Capacity
1
20
Rule
Severity: High
Verify and Correct File Permissions with RPM
26
Rule
Severity: Medium
Install AIDE
20
Rule
Severity: Medium
Configure Periodic Execution of AIDE
15
Rule
Severity: High
Verify and Correct Ownership with RPM
29
Rule
Severity: Medium
Install the Host Intrusion Prevention System (HIPS) Module
22
Rule
Severity: Medium
Build and Test AIDE Database
13
Rule
Severity: Medium
Configure Notification of Post-AIDE Scan Details
27
Rule
Severity: Low
Ensure /var/log Located On Separate Partition
27
Rule
Severity: Low
Ensure /var/log/audit Located On Separate Partition
29
Rule
Severity: Medium
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
29
Rule
Severity: Medium
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
14
Rule
Severity: High
Install Intrusion Detection Software
29
Rule
Severity: Medium
Ensure Users Re-Authenticate for Privilege Escalation - sudo
20
Rule
Severity: Medium
Modify the System Login Banner
29
Rule
Severity: Low
Ensure PAM Displays Last Logon/Access Notification
17
Rule
Severity: Medium
Limit Password Reuse: password-auth
7
Rule
Severity: Medium
Install the Asset Configuration Compliance Module (ACCM)
7
Rule
Severity: Medium
Install the Policy Auditor (PA) Module
17
Rule
Severity: Medium
Limit Password Reuse: system-auth
18
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Different Categories
20
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Length
19
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
20
Rule
Severity: Medium
Set PAM''s Password Hashing Algorithm
18
Rule
Severity: Medium
Require Authentication for Emergency Systemd Target
18
Rule
Severity: Medium
Require Authentication for Single User Mode
22
Rule
Severity: Medium
Set Account Expiration Following Inactivity
30
Rule
Severity: Medium
Set Password Maximum Age
12
Rule
Severity: Medium
Require Encryption for Remote Access in GNOME3
13
Rule
Severity: Medium
Enable GNOME3 Screensaver Idle Activation
28
Rule
Severity: Medium
Set Password Minimum Age
29
Rule
Severity: Medium
Set Password Minimum Length in login.defs
10
Rule
Severity: Medium
Ensure Users Cannot Change GNOME3 Screensaver Idle Activation
13
Rule
Severity: Medium
Set GNOME3 Screensaver Inactivity Timeout
12
Rule
Severity: Medium
Set GNOME3 Screensaver Lock Delay After Activation Period
30
Rule
Severity: Medium
Set Password Warning Age
29
Rule
Severity: Medium
Verify All Account Password Hashes are Shadowed
30
Rule
Severity: Low
All GIDs referenced in /etc/passwd must be defined in /etc/group
15
Rule
Severity: Medium
Enable GNOME3 Screensaver Lock After Idle Period
11
Rule
Severity: Medium
Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
13
Rule
Severity: Medium
Implement Blank Screensaver
29
Rule
Severity: High
Prevent Login to Accounts With Empty Password
11
Rule
Severity: Medium
Ensure Users Cannot Change GNOME3 Screensaver Settings
13
Rule
Severity: Medium
Ensure Users Cannot Change GNOME3 Session Idle Settings
28
Rule
Severity: Medium
Verify No netrc Files Exist
30
Rule
Severity: High
Verify Only Root Has UID 0
29
Rule
Severity: Medium
Direct root Logins Not Allowed
21
Rule
Severity: Medium
Ensure that System Accounts Do Not Run a Shell Upon Login
23
Rule
Severity: Medium
Set Interactive Session Timeout
30
Rule
Severity: Medium
Enable auditd Service
30
Rule
Severity: Medium
Make the auditd Configuration Immutable
15
Rule
Severity: Medium
Enable GNOME3 Login Warning Banner
15
Rule
Severity: Medium
Set the GNOME3 Login Warning Banner Text
30
Rule
Severity: Medium
Record Events that Modify the System's Mandatory Access Controls
29
Rule
Severity: Medium
Ensure auditd Collects Information on Exporting to Media (successful)
30
Rule
Severity: Medium
Record Events that Modify the System's Network Environment
17
Rule
Severity: Medium
Limit Password Reuse
15
Rule
Severity: Medium
Lock Accounts After Failed Password Attempts
30
Rule
Severity: Medium
Record Attempts to Alter Process and Session Initiation Information
29
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions
12
Rule
Severity: Medium
Configure the root Account for Failed Password Attempts
14
Rule
Severity: Medium
Set Interval For Counting Failed Password Attempts
15
Rule
Severity: Medium
Set Lockout Time for Failed Password Attempts
29
Rule
Severity: Medium
Record Events that Modify User/Group Information
29
Rule
Severity: Medium
System Audit Logs Must Have Mode 0750 or Less Permissive
16
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
13
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Different Characters
16
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
12
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
40
Rule
Severity: Medium
System Audit Logs Must Be Owned By Root
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - chmod
12
Rule
Severity: Medium
Set Password Maximum Consecutive Repeating Characters
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - chown
16
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Special Characters
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchmod
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchmodat
16
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
14
Rule
Severity: Medium
Set Password Hashing Algorithm in /etc/libuser.conf
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchown
16
Rule
Severity: Medium
Set Password Hashing Algorithm in /etc/login.defs
13
Rule
Severity: Medium
Set PAM''s Password Hashing Algorithm - password-auth
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchownat
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lchown
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
5
Rule
Severity: Medium
Install the screen Package
14
Rule
Severity: Medium
Configure opensc Smart Card Drivers
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - removexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - setxattr
5
Rule
Severity: Medium
Configure NSS DB To Use opensc
14
Rule
Severity: Medium
Force opensc To Use Defined Smart Card Driver
23
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User
5
Rule
Severity: Medium
Enable Smart Card Login
11
Rule
Severity: Medium
Assign Expiration Date to Emergency Accounts
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - rename
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - renameat
16
Rule
Severity: Medium
Assign Expiration Date to Temporary Accounts
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - rmdir
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - unlink
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - unlinkat
23
Rule
Severity: Medium
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - creat
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - ftruncate
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - open
24
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - open_by_handle_at
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - openat
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - truncate
23
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Loading and Unloading
22
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
23
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
22
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Loading - init_module
29
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands
30
Rule
Severity: Medium
Record attempts to alter time through adjtimex
30
Rule
Severity: Medium
Record Attempts to Alter Time Through clock_settime
30
Rule
Severity: Medium
Record attempts to alter time through settimeofday
29
Rule
Severity: Medium
Record Attempts to Alter Time Through stime
29
Rule
Severity: Medium
Record Attempts to Alter the localtime File
19
Rule
Severity: Low
Enable Auditing for Processes Which Start Prior to the Audit Daemon
29
Rule
Severity: Medium
Configure auditd to use audispd's syslog plugin
59
Rule
Severity: Medium
Configure auditd Disk Error Action on Disk Error
59
Rule
Severity: Medium
Configure auditd Disk Full Action when Disk Space Is Full
27
Rule
Severity: Medium
Configure auditd mail_acct Action on Low Disk Space
30
Rule
Severity: Medium
Configure auditd admin_space_left Action on Low Disk Space
28
Rule
Severity: Medium
Configure auditd Max Log File Size
57
Rule
Severity: Medium
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
30
Rule
Severity: Medium
Configure auditd Number of Logs Retained
30
Rule
Severity: Medium
Configure auditd space_left Action on Low Disk Space
20
Rule
Severity: High
Set Boot Loader Password in grub2
12
Rule
Severity: Medium
Shutdown System When Auditing Failures Occur
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/group
27
Rule
Severity: Medium
Ensure rsyslog is Installed
28
Rule
Severity: Medium
Enable rsyslog Service
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/gshadow
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/security/opasswd
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/passwd
29
Rule
Severity: Medium
Ensure logrotate is Installed
29
Rule
Severity: Medium
Ensure Logrotate Runs Periodically
29
Rule
Severity: Medium
Ensure syslog-ng is Installed
29
Rule
Severity: Medium
Enable syslog-ng Service
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/shadow
30
Rule
Severity: Unknown
Enable rsyslog to Accept Messages via TCP, if Acting As Log Server
30
Rule
Severity: Unknown
Enable rsyslog to Accept Messages via UDP, if Acting As Log Server
27
Rule
Severity: Medium
Ensure Logs Sent To Remote Host
30
Rule
Severity: Medium
Verify ip6tables Enabled if Using IPv6
17
Rule
Severity: Medium
System Audit Logs Must Have Mode 0640 or Less Permissive
30
Rule
Severity: Medium
Verify iptables Enabled
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
19
Rule
Severity: Medium
Disable Kernel Parameter for IPv6 Forwarding
22
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
20
Rule
Severity: Medium
Disable Accepting ICMP Redirects for All IPv4 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
20
Rule
Severity: Unknown
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
22
Rule
Severity: Medium
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
17
Rule
Severity: Medium
Record Any Attempts to Run chcon
22
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
14
Rule
Severity: Medium
Record Any Attempts to Run restorecon
21
Rule
Severity: Medium
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
14
Rule
Severity: Medium
Record Any Attempts to Run semanage
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
14
Rule
Severity: Medium
Record Any Attempts to Run setsebool
20
Rule
Severity: Unknown
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
20
Rule
Severity: Medium
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
20
Rule
Severity: Medium
Configure Kernel Parameter for Accepting Secure Redirects By Default
22
Rule
Severity: Medium
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
22
Rule
Severity: Unknown
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
22
Rule
Severity: Medium
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
22
Rule
Severity: Medium
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
22
Rule
Severity: Medium
Ensure All Files Are Owned by a Group
11
Rule
Severity: Medium
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
11
Rule
Severity: Medium
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
11
Rule
Severity: Medium
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
11
Rule
Severity: Medium
Record Unsuccessful Creation Attempts to Files - open O_CREAT
11
Rule
Severity: Medium
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
11
Rule
Severity: Medium
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
11
Rule
Severity: Medium
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
11
Rule
Severity: Medium
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE
11
Rule
Severity: Medium
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - rename
23
Rule
Severity: Medium
Disable the Automounter
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - renameat
21
Rule
Severity: Medium
Disable Core Dumps for All Users
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - unlink
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - unlinkat
30
Rule
Severity: High
Ensure SELinux State is Enforcing
18
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events
20
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - faillock
23
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - lastlog
21
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - tallylog
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - chage
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
15
Rule
Severity: Medium
Disable Network Router Discovery Daemon (rdisc)
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
11
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - su
18
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
16
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - umount
17
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
14
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
13
Rule
Severity: Medium
Configure auditd admin_space_left on Low Disk Space
14
Rule
Severity: Medium
Configure auditd flush priority
29
Rule
Severity: High
Install the ntp service
27
Rule
Severity: Medium
Configure auditd space_left on Low Disk Space
29
Rule
Severity: Medium
Set SSH Client Alive Count Max to zero
12
Rule
Severity: High
Set the Boot Loader Admin Username to a Non-Default Value
29
Rule
Severity: Medium
Set SSH Client Alive Count Max
29
Rule
Severity: Medium
Set SSH Client Alive Interval
29
Rule
Severity: High
Allow Only SSH Protocol 2
30
Rule
Severity: Medium
Disable SSH Root Login
27
Rule
Severity: Medium
Enable SSH Warning Banner
29
Rule
Severity: High
Enable Encrypted X11 Forwarding
13
Rule
Severity: Medium
Ensure cron Is Logging To Rsyslog
29
Rule
Severity: Medium
Enable SSH Print Last Log
11
Rule
Severity: Medium
Enable logrotate Timer
16
Rule
Severity: Medium
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
14
Rule
Severity: Medium
Ensure System is Not Acting as a Network Sniffer
13
Rule
Severity: Medium
Verify Any Configured IPSec Tunnel Connections
19
Rule
Severity: Medium
Disable Modprobe Loading of USB Storage Driver
13
Rule
Severity: Medium
Ensure SELinux Not Disabled in the kernel arguments
16
Rule
Severity: Medium
Ensure SELinux Not Disabled in /etc/default/grub
11
Rule
Severity: Medium
Ensure No Device Files are Unlabeled by SELinux
17
Rule
Severity: Medium
Ensure No Daemons are Unconfined by SELinux
18
Rule
Severity: Medium
Configure SELinux Policy
5
Rule
Severity: Low
Install the psacct package
5
Rule
Severity: Low
Enable Process Accounting (psacct)
5
Rule
Severity: Unknown
Configure Logging
5
Rule
Severity: Low
Configure SMTP Greeting Banner
10
Rule
Severity: Medium
Mount Remote Filesystems with Kerberos Security
12
Rule
Severity: Medium
Use Kerberos Security on All Exports
30
Rule
Severity: Medium
Enable the NTP Daemon
16
Rule
Severity: High
Enable the NTP Daemon
17
Rule
Severity: Medium
Configure Time Service Maxpoll Interval
12
Rule
Severity: Medium
Specify Additional Remote NTP Servers
27
Rule
Severity: Medium
Specify a Remote NTP Server
14
Rule
Severity: Unknown
Specify Additional Remote NTP Servers
12
Rule
Severity: High
Disable rlogin Service
8
Rule
Severity: High
Disable rsh Service
12
Rule
Severity: High
Disable telnet Service
11
Rule
Severity: High
Ensure Default SNMP Password Is Not Used
11
Rule
Severity: Medium
Use Only FIPS 140-2 Validated Ciphers
11
Rule
Severity: Medium
Use Only FIPS 140-2 Validated MACs
7
Rule
Severity: Medium
Install the SSSD Package
8
Rule
Severity: Medium
Enable the SSSD Service
8
Rule
Severity: Medium
Configure PAM in SSSD Services
11
Rule
Severity: Medium
Configure SSSD's Memory Cache to Expire
17
Rule
Severity: Medium
Configure SSSD to Expire Offline Credentials
9
Rule
Severity: Medium
Configure SSSD to Expire SSH Known Hosts
5
Rule
Severity: Medium
Configure Logind to terminate idle sessions after certain time of inactivity
9
Rule
Severity: Medium
Install the tmux Package
6
Rule
Severity: Medium
System Audit Directories Must Be Group Owned By Root
6
Rule
Severity: Medium
System Audit Directories Must Be Owned By Root
11
Rule
Severity: Medium
System Audit Logs Must Be Group Owned By Root
1
Rule
Severity: Medium
The Kubernetes Audit Logs Directory Must Have Mode 0700
1
Rule
Severity: Medium
The OAuth Audit Logs Directory Must Have Mode 0700
1
Rule
Severity: Medium
The OpenShift Audit Logs Directory Must Have Mode 0700
1
Rule
Severity: Medium
Kubernetes Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
OAuth Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
OpenShift Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
Kubernetes Audit Logs Must Have Mode 0600
1
Rule
Severity: Medium
OAuth Audit Logs Must Have Mode 0600
1
Rule
Severity: Medium
OpenShift Audit Logs Must Have Mode 0600
1
Rule
Severity: Medium
Enable Auditing for Processes Which Start Prior to the Audit Daemon
2
Rule
Severity: Medium
Configure the root Account lock for Failed Password Attempts via pam_tally2
2
Rule
Severity: Medium
Set Lockout Time for Failed Password Attempts using pam_tally2
1
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd
6
Rule
Severity: High
Enable systemd_timesyncd Service
2
Rule
Severity: High
Install the systemd_timesyncd Service
2
Rule
Severity: Medium
Configure Systemd Timer Execution of AIDE
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules