &productnamex; already provide
-        good overall security, but they can be tweaked further.
-       </para>
-       <para>
-        For example, the following security settings might be relevant:
-       </para>
-       <itemizedlist>
-        <listitem>
-         <para>
-          By default, the SNMP daemon only allows incoming requests to
-          <systemitem>localhost</systemitem>. However, the default community
-          string is named <literal>public</literal> and should be changed
-          before accepting general inbound connections.
-         </para>
-        </listitem>
-        <listitem>
-         <para>
-          By default, certain insecure upstream settings of the
-          <systemitem class="daemon">sshd</systemitem> daemon are listed and
-          commented out inside the <systemitem class="daemon">sshd</systemitem>
-          configuration file <filename>/etc/ssh/sshd_config</filename>. For
-          example, the insecure protocol version 1 and empty passwords
-          (<literal>PermitEmptyPasswords no</literal>) are already disabled.
-         </para>
-         <para>
-          To further increase SSH security, if applicable, deny direct
-          <systemitem class="username">root</systemitem> access by setting
-          <literal>PermitRootLogin</literal> to <literal>no</literal>.
-         </para>
-        </listitem>
-       </itemizedlist>
-       <para>
-        Default settings can be customized by automating system installation
-        with an &ay; profile. This allows rolling out new instances of
-        &productnamex; and automatically enabling an evaluated configuration.
-        This setup procedure can also be automated with the &susemgr;. For
-        more information, see the &susemgr; documentation at
-        <link xlink:href="https://documentation.suse.com/suma/"/>.
-       </para>
-       <para>
-        By default, &productnamex; does not create additional accounts
-        apart from the <systemitem class="username">root</systemitem>
-        administrative user. There are system accounts defined in
-        <filename>/etc/passwd</filename>, but they are not activated and
-        therefore not directly reachable. This can be validated by checking
-        the lines inside the <filename>/etc/shadow</filename> file.
-       </para>
-       <para>
-        In <filename>/etc/shadow</filename>, the second column represents the
-      defined password:
-       </para>
-       <itemizedlist>
-        <listitem>
-         <para>
-          An asterisk (<literal>*</literal>) means that a password was never
-          defined and the account is therefore locked.
-         </para>
-        </listitem>
-        <listitem>
-         <para>
-          An exclamation mark (<literal>!</literal>) stands for a locked
-          account and can appear either alone or in front of a password hash.
-         </para>
-        </listitem>
-       </itemizedlist>
+        <para>
+          <xref linkend="sec-pcidss-requirement-6"/>
+        </para>
       </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       2.2 Develop configuration standards for all system components. Ensure
-       that these standards address all known security vulnerabilities and
-       are consistent with industry-accepted system hardening standards.
-      </term>
+    </orderedlist>
+
+    <orderedlist continuation="continues">
+      <title>Implement strong access control measures</title>
       <listitem>
-       <para>
-        As mentioned in the &pcidssa; document, possible sources for
-        industry-accepted hardening standards are:
-       </para>
-       <orderedlist>
-        <listitem>
-         <para>Center for Internet Security (CIS)</para>
-        </listitem>
-        <listitem>
-         <para>International Organization for Standardization (ISO)</para>
-        </listitem>
-        <listitem>
-         <para>SysAdmin Audit Network Security (SANS) Institute</para>
-        </listitem>
-        <listitem>
-         <para>National Institute of Standards Technology (NIST)</para>
-        </listitem>
-       </orderedlist>
-       <para>
-        As the &pcidssa; requirements are not specified precisely, there is no
-        direct relationship between hardening standards and specific
-        requirements. However, other hardening resources can also help in
-        complying with these specifications, including the
-        <phrase os="sles;sled;osuse"><xref linkend="book-security"/></phrase>
-        <phrase os="article"><citetitle>&productnamex; Security Guide</citetitle>.</phrase>
-       </para>
+        <para>
+          <xref linkend="sec-pcidss-requirement-7"/>
+        </para>
       </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       2.2.1 Implement only one primary function per server to prevent
-       functions that require different security levels from co-existing on
-       the same server. (For example, web servers, database servers, and DNS
-       should be implemented on separate servers.)
-      </term>
       <listitem>
-       <para>
-        To help separate services, use the variety of virtualization and
-        containerization methods included with &productnamex;:
-        &kvm;, &xen;, &lxc;, and &docker;.
-       </para>
-       <para>
-        You can also run &productnamex; on third-party virtualization servers
-        like &esx; or &hyperv; to achieve service separation.
-       </para>
-       <para>
-        When using the options built in to &productnamex;, see:
-       </para>
-       <itemizedlist>
-        <listitem>
-         <para>
-          For information about virtualization, see
-          <phrase os="sles;sled;osuse"><xref linkend="book-virtualization"/></phrase>
-          <phrase os="article"><citetitle>&productnamex; Virtualization
-          Guide</citetitle></phrase>.
-         </para>
-        </listitem>
-        <listitem>
-         <para>
-          For information about containerization, see
-          <phrase os="sles;sled;osuse"><xref linkend="book-container"/></phrase>
-          <phrase os="article"><citetitle>&productnamex; &deng;
-          Guide</citetitle></phrase>.
-         </para>
-        </listitem>
-       </itemizedlist>
+        <para>
+          <xref linkend="sec-pcidss-requirement-8"/>
+        </para>
       </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       2.2.2 Enable only necessary services, protocols, daemons, etc., as
-       required for the function of the system.
-      </term>
       <listitem>
-       <para>
-        This is directly related to an item of requirement&nbsp;1: To allow only
-        services that are really needed and are using secure protocols and
-        settings (<xref linkend="vle-pcidss-insecure-service"/>). All parties
-        involved must be aware of the dangers of using insecure communication.
-        Research, clearly document, and communicate the risk of using insecure
-        protocols and services.
-       </para>
-       <para>
-        Enable and disable system services using the following
-        <command>systemctl</command> commands:
-       </para>
-       <itemizedlist>
-        <listitem>
-         <screen>&prompt.user;<command>systemctl status <replaceable>SERVICE</replaceable></command></screen>
-        </listitem>
-        <listitem>
-         <screen>&prompt.sudo;<command>systemctl enable <replaceable>SERVICE</replaceable></command></screen>
-        </listitem>
-        <listitem>
-         <screen>&prompt.sudo;<command>systemctl disable <replaceable>SERVICE</replaceable></command></screen>
-        </listitem>
-       </itemizedlist>
-       <para>
-        To list all available services that are installed on the system and
-        see their status, use the following command:
-       </para>
-       <screen>&prompt.user;<command>systemctl list-unit-files --type=service</command></screen>
+        <para>
+          <xref linkend="sec-pcidss-requirement-9"/>
+        </para>
       </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       2.2.3.a Inspect configuration settings to verify that security features
-       are documented and implemented for all insecure services, daemons, or
-       protocols.
-      </term>
+    </orderedlist>
+
+    <orderedlist continuation="continues">
+      <title>Regularly monitor and test networks</title>
       <listitem>
-       <para>
-        To add an additional layer of security to insecure services, use VPN
-        tunnels (for example, IPsec). With a VPN tunnel, network traffic of
-        such services can be isolated and all data is protected against
-        eavesdropping, both internally and externally. However, note that the
-        communication is still insecure at the endpoints of the VPN tunnel
-        and that this is only a workaround.
-       </para>
-       <para>
-        For additional security within &productnamex;, use &selnx; or &aa;.
-        However, the setup of these frameworks is beyond the scope of this
-        document:
-       </para>
-       <itemizedlist>
-        <listitem>
-         <para>
-          For information about &selnx;, see
-          <phrase os="sles;sled;osuse"><xref linkend="cha-selinux"/>.</phrase>
-          <phrase os="article"><citetitle>&productnamex; Security Guide,
-          Chapter Configuring &selnx;</citetitle>.</phrase>
-         </para>
-        </listitem>
-        <listitem>
-         <para>
-          For information about &aa;, see
-          <phrase os="sles;sled;osuse"><xref linkend="part-apparmor"/>.</phrase>
-          <phrase os="article"><citetitle>&productnamex; Security Guide,
-          Part Confining Privileges with &aa;</citetitle>.</phrase>
-         </para>
-        </listitem>
-       </itemizedlist>
+        <para>
+          <xref linkend="sec-pcidss-requirement-10"/>
+        </para>
       </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       2.2.5.a Select a sample of system components and inspect the
-       configurations to verify that all unnecessary functionality (for
-       example, scripts, drivers, features, subsystems, file systems, etc.)
-       is removed.
-      </term>
       <listitem>
-       <para>
-        The Linux kernel is the main system component. It consists of a core
-        image that is extended by kernel modules which are loaded depending
-        on the hardware and system design. For example: Network card drivers
-        are automatically loaded depending on the system’s network card. File
-        system modules can be enabled to extend the Linux kernel’s file
-        system support.
-       </para>
-       <para>
-        The list of loaded kernel modules is usually quite long and includes
-        modules that are only used occasionally. The kernel module framework
-        allows blacklisting modules and limiting which functionalities are
-        loaded.
-       </para>
-       <para>
-        To block modules from being loaded, configure them
-        via the directory <filename>/etc/modprobe.d</filename>. For example,
-        the kernel module <literal>floppy</literal> is only necessary for
-        systems that have a floppy drive. On systems that do not have a
-        floppy drive, prevent the module from loading: Create a configuration
-        file <filename>/etc/modprobe.d/00-disable-modules.conf</filename>
-        with the following content:
-       </para>
-       <screen>install floppy /bin/true</screen>
-       <para>
-        The <literal>floppy</literal> module is usually loaded
-        during the execution of the initial RAM disk. Therefore, propagate
-        this configuration change to the <filename>initrd</filename> file
-        using <command>dracut</command> (replace <replaceable>NAME</replaceable>
-      with the name of the current initrd and
-      <replaceable>KERNELVERSION</replaceable> with the currently running
-      kernel).
-       </para>
-       <screen>&prompt.sudo;<command>/usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/$initrd-<replaceable>NAME</replaceable> $<replaceable>KERNELVERSION</replaceable></command></screen>
-       <para>
-        It is harder to remove or restrict application functionality, as
-        functionality is in most cases compiled into the application or
-        library itself. Even cases where deleting a file cleanly removes a
-        functionality are problematic: If the file was installed from an RPM
-        package, it will be reinstalled when the package is updated.
-       </para>
+        <para>
+          <xref linkend="sec-pcidss-requirement-11"/>
+        </para>
       </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       2.3 Encrypt all non-console administrative access using strong
-       cryptography. Use technologies such as SSH, VPN, or TLS for web-based
-       management and other non-console administrative access.
-      </term>
+    </orderedlist>
+
+    <orderedlist continuation="continues">
+      <title>Maintain an information security policy</title>
       <listitem>
-       <para>
-        Encrypt all administrative network access: SSH with appropriate
-        configuration settings that fit into the security concept should be
-        the tool of choice.
-       </para>
-       <para>
-        Administrative access can also be granted
-        via a Web site. In this case, the complete connection chain between the
-        browser and the server system must be encrypted. This is done via
-        TLS and X.509 certificates.
-       </para>
+        <para>
+          <xref linkend="sec-pcidss-requirement-12"/>
+        </para>
       </listitem>
-     </varlistentry>
-    </variablelist>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-3">
-    <title>Requirement 3: Protect stored cardholder data</title>
+    </orderedlist>
+
     <para>
-     This section explains how to handle cardholder and
-     authentication data securely. The following definitions apply:
+      Most requirements of &pcidssa; are organizational guidelines that help ensure the security of
+      all areas involved with cardholder data. There is usually no specific wording of the
+      technical aspects.
     </para>
-    <itemizedlist>
-     <listitem>
-      <para>
-       <emphasis>Cardholder data</emphasis> includes information such as the
-       cardholder name and the Primary Account Number (PAN).
-      </para>
-     </listitem>
-     <listitem>
-      <para>
-       <emphasis>Authentication data</emphasis> includes the Personal
-       Identification Number (PIN) and the Card Validation Code (CVC2).
-      </para>
-     </listitem>
-    </itemizedlist>
+
     <para>
-     The main difference between cardholder data and authentication data is
-     that storing authentication is never allowed. In contrast, data such as
-     the PAN can be stored, but must be encrypted and unreadable in case an
-     attacker gains access to the stored data.
+      This means that it is up to auditors to decide which security settings are valid for a
+      requirement and which are not. Therefore, the recommendations in this document can only
+      provide a starting point for implementing the &pcidssa; and are necessarily subject to
+      discussion.
     </para>
+  </sect1>
+  <sect1 xml:id="sec-pcidss-os-relevant">
+    <title>Focus of this document: areas relevant to the operating system</title>
+
     <para>
-     The database design for storing cardholder data is beyond the scope of
-     this document. However, data can be encrypted in different ways:
+      The &pcidssa; covers a wide range of aspects related to cardholder data. Not all of these
+      aspects concern the operating system and this document does not focus on these. Instead, this
+      document focuses on aspects that affect OS configuration, including:
     </para>
+
     <itemizedlist>
-     <listitem>
-      <para>
-       The DBMS can use column-level encryption inside the database
-       scheme.
-      </para>
-     </listitem>
-     <listitem>
-      <para>
-       Alternatively, the database files can be encrypted.
-      </para>
-     </listitem>
-     <listitem>
-      <para>
-       &productnamex; supports full-disk encryption, so that the whole
-       database storage is always encrypted. However, access to an encrypted
-       disk works the same way as to a non-encrypted disk. This is discussed
-       in more detail in requirement 3.4.1.
-      </para>
-     </listitem>
-    </itemizedlist>
-    <variablelist>
-     <varlistentry xml:id="vle-pcidss-encrypt-disk">
-      <term>
-       3.4.1.a If disk encryption is used, inspect the configuration and
-       observe the authentication process to verify that logical access to
-       encrypted file systems is implemented via a mechanism that is separate
-       from the native operating system’s authentication mechanism (for
-       example, not using local user account databases or general network
-       login credentials).
-      </term>
       <listitem>
-       <para>
-        The guidance description of the &pcidssa; document says the following
-        about this requirement: <quote>Full disk encryption helps to protect
-        data in the event of physical loss of a disk and therefore may be
-        appropriate for portable devices that store cardholder data.</quote>
-       </para>
-       <para>
-        From an administrator’s point of view, a block device encryption with
-        the Linux Unified Key Setup (LUKS)/dm-crypt offers an abstraction
-        layer that allows the usage of encrypted disks in the same way
-        as unencrypted disks.
-       </para>
-       <para>
-        Therefore, access control can only be limited
-        with the general ACL permissions that the file system offers. To
-        comply with this requirement, the decryption key used must not be
-        associated with any general login credentials or authentication
-        methods.
-       </para>
-       <para>
-        When using LUKS, this is usually fulfilled: The password needs to
-        be entered separately when booting, inserting portable devices or
-        manually mounting disks.
-       </para>
-       <para>
-        LUKS is fully integrated into &productnamex; and can be used via
-        &yast; to create new partitions.
-       </para>
+        <para>
+          System security
+        </para>
       </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       3.4.1.c Examine the configurations and observe the processes to verify
-       that cardholder data on removable media is encrypted wherever stored.
-      </term>
       <listitem>
-       <para>
-        As described in <xref linkend="vle-pcidss-encrypt-disk"/>,
-        LUKS/dm-crypt provides full-disk encryption that fulfills this
-        requirement. Access to the stored data is only possible via a
-        decryption password that must be entered when the disk is mounted.
-       </para>
+        <para>
+          Access control
+        </para>
       </listitem>
-     </varlistentry>
-    </variablelist>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-4">
-    <title>Requirement 4: Encrypt transmission of cardholder data across open, public networks</title>
-    <para>
-     Cardholder data must be encrypted during transmissions over insecure
-     networks. Ideally, encrypt all traffic, externally and internally. This
-     makes it hard for attackers to gain inside information and privileged
-     access to the cardholder data environment.
-    </para>
-    <variablelist>
-     <varlistentry>
-      <term>
-       4.1 Use strong cryptography and security protocols (for example,
-       TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during
-       transmission over open, public networks, including the following: (1)
-       Only trusted keys and certificates are accepted, (2) The protocol in
-       use only supports secure versions or configurations, (3) The
-       encryption strength is appropriate for the encryption methodology in
-       use.
-      </term>
       <listitem>
-       <para>
-        Any connection that transmits sensitive information must be
-        protected against eavesdropping and tampering.
-       </para>
-       <para>
-        For incoming client requests, use the HTTPS protocol with a secure
-        TLS connection. The authentication is done with a public
-        X.509 certificate that proves to a certain level that the server is
-        the right endpoint the customer is looking for.
-       </para>
-       <para>
-        &productnamex; comes with a set of services and tools that allow
-        protected HTTPS connections. For example, this can be done directly
-        with the Apache HTTP Server or via <command>stunnel</command>, which
-        functions as a proxy to offer TLS encryption functionality.
-       </para>
-       <para>
-        IPsec or other VPN technologies can be used for securing the
-        connection between network segments that are connected via a public
-        network. Such connections can also be secured with a public X.509
-        certificate. For internal usage, it is possible to use a private
-        Certificate Authority (CA) to sign X.509 certificates and to keep
-        track of trusted keys.
-       </para>
-       <para>
-        In &productnamex;, this can be established directly with
-        <phrase role="productname">strongSwan</phrase>, which is a IPsec-based
-        VPN solution, or with OpenVPN, which uses a custom security protocol.
-       </para>
-       <para>
-        To administrate the OS, use SSH. For information about configuring
-        SSH to provide better security, see
-        <xref linkend="sec-pcidss-requirement-1"/> and
-        <xref linkend="sec-pcidss-requirement-2"/>.
-       </para>
+        <para>
+          System maintenance to protect against known vulnerabilities
+        </para>
       </listitem>
-     </varlistentry>
-    </variablelist>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-5">
-    <title>Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs</title>
-    <para>
-     For &pcidssa; compliance, it is necessary to protect against malicious
-     software. Third-party anti-virus software is available from the
-     major anti-virus software vendors and can be integrated into the Linux
-     environment. &productnamex; comes with the open source anti-virus engine
-     &clamav;.
-    </para>
-    <para>
-     &clamav; has a limited set of scanning capabilities and limited
-     performance compared to third-party products. Hence, expect &clamav; to
-     only provide basic protection.
-    </para>
+    </itemizedlist>
+
     <para>
-     On the other hand, &clamav; is shipped with &productnamex; and it can be
-     included during server installation. This makes it easy to fulfill this
-     requirement, but the drawbacks compared to third-party products need to
-     be clearly understood.
+      Topics beyond the scope of this document include data processing applications, database
+      design, and formal processes outside of the OS scope. In particular, requirement 9 (restrict
+      physical access) and requirement 12 (maintain a policy) are not discussed extensively in this
+      document.
     </para>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-6">
-    <title>Requirement 6: Develop and maintain secure systems and applications</title>
+  </sect1>
+  <sect1 xml:id="sec-pcidss-requirement">
+    <title>Requirements in detail</title>
+
     <para>
-     The major part of this requirement concerns in-house software development,
-     documentation, and design questions that are beyond the scope of this
-     document. However, &productnamex; provides tools that help keep your
-     systems safe:
+      The following section provides an overview of the relevant parts of the &pcidssa;, following
+      the ordering of the standard itself.
     </para>
-    <itemizedlist>
-     <listitem>
+
+    <sect2 xml:id="sec-pcidss-requirement-1">
+      <title>Requirement 1: Install and maintain a firewall configuration to protect cardholder data</title>
       <para>
-       The software package manager Zypper is a powerful instrument of
-       &productnamex;. Among other things, it resolves dependencies of packages,
-       products, patterns, and patches, has a locking mechanism to prevent
-       package installation, and provides a complete update stack to keep the
-       system up-to-date and protected against known security issues.
+        The listed terms in this section are design, documentation and formal process requirements.
+        All changes to the firewalls and routers need to be approved, documented, and verified, and
+        all stakeholders need to be involved. The network design includes a DMZ environment, access
+        to the Internet, a protected network for database servers, traffic filtering rules between
+        network segments, and other relevant considerations.
       </para>
       <para>
-       <command>zypper</command> is part of any &productnamex; installation and
-       has direct access to the update repositories after system registration.
+        In addition to a dedicated firewall and router, &productnamex; comes with a host firewall
+        based on iptables. The system can be configured to allow only connections on certain
+        inbound ports. With the &yast; firewall module it is also possible to define more complex
+        rules, such as refusing connections from specific addresses. This allows integrating the
+        local system firewall into an overall firewall design that maximizes network security.
       </para>
       <para>
-       For information about Zypper, see
-       <phrase os="sles;sled;osuse"><xref linkend="sec-zypper"/>.</phrase>
-       <phrase os="article"><citetitle>&productnamex; Administration Guide,
-       Chapter Managing Software with Command Line Tools, Section Using
-       Zypper</citetitle>.</phrase>
+        In generalized terms, the technical points in requirement 1 are the following:
       </para>
-     </listitem>
-     <listitem>
+      <itemizedlist>
+        <listitem>
+          <para>
+            Identify insecure services and protocols.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            Limit traffic to and from the system so that unwanted traffic is not allowed.
+          </para>
+        </listitem>
+      </itemizedlist>
+      <variablelist>
+        <varlistentry xml:id="vle-pcidss-insecure-service">
+          <term>1.1.6.b Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service</term>
+          <listitem>
+            <para>
+              This task is embedded in the requirement to identify, document, and justify all
+              services and protocols running on a system. Of special interest are services and
+              protocols that could lead to a security risk. If an insecure service or protocol is
+              used, it must be evaluated to understand its potential security impact. Services or
+              protocols that are not necessary for the business to function should be disabled or
+              removed.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry xml:id="vle-pcidss-firewall">
+          <term>1.2.1.b Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment.</term>
+          <listitem>
+            <para>
+              Outbound traffic should only be allowed in specifically defined cases. Create rules
+              for allowed outbound traffic.
+            </para>
+            <para>
+              Make the SSH daemon only reachable on a separate administration interface, and not on
+              the general network interface if possible. Define the source addresses that a service
+              allows traffic from.
+            </para>
+            <para>
+              For example, to allow only outbound DNS requests over the interface
+              <systemitem>eth0</systemitem> to server
+              <systemitem class="ipaddress">10.0.0.1</systemitem>, use:
+            </para>
+<screen>&prompt.sudo;<command>firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 23 \</command>
+    <command>-d 10.0.0.1/32 -o eth0 -p udp -m udp --dport 53 -j ACCEPT</command>
+&prompt.sudo;<command>firewall-cmd --reload</command></screen>
+            <para>
+              To block all other outbound traffic, see <xref linkend="vle-pcidss-deny-all"/>.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry xml:id="vle-pcidss-deny-all">
+          <term>1.2.1.c Verify that all other inbound and outbound traffic is specifically denied.</term>
+          <listitem>
+            <para>
+              Deny all outbound and inbound traffic for which no exceptions are defined as stated
+              in the previous section. Forwarding is usually disabled by a kernel parameter, and
+              should not be enabled for endpoint servers.
+            </para>
+            <para>
+              &firewalld; in &productname; by default blocks all inbound traffic.
+            </para>
+            <para>
+              To block all outbound traffic, manually add the following rules:
+            </para>
+<screen>&prompt.sudo;<command>firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</command>
+&prompt.sudo;<command>firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</command>
+&prompt.sudo;<command>firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j DROP</command>
+&prompt.sudo;<command>firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 99 -j DROP</command>
+&prompt.sudo;<command>firewall-cmd --reload</command></screen>
+            <para>
+              Also, inbound traffic can also be configured for specific services via the TCP
+              wrapper configuration file <filename>/etc/hosts.deny</filename>.
+            </para>
+            <para>
+              Most of the following tasks are about examining and verifying that the defined
+              inbound and outbound rules are really limiting the traffic between and within all
+              network segments, like the DMZ and the Internet, to a necessary minimum for full
+              system operation.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>1.3.3 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.</term>
+          <listitem>
+            <para>
+              There are two ways to implement anti-spoofing measurements in &productnamex;:
+            </para>
+            <itemizedlist>
+              <listitem>
+                <formalpara>
+                  <title><systemitem>iptables</systemitem> rules that only allow input from certain addresses on specified interfaces</title>
+                  <para>
+                    The used address space for communications can be defined in the system setup.
+                    Any use of addresses that violates these definitions can be logged and trigger
+                    an alarm.
+                  </para>
+                </formalpara>
+              </listitem>
+              <listitem>
+                <formalpara>
+                  <title>Linux kernel reverse path filtering</title>
+                  <para>
+                    This feature discards packet replies that do not go through the same interface
+                    as the initial packet. This feature is enabled by default in &productnamex; and
+                    can be checked with the following command:
+                  </para>
+                </formalpara>
+<screen>&prompt.user;<command>cat /proc/sys/net/ipv4/conf/all/rp_filter</command></screen>
+                <para>
+                  When enabled, this returns <literal>1</literal>.
+                </para>
+              </listitem>
+            </itemizedlist>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>1.3.5 Permit only <quote>established</quote> connections into the network.</term>
+          <listitem>
+            <para>
+              &firewalld; enables connection tracking via <literal>iptables</literal>. Connections
+              to an interface that has been marked as external are dropped by default. Only
+              connections that are associated with an established connection are allowed.
+            </para>
+            <para>
+              It is possible to define certain services that are allowed to connect to an external
+              interface. However, this must be in compliance with the general security policy.
+            </para>
+            <para>
+              Keep in mind that the first line of defense against malicious connections from the
+              Internet should be a dedicated firewall system that handles all traffic and acts as a
+              gatekeeper. Unwanted connections should never reach the DMZ network. However, simple
+              firewall rules on &productnamex; systems can help avoid misconfigurations and act as
+              another line of defense.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.</term>
+          <listitem>
+            <para>
+              A &productnamex; system can also act as a router to forward traffic from one
+              interface to another network on a second interface. It is possible to use Network
+              Address Translation (NAT) on the external interface so that no internal IP address is
+              exposed to the outside. This is done to mitigate the information an external attacker
+              can gather by simply analyzing the network traffic. NAT can also be used on
+              virtualization hosts or container-based environments that connect to the outside via
+              a specific interface.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-2">
+      <title>Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters</title>
       <para>
-       For system management, &suse; provides &susemgr;, which provides an
-       efficient way to keep systems up-to-date. It offers seamless
-       management of both &productnamex; and &rhel; client systems. This
-       is particularly useful in larger system environments, when you need to
-       check the current update status of each system and to react to known
-       security risks.
+        During the installation of &productnamex;, general system passwords are already set by the
+        administrator. The setup also uses a password checker (<command>cracklib</command>) that
+        identifies weak entries against a dictionary. This means that the standard configuration
+        already includes customer-defined security options for most services.
       </para>
       <para>
-       For information about &susemgr;, see the
-       <link xlink:href="https://documentation.suse.com/suma/">&susemgr;
-       documentation page</link>.
+        For more information about OS security, see the
+        <phrase os="sles;sled;osuse"><xref linkend="book-security"/>.</phrase>
+        <phrase os="article"><citetitle>&productnamex; Security Guide</citetitle>.</phrase>
       </para>
-     </listitem>
-    </itemizedlist>
-    <variablelist>
-     <varlistentry>
-      <term>
-       6.2.a Examine policies and procedures related to security patch
-       installation to verify processes are defined for: (1) Installation of
-       applicable critical vendor-supplied security patches within one month
-       of release, (2) Installation of all applicable vendor-supplied
-       security patches within an appropriate time frame (for example, within
-       three months).
-      </term>
-      <listitem>
-       <para>
-        To identify patches that need to be installed to secure your system,
-        do the following:
-       </para>
-       <para>
-        First, refresh all software repositories, so you have up-to-date information:
-       </para>
-       <screen>&prompt.sudo;<command>zypper refresh</command></screen>
-       <para>
-        Then use the patch-related commands of Zypper:
-       </para>
-       <itemizedlist>
+      <variablelist>
+        <varlistentry>
+          <term>2.1 Always change vendor-supplied defaults, and remove or disable unnecessary default accounts before installing a system on the network.</term>
+          <listitem>
+            <para>
+              The configuration of any system service must be evaluated to meet the needed security
+              standards. This goes from limiting the used protocols to only allow currently secure
+              versions and to disable legacy implementations, to the definition of access controls
+              and authentication. The default settings of &productnamex; already provide good
+              overall security, but they can be tweaked further.
+            </para>
+            <para>
+              For example, the following security settings might be relevant:
+            </para>
+            <itemizedlist>
+              <listitem>
+                <para>
+                  By default, the SNMP daemon only allows incoming requests to
+                  <systemitem>localhost</systemitem>. However, the default community string is
+                  named <literal>public</literal> and should be changed before accepting general
+                  inbound connections.
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  By default, certain insecure upstream settings of the
+                  <systemitem class="daemon">sshd</systemitem> daemon are listed and commented out
+                  inside the <systemitem class="daemon">sshd</systemitem> configuration file
+                  <filename>/etc/ssh/sshd_config</filename>. For example, the insecure protocol
+                  version 1 and empty passwords (<literal>PermitEmptyPasswords no</literal>) are
+                  already disabled.
+                </para>
+                <para>
+                  To further increase SSH security, if applicable, deny direct
+                  <systemitem class="username">root</systemitem> access by setting
+                  <literal>PermitRootLogin</literal> to <literal>no</literal>.
+                </para>
+              </listitem>
+            </itemizedlist>
+            <para>
+              Default settings can be customized by automating system installation with an &ay;
+              profile. This allows rolling out new instances of &productnamex; and automatically
+              enabling an evaluated configuration. This setup procedure can also be automated with
+              the &susemgr;. For more information, see the &susemgr; documentation at
+              <link xlink:href="https://documentation.suse.com/suma/"/>.
+            </para>
+            <para>
+              By default, &productnamex; does not create additional accounts apart from the
+              <systemitem class="username">root</systemitem> administrative user. There are system
+              accounts defined in <filename>/etc/passwd</filename>, but they are not activated and
+              therefore not directly reachable. This can be validated by checking the lines inside
+              the <filename>/etc/shadow</filename> file.
+            </para>
+            <para>
+              In <filename>/etc/shadow</filename>, the second column represents the defined
+              password:
+            </para>
+            <itemizedlist>
+              <listitem>
+                <para>
+                  An asterisk (<literal>*</literal>) means that a password was never defined and
+                  the account is therefore locked.
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  An exclamation mark (<literal>!</literal>) stands for a locked account and can
+                  appear either alone or in front of a password hash.
+                </para>
+              </listitem>
+            </itemizedlist>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>2.2 Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.</term>
+          <listitem>
+            <para>
+              As mentioned in the &pcidssa; document, possible sources for industry-accepted
+              hardening standards are:
+            </para>
+            <orderedlist>
+              <listitem>
+                <para>
+                  Center for Internet Security (CIS)
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  International Organization for Standardization (ISO)
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  SysAdmin Audit Network Security (SANS) Institute
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  National Institute of Standards Technology (NIST)
+                </para>
+              </listitem>
+            </orderedlist>
+            <para>
+              As the &pcidssa; requirements are not specified precisely, there is no direct
+              relationship between hardening standards and specific requirements. However, other
+              hardening resources can also help in complying with these specifications, including
+              the <phrase os="sles;sled;osuse"><xref linkend="book-security"/></phrase>
+              <phrase os="article"><citetitle>&productnamex; Security Guide</citetitle>.</phrase>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)</term>
+          <listitem>
+            <para>
+              To help separate services, use the variety of virtualization and containerization
+              methods included with &productnamex;: &kvm;, &xen;, &lxc;, and &docker;.
+            </para>
+            <para>
+              You can also run &productnamex; on third-party virtualization servers like &esx; or
+              &hyperv; to achieve service separation.
+            </para>
+            <para>
+              When using the options built in to &productnamex;, see:
+            </para>
+            <itemizedlist>
+              <listitem>
+                <para>
+                  For information about virtualization, see
+                  <phrase os="sles;sled;osuse"><xref linkend="book-virtualization"/></phrase>
+                  <phrase os="article"><citetitle>&productnamex; Virtualization
+                  Guide</citetitle></phrase>.
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  For information about containerization, see
+                  <phrase os="sles;sled;osuse"><xref linkend="book-container"/></phrase>
+                  <phrase os="article"><citetitle>&productnamex; &deng; Guide</citetitle></phrase>.
+                </para>
+              </listitem>
+            </itemizedlist>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.</term>
+          <listitem>
+            <para>
+              This is directly related to an item of requirement&nbsp;1: To allow only services
+              that are really needed and are using secure protocols and settings
+              (<xref linkend="vle-pcidss-insecure-service"/>). All parties involved must be aware
+              of the dangers of using insecure communication. Research, document and communicate
+              the risk of using insecure protocols and services.
+            </para>
+            <para>
+              Enable and disable system services using the following <command>systemctl</command>
+              commands:
+            </para>
+            <itemizedlist>
+              <listitem>
+<screen>&prompt.user;<command>systemctl status <replaceable>SERVICE</replaceable></command></screen>
+              </listitem>
+              <listitem>
+<screen>&prompt.sudo;<command>systemctl enable <replaceable>SERVICE</replaceable></command></screen>
+              </listitem>
+              <listitem>
+<screen>&prompt.sudo;<command>systemctl disable <replaceable>SERVICE</replaceable></command></screen>
+              </listitem>
+            </itemizedlist>
+            <para>
+              To list all available services that are installed on the system and see their status,
+              use the following command:
+            </para>
+<screen>&prompt.user;<command>systemctl list-unit-files --type=service</command></screen>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>2.2.3.a Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols.</term>
+          <listitem>
+            <para>
+              To add an additional layer of security to insecure services, use VPN tunnels (for
+              example, IPsec). With a VPN tunnel, network traffic of such services can be isolated
+              and all data is protected against eavesdropping, both internally and externally.
+              However, note that the communication is still insecure at the endpoints of the VPN
+              tunnel and that this is only a workaround.
+            </para>
+            <para>
+              For additional security within &productnamex;, use &selnx; or &aa;. However, the
+              setup of these frameworks is beyond the scope of this document:
+            </para>
+            <itemizedlist>
+              <listitem>
+                <para>
+                  For information about &selnx;, see
+                  <phrase os="sles;sled;osuse"><xref linkend="cha-selinux"/>.</phrase>
+                  <phrase os="article"><citetitle>&productnamex; Security Guide, Chapter
+                  Configuring &selnx;</citetitle>.</phrase>
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  For information about &aa;, see
+                  <phrase os="sles;sled;osuse"><xref linkend="part-apparmor"/>.</phrase>
+                  <phrase os="article"><citetitle>&productnamex; Security Guide, Part Confining
+                  Privileges with &aa;</citetitle>.</phrase>
+                </para>
+              </listitem>
+            </itemizedlist>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>2.2.5.a Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.</term>
+          <listitem>
+            <para>
+              The Linux kernel is the main system component. It consists of a core image that is
+              extended by kernel modules which are loaded depending on the hardware and system
+              design. For example: Network card drivers are automatically loaded depending on the
+              system’s network card. File system modules can be enabled to extend the Linux
+              kernel’s file system support.
+            </para>
+            <para>
+              The list of loaded kernel modules is usually long and includes modules that are only
+              used occasionally. The kernel module framework allows blacklisting modules and
+              limiting which functionalities are loaded.
+            </para>
+            <para>
+              To block modules from being loaded, configure them via the directory
+              <filename>/etc/modprobe.d</filename>. For example, the kernel module
+              <literal>floppy</literal> is only necessary for systems that have a floppy drive. On
+              systems that do not have a floppy drive, prevent the module from loading: Create a
+              configuration file <filename>/etc/modprobe.d/00-disable-modules.conf</filename> with
+              the following content:
+            </para>
+<screen>install floppy /bin/true</screen>
+            <para>
+              The <literal>floppy</literal> module is usually loaded during the execution of the
+              initial RAM disk. Therefore, propagate this configuration change to the
+              <filename>initrd</filename> file using <command>dracut</command> (replace
+              <replaceable>NAME</replaceable> with the name of the current initrd and
+              <replaceable>KERNELVERSION</replaceable> with the currently running kernel).
+            </para>
+<screen>&prompt.sudo;<command>/usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/$initrd-<replaceable>NAME</replaceable> $<replaceable>KERNELVERSION</replaceable></command></screen>
+            <para>
+              It is harder to remove or restrict application functionality, as functionality is in
+              most cases compiled into the application or library itself. Even cases where deleting
+              a file cleanly removes a functionality are problematic: If the file was installed
+              from an RPM package, it is reinstalled when the package is updated.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN or TLS for web-based management and other non-console administrative access.</term>
+          <listitem>
+            <para>
+              Encrypt all administrative network access: SSH with appropriate configuration
+              settings that fit into the security concept should be the tool of choice.
+            </para>
+            <para>
+              Administrative access can also be granted via a Web site. In this case, the complete
+              connection chain between the browser and the server system must be encrypted. This is
+              done via TLS and X.509 certificates.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-3">
+      <title>Requirement 3: Protect stored cardholder data</title>
+      <para>
+        This section explains how to handle cardholder and authentication data securely. The
+        following definitions apply:
+      </para>
+      <itemizedlist>
         <listitem>
-         <para>
-          Search for important security fixes that have not yet been
-          installed:
-         </para>
-         <screen>&prompt.user;<command>zypper list-patches --category security --severity important</command></screen>
+          <para>
+            <emphasis>Cardholder data</emphasis> includes information such as the cardholder name
+            and the Primary Account Number (PAN).
+          </para>
         </listitem>
         <listitem>
-         <para>
-          It is also possible to search for CVE or SUSE Bugzilla numbers.
-          By default, only necessary patches are listed by this command. To
-          also show patches that have already been installed, use the
-          parameter <option>--all</option>:
-         </para>
-         <screen>&prompt.user;z<command>ypper list-patches --all --cve=CVE-2016-4957</command></screen>
+          <para>
+            <emphasis>Authentication data</emphasis> includes the Personal Identification Number
+            (PIN) and the Card Validation Code (CVC2).
+          </para>
         </listitem>
+      </itemizedlist>
+      <para>
+        The main difference between cardholder data and authentication data is that storing
+        authentication is never allowed. In contrast, data such as the PAN can be stored, but must
+        be encrypted and unreadable in case an attacker gains access to the stored data.
+      </para>
+      <para>
+        The database design for storing cardholder data is beyond the scope of this document.
+        However, data can be encrypted in different ways:
+      </para>
+      <itemizedlist>
         <listitem>
-         <para>
-          To list details of individual patches, use the
-          <command>patch-info</command> subcommand:
-         </para>
-         <screen>&prompt.user;<command>zypper patch-info SUSE-SLE-Product-SLES-15-SP3-2021-2126</command></screen>
+          <para>
+            The DBMS can use column-level encryption inside the database scheme.
+          </para>
         </listitem>
         <listitem>
-         <para>
-          To install only important security patches, use the
-          <command>patch</command> subcommand:
-         </para>
-         <screen>&prompt.sudo;<command>zypper patch --category security --severity important</command></screen>
+          <para>
+            Alternatively, the database files can be encrypted.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            &productnamex; supports full-disk encryption, so that the whole database storage is
+            always encrypted. However, access to an encrypted disk works the same way as a
+            non-encrypted disk. This is discussed in more detail in requirement 3.4.1.
+          </para>
         </listitem>
-       </itemizedlist>
-       <para>
-        To perform updates automatically, the parameter
-        <option>--non-interactive</option>, which is supported by all
-        Zypper subcommands, is helpful.
-       </para>
+      </itemizedlist>
+      <variablelist>
+        <varlistentry xml:id="vle-pcidss-encrypt-disk">
+          <term>3.4.1.a If disk encryption is used, inspect the configuration and observe the authentication process to verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the host operating system’s authentication mechanism (for example, not using local user account databases or general network login credentials).</term>
+          <listitem>
+            <para>
+              The guidance description of the &pcidssa; document says the following about this
+              requirement: <quote>Full disk encryption helps to protect data in the event of
+              physical loss of a disk and therefore may be appropriate for portable devices that
+              store cardholder data.</quote>
+            </para>
+            <para>
+              From an administrator’s point of view, a block device encryption with the Linux
+              Unified Key Setup (LUKS)/dm-crypt offers an abstraction layer that allows the usage
+              of encrypted disks in the same way as unencrypted disks.
+            </para>
+            <para>
+              Therefore, access control can only be limited with the general ACL permissions that
+              the file system offers. To follow this requirement, the decryption key used must not
+              be associated with any general login credentials or authentication methods.
+            </para>
+            <para>
+              When using LUKS, this is usually fulfilled: The password needs to be entered
+              separately when booting, inserting portable devices or manually mounting disks.
+            </para>
+            <para>
+              LUKS is fully integrated into &productnamex; and can be used via &yast; to create new
+              partitions.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>3.4.1.c Examine the configurations and observe the processes to verify that cardholder data on removable media is encrypted wherever stored.</term>
+          <listitem>
+            <para>
+              As described in <xref linkend="vle-pcidss-encrypt-disk"/>, LUKS/dm-crypt provides
+              full-disk encryption that fulfills this requirement. Access to the stored data is
+              only possible via a decryption password that must be entered when the disk is
+              mounted.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-4">
+      <title>Requirement 4: Encrypt transmission of cardholder data across open, public networks</title>
       <para>
-       For more information about Zypper, see
-       <phrase os="sles;sled;osuse"><xref linkend="sec-zypper"/>.</phrase>
-       <phrase os="article"><citetitle>&productnamex; Administration Guide,
-       Chapter Managing Software with Command Line Tools, Section Using
-       Zypper</citetitle>.</phrase>
+        Cardholder data must be encrypted during transmissions over insecure networks. Ideally,
+        encrypt all traffic, externally and internally. This makes it hard for attackers to gain
+        inside information and privileged access to the cardholder data environment.
+      </para>
+      <variablelist>
+        <varlistentry>
+          <term>4.1 Use strong cryptography and security protocols (for example, TLS, IPsec, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: (1) Only trusted keys and certificates are accepted, (2) The protocol in use only supports secure versions or configurations, (3) The encryption strength is appropriate for the encryption methodology in use.</term>
+          <listitem>
+            <para>
+              Any connection that transmits sensitive information must be protected against
+              eavesdropping and tampering.
+            </para>
+            <para>
+              For incoming client requests, use the HTTPS protocol with a secure TLS connection.
+              The authentication is done with a public X.509 certificate that proves to a certain
+              level that the server is the right endpoint the customer is looking for.
+            </para>
+            <para>
+              &productnamex; comes with a set of services and tools that allow protected HTTPS
+              connections. For example, this can be done directly with the Apache HTTP Server or
+              via <command>stunnel</command>, which functions as a proxy to offer TLS encryption
+              functionality.
+            </para>
+            <para>
+              IPsec or other VPN technologies can be used for securing the connection between
+              network segments that are connected via a public network. Such connections can also
+              be secured with a public X.509 certificate. For internal usage, it is possible to use
+              a private Certificate Authority (CA) to sign X.509 certificates and to keep track of
+              trusted keys.
+            </para>
+            <para>
+              In &productnamex;, this can be established directly with
+              <phrase role="productname">strongSwan</phrase>, which is a IPsec-based VPN solution,
+              or with OpenVPN, which uses a custom security protocol.
+            </para>
+            <para>
+              To administrate the OS, use SSH. For information about configuring SSH to provide
+              better security, see <xref linkend="sec-pcidss-requirement-1"/> and
+              <xref linkend="sec-pcidss-requirement-2"/>.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-5">
+      <title>Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs</title>
+      <para>
+        For &pcidssa; compliance, it is necessary to protect against malicious software.
+        Third-party anti-virus software is available from the major anti-virus software vendors and
+        can be integrated into the Linux environment. &productnamex; comes with the open source
+        anti-virus engine &clamav;.
       </para>
-      </listitem>
-     </varlistentry>
-    </variablelist>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-7">
-    <title>Requirement 7: Restrict access to cardholder data by business need to know</title>
-    <para>
-     OS access control is a complex topic. Again, this &pcidssa; requirement
-     is not specified precisely and does not specifically state to what
-     degree the restrictions need to be implemented.
-     &productnamex; comes with all general Linux tools to limit and
-     restrict access to certain system areas and components:
-    </para>
-    <itemizedlist>
-     <listitem>
       <para>
-       Access can be controlled via specific users and groups of users by using
-       the traditional Unix permission settings.
+        &clamav; has a limited set of scanning capabilities and limited performance compared to
+        third-party products. Hence, expect &clamav; to only provide basic protection.
       </para>
       <para>
-       For information about managing permissions, see
-       <phrase os="sles;sled;osuse"><xref linkend="cha-security-acls"/>.</phrase>
-       <phrase os="article"><citetitle>&productnamex; Security Guide,
-       Chapter Access Control Lists in Linux</citetitle>.</phrase>
+        On the other hand, &clamav; is shipped with &productnamex; and it can be included during
+        server installation. This makes it easy to fulfill this requirement, but the drawbacks
+        compared to third-party products need to be understood.
       </para>
-     </listitem>
-     <listitem>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-6">
+      <title>Requirement 6: Develop and maintain secure systems and applications</title>
       <para>
-       A more flexible mechanism for file systems are Access Control Lists
-       (ACLs), which offer a more granular approach. &selnx; can be used for
-       maximum system separation and to prevent processes from gaining more
-       resources and access than allowed.
-       &selnx; and &aa; are beyond the scope of this document but should be
-       employed to protect critical systems that are likely to be targeted.
+        The major part of this requirement concerns in-house software development, documentation
+        and design questions that are beyond the scope of this document. However, &productnamex;
+        provides tools that help keep your systems safe:
       </para>
       <itemizedlist>
-       <listitem>
-        <para>
-         For information about &selnx;, see
-         <phrase os="sles;sled;osuse"><xref linkend="cha-selinux"/>.</phrase>
-         <phrase os="article"><citetitle>&productnamex; Security Guide,
-         Chapter Configuring &selnx;</citetitle>.</phrase>
-        </para>
-       </listitem>
-       <listitem>
-        <para>
-         For information about &aa;, see
-         <phrase os="sles;sled;osuse"><xref linkend="part-apparmor"/>.</phrase>
-         <phrase os="article"><citetitle>&productnamex; Security Guide,
-         Part Confining Privileges with &aa;</citetitle>.</phrase>
-        </para>
-       </listitem>
+        <listitem>
+          <para>
+            The software package manager Zypper is a powerful instrument of &productnamex;. Among
+            other things, it resolves dependencies of packages, products, patterns, and patches,
+            has a locking mechanism to prevent package installation, and provides a complete update
+            stack to keep the system up-to-date and protected against known security issues.
+          </para>
+          <para>
+            <command>zypper</command> is part of any &productnamex; installation and has direct
+            access to the update repositories after system registration.
+          </para>
+          <para>
+            For information about Zypper, see
+            <phrase os="sles;sled;osuse"><xref linkend="sec-zypper"/>.</phrase>
+            <phrase os="article"><citetitle>&productnamex; Administration Guide, Chapter Managing
+            Software with Command Line Tools, Section Using Zypper</citetitle>.</phrase>
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            For system management, &suse; provides &susemgr;, which provides an efficient way to
+            keep systems up-to-date. It offers seamless management of both &productnamex; and
+            &rhel; client systems. This is particularly useful in larger system environments, when
+            you need to check the current update status of each system and to react to known
+            security risks.
+          </para>
+          <para>
+            For information about &susemgr;, see the
+            <link xlink:href="https://documentation.suse.com/suma/">&susemgr; documentation
+            page</link>.
+          </para>
+        </listitem>
       </itemizedlist>
-     </listitem>
-    </itemizedlist>
-    <variablelist>
-     <varlistentry>
-      <term>
-       7.1.2 Restrict access to privileged user IDs to least privileges
-       necessary to perform job responsibilities.
-      </term>
-      <listitem>
-       <para>
-        The standard Unix permissions allow setting Read, Write, and
-        Execution flags for user and group IDs. A general group called
-        <systemitem class="groupname">others</systemitem> or
-        <systemitem class="groupname">world</systemitem> defines the access
-        for users that do not fit into the first two groups. This provides a
-        straightforward way to grant or deny access to file system resources.
-       </para>
-       <para>
-        ACLs provide an extra level of restrictions. It is possible to set
-        read-write access for one user ID and only read access for a second
-        one. The same goes for group IDs.
-       </para>
-       <para>
-        The commands <command>getfacl</command> and
-        <command>setfacl</command> (on &productnamex; shipped with the package
-        <package>acl</package>) allow direct modification of file system
-        resources. For example, to check and set ACL restrictions of the file
-        <filename>/tmp/test.txt</filename> for the user &exampleuserII;:
-       </para>
+      <variablelist>
+        <varlistentry>
+          <term>6.2.a Examine policies and procedures related to security patch installation to verify processes are defined for: (1) Installation of applicable critical vendor-supplied security patches within one month of release, (2) Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).</term>
+          <listitem>
+            <para>
+              To identify patches that need to be installed to secure your system, do the
+              following:
+            </para>
+            <para>
+              First, refresh all software repositories, so you have up-to-date information:
+            </para>
+<screen>&prompt.sudo;<command>zypper refresh</command></screen>
+            <para>
+              Then use the patch-related commands of Zypper:
+            </para>
+            <itemizedlist>
+              <listitem>
+                <para>
+                  Search for important security fixes that have not yet been installed:
+                </para>
+<screen>&prompt.user;<command>zypper list-patches --category security --severity important</command></screen>
+              </listitem>
+              <listitem>
+                <para>
+                  It is also possible to search for CVE or SUSE Bugzilla numbers. By default, only
+                  necessary patches are listed by this command. To also show patches that have
+                  already been installed, use the parameter <option>--all</option>:
+                </para>
+<screen>&prompt.user;z<command>ypper list-patches --all --cve=CVE-2016-4957</command></screen>
+              </listitem>
+              <listitem>
+                <para>
+                  To list details of individual patches, use the <command>patch-info</command>
+                  subcommand:
+                </para>
+<screen>&prompt.user;<command>zypper patch-info SUSE-SLE-Product-SLES-15-SP3-2021-2126</command></screen>
+              </listitem>
+              <listitem>
+                <para>
+                  To install only important security patches, use the <command>patch</command>
+                  subcommand:
+                </para>
+<screen>&prompt.sudo;<command>zypper patch --category security --severity important</command></screen>
+              </listitem>
+            </itemizedlist>
+            <para>
+              To perform updates automatically, the parameter <option>--non-interactive</option>,
+              which is supported by all Zypper subcommands, is helpful.
+            </para>
+            <para>
+              For more information about Zypper, see
+              <phrase os="sles;sled;osuse"><xref linkend="sec-zypper"/>.</phrase>
+              <phrase os="article"><citetitle>&productnamex; Administration Guide, Chapter Managing
+              Software with Command Line Tools, Section Using Zypper</citetitle>.</phrase>
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-7">
+      <title>Requirement 7: Restrict access to cardholder data by business need to know</title>
+      <para>
+        OS access control is a complex topic. Again, this &pcidssa; requirement is not specified
+        precisely and does not specifically state to what degree the restrictions need to be
+        implemented. &productnamex; comes with all general Linux tools to limit and restrict access
+        to certain system areas and components:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            Access can be controlled via specific users and groups of users by using the
+            traditional Unix permission settings.
+          </para>
+          <para>
+            For information about managing permissions, see
+            <phrase os="sles;sled;osuse"><xref linkend="cha-security-acls"/>.</phrase>
+            <phrase os="article"><citetitle>&productnamex; Security Guide, Chapter Access Control
+            Lists in Linux</citetitle>.</phrase>
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            A more flexible mechanism for file systems are Access Control Lists (ACLs), which offer
+            a more granular approach. &selnx; can be used for maximum system separation and to
+            prevent processes from gaining more resources and access than allowed. &selnx; and &aa;
+            are beyond the scope of this document but should be employed to protect critical
+            systems that are possible targets.
+          </para>
+          <itemizedlist>
+            <listitem>
+              <para>
+                For information about &selnx;, see
+                <phrase os="sles;sled;osuse"><xref linkend="cha-selinux"/>.</phrase>
+                <phrase os="article"><citetitle>&productnamex; Security Guide, Chapter Configuring
+                &selnx;</citetitle>.</phrase>
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                For information about &aa;, see
+                <phrase os="sles;sled;osuse"><xref linkend="part-apparmor"/>.</phrase>
+                <phrase os="article"><citetitle>&productnamex; Security Guide, Part Confining
+                Privileges with &aa;</citetitle>.</phrase>
+              </para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </itemizedlist>
+      <variablelist>
+        <varlistentry>
+          <term>7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.</term>
+          <listitem>
+            <para>
+              The standard Unix permissions allow setting Read, Write and Execution flags for user
+              and group IDs. A general group called
+              <systemitem class="groupname">others</systemitem> or
+              <systemitem class="groupname">world</systemitem> defines the access for users that do
+              not fit into the first two groups. This provides a straightforward way to grant or
+              deny access to file system resources.
+            </para>
+            <para>
+              ACLs provide an extra level of restrictions. It is possible to set read-write access
+              for one user ID and only read access for a second one. The same goes for group IDs.
+            </para>
+            <para>
+              The commands <command>getfacl</command> and <command>setfacl</command> (on
+              &productnamex; shipped with the package <package>acl</package>) allow direct
+              modification of file system resources. For example, to check and set ACL restrictions
+              of the file <filename>/tmp/test.txt</filename> for the user &exampleuserII;:
+            </para>
 <screen>
 &prompt.user;<command>getfacl /tmp/test.txt</command>
 # file: /tmp/test.txt
@@ -1172,264 +1035,240 @@ group::r--
 mask::r--
 other::r--
 </screen>
-       <para>
-        Standard Unix permissions include the so-called Sticky Bit. This
-        allows the execution of certain programs with higher privileges than
-        the user who is executing those programs. The best example of this
-        is the <command>passwd</command> tool, which needs to modify
-        <filename>/etc/shadow</filename> to change the user password.
-       </para>
-       <para>
-        For a more gradual approach to explicitly allowing certain operations
-        or behaviors to binaries, use extended capabilities. As an example of
-        a command that uses extended capabilities by default, consider
-        <command>ping</command> (from the package <package>iputils</package>).
-       </para>
-       <para>
-        <command>ping</command> sends ICMP IP packets over the
-        network card. To do so, it needs the
-        <literal>CAP_NET_RAW</literal> capability to be Effective and
-        Permitted (<literal>+ep</literal>):
-       </para>
+            <para>
+              Standard Unix permissions include the so-called Sticky Bit. This allows the execution
+              of certain programs with higher privileges than the user who is executing those
+              programs. The best example of this is the <command>passwd</command> tool, which needs
+              to modify <filename>/etc/shadow</filename> to change the user password.
+            </para>
+            <para>
+              For a more gradual approach to explicitly allowing certain operations or behaviors to
+              binaries, use extended capabilities. As an example of a command that uses extended
+              capabilities by default, consider <command>ping</command> (from the package
+              <package>iputils</package>).
+            </para>
+            <para>
+              <command>ping</command> sends ICMP IP packets over the network card. To do so, it
+              needs the <literal>CAP_NET_RAW</literal> capability to be Effective and Permitted
+              (<literal>+ep</literal>):
+            </para>
 <screen>
 &prompt.sudo;<command>getcap /usr/bin/ping</command>
 /usr/bin/ping = cap_net_raw+ep
 </screen>
-       <para>
-        Login access control to the system can be managed using Pluggable
-        Authentication Modules (PAM). There are several modules
-        available in &productnamex; that allow setups such as
-        logging the login time, multiple authentication mechanisms, and
-        central databases like NIS, LDAP, or &ad;.
-       </para>
+            <para>
+              Login access control to the system can be managed using Pluggable Authentication
+              Modules (PAM). There are several modules available in &productnamex; that allow
+              setups such as logging the login time, multiple authentication mechanisms, and
+              central databases like NIS, LDAP or &ad;.
+            </para>
+            <para>
+              For more information about managing permissions, see
+              <phrase os="sles;sled;osuse"><xref linkend="cha-security-acls"/>.</phrase>
+              <phrase os="article"><citetitle>&productnamex; Security Guide, Chapter Access Control
+              Lists in Linux</citetitle>.</phrase>
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-8">
+      <title>Requirement 8: Identify and authenticate access to system components</title>
       <para>
-       For more information about managing permissions, see
-       <phrase os="sles;sled;osuse"><xref linkend="cha-security-acls"/>.</phrase>
-       <phrase os="article"><citetitle>&productnamex; Security Guide,
-       Chapter Access Control Lists in Linux</citetitle>.</phrase>
+        Ideally, use a central database with user information and a unique identifier (UID) to
+        grant or deny access to certain system components. This makes it easy to give
+        administrators special access to a group of servers or a database engineer permission for a
+        certain DBMS system.
       </para>
-      </listitem>
-     </varlistentry>
-    </variablelist>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-8">
-    <title>Requirement 8: Identify and authenticate access to system components</title>
-    <para>
-     Ideally, use a central database with user information and a unique
-     identifier (UID) to grant or deny access to certain system components.
-     This makes it easy to give administrators special access to a group of
-     servers or a database engineer permission for a certain DBMS system.
-    </para>
-    <para>
-     On a stand-alone server, unique identifiers are managed via the
-     standard Linux user and group IDs. These are listed in
-     <filename>/etc/passwd</filename> and <filename>/etc/group</filename>.
-    </para>
-    <variablelist>
-     <varlistentry xml:id="vle-pcidss-disable-user">
-      <term>
-       8.1.4 Remove/disable inactive user accounts within 90 days.
-      </term>
-      <listitem>
       <para>
-       In this context, there are many advantages to using a centralized
-       infrastructure for user accounts like NIS, LDAP, or &ad;:
+        On a stand-alone server, unique identifiers are managed via the standard Linux user and
+        group IDs. These are listed in <filename>/etc/passwd</filename> and
+        <filename>/etc/group</filename>.
       </para>
-      <itemizedlist>
-       <listitem>
-        <para>
-         It is easy to identify and automatically disable inactive accounts.
-        </para>
-       </listitem>
-       <listitem>
-        <para>
-         User accounts only need to be disabled in one place. After their
-         access is revoked, the user cannot use any service that relies on
-         the centralized account infrastructure.
-        </para>
-       </listitem>
-      </itemizedlist>
+      <variablelist>
+        <varlistentry xml:id="vle-pcidss-disable-user">
+          <term>8.1.4 Remove or disable inactive user accounts within 90 days.</term>
+          <listitem>
+            <para>
+              In this context, there are many advantages to using a centralized infrastructure for
+              user accounts like NIS, LDAP or &ad;:
+            </para>
+            <itemizedlist>
+              <listitem>
+                <para>
+                  It is easy to identify and automatically disable inactive accounts.
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  User accounts only need to be disabled in one place. After their access is
+                  revoked, the user cannot use any service that relies on the centralized account
+                  infrastructure.
+                </para>
+              </listitem>
+            </itemizedlist>
+            <para>
+              However, if you are using local accounts, these can be checked for inactivity when a
+              user is logging in. This module checks the last login time recorded in
+              <filename>/var/log/lastlog</filename> and calculates the number of days since. By
+              default, access is denied when the inactivity reaches 90 days.
+            </para>
+            <para>
+              To list the local account's last login time use the command
+              <command>lastlog</command>.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry xml:id="vle-pcidss-lock-user">
+          <term>8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.</term>
+          <listitem>
+            <para>
+              As stated in <xref linkend="vle-pcidss-disable-user"/>, a centralized account
+              infrastructure has capability. On &productnamex; systems, access attempts can be
+              checked and limited with the <systemitem>pam_tally2</systemitem> PAM module. The
+              module is executed during login time and checks the recorded failed attempts since
+              the last successful login. To check and reset the account status, use the tool
+              <command>pam_tally2</command>.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.</term>
+          <listitem>
+            <para>
+              The PAM module <systemitem>pam_tally2</systemitem> described in
+              <xref linkend="vle-pcidss-lock-user"/> can be used to lock an account for a given
+              time after a failed login attempt. The parameter <literal>unlock_time=1800</literal>
+              must be specified in the PAM configuration. By default, only the administrator can
+              reactivate a locked account.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry xml:id="vle-pcidss-multi-factor-local">
+          <term>8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.</term>
+          <listitem>
+            <para>
+              To authenticate users for administrative access with multiple factors, use the
+              following methods:
+            </para>
+            <itemizedlist>
+              <listitem>
+                <para>
+                  Use Pluggable Authentication Modules (PAM): This increases flexibility when
+                  adding new methods to the authentication process and when adjusting it.
+                </para>
+                <para>
+                  For third-party one-time password (OTP) products, there is usually also a Linux
+                  PAM module available.
+                </para>
+                <para>
+                  For information about PAM, see
+                  <phrase os="sles;sled;osuse"><xref linkend="cha-pam"/>.</phrase>
+                  <phrase os="article"><citetitle>&productnamex; Security Guide, Chapter
+                  Authentication with PAM</citetitle>.</phrase>
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  To add multi-factor authentication for SSH connections, mandate use of public
+                  keys in addition to passwords.
+                </para>
+                <para>
+                  To connect to a system, it is then necessary to prove possession of an
+                  appropriate private key. At the second stage, you then enter a password. This
+                  means attackers need to acquire a private key before they can even try to
+                  brute-force a password prompt.
+                </para>
+              </listitem>
+            </itemizedlist>
+          </listitem>
+        </varlistentry>
+        <varlistentry xml:id="vle-pcidss-multi-factor-remote">
+          <term>8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.</term>
+          <listitem>
+            <para>
+              For details, see <xref linkend="vle-pcidss-multi-factor-local"/>.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-9">
+      <title>Requirement 9: Restrict physical access to cardholder data</title>
       <para>
-       However, if you are using local accounts, these can be checked for
-       inactivity when a user is logging in. This module checks the last
-       login time recorded in <filename>/var/log/lastlog</filename> and
-       calculates the number of days since.
-       By default, access is denied when the inactivity reaches 90 days.
+        Physical access to systems that are involved in processing cardholder data is not within
+        the scope of general operating system security. Appropriate facility entry controls must be
+        in place to allow on-site personnel and visitors to access systems directly.
       </para>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-10">
+      <title>Requirement 10: Track and monitor all access to network resources and cardholder data</title>
       <para>
-       To list the local account's last login time use the command
-       <command>lastlog</command>.
+        To track user activities, it is important to have a synchronized time reference. This is
+        done via the NTP protocol, which allows servers to keep their local time in synchronization
+        with a central system. The central NTP server inside the cardholder data environment (CDE)
+        should not rely on external connections to the Internet to update the system time.
+        Alternatively, system time can be updated using DCF77 radio transmissions or a GPS
+        receiver.
       </para>
-      </listitem>
-     </varlistentry>
-     <varlistentry xml:id="vle-pcidss-lock-user">
-      <term>
-       8.1.6 Limit repeated access attempts by locking out the user ID after
-       not more than six attempts.
-      </term>
-      <listitem>
-       <para>
-        As stated in <xref linkend="vle-pcidss-disable-user"/>, a centralized
-        account infrastructure will have this capability. On &productnamex;
-        systems, access attempts can be checked and limited with
-        the <systemitem>pam_tally2</systemitem> PAM module. The module is
-        executed during login time and checks the recorded failed attempts
-        since the last successful login. To check and reset the account
-        status, use the tool <command>pam_tally2</command>.
-       </para>
-      </listitem>
-     </varlistentry>
-     <varlistentry>
-      <term>
-       8.1.7 Set the lockout duration to a minimum of 30 minutes or until an
-       administrator enables the user ID.
-      </term>
-      <listitem>
-       <para>
-        The PAM module <systemitem>pam_tally2</systemitem> described
-        in <xref linkend="vle-pcidss-lock-user"/> can be used to lock an
-        account for a given time after a failed login attempt. The parameter
-        <literal>unlock_time=1800</literal> must be specified in the PAM
-        configuration. By default, only the administrator can
-        reactivate a locked account.
-       </para>
-      </listitem>
-     </varlistentry>
-     <varlistentry xml:id="vle-pcidss-multi-factor-local">
-      <term>
-       8.3.1 Incorporate multi-factor authentication for all non-console access
-       into the CDE for personnel with administrative access.
-      </term>
-      <listitem>
-       <para>
-        To authenticate users for administrative access with multiple
-        factors, use the following methods:
-       </para>
-       <itemizedlist>
-        <listitem>
-         <para>
-          Use Pluggable Authentication Modules (PAM): This increases
-          flexibility when adding new methods to the authentication process
-          and when adjusting it.
-         </para>
-         <para>
-          For third-party one-time password (OTP) products, there is usually
-          also a Linux PAM module available.
-         </para>
-         <para>
-          For information about PAM, see
-          <phrase os="sles;sled;osuse"><xref linkend="cha-pam"/>.</phrase>
-          <phrase os="article"><citetitle>&productnamex; Security Guide,
-          Chapter Authentication with PAM</citetitle>.</phrase>
-         </para>
-        </listitem>
-        <listitem>
-         <para>
-          To add multi-factor authentication for SSH connections, mandate use
-          of public keys in addition to passwords.
-         </para>
-         <para>
-          To connect to a system, it is then necessary to prove possession of
-          an appropriate private key. At the second stage, you then enter a
-          password. This means attackers need to acquire a private key before
-          they can even try to brute-force a password prompt.
-         </para>
-        </listitem>
-       </itemizedlist>
-      </listitem>
-     </varlistentry>
-     <varlistentry xml:id="vle-pcidss-multi-factor-remote">
-      <term>
-       8.3.2 Incorporate multi-factor authentication for all remote network
-       access (both user and administrator, and including third-party access
-       for support or maintenance) originating from outside the entity’s
-       network.
-      </term>
-      <listitem>
-       <para>
-        For details, see <xref linkend="vle-pcidss-multi-factor-local"/>.
-       </para>
-      </listitem>
-     </varlistentry>
-    </variablelist>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-9">
-    <title>Requirement 9: Restrict physical access to cardholder data</title>
-    <para>
-     Physical access to systems that are involved in processing cardholder
-     data are not within the scope of general operating system security.
-     Appropriate facility entry controls must be in place to
-     allow on-site personnel and visitors to access systems directly.
-    </para>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-10">
-    <title>Requirement 10: Track and monitor all access to network resources and cardholder data</title>
-    <para>
-     To track user activities, it is important to have a synchronized time
-     reference. This is done via the NTP protocol, which allows servers to keep
-     their local time in synchronization with a central system. The central
-     NTP server
-     inside the cardholder data environment (CDE) should not rely on
-     external connections to the Internet to update the system time.
-     Alternatively, system time can be updated using DCF77 radio
-     transmissions or a GPS receiver.
-    </para>
-    <para>
-     A synchronized time reference makes it easier to correlate events inside
-     recorded log files. This reference can include general system log
-     entries collected by a central system log server or kernel audit
-     messages by the daemon <systemitem class="daemon">audit</systemitem>.
-    </para>
-    <para>
-     For information about auditing, see
-     <phrase os="sles;sled;osuse"><xref linkend="part-audit"/>.</phrase>
-     <phrase os="article"><citetitle>&productnamex;, Security Guide,
-     Part &auditguide;</citetitle>.</phrase>
-    </para>
-    <para>
-     All auditing requirements from this section can be fulfilled by defining
-     centrally stored auditing rules.
-    </para>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-11">
-    <title>Requirement 11: Regularly test security systems and processes</title>
-    <para>
-     Testing the discussed security mechanisms is also a key requirement for
-     &pcidssa;. Evaluating the configurations and testing logging mechanisms
-     can protect against known security risks and ensure that essential
-     information is available to identify possible security breaches.
-     Testing capabilities should be considered during system
-     design, before installation and deployment.
-    </para>
-    <para>
-     To keep track of system integrity, &productnamex; comes with the Advanced
-     Intrusion Detection Environment (&aide;). &aide; creates a hash value
-     database of all relevant OS files. After initialization, it can be used
-     to verify the integrity of all previously saved files. To employ AIDE,
-     it is best to regularly create database snapshots and save them to a
-     central system on which you can evaluate possible modifications.
-    </para>
-    <para>
-     For more information about &aide;, see
-     <phrase os="sles;sled;osuse"><xref linkend="cha-aide"/>.</phrase>
-     <phrase os="article"><citetitle>&productnamex; Security Guide,
-     Chapter Intrusion Detection with &aide;</citetitle>.</phrase>
-    </para>
-   </sect2>
-   <sect2 xml:id="sec-pcidss-requirement-12">
-    <title>Requirement 12: Maintain a policy that addresses information security for all personnel</title>
-    <para>
-     Any organization that handles valuable information should
-     have a general security policy. All relevant aspects should be
-     included to make it clear for employees and stakeholders what the possible
-     risks are and how to avoid them.
-    </para>
-    <para>
-     All security policies should also be evaluated regularly and adjusted to
-     keep the protection level as high as possible.
-    </para>
-   </sect2>
- </sect1>
- <xi:include href="common_copyright_quick.xml"/>
- <xi:include href="common_license_gfdl1.2.xml"/>
+      <para>
+        A synchronized time reference makes it easier to correlate events inside recorded log
+        files. This reference can include general system log entries collected by a central system
+        log server or kernel audit messages by the daemon
+        <systemitem class="daemon">audit</systemitem>.
+      </para>
+      <para>
+        For information about auditing, see
+        <phrase os="sles;sled;osuse"><xref linkend="part-audit"/>.</phrase>
+        <phrase os="article"><citetitle>&productnamex;, Security Guide, Part
+        &auditguide;</citetitle>.</phrase>
+      </para>
+      <para>
+        All auditing requirements from this section can be fulfilled by defining centrally stored
+        auditing rules.
+      </para>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-11">
+      <title>Requirement 11: Regularly test security systems and processes</title>
+      <para>
+        Testing the discussed security mechanisms is also a key requirement for &pcidssa;.
+        Evaluating the configurations and testing logging mechanisms can protect against known
+        security risks and ensure that essential information is available to identify possible
+        security breaches. Testing capabilities should be considered during system design, before
+        installation and deployment.
+      </para>
+      <para>
+        To keep track of system integrity, &productnamex; comes with the Advanced Intrusion
+        Detection Environment (&aide;). &aide; creates a hash value database of all relevant OS
+        files. After initialization, it can be used to verify the integrity of all previously saved
+        files. To employ AIDE, it is best to regularly create database snapshots and save them to a
+        central system on which you can evaluate possible modifications.
+      </para>
+      <para>
+        For more information about &aide;, see
+        <phrase os="sles;sled;osuse"><xref linkend="cha-aide"/>.</phrase>
+        <phrase os="article"><citetitle>&productnamex; Security Guide, Chapter Intrusion Detection
+        with &aide;</citetitle>.</phrase>
+      </para>
+    </sect2>
+
+    <sect2 xml:id="sec-pcidss-requirement-12">
+      <title>Requirement 12: Maintain a policy that addresses information security for all personnel</title>
+      <para>
+        Any organization that handles valuable information should have a general security policy.
+        All relevant aspects should be included to make it clear for employees and stakeholders
+        what the possible risks are and how to avoid them.
+      </para>
+      <para>
+        All security policies should also be evaluated regularly and adjusted to keep the
+        protection level as high as possible.
+      </para>
+    </sect2>
+  </sect1>
+  <xi:include href="common_copyright_quick.xml"/>
+  <xi:include href="common_license_gfdl1.2.xml"/>
 </article>