Install the dracut-fips-aesni Package
Install the dracut-fips Package
Enable FIPS Mode in GRUB2
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
Ensure Users Re-Authenticate for Privilege Escalation - sudo
Modify the System Login Banner
Ensure PAM Displays Last Logon/Access Notification
Limit Password Reuse: password-auth
Limit Password Reuse: system-auth
Ensure PAM Enforces Password Requirements - Minimum Different Categories
Ensure PAM Enforces Password Requirements - Minimum Length
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
Set PAM's Password Hashing Algorithm
Require Authentication for Emergency Systemd Target
Disable GNOME3 Automounting
Require Authentication for Single User Mode
Set Account Expiration Following Inactivity
Disable GNOME3 Automount Opening
Disable GNOME3 Automount running
Disable All GNOME3 Thumbnailers
Enable GNOME3 Screensaver Idle Activation
Ensure Users Cannot Change GNOME3 Screensaver Idle Activation
Set GNOME3 Screensaver Inactivity Timeout
Set GNOME3 Screensaver Lock Delay After Activation Period
Set Password Minimum Length in login.defs
Verify All Account Password Hashes are Shadowed
All GIDs referenced in /etc/passwd must be defined in /etc/group
Enable GNOME3 Screensaver Lock After Idle Period
Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
Implement Blank Screensaver
Prevent Login to Accounts With Empty Password
Ensure Users Cannot Change GNOME3 Screensaver Settings
Ensure Users Cannot Change GNOME3 Session Idle Settings
Verify No netrc Files Exist
Verify Only Root Has UID 0
Direct root Logins Not Allowed
Set Interactive Session Timeout
Enable GNOME3 Login Warning Banner
Set the GNOME3 Login Warning Banner Text
Record Events that Modify the System's Mandatory Access Controls
Record Events that Modify the System's Mandatory Access Controls in usr/share
Ensure auditd Collects Information on Exporting to Media (successful)
Record Events that Modify the System's Network Environment
Record Attempts to Alter Process and Session Initiation Information
Ensure auditd Collects System Administrator Actions
Lock Accounts After Failed Password Attempts
Configure the root Account for Failed Password Attempts
Set Interval For Counting Failed Password Attempts
Set Lockout Time for Failed Password Attempts
Record Events that Modify User/Group Information
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
Ensure PAM Enforces Password Requirements - Minimum Different Characters
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
Record Events that Modify the System's Discretionary Access Controls - chmod
Set Password Maximum Consecutive Repeating Characters
Record Events that Modify the System's Discretionary Access Controls - chown
Record Events that Modify the System's Discretionary Access Controls - fchmod
Ensure PAM Enforces Password Requirements - Minimum Special Characters
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
Set Password Hashing Algorithm in /etc/libuser.conf
Record Events that Modify the System's Discretionary Access Controls - fchmodat
Set Password Hashing Algorithm in /etc/login.defs
Record Events that Modify the System's Discretionary Access Controls - fchown
Set PAM's Password Hashing Algorithm - password-auth
Record Events that Modify the System's Discretionary Access Controls - fchownat
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
Verify that Interactive Boot is Disabled
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
Record Events that Modify the System's Discretionary Access Controls - lchown
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
Install the screen Package
Configure opensc Smart Card Drivers
Record Events that Modify the System's Discretionary Access Controls - removexattr
Configure NSS DB To Use opensc
Force opensc To Use Defined Smart Card Driver
Record Events that Modify the System's Discretionary Access Controls - setxattr
Ensure auditd Collects File Deletion Events by User
Ensure auditd Collects File Deletion Events by User - rename
Ensure auditd Collects File Deletion Events by User - renameat
Ensure auditd Collects File Deletion Events by User - rmdir
Ensure auditd Collects File Deletion Events by User - unlink
Ensure auditd Collects File Deletion Events by User - unlinkat
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
Set existing passwords a period of inactivity before they are locked
Record Unsuccessful Access Attempts to Files - creat
Record Unsuccessful Access Attempts to Files - ftruncate
Record Unsuccessful Access Attempts to Files - open
Record Unsuccessful Access Attempts to Files - open_by_handle_at
Record Unsuccessful Access Attempts to Files - openat
Record Unsuccessful Access Attempts to Files - truncate
Ensure auditd Collects Information on Kernel Module Loading and Unloading
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
Ensure auditd Collects Information on Kernel Module Loading - init_module
Ensure auditd Collects Information on the Use of Privileged Commands
Record attempts to alter time through adjtimex
Record Attempts to Alter Time Through clock_settime
Record attempts to alter time through settimeofday
Record Attempts to Alter Time Through stime
Record Attempts to Alter the localtime File
Enable Auditing for Processes Which Start Prior to the Audit Daemon
Set Boot Loader Password in grub2
Set the UEFI Boot Loader Password
Record Events that Modify User/Group Information - /etc/group
Record Events that Modify User/Group Information - /etc/gshadow
Record Events that Modify User/Group Information - /etc/security/opasswd
Record Events that Modify User/Group Information - /etc/passwd
Record Events that Modify User/Group Information - /etc/shadow
Install libreswan Package
Verify ip6tables Enabled if Using IPv6
Set Default ip6tables Policy for Incoming Packets
Set Default iptables Policy for Incoming Packets
Set Default iptables Policy for Forwarded Packets
Disable IPv6 Networking Support Automatic Loading
Disable IPv6 Addressing on All IPv6 Interfaces
Disable IPv6 Addressing on IPv6 Interfaces by Default
Configure Accepting Router Advertisements on All IPv6 Interfaces
Disable Accepting ICMP Redirects for All IPv6 Interfaces
Disable Kernel Parameter for IPv6 Forwarding
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
Disable Accepting ICMP Redirects for All IPv4 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
Configure Kernel Parameter for Accepting Secure Redirects By Default
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
Deactivate Wireless Network Interfaces
Ensure All Files Are Owned by a Group
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
Record Unsuccessful Creation Attempts to Files - open O_CREAT
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
Record Unsuccessful Delete Attempts to Files - rename
Add nodev Option to /dev/shm
Record Unsuccessful Delete Attempts to Files - renameat
Add nosuid Option to /dev/shm
Record Unsuccessful Delete Attempts to Files - unlink
Record Unsuccessful Delete Attempts to Files - unlinkat
Ensure SELinux State is Enforcing
Record Attempts to Alter Logon and Logout Events
Record Attempts to Alter Logon and Logout Events - faillock
Record Attempts to Alter Logon and Logout Events - lastlog
Record Attempts to Alter Logon and Logout Events - tallylog
Disable Avahi Server Software
Disable Automatic Bug Reporting Tool (abrtd)
Disable Apache Qpid (qpidd)
Disable Network Router Discovery Daemon (rdisc)
Uninstall the inet-based telnet server
Uninstall the ssl compliant telnet server
Uninstall the telnet server
Minimize Served Information
Disable Network File System (nfs)
Set SSH Client Alive Count Max to zero
Set SSH Client Alive Count Max
Set the Boot Loader Admin Username to a Non-Default Value
Set SSH Client Alive Interval
Disable Host-Based Authentication
Allow Only SSH Protocol 2
Disable SSH Access via Empty Passwords
Set the UEFI Boot Loader Admin Username to a Non-Default Value
Disable SSH Support for .rhosts Files
Enable SSH Warning Banner
Enable SSH Print Last Log
Disable Zeroconf Networking
Ensure System is Not Acting as a Network Sniffer
Configure the Firewalld Ports
Set Default firewalld Zone for Incoming Packets
Disable Support for RPC IPv6
Disable Bluetooth Service
Disable Bluetooth Kernel Module
Disable WiFi or Bluetooth in BIOS
Ensure All Files Are Owned by a User
Disable Booting from USB Devices in Boot Firmware
Disable Kernel Support for USB via Bootloader Configuration
Disable Mounting of cramfs
Disable Mounting of freevxfs
Disable Mounting of hfsplus
Disable Mounting of jffs2
Disable Mounting of squashfs
Disable Modprobe Loading of USB Storage Driver
Disable Mounting of vFAT filesystems
Add noexec Option to /dev/shm
Add nosuid Option to /home
Add nodev Option to Non-Root Local Partitions
Add nodev Option to Removable Media Partitions
Add noexec Option to Removable Media Partitions
Add nosuid Option to Removable Media Partitions
Add noexec Option to /tmp
Add nosuid Option to /tmp
Bind Mount /var/tmp To /tmp
Ensure SELinux Not Disabled in the kernel arguments
Ensure SELinux Not Disabled in /etc/default/grub
Ensure No Device Files are Unlabeled by SELinux
Ensure No Daemons are Unconfined by SELinux
Check Avahi Responses' TTL Field
Serve Avahi Only via Required Protocol
Prevent Other Programs from Using Avahi's Port
Restrict Information Published by Avahi
Uninstall avahi-autoipd Server Package
Uninstall avahi Server Package
Install the psacct package
Enable IRQ Balance (irqbalance)
Enable Process Accounting (psacct)
Disable Advanced Configuration and Power Interface (acpid)
Disable Certmonger Service (certmonger)
Disable Control Group Config (cgconfig)
Disable Control Group Rules Engine (cgred)
Disable CPU Speed (cpupower)
Disable KDump Kernel Crash Analyzer (kdump)
Disable Software RAID Monitor (mdmonitor)
Disable D-Bus IPC Service (messagebus)
Disable Network Console (netconsole)
Disable ntpdate Service (ntpdate)
Disable Odd Job Daemon (oddjobd)
Disable Portreserve (portreserve)
Disable Quota Netlink (quota_nld)
Disable Red Hat Network Service (rhnsd)
Disable Red Hat Subscription Manager Daemon (rhsmcertd)
Disable Cyrus SASL Authentication Daemon (saslauthd)
Disable SMART Disk Monitoring Service (smartd)
Disable System Statistics Reset Service (sysstat)
Disable DHCP Client in ifcfg
Uninstall DHCP Server Package
Authenticate Zone Transfers
Restrict Access to Anonymous Users if Possible
Set Permissions on the /var/log/httpd/ Directory
Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/
Set Permissions on All Configuration Files Inside /etc/httpd/conf/
Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/
Set httpd ServerSignature Directive to Off
Set httpd ServerTokens Directive to Prod
Enable the LDAP Client For Use in Authconfig
Configure LDAP Client to Use TLS For All Transactions
Configure Certificate Directives for LDAP Use of TLS
Uninstall openldap-servers Package
Uninstall Sendmail Package
Disable Postfix Network Listening
Mount Remote Filesystems with Kerberos Security
Mount Remote Filesystems with nodev
Restrict NFS Clients to Privileged Ports
Use Kerberos Security on All Exports
Uninstall rsh-server Package
Uninstall telnet-server Package
Uninstall tftp-server Package
Ensure tftp Daemon Uses Secure Mode
Disable Printer Browsing Entirely if Possible
Disable Print Server Capabilities
Ensure Default SNMP Password Is Not Used
Use Only FIPS 140-2 Validated Ciphers
Use Only FIPS 140-2 Validated MACs
Configure PAM in SSSD Services
Configure SSSD's Memory Cache to Expire
Configure SSSD to Expire Offline Credentials
Configure SSSD to Expire SSH Known Hosts
Configure SSSD LDAP Backend to Use TLS For All Transactions
Remove the X Windows Package Group
Disable X Windows Startup By Setting Default Target
Configure Logind to terminate idle sessions after a certain time of inactivity
Configure the root Account lock for Failed Password Attempts via pam_tally2
Set Lockout Time for Failed Password Attempts using pam_tally2
Install strongswan Package
Uninstall DHCP Client Package
Uninstall 389-ds-base Package