Capacity
APO13.01
29
Rule
Severity: Medium
Install the Host Intrusion Prevention System (HIPS) Module
5
Rule
Severity: Medium
Install the dracut-fips-aesni Package
27
Rule
Severity: Low
Ensure /home Located On Separate Partition
27
Rule
Severity: Low
Ensure /tmp Located On Separate Partition
27
Rule
Severity: Low
Ensure /var Located On Separate Partition
27
Rule
Severity: Low
Ensure /var/log Located On Separate Partition
5
Rule
Severity: Medium
Install the dracut-fips Package
5
Rule
Severity: High
Enable FIPS Mode in GRUB2
27
Rule
Severity: Low
Ensure /var/log/audit Located On Separate Partition
14
Rule
Severity: High
Install Intrusion Detection Software
7
Rule
Severity: Medium
Install the Asset Configuration Compliance Module (ACCM)
7
Rule
Severity: Medium
Install the Policy Auditor (PA) Module
11
Rule
Severity: Medium
Disable GNOME3 Automounting
12
Rule
Severity: Medium
Disable GNOME3 Automount Opening
12
Rule
Severity: Low
Disable GNOME3 Automount running
20
Rule
Severity: Medium
Ensure the Default Bash Umask is Set Correctly
27
Rule
Severity: Medium
Ensure the Default Umask is Set Correctly in login.defs
27
Rule
Severity: Medium
Ensure the Default Umask is Set Correctly in /etc/profile
30
Rule
Severity: Medium
Enable auditd Service
30
Rule
Severity: Medium
Record Events that Modify the System's Mandatory Access Controls
30
Rule
Severity: Medium
Record Events that Modify the System's Mandatory Access Controls in usr/share
29
Rule
Severity: Medium
Ensure auditd Collects Information on Exporting to Media (successful)
30
Rule
Severity: Medium
Record Events that Modify the System's Network Environment
30
Rule
Severity: Medium
Record Attempts to Alter Process and Session Initiation Information
29
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions
29
Rule
Severity: Medium
Record Events that Modify User/Group Information
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - chmod
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - chown
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchmod
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchmodat
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchown
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fchownat
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lchown
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - removexattr
29
Rule
Severity: Medium
Record Events that Modify the System's Discretionary Access Controls - setxattr
23
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - rename
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - renameat
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - rmdir
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - unlink
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - unlinkat
23
Rule
Severity: Medium
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - creat
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - ftruncate
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - open
24
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - open_by_handle_at
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - openat
23
Rule
Severity: Medium
Record Unsuccessful Access Attempts to Files - truncate
23
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Loading and Unloading
8
Rule
Severity: Unknown
Root Path Must Be Vendor Default
22
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
23
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
22
Rule
Severity: Medium
Ensure auditd Collects Information on Kernel Module Loading - init_module
29
Rule
Severity: Medium
Ensure auditd Collects Information on the Use of Privileged Commands
13
Rule
Severity: Medium
Ensure the Default C Shell Umask is Set Correctly
30
Rule
Severity: Medium
Record attempts to alter time through adjtimex
30
Rule
Severity: Medium
Record Attempts to Alter Time Through clock_settime
30
Rule
Severity: Medium
Record attempts to alter time through settimeofday
29
Rule
Severity: Medium
Record Attempts to Alter Time Through stime
29
Rule
Severity: Medium
Record Attempts to Alter the localtime File
19
Rule
Severity: Low
Enable Auditing for Processes Which Start Prior to the Audit Daemon
59
Rule
Severity: Medium
Configure auditd Disk Error Action on Disk Error
59
Rule
Severity: Medium
Configure auditd Disk Full Action when Disk Space Is Full
27
Rule
Severity: Medium
Configure auditd mail_acct Action on Low Disk Space
30
Rule
Severity: Medium
Configure auditd admin_space_left Action on Low Disk Space
57
Rule
Severity: Medium
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
30
Rule
Severity: Medium
Configure auditd space_left Action on Low Disk Space
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/group
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/gshadow
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/security/opasswd
28
Rule
Severity: Medium
Enable rsyslog Service
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/passwd
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/shadow
29
Rule
Severity: Medium
Enable syslog-ng Service
27
Rule
Severity: Medium
Ensure Logs Sent To Remote Host
20
Rule
Severity: Medium
Install libreswan Package
30
Rule
Severity: Medium
Verify ip6tables Enabled if Using IPv6
30
Rule
Severity: Medium
Verify iptables Enabled
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
19
Rule
Severity: Medium
Disable Kernel Parameter for IPv6 Forwarding
22
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
20
Rule
Severity: Medium
Disable Accepting ICMP Redirects for All IPv4 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
20
Rule
Severity: Unknown
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
22
Rule
Severity: Medium
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
21
Rule
Severity: Medium
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
20
Rule
Severity: Unknown
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
20
Rule
Severity: Medium
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
20
Rule
Severity: Medium
Configure Kernel Parameter for Accepting Secure Redirects By Default
22
Rule
Severity: Medium
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
22
Rule
Severity: Unknown
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
22
Rule
Severity: Medium
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
22
Rule
Severity: Medium
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
22
Rule
Severity: Medium
Deactivate Wireless Network Interfaces
11
Rule
Severity: Medium
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
11
Rule
Severity: Medium
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
11
Rule
Severity: Medium
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
11
Rule
Severity: Medium
Record Unsuccessful Creation Attempts to Files - open O_CREAT
11
Rule
Severity: Medium
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
11
Rule
Severity: Medium
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
11
Rule
Severity: Medium
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
11
Rule
Severity: Medium
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE
11
Rule
Severity: Medium
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
23
Rule
Severity: Medium
Disable the Automounter
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - rename
27
Rule
Severity: Medium
Add nodev Option to /dev/shm
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - renameat
27
Rule
Severity: Medium
Add nosuid Option to /dev/shm
21
Rule
Severity: Medium
Disable Core Dumps for All Users
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - unlink
14
Rule
Severity: Medium
Record Unsuccessful Delete Attempts to Files - unlinkat
30
Rule
Severity: High
Ensure SELinux State is Enforcing
18
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events
20
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - faillock
23
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - lastlog
21
Rule
Severity: Medium
Record Attempts to Alter Logon and Logout Events - tallylog
13
Rule
Severity: Medium
Disable Automatic Bug Reporting Tool (abrtd)
15
Rule
Severity: Low
Disable Apache Qpid (qpidd)
15
Rule
Severity: Medium
Disable Network Router Discovery Daemon (rdisc)
29
Rule
Severity: High
Uninstall the inet-based telnet server
29
Rule
Severity: High
Uninstall the ssl compliant telnet server
29
Rule
Severity: High
Uninstall the telnet server
13
Rule
Severity: Medium
Configure auditd admin_space_left on Low Disk Space
27
Rule
Severity: Medium
Configure auditd space_left on Low Disk Space
27
Rule
Severity: High
Remove Rsh Trust Files
29
Rule
Severity: Medium
Set SSH Client Alive Count Max to zero
29
Rule
Severity: Medium
Set SSH Client Alive Count Max
29
Rule
Severity: Medium
Set SSH Client Alive Interval
29
Rule
Severity: High
Allow Only SSH Protocol 2
16
Rule
Severity: Medium
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
11
Rule
Severity: Medium
Configure Multiple DNS Servers in /etc/resolv.conf
11
Rule
Severity: Medium
Configure the Firewalld Ports
13
Rule
Severity: Medium
Verify Any Configured IPSec Tunnel Connections
10
Rule
Severity: Medium
Disable Bluetooth Service
13
Rule
Severity: Medium
Disable Bluetooth Kernel Module
7
Rule
Severity: Unknown
Disable WiFi or Bluetooth in BIOS
7
Rule
Severity: Unknown
Disable Booting from USB Devices in Boot Firmware
8
Rule
Severity: Unknown
Disable Kernel Support for USB via Bootloader Configuration
19
Rule
Severity: Medium
Disable Modprobe Loading of USB Storage Driver
17
Rule
Severity: Medium
Add noexec Option to /dev/shm
16
Rule
Severity: Medium
Add nosuid Option to /home
17
Rule
Severity: Medium
Add nodev Option to Removable Media Partitions
17
Rule
Severity: Medium
Add noexec Option to Removable Media Partitions
16
Rule
Severity: Medium
Add nosuid Option to Removable Media Partitions
17
Rule
Severity: Medium
Add nodev Option to /tmp
16
Rule
Severity: Medium
Add noexec Option to /tmp
17
Rule
Severity: Medium
Add nosuid Option to /tmp
12
Rule
Severity: Medium
Enable ExecShield via sysctl
13
Rule
Severity: Medium
Ensure SELinux Not Disabled in the kernel arguments
16
Rule
Severity: Medium
Ensure SELinux Not Disabled in /etc/default/grub
18
Rule
Severity: Medium
Configure SELinux Policy
15
Rule
Severity: Medium
Disable KDump Kernel Crash Analyzer (kdump)
5
Rule
Severity: Low
Disable Network Console (netconsole)
13
Rule
Severity: Low
Disable ntpdate Service (ntpdate)
5
Rule
Severity: Low
Disable Portreserve (portreserve)
7
Rule
Severity: Low
Disable Red Hat Network Service (rhnsd)
5
Rule
Severity: Low
Disable Cyrus SASL Authentication Daemon (saslauthd)
8
Rule
Severity: Medium
Enable the LDAP Client For Use in Authconfig
8
Rule
Severity: Medium
Configure LDAP Client to Use TLS For All Transactions
11
Rule
Severity: Medium
Mount Remote Filesystems with nodev
17
Rule
Severity: Low
Uninstall xinetd Package
13
Rule
Severity: Medium
Disable xinetd Service
14
Rule
Severity: High
Uninstall ypserv Package
8
Rule
Severity: Medium
Disable ypbind Service
16
Rule
Severity: High
Uninstall rsh-server Package
9
Rule
Severity: High
Disable rexec Service
12
Rule
Severity: High
Disable rlogin Service
8
Rule
Severity: High
Disable rsh Service
15
Rule
Severity: High
Uninstall telnet-server Package
12
Rule
Severity: High
Disable telnet Service
15
Rule
Severity: High
Uninstall tftp-server Package
6
Rule
Severity: High
Disable tftp Service
11
Rule
Severity: Medium
Ensure tftp Daemon Uses Secure Mode
10
Rule
Severity: Low
Uninstall quagga Package
9
Rule
Severity: Medium
Disable Quagga Service
11
Rule
Severity: Medium
Use Only FIPS 140-2 Validated Ciphers
11
Rule
Severity: Medium
Use Only FIPS 140-2 Validated MACs
7
Rule
Severity: High
Configure SSSD LDAP Backend to Use TLS For All Transactions
18
Rule
Severity: Medium
Remove the X Windows Package Group
14
Rule
Severity: Medium
Disable X Windows Startup By Setting Default Target
5
Rule
Severity: Medium
Configure Logind to terminate idle sessions after certain time of inactivity
1
Rule
Severity: Medium
Enable Auditing for Processes Which Start Prior to the Audit Daemon
1
Rule
Severity: Medium
Disable Kernel Support for USB via Bootloader Configuration
2
Rule
Severity: Medium
Install strongswan Package
2
Rule
Severity: Low
Uninstall tcpd Package
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules