Verify and Correct File Permissions with RPM
Configure Periodic Execution of AIDE
Verify and Correct Ownership with RPM
Install the Host Intrusion Prevention System (HIPS) Module
Build and Test AIDE Database
Configure Notification of Post-AIDE Scan Details
Install the dracut-fips-aesni Package
Ensure /home Located On Separate Partition
Ensure /tmp Located On Separate Partition
Ensure /var Located On Separate Partition
Ensure /var/log Located On Separate Partition
Ensure /var/log/audit Located On Separate Partition
Install the dracut-fips Package
Enable FIPS Mode in GRUB2
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
Install Intrusion Detection Software
Ensure Users Re-Authenticate for Privilege Escalation - sudo
Modify the System Login Banner
Ensure PAM Displays Last Logon/Access Notification
Limit Password Reuse: password-auth
Install the Asset Configuration Compliance Module (ACCM)
Limit Password Reuse: system-auth
Ensure PAM Enforces Password Requirements - Minimum Different Categories
Install the Policy Auditor (PA) Module
Ensure PAM Enforces Password Requirements - Minimum Length
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
Set PAM''s Password Hashing Algorithm
Require Authentication for Emergency Systemd Target
Require Authentication for Single User Mode
Disable the GNOME3 Login Restart and Shutdown Buttons
Set Account Expiration Following Inactivity
Require Encryption for Remote Access in GNOME3
Enable GNOME3 Screensaver Idle Activation
Set Password Minimum Length in login.defs
Ensure Users Cannot Change GNOME3 Screensaver Idle Activation
Set GNOME3 Screensaver Inactivity Timeout
Set GNOME3 Screensaver Lock Delay After Activation Period
Verify All Account Password Hashes are Shadowed
All GIDs referenced in /etc/passwd must be defined in /etc/group
Enable GNOME3 Screensaver Lock After Idle Period
Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
Implement Blank Screensaver
Prevent Login to Accounts With Empty Password
Ensure Users Cannot Change GNOME3 Screensaver Settings
Ensure Users Cannot Change GNOME3 Session Idle Settings
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
Verify No netrc Files Exist
Verify Only Root Has UID 0
Direct root Logins Not Allowed
Ensure that System Accounts Do Not Run a Shell Upon Login
Restrict Serial Port Root Logins
Restrict Virtual Console Root Logins
Limit the Number of Concurrent Login Sessions Allowed Per User
Set Interactive Session Timeout
Ensure that User Home Directories are not Group-Writable or World-Readable
Make the auditd Configuration Immutable
Enable GNOME3 Login Warning Banner
Set the GNOME3 Login Warning Banner Text
Record Events that Modify the System's Mandatory Access Controls
Ensure auditd Collects Information on Exporting to Media (successful)
Record Events that Modify the System's Network Environment
Lock Accounts After Failed Password Attempts
Record Attempts to Alter Process and Session Initiation Information
Ensure auditd Collects System Administrator Actions
Configure the root Account for Failed Password Attempts
Set Interval For Counting Failed Password Attempts
Set Lockout Time for Failed Password Attempts
Record Events that Modify User/Group Information
System Audit Logs Must Have Mode 0750 or Less Permissive
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
Ensure PAM Enforces Password Requirements - Minimum Different Characters
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
System Audit Logs Must Be Owned By Root
Record Events that Modify the System's Discretionary Access Controls - chmod
Set Password Maximum Consecutive Repeating Characters
Record Events that Modify the System's Discretionary Access Controls - chown
Ensure PAM Enforces Password Requirements - Minimum Special Characters
Record Events that Modify the System's Discretionary Access Controls - fchmod
Record Events that Modify the System's Discretionary Access Controls - fchmodat
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
Set Password Hashing Algorithm in /etc/libuser.conf
Record Events that Modify the System's Discretionary Access Controls - fchown
Set Password Hashing Algorithm in /etc/login.defs
Set PAM''s Password Hashing Algorithm - password-auth
Record Events that Modify the System's Discretionary Access Controls - fchownat
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
Disable Ctrl-Alt-Del Burst Action
Disable Ctrl-Alt-Del Reboot Activation
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
Verify that Interactive Boot is Disabled
Record Events that Modify the System's Discretionary Access Controls - lchown
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
Install the screen Package
Configure opensc Smart Card Drivers
Record Events that Modify the System's Discretionary Access Controls - removexattr
Record Events that Modify the System's Discretionary Access Controls - setxattr
Configure NSS DB To Use opensc
Force opensc To Use Defined Smart Card Driver
Ensure auditd Collects File Deletion Events by User
Assign Expiration Date to Emergency Accounts
Ensure auditd Collects File Deletion Events by User - rename
Ensure auditd Collects File Deletion Events by User - renameat
Assign Expiration Date to Temporary Accounts
Ensure auditd Collects File Deletion Events by User - rmdir
Ensure auditd Collects File Deletion Events by User - unlink
Ensure auditd Collects File Deletion Events by User - unlinkat
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
Record Unsuccessful Access Attempts to Files - creat
Record Unsuccessful Access Attempts to Files - ftruncate
Record Unsuccessful Access Attempts to Files - open
Record Unsuccessful Access Attempts to Files - open_by_handle_at
Record Unsuccessful Access Attempts to Files - openat
Record Unsuccessful Access Attempts to Files - truncate
Ensure auditd Collects Information on Kernel Module Loading and Unloading
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
Ensure auditd Collects Information on Kernel Module Loading - init_module
Ensure auditd Collects Information on the Use of Privileged Commands
Record attempts to alter time through adjtimex
Record Attempts to Alter Time Through clock_settime
Record attempts to alter time through settimeofday
Record Attempts to Alter Time Through stime
Record Attempts to Alter the localtime File
Enable Auditing for Processes Which Start Prior to the Audit Daemon
Configure auditd to use audispd's syslog plugin
Configure auditd Disk Error Action on Disk Error
Configure auditd Disk Full Action when Disk Space Is Full
Configure auditd mail_acct Action on Low Disk Space
Configure auditd admin_space_left Action on Low Disk Space
Configure auditd Max Log File Size
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Configure auditd Number of Logs Retained
Configure auditd space_left Action on Low Disk Space
Verify /boot/grub2/grub.cfg Group Ownership
Verify /boot/grub2/grub.cfg User Ownership
Verify /boot/grub2/grub.cfg Permissions
Set Boot Loader Password in grub2
Shutdown System When Auditing Failures Occur
Verify the UEFI Boot Loader grub.cfg Group Ownership
Verify the UEFI Boot Loader grub.cfg User Ownership
Verify the UEFI Boot Loader grub.cfg Permissions
Set the UEFI Boot Loader Password
Record Events that Modify User/Group Information - /etc/group
Ensure rsyslog is Installed
Record Events that Modify User/Group Information - /etc/gshadow
Record Events that Modify User/Group Information - /etc/security/opasswd
Ensure Log Files Are Owned By Appropriate Group
Record Events that Modify User/Group Information - /etc/passwd
Ensure Log Files Are Owned By Appropriate User
Ensure logrotate is Installed
Ensure Logrotate Runs Periodically
Ensure syslog-ng is Installed
Record Events that Modify User/Group Information - /etc/shadow
Enable rsyslog to Accept Messages via TCP, if Acting As Log Server
Enable rsyslog to Accept Messages via UDP, if Acting As Log Server
Ensure Logs Sent To Remote Host
Install libreswan Package
Verify ip6tables Enabled if Using IPv6
System Audit Logs Must Have Mode 0640 or Less Permissive
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
Disable Kernel Parameter for IPv6 Forwarding
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
Disable Accepting ICMP Redirects for All IPv4 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
Record Any Attempts to Run chcon
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
Record Any Attempts to Run restorecon
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
Record Any Attempts to Run semanage
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
Record Any Attempts to Run setsebool
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
Configure Kernel Parameter for Accepting Secure Redirects By Default
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
Deactivate Wireless Network Interfaces
Verify that All World-Writable Directories Have Sticky Bits Set
Ensure All SGID Executables Are Authorized
Ensure All SUID Executables Are Authorized
Ensure No World-Writable Files Exist
Ensure All Files Are Owned by a Group
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
Verify Group Who Owns group File
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
Verify Group Who Owns gshadow File
Verify Group Who Owns passwd File
Record Unsuccessful Creation Attempts to Files - open O_CREAT
Verify Group Who Owns shadow File
Verify User Who Owns group File
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
Verify User Who Owns gshadow File
Verify User Who Owns passwd File
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
Verify User Who Owns shadow File
Verify Permissions on group File
Verify Permissions on gshadow File
Verify Permissions on passwd File
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
Verify Permissions on shadow File
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
Verify that System Executables Have Root Ownership
Verify that Shared Library Files Have Root Ownership
Record Unsuccessful Delete Attempts to Files - rename
Verify that System Executables Have Restrictive Permissions
Verify that Shared Library Files Have Restrictive Permissions
Record Unsuccessful Delete Attempts to Files - renameat
Disable Core Dumps for All Users
Record Unsuccessful Delete Attempts to Files - unlink
Record Unsuccessful Delete Attempts to Files - unlinkat
Ensure SELinux State is Enforcing
Record Attempts to Alter Logon and Logout Events
Record Attempts to Alter Logon and Logout Events - faillock
Record Attempts to Alter Logon and Logout Events - lastlog
Record Attempts to Alter Logon and Logout Events - tallylog
Ensure auditd Collects Information on the Use of Privileged Commands - chage
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
Disable Automatic Bug Reporting Tool (abrtd)
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
Disable Apache Qpid (qpidd)
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
Disable Network Router Discovery Daemon (rdisc)
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
Verify Group Who Owns cron.d
Verify Group Who Owns cron.daily
Verify Group Who Owns cron.hourly
Verify Group Who Owns cron.monthly
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
Ensure auditd Collects Information on the Use of Privileged Commands - su
Verify Group Who Owns cron.weekly
Verify Group Who Owns Crontab
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
Ensure auditd Collects Information on the Use of Privileged Commands - umount
Verify Owner on cron.daily
Verify Owner on cron.hourly
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
Verify Owner on cron.monthly
Verify Owner on cron.weekly
Verify Permissions on cron.d
Verify Permissions on cron.daily
Verify Permissions on cron.hourly
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
Verify Permissions on cron.monthly
Verify Permissions on cron.weekly
Verify Permissions on crontab
Verify Group Who Owns /etc/cron.allow file
Verify User Who Owns /etc/cron.allow file
Uninstall the inet-based telnet server
Uninstall the ssl compliant telnet server
Uninstall the telnet server
Disable Network File System (nfs)
Configure auditd admin_space_left on Low Disk Space
Configure auditd flush priority
Configure auditd space_left on Low Disk Space
Verify Group Who Owns SSH Server config file
Verify Owner on SSH Server config file
Verify Permissions on SSH Server config file
Verify /boot/grub2/user.cfg Group Ownership
Verify Permissions on SSH Server Private *_key Key Files
Verify Permissions on SSH Server Public *.pub Key Files
Verify /boot/grub2/user.cfg User Ownership
Set SSH Client Alive Count Max to zero
Verify /boot/grub2/user.cfg Permissions
Set the Boot Loader Admin Username to a Non-Default Value
Set SSH Client Alive Count Max
Verify /boot/efi/EFI/redhat/user.cfg Group Ownership
Set SSH Client Alive Interval
Disable Host-Based Authentication
Verify /boot/efi/EFI/redhat/user.cfg User Ownership
Allow Only SSH Protocol 2
Disable SSH Access via Empty Passwords
Verify /boot/efi/EFI/redhat/user.cfg Permissions
Set the UEFI Boot Loader Admin Username to a Non-Default Value
Disable SSH Support for .rhosts Files
Enable Use of Strict Mode Checking
Enable SSH Warning Banner
Ensure cron Is Logging To Rsyslog
Enable Encrypted X11 Forwarding
Enable SSH Print Last Log
Enable Use of Privilege Separation
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
Configure Multiple DNS Servers in /etc/resolv.conf
Configure the Firewalld Ports
Verify Any Configured IPSec Tunnel Connections
Disable Bluetooth Service
Disable Bluetooth Kernel Module
Disable WiFi or Bluetooth in BIOS
Ensure All World-Writable Directories Are Owned by a System Account
Ensure All World-Writable Directories Are Group Owned by a System Account
Ensure All Files Are Owned by a User
Disable Modprobe Loading of USB Storage Driver
Add nosuid Option to Removable Media Partitions
Enable ExecShield via sysctl
Ensure SELinux Not Disabled in the kernel arguments
Ensure SELinux Not Disabled in /etc/default/grub
Ensure No Device Files are Unlabeled by SELinux
Ensure No Daemons are Unconfined by SELinux
Install the psacct package
Enable Process Accounting (psacct)
Disable KDump Kernel Crash Analyzer (kdump)
Disable Network Console (netconsole)
Disable ntpdate Service (ntpdate)
Disable Portreserve (portreserve)
Disable Red Hat Network Service (rhnsd)
Disable Cyrus SASL Authentication Daemon (saslauthd)
Restrict Access to Anonymous Users if Possible
Enable the LDAP Client For Use in Authconfig
Configure LDAP Client to Use TLS For All Transactions
Configure SMTP Greeting Banner
Mount Remote Filesystems with Kerberos Security
Mount Remote Filesystems with noexec
Mount Remote Filesystems with nosuid
Restrict NFS Clients to Privileged Ports
Use Kerberos Security on All Exports
Configure Time Service Maxpoll Interval
Specify Additional Remote NTP Servers
Specify a Remote NTP Server
Specify Additional Remote NTP Servers
Uninstall rsh-server Package
Uninstall telnet-server Package
Uninstall tftp-server Package
Ensure tftp Daemon Uses Secure Mode
Ensure Default SNMP Password Is Not Used
Use Only FIPS 140-2 Validated Ciphers
Use Only FIPS 140-2 Validated MACs
Configure PAM in SSSD Services
Configure SSSD's Memory Cache to Expire
Configure SSSD to Expire Offline Credentials
Configure SSSD to Expire SSH Known Hosts
Configure SSSD LDAP Backend to Use TLS For All Transactions
Remove the X Windows Package Group
Disable X Windows Startup By Setting Default Target
Configure Logind to terminate idle sessions after certain time of inactivity
System Audit Directories Must Be Group Owned By Root
System Audit Directories Must Be Owned By Root
System Audit Logs Must Be Group Owned By Root
The Kubernetes Audit Logs Directory Must Have Mode 0700
The OAuth Audit Logs Directory Must Have Mode 0700
The OpenShift Audit Logs Directory Must Have Mode 0700
Kubernetes Audit Logs Must Be Owned By Root
OAuth Audit Logs Must Be Owned By Root
OpenShift Audit Logs Must Be Owned By Root
Kubernetes Audit Logs Must Have Mode 0600
OAuth Audit Logs Must Have Mode 0600
OpenShift Audit Logs Must Have Mode 0600
Enable Auditing for Processes Which Start Prior to the Audit Daemon
Configure the root Account lock for Failed Password Attempts via pam_tally2
Set Lockout Time for Failed Password Attempts using pam_tally2
Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd
Enable systemd_timesyncd Service
Install strongswan Package
Verify /boot/grub/grub.cfg User Ownership
Verify /boot/grub/grub.cfg Permissions
Install the systemd_timesyncd Service
Configure Systemd Timer Execution of AIDE