Verify and Correct File Permissions with RPM
Verify and Correct Ownership with RPM
Install the Host Intrusion Prevention System (HIPS) Module
The Installed Operating System Is Vendor Supported
Install Intrusion Detection Software
Ensure Software Patches Installed
Install the Asset Configuration Compliance Module (ACCM)
Install the Policy Auditor (PA) Module
Require Authentication for Emergency Systemd Target
Require Authentication for Single User Mode
Disable the GNOME3 Login Restart and Shutdown Buttons
Set Account Expiration Following Inactivity
Require Encryption for Remote Access in GNOME3
Prevent Login to Accounts With Empty Password
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
Verify No netrc Files Exist
Verify Only Root Has UID 0
Ensure that System Accounts Do Not Run a Shell Upon Login
Restrict Serial Port Root Logins
Restrict Virtual Console Root Logins
Limit the Number of Concurrent Login Sessions Allowed Per User
Ensure that User Home Directories are not Group-Writable or World-Readable
Ensure yum Removes Previous Package Versions
Ensure the Default Bash Umask is Set Correctly
Ensure the Default Umask is Set Correctly in login.defs
Ensure the Default Umask is Set Correctly in /etc/profile
Make the auditd Configuration Immutable
Ensure auditd Collects System Administrator Actions
Record Events that Modify User/Group Information
System Audit Logs Must Have Mode 0750 or Less Permissive
System Audit Logs Must Be Owned By Root
Disable Ctrl-Alt-Del Burst Action
Disable Ctrl-Alt-Del Reboot Activation
Verify that Interactive Boot is Disabled
Assign Expiration Date to Emergency Accounts
Assign Expiration Date to Temporary Accounts
Root Path Must Be Vendor Default
Ensure the Default C Shell Umask is Set Correctly
Verify /boot/grub2/grub.cfg Group Ownership
Verify /boot/grub2/grub.cfg User Ownership
Verify /boot/grub2/grub.cfg Permissions
Set Boot Loader Password in grub2
Verify the UEFI Boot Loader grub.cfg Group Ownership
Verify the UEFI Boot Loader grub.cfg User Ownership
Verify the UEFI Boot Loader grub.cfg Permissions
Set the UEFI Boot Loader Password
Record Events that Modify User/Group Information - /etc/group
Record Events that Modify User/Group Information - /etc/gshadow
Record Events that Modify User/Group Information - /etc/security/opasswd
Ensure Log Files Are Owned By Appropriate Group
Record Events that Modify User/Group Information - /etc/passwd
Ensure Log Files Are Owned By Appropriate User
Record Events that Modify User/Group Information - /etc/shadow
Verify ip6tables Enabled if Using IPv6
System Audit Logs Must Have Mode 0640 or Less Permissive
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
Configure Kernel Parameter for Accepting Secure Redirects By Default
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
Verify that All World-Writable Directories Have Sticky Bits Set
Ensure All SGID Executables Are Authorized
Ensure All SUID Executables Are Authorized
Ensure No World-Writable Files Exist
Ensure All Files Are Owned by a Group
Verify Group Who Owns group File
Verify Group Who Owns gshadow File
Verify Group Who Owns passwd File
Verify Group Who Owns shadow File
Verify User Who Owns group File
Verify User Who Owns gshadow File
Verify User Who Owns passwd File
Verify User Who Owns shadow File
Verify Permissions on group File
Verify Permissions on gshadow File
Verify Permissions on passwd File
Verify Permissions on shadow File
Verify that System Executables Have Root Ownership
Verify that Shared Library Files Have Root Ownership
Verify that System Executables Have Restrictive Permissions
Verify that Shared Library Files Have Restrictive Permissions
Ensure SELinux State is Enforcing
Disable Network Router Discovery Daemon (rdisc)
Verify Group Who Owns cron.d
Verify Group Who Owns cron.daily
Verify Group Who Owns cron.hourly
Verify Group Who Owns cron.monthly
Verify Group Who Owns cron.weekly
Verify Group Who Owns Crontab
Verify Owner on cron.daily
Verify Owner on cron.hourly
Verify Owner on cron.monthly
Verify Owner on cron.weekly
Verify Permissions on cron.d
Verify Permissions on cron.daily
Verify Permissions on cron.hourly
Verify Permissions on cron.monthly
Verify Permissions on cron.weekly
Verify Permissions on crontab
Verify Group Who Owns /etc/cron.allow file
Verify User Who Owns /etc/cron.allow file
Disable Network File System (nfs)
Verify Group Who Owns SSH Server config file
Verify Owner on SSH Server config file
Verify Permissions on SSH Server config file
Verify /boot/grub2/user.cfg Group Ownership
Verify Permissions on SSH Server Private *_key Key Files
Verify Permissions on SSH Server Public *.pub Key Files
Verify /boot/grub2/user.cfg User Ownership
Set SSH Client Alive Count Max to zero
Verify /boot/grub2/user.cfg Permissions
Set the Boot Loader Admin Username to a Non-Default Value
Set SSH Client Alive Count Max
Verify /boot/efi/EFI/redhat/user.cfg Group Ownership
Set SSH Client Alive Interval
Disable Host-Based Authentication
Verify /boot/efi/EFI/redhat/user.cfg User Ownership
Disable SSH Access via Empty Passwords
Verify /boot/efi/EFI/redhat/user.cfg Permissions
Set the UEFI Boot Loader Admin Username to a Non-Default Value
Disable SSH Support for .rhosts Files
Enable Use of Strict Mode Checking
Enable Encrypted X11 Forwarding
Enable Use of Privilege Separation
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
Verify Any Configured IPSec Tunnel Connections
Ensure All World-Writable Directories Are Owned by a System Account
Ensure All World-Writable Directories Are Group Owned by a System Account
Ensure All Files Are Owned by a User
Add nosuid Option to Removable Media Partitions
Ensure SELinux Not Disabled in the kernel arguments
Ensure SELinux Not Disabled in /etc/default/grub
Ensure No Device Files are Unlabeled by SELinux
Ensure No Daemons are Unconfined by SELinux
Restrict Access to Anonymous Users if Possible
Mount Remote Filesystems with Kerberos Security
Mount Remote Filesystems with noexec
Mount Remote Filesystems with nosuid
Restrict NFS Clients to Privileged Ports
Use Kerberos Security on All Exports
Ensure tftp Daemon Uses Secure Mode
Use Only FIPS 140-2 Validated Ciphers
Configure Logind to terminate idle sessions after certain time of inactivity
Ensure dnf Removes Previous Package Versions
System Audit Directories Must Be Group Owned By Root
System Audit Directories Must Be Owned By Root
System Audit Logs Must Be Group Owned By Root
The Kubernetes Audit Logs Directory Must Have Mode 0700
The OAuth Audit Logs Directory Must Have Mode 0700
The OpenShift Audit Logs Directory Must Have Mode 0700
Kubernetes Audit Logs Must Be Owned By Root
OAuth Audit Logs Must Be Owned By Root
OpenShift Audit Logs Must Be Owned By Root
Kubernetes Audit Logs Must Have Mode 0600
OAuth Audit Logs Must Have Mode 0600
OpenShift Audit Logs Must Have Mode 0600
Ensure zypper Removes Previous Package Versions
Ensure apt_get Removes Previous Package Versions
Verify /boot/grub/grub.cfg User Ownership
Verify /boot/grub/grub.cfg Permissions