Capacity
A.7.1.1
20
Rule
Severity: High
Verify and Correct File Permissions with RPM
15
Rule
Severity: High
Verify and Correct Ownership with RPM
29
Rule
Severity: Medium
Install the Host Intrusion Prevention System (HIPS) Module
14
Rule
Severity: High
Install Intrusion Detection Software
7
Rule
Severity: Medium
Install the Asset Configuration Compliance Module (ACCM)
17
Rule
Severity: Medium
Limit Password Reuse: password-auth
17
Rule
Severity: Medium
Limit Password Reuse: system-auth
7
Rule
Severity: Medium
Install the Policy Auditor (PA) Module
17
Rule
Severity: High
Encrypt Partitions
18
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Different Categories
20
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Length
19
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
20
Rule
Severity: Medium
Set PAM''s Password Hashing Algorithm
18
Rule
Severity: Medium
Require Authentication for Emergency Systemd Target
11
Rule
Severity: High
Disable the GNOME3 Login Restart and Shutdown Buttons
11
Rule
Severity: Medium
Disable GNOME3 Automounting
18
Rule
Severity: Medium
Require Authentication for Single User Mode
22
Rule
Severity: Medium
Set Account Expiration Following Inactivity
12
Rule
Severity: Medium
Disable GNOME3 Automount Opening
12
Rule
Severity: Low
Disable GNOME3 Automount running
30
Rule
Severity: Medium
Set Password Maximum Age
28
Rule
Severity: Medium
Set Password Minimum Age
29
Rule
Severity: Medium
Set Password Minimum Length in login.defs
30
Rule
Severity: Medium
Set Password Warning Age
29
Rule
Severity: Medium
Verify All Account Password Hashes are Shadowed
30
Rule
Severity: Low
All GIDs referenced in /etc/passwd must be defined in /etc/group
29
Rule
Severity: High
Prevent Login to Accounts With Empty Password
28
Rule
Severity: Medium
Verify No netrc Files Exist
13
Rule
Severity: High
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
30
Rule
Severity: High
Verify Only Root Has UID 0
29
Rule
Severity: Medium
Direct root Logins Not Allowed
21
Rule
Severity: Medium
Ensure that System Accounts Do Not Run a Shell Upon Login
29
Rule
Severity: Medium
Restrict Serial Port Root Logins
29
Rule
Severity: Medium
Restrict Virtual Console Root Logins
29
Rule
Severity: Medium
Ensure that User Home Directories are not Group-Writable or World-Readable
30
Rule
Severity: Medium
Make the auditd Configuration Immutable
17
Rule
Severity: Medium
Limit Password Reuse
29
Rule
Severity: Medium
Ensure auditd Collects System Administrator Actions
29
Rule
Severity: Medium
Record Events that Modify User/Group Information
29
Rule
Severity: Medium
System Audit Logs Must Have Mode 0750 or Less Permissive
16
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
13
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Different Characters
16
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
40
Rule
Severity: Medium
System Audit Logs Must Be Owned By Root
12
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
12
Rule
Severity: Medium
Set Password Maximum Consecutive Repeating Characters
16
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Special Characters
16
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
14
Rule
Severity: Medium
Set Password Hashing Algorithm in /etc/libuser.conf
16
Rule
Severity: Medium
Set Password Hashing Algorithm in /etc/login.defs
13
Rule
Severity: Medium
Set PAM''s Password Hashing Algorithm - password-auth
15
Rule
Severity: High
Disable Ctrl-Alt-Del Burst Action
17
Rule
Severity: High
Disable Ctrl-Alt-Del Reboot Activation
15
Rule
Severity: Medium
Verify that Interactive Boot is Disabled
14
Rule
Severity: Medium
Configure opensc Smart Card Drivers
5
Rule
Severity: Medium
Configure NSS DB To Use opensc
14
Rule
Severity: Medium
Force opensc To Use Defined Smart Card Driver
5
Rule
Severity: Medium
Enable Smart Card Login
11
Rule
Severity: Medium
Assign Expiration Date to Emergency Accounts
16
Rule
Severity: Medium
Assign Expiration Date to Temporary Accounts
9
Rule
Severity: Medium
Set existing passwords a period of inactivity before they been locked
19
Rule
Severity: Medium
Verify /boot/grub2/grub.cfg Group Ownership
19
Rule
Severity: Medium
Verify /boot/grub2/grub.cfg User Ownership
18
Rule
Severity: Medium
Verify /boot/grub2/grub.cfg Permissions
20
Rule
Severity: High
Set Boot Loader Password in grub2
12
Rule
Severity: Medium
Verify the UEFI Boot Loader grub.cfg Group Ownership
12
Rule
Severity: Medium
Verify the UEFI Boot Loader grub.cfg User Ownership
12
Rule
Severity: Medium
Verify the UEFI Boot Loader grub.cfg Permissions
20
Rule
Severity: High
Set the UEFI Boot Loader Password
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/group
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/gshadow
29
Rule
Severity: Medium
Ensure Log Files Are Owned By Appropriate Group
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/security/opasswd
29
Rule
Severity: Medium
Ensure Log Files Are Owned By Appropriate User
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/passwd
20
Rule
Severity: Medium
Record Events that Modify User/Group Information - /etc/shadow
17
Rule
Severity: Medium
System Audit Logs Must Have Mode 0640 or Less Permissive
30
Rule
Severity: Medium
Verify ip6tables Enabled if Using IPv6
30
Rule
Severity: Medium
Verify iptables Enabled
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
22
Rule
Severity: Medium
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
21
Rule
Severity: Medium
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
20
Rule
Severity: Medium
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
20
Rule
Severity: Medium
Configure Kernel Parameter for Accepting Secure Redirects By Default
22
Rule
Severity: Medium
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
22
Rule
Severity: Medium
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
30
Rule
Severity: Medium
Verify that All World-Writable Directories Have Sticky Bits Set
18
Rule
Severity: Medium
Ensure All SGID Executables Are Authorized
18
Rule
Severity: Medium
Ensure All SUID Executables Are Authorized
30
Rule
Severity: Medium
Ensure No World-Writable Files Exist
22
Rule
Severity: Medium
Ensure All Files Are Owned by a Group
30
Rule
Severity: Medium
Verify Group Who Owns group File
28
Rule
Severity: Medium
Verify Group Who Owns gshadow File
30
Rule
Severity: Medium
Verify Group Who Owns passwd File
30
Rule
Severity: Medium
Verify Group Who Owns shadow File
30
Rule
Severity: Medium
Verify User Who Owns group File
28
Rule
Severity: Medium
Verify User Who Owns gshadow File
30
Rule
Severity: Medium
Verify User Who Owns passwd File
30
Rule
Severity: Medium
Verify User Who Owns shadow File
30
Rule
Severity: Medium
Verify Permissions on group File
28
Rule
Severity: Medium
Verify Permissions on gshadow File
30
Rule
Severity: Medium
Verify Permissions on passwd File
30
Rule
Severity: Medium
Verify Permissions on shadow File
29
Rule
Severity: Medium
Verify that System Executables Have Root Ownership
29
Rule
Severity: Medium
Verify that Shared Library Files Have Root Ownership
29
Rule
Severity: Medium
Verify that System Executables Have Restrictive Permissions
29
Rule
Severity: Medium
Verify that Shared Library Files Have Restrictive Permissions
23
Rule
Severity: Medium
Disable the Automounter
30
Rule
Severity: High
Ensure SELinux State is Enforcing
15
Rule
Severity: Medium
Disable Network Router Discovery Daemon (rdisc)
20
Rule
Severity: Medium
Verify Group Who Owns cron.d
20
Rule
Severity: Medium
Verify Group Who Owns cron.daily
20
Rule
Severity: Medium
Verify Group Who Owns cron.hourly
20
Rule
Severity: Medium
Verify Group Who Owns cron.monthly
20
Rule
Severity: Medium
Verify Group Who Owns cron.weekly
20
Rule
Severity: Medium
Verify Group Who Owns Crontab
20
Rule
Severity: Medium
Verify Owner on cron.d
20
Rule
Severity: Medium
Verify Owner on cron.daily
20
Rule
Severity: Medium
Verify Owner on cron.hourly
20
Rule
Severity: Medium
Verify Owner on cron.monthly
20
Rule
Severity: Medium
Verify Owner on cron.weekly
20
Rule
Severity: Medium
Verify Owner on crontab
20
Rule
Severity: Medium
Verify Permissions on cron.d
20
Rule
Severity: Medium
Verify Permissions on cron.daily
20
Rule
Severity: Medium
Verify Permissions on cron.hourly
20
Rule
Severity: Medium
Verify Permissions on cron.monthly
20
Rule
Severity: Medium
Verify Permissions on cron.weekly
20
Rule
Severity: Medium
Verify Permissions on crontab
22
Rule
Severity: Medium
Verify Group Who Owns /etc/cron.allow file
22
Rule
Severity: Medium
Verify User Who Owns /etc/cron.allow file
14
Rule
Severity: Unknown
Disable Network File System (nfs)
29
Rule
Severity: Medium
Install the OpenSSH Server Package
18
Rule
Severity: Medium
Verify Group Who Owns SSH Server config file
18
Rule
Severity: Medium
Verify Owner on SSH Server config file
16
Rule
Severity: Medium
Verify /boot/grub2/user.cfg Group Ownership
20
Rule
Severity: Medium
Verify Permissions on SSH Server config file
29
Rule
Severity: Medium
Verify Permissions on SSH Server Private *_key Key Files
16
Rule
Severity: Medium
Verify /boot/grub2/user.cfg User Ownership
29
Rule
Severity: Medium
Verify Permissions on SSH Server Public *.pub Key Files
29
Rule
Severity: Medium
Set SSH Client Alive Count Max to zero
14
Rule
Severity: Medium
Verify /boot/grub2/user.cfg Permissions
29
Rule
Severity: Medium
Set SSH Client Alive Count Max
12
Rule
Severity: High
Set the Boot Loader Admin Username to a Non-Default Value
29
Rule
Severity: Medium
Set SSH Client Alive Interval
6
Rule
Severity: Medium
Verify /boot/efi/EFI/redhat/user.cfg Group Ownership
7
Rule
Severity: Medium
Verify /boot/efi/EFI/redhat/user.cfg User Ownership
30
Rule
Severity: Medium
Disable Host-Based Authentication
29
Rule
Severity: High
Allow Only SSH Protocol 2
7
Rule
Severity: Medium
Verify /boot/efi/EFI/redhat/user.cfg Permissions
30
Rule
Severity: High
Disable SSH Access via Empty Passwords
13
Rule
Severity: Medium
Set the UEFI Boot Loader Admin Username to a Non-Default Value
30
Rule
Severity: Medium
Disable SSH Support for .rhosts Files
30
Rule
Severity: Medium
Disable SSH Root Login
29
Rule
Severity: Medium
Enable Use of Strict Mode Checking
29
Rule
Severity: Unknown
Limit Users' SSH Access
29
Rule
Severity: Medium
Enable Use of Privilege Separation
16
Rule
Severity: Medium
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
13
Rule
Severity: Medium
Verify Any Configured IPSec Tunnel Connections
9
Rule
Severity: Medium
Ensure All World-Writable Directories Are Owned by a System Account
11
Rule
Severity: Medium
Ensure All World-Writable Directories Are Group Owned by a System Account
18
Rule
Severity: Medium
Ensure All Files Are Owned by a User
7
Rule
Severity: Unknown
Disable Booting from USB Devices in Boot Firmware
8
Rule
Severity: Unknown
Disable Kernel Support for USB via Bootloader Configuration
19
Rule
Severity: Medium
Disable Modprobe Loading of USB Storage Driver
17
Rule
Severity: Medium
Add nodev Option to Removable Media Partitions
17
Rule
Severity: Medium
Add noexec Option to Removable Media Partitions
16
Rule
Severity: Medium
Add nosuid Option to Removable Media Partitions
6
Rule
Severity: Unknown
Set Daemon Umask
13
Rule
Severity: Medium
Ensure SELinux Not Disabled in the kernel arguments
16
Rule
Severity: Medium
Ensure SELinux Not Disabled in /etc/default/grub
11
Rule
Severity: Medium
Ensure No Device Files are Unlabeled by SELinux
17
Rule
Severity: Medium
Ensure No Daemons are Unconfined by SELinux
18
Rule
Severity: Medium
Configure SELinux Policy
10
Rule
Severity: Medium
Enable the fips_mode SELinux Boolean
6
Rule
Severity: Medium
Restrict Access to Anonymous Users if Possible
13
Rule
Severity: Medium
Mount Remote Filesystems with noexec
13
Rule
Severity: Medium
Mount Remote Filesystems with nosuid
6
Rule
Severity: Unknown
Restrict NFS Clients to Privileged Ports
12
Rule
Severity: High
Disable rlogin Service
8
Rule
Severity: High
Disable rsh Service
12
Rule
Severity: High
Disable telnet Service
11
Rule
Severity: Medium
Ensure tftp Daemon Uses Secure Mode
11
Rule
Severity: High
Ensure Default SNMP Password Is Not Used
14
Rule
Severity: Medium
Enable the OpenSSH Service
11
Rule
Severity: Medium
Use Only FIPS 140-2 Validated Ciphers
11
Rule
Severity: Medium
Use Only FIPS 140-2 Validated MACs
7
Rule
Severity: Medium
Install the SSSD Package
8
Rule
Severity: Medium
Enable the SSSD Service
8
Rule
Severity: Medium
Configure PAM in SSSD Services
11
Rule
Severity: Medium
Configure SSSD's Memory Cache to Expire
17
Rule
Severity: Medium
Configure SSSD to Expire Offline Credentials
9
Rule
Severity: Medium
Configure SSSD to Expire SSH Known Hosts
5
Rule
Severity: Medium
Configure Logind to terminate idle sessions after certain time of inactivity
6
Rule
Severity: Medium
System Audit Directories Must Be Group Owned By Root
6
Rule
Severity: Medium
System Audit Directories Must Be Owned By Root
11
Rule
Severity: Medium
System Audit Logs Must Be Group Owned By Root
1
Rule
Severity: Medium
The Kubernetes Audit Logs Directory Must Have Mode 0700
1
Rule
Severity: Medium
The OAuth Audit Logs Directory Must Have Mode 0700
1
Rule
Severity: Medium
The OpenShift Audit Logs Directory Must Have Mode 0700
1
Rule
Severity: Medium
Kubernetes Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
OAuth Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
OpenShift Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
Kubernetes Audit Logs Must Have Mode 0600
1
Rule
Severity: Medium
OAuth Audit Logs Must Have Mode 0600
1
Rule
Severity: Medium
OpenShift Audit Logs Must Have Mode 0600
1
Rule
Severity: Medium
Disable Kernel Support for USB via Bootloader Configuration
2
Rule
Severity: Medium
Verify /boot/grub/grub.cfg User Ownership
2
Rule
Severity: Medium
Verify /boot/grub/grub.cfg Permissions
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules