Capacity
SRG-OS-000480-GPOS-00227
19
Rule
Severity: High
Verify File Hashes with RPM
10
Rule
Severity: Medium
Configure AIDE to Use FIPS 140-2 for Validating Hashes
13
Rule
Severity: Low
Configure AIDE to Verify Access Control Lists (ACLs)
13
Rule
Severity: Low
Configure AIDE to Verify Extended Attributes
29
Rule
Severity: Medium
Install the Host Intrusion Prevention System (HIPS) Module
27
Rule
Severity: Low
Ensure /home Located On Separate Partition
27
Rule
Severity: Low
Ensure /tmp Located On Separate Partition
27
Rule
Severity: Low
Ensure /var Located On Separate Partition
27
Rule
Severity: Low
Ensure /var/log Located On Separate Partition
27
Rule
Severity: Low
Ensure /var/log/audit Located On Separate Partition
15
Rule
Severity: High
The Installed Operating System Is Vendor Supported
9
Rule
Severity: High
Install Virus Scanning Software
29
Rule
Severity: Medium
Ensure gnutls-utils is installed
29
Rule
Severity: Medium
Ensure nss-tools is installed
5
Rule
Severity: Medium
Enable nails Service
21
Rule
Severity: Medium
Ensure Software Patches Installed
8
Rule
Severity: High
Install McAfee Virus Scanning Software
5
Rule
Severity: Medium
Virus Scanning Software Definitions Are Updated
29
Rule
Severity: Low
Ensure PAM Displays Last Logon/Access Notification
7
Rule
Severity: Medium
Install the Asset Configuration Compliance Module (ACCM)
7
Rule
Severity: Medium
Install the Policy Auditor (PA) Module
19
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
16
Rule
Severity: Medium
Ensure /var/tmp Located On Separate Partition
13
Rule
Severity: Medium
Remove the GDM Package Group
13
Rule
Severity: High
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
11
Rule
Severity: High
Disable the GNOME3 Login Restart and Shutdown Buttons
15
Rule
Severity: Medium
Disable the GNOME3 Login User List
11
Rule
Severity: Medium
Disable GNOME3 Automounting
12
Rule
Severity: Medium
Disable GNOME3 Automount Opening
12
Rule
Severity: Low
Disable GNOME3 Automount running
12
Rule
Severity: Medium
Require Encryption for Remote Access in GNOME3
29
Rule
Severity: High
Prevent Login to Accounts With Empty Password
29
Rule
Severity: High
Ensure There Are No Accounts With Blank or Null Passwords
13
Rule
Severity: High
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
30
Rule
Severity: High
Verify Only Root Has UID 0
21
Rule
Severity: Medium
Ensure that System Accounts Do Not Run a Shell Upon Login
13
Rule
Severity: Medium
The operating system must restrict privilege elevation to authorized personnel
12
Rule
Severity: Medium
Ensure sudo only includes the default configuration directory
13
Rule
Severity: Medium
Ensure invoking users password for privilege escalation when using sudo
12
Rule
Severity: Medium
Install openscap-scanner Package
12
Rule
Severity: Low
Install rng-tools Package
12
Rule
Severity: Medium
Install scap-security-guide Package
19
Rule
Severity: Medium
All Interactive User Home Directories Must Be Group-Owned By The Primary Group
16
Rule
Severity: Medium
All Interactive User Home Directories Must Be Owned By The Primary User
11
Rule
Severity: Medium
Uninstall gssproxy Package
11
Rule
Severity: Medium
Uninstall iprutils Package
11
Rule
Severity: Medium
Uninstall tuned Package
20
Rule
Severity: Medium
Ensure the Default Bash Umask is Set Correctly
27
Rule
Severity: Medium
Ensure the Default Umask is Set Correctly in /etc/profile
11
Rule
Severity: Medium
Ensure PAM password complexity module is enabled in password-auth
11
Rule
Severity: Medium
Ensure PAM password complexity module is enabled in system-auth
15
Rule
Severity: Medium
Disable debug-shell SystemD Service
15
Rule
Severity: High
Disable Ctrl-Alt-Del Burst Action
17
Rule
Severity: High
Disable Ctrl-Alt-Del Reboot Activation
15
Rule
Severity: Medium
Verify that Interactive Boot is Disabled
13
Rule
Severity: Medium
Only Authorized Local User Accounts Exist on Operating System
14
Rule
Severity: Medium
Ensure Home Directories are Created for New Users
12
Rule
Severity: Medium
User Initialization Files Must Be Group-Owned By The Primary Group
15
Rule
Severity: Medium
User Initialization Files Must Not Run World-Writable Programs
12
Rule
Severity: Medium
User Initialization Files Must Be Owned By the Primary User
13
Rule
Severity: Medium
Ensure that Users Path Contains Only Local Directories
13
Rule
Severity: Medium
All Interactive Users Must Have A Home Directory Defined
17
Rule
Severity: Medium
All Interactive Users Home Directories Must Exist
10
Rule
Severity: Medium
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
10
Rule
Severity: Medium
All User Files and Directories In The Home Directory Must Have a Valid Owner
10
Rule
Severity: Medium
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
13
Rule
Severity: Medium
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
16
Rule
Severity: Medium
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
13
Rule
Severity: Medium
Ensure the Default C Shell Umask is Set Correctly
14
Rule
Severity: Medium
Ensure the Default Umask is Set Correctly For Interactive Users
29
Rule
Severity: Medium
Include Local Events in Audit Logs
29
Rule
Severity: Low
Resolve information before writing to audit logs
29
Rule
Severity: Medium
Write Audit Logs to the Disk
19
Rule
Severity: Medium
Verify /boot/grub2/grub.cfg Group Ownership
27
Rule
Severity: Medium
Ensure rsyslog is Installed
28
Rule
Severity: Medium
Enable rsyslog Service
27
Rule
Severity: Medium
Ensure Logs Sent To Remote Host
17
Rule
Severity: Medium
Install firewalld Package
21
Rule
Severity: Medium
Verify firewalld Enabled
20
Rule
Severity: Medium
Install libreswan Package
18
Rule
Severity: Medium
Configure Accepting Router Advertisements on All IPv6 Interfaces
20
Rule
Severity: Medium
Disable Accepting ICMP Redirects for All IPv6 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
19
Rule
Severity: Medium
Disable Kernel Parameter for IPv6 Forwarding
19
Rule
Severity: Medium
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
19
Rule
Severity: Medium
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
20
Rule
Severity: Medium
Disable Accepting ICMP Redirects for All IPv4 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
20
Rule
Severity: Unknown
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
22
Rule
Severity: Medium
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
21
Rule
Severity: Medium
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
20
Rule
Severity: Unknown
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
20
Rule
Severity: Medium
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
20
Rule
Severity: Medium
Configure Kernel Parameter for Accepting Secure Redirects By Default
22
Rule
Severity: Medium
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
22
Rule
Severity: Unknown
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
22
Rule
Severity: Medium
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
22
Rule
Severity: Medium
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
22
Rule
Severity: Medium
Disable SCTP Support
22
Rule
Severity: Medium
Ensure All Files Are Owned by a Group
30
Rule
Severity: Medium
Verify Group Who Owns Backup group File
28
Rule
Severity: Medium
Verify Group Who Owns Backup gshadow File
30
Rule
Severity: Medium
Verify Group Who Owns Backup passwd File
30
Rule
Severity: Medium
Verify User Who Owns Backup shadow File
30
Rule
Severity: Medium
Verify Group Who Owns group File
28
Rule
Severity: Medium
Verify Group Who Owns gshadow File
30
Rule
Severity: Medium
Verify Group Who Owns passwd File
30
Rule
Severity: Medium
Verify Group Who Owns shadow File
30
Rule
Severity: Medium
Verify User Who Owns Backup group File
28
Rule
Severity: Medium
Verify User Who Owns Backup gshadow File
30
Rule
Severity: Medium
Verify User Who Owns Backup passwd File
30
Rule
Severity: Medium
Verify Group Who Owns Backup shadow File
30
Rule
Severity: Medium
Verify User Who Owns group File
28
Rule
Severity: Medium
Verify User Who Owns gshadow File
30
Rule
Severity: Medium
Verify User Who Owns passwd File
30
Rule
Severity: Medium
Verify User Who Owns shadow File
30
Rule
Severity: Medium
Verify Permissions on Backup group File
28
Rule
Severity: Medium
Verify Permissions on Backup gshadow File
30
Rule
Severity: Medium
Verify Permissions on Backup passwd File
30
Rule
Severity: Medium
Verify Permissions on Backup shadow File
30
Rule
Severity: Medium
Verify Permissions on group File
28
Rule
Severity: Medium
Verify Permissions on gshadow File
30
Rule
Severity: Medium
Verify Permissions on passwd File
30
Rule
Severity: Medium
Verify Permissions on shadow File
23
Rule
Severity: Medium
Disable the Automounter
29
Rule
Severity: Medium
Disable core dump backtraces
29
Rule
Severity: Medium
Disable storing core dump
21
Rule
Severity: Medium
Disable Core Dumps for All Users
30
Rule
Severity: Medium
Restrict Exposed Kernel Pointer Addresses Access
30
Rule
Severity: Medium
Enable Randomized Layout of Virtual Address Space
20
Rule
Severity: Medium
Verify Group Who Owns cron.d
20
Rule
Severity: Medium
Verify Group Who Owns cron.daily
20
Rule
Severity: Medium
Verify Group Who Owns cron.hourly
20
Rule
Severity: Medium
Verify Group Who Owns cron.monthly
20
Rule
Severity: Medium
Verify Group Who Owns cron.weekly
20
Rule
Severity: Medium
Verify Group Who Owns Crontab
20
Rule
Severity: Medium
Verify Owner on cron.d
20
Rule
Severity: Medium
Verify Owner on cron.daily
20
Rule
Severity: Medium
Verify Owner on cron.hourly
20
Rule
Severity: Medium
Verify Owner on cron.monthly
20
Rule
Severity: Medium
Verify Owner on cron.weekly
20
Rule
Severity: Medium
Verify Owner on crontab
20
Rule
Severity: Medium
Verify Permissions on cron.d
20
Rule
Severity: Medium
Verify Permissions on cron.daily
20
Rule
Severity: Medium
Verify Permissions on cron.hourly
20
Rule
Severity: Medium
Verify Permissions on cron.monthly
20
Rule
Severity: Medium
Verify Permissions on cron.weekly
20
Rule
Severity: Medium
Verify Permissions on crontab
22
Rule
Severity: Medium
Verify Group Who Owns /etc/cron.allow file
22
Rule
Severity: Medium
Verify User Who Owns /etc/cron.allow file
19
Rule
Severity: Medium
Verify Permissions on /etc/cron.allow file
14
Rule
Severity: Medium
Configure auditd flush priority
12
Rule
Severity: Medium
Disable vsyscalls
18
Rule
Severity: Medium
Verify Group Who Owns SSH Server config file
18
Rule
Severity: Medium
Verify Owner on SSH Server config file
11
Rule
Severity: Medium
Verify /boot/grub2/user.cfg Group Ownership
20
Rule
Severity: Medium
Verify Permissions on SSH Server config file
29
Rule
Severity: Medium
Verify Permissions on SSH Server Private *_key Key Files
29
Rule
Severity: Medium
Verify Permissions on SSH Server Public *.pub Key Files
29
Rule
Severity: High
Allow Only SSH Protocol 2
29
Rule
Severity: Medium
Disable Compression Or Set Compression to delayed
30
Rule
Severity: High
Disable SSH Access via Empty Passwords
29
Rule
Severity: Medium
Disable GSSAPI Authentication
29
Rule
Severity: Medium
Disable Kerberos Authentication
12
Rule
Severity: Medium
Ensure rsyslog-gnutls is installed
30
Rule
Severity: Medium
Disable SSH Support for .rhosts Files
29
Rule
Severity: Medium
Disable SSH Support for Rhosts RSA Authentication
30
Rule
Severity: Medium
Disable SSH Root Login
30
Rule
Severity: Medium
Disable SSH Support for User Known Hosts
30
Rule
Severity: Medium
Disable X11 Forwarding
29
Rule
Severity: Medium
Enable Use of Strict Mode Checking
13
Rule
Severity: Medium
Ensure cron Is Logging To Rsyslog
29
Rule
Severity: High
Enable Encrypted X11 Forwarding
29
Rule
Severity: Medium
Enable SSH Print Last Log
29
Rule
Severity: Medium
Force frequent session key renegotiation
29
Rule
Severity: Medium
Enable Use of Privilege Separation
16
Rule
Severity: Medium
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
12
Rule
Severity: Medium
Configure TLS for rsyslog remote logging
12
Rule
Severity: Medium
Configure CA certificate for rsyslog remote logging
11
Rule
Severity: Medium
Configure Multiple DNS Servers in /etc/resolv.conf
5
Rule
Severity: Medium
Disable Client Dynamic DNS Updates
14
Rule
Severity: Medium
Ensure System is Not Acting as a Network Sniffer
14
Rule
Severity: Medium
Set Default firewalld Zone for Incoming Packets
13
Rule
Severity: Medium
Verify Any Configured IPSec Tunnel Connections
18
Rule
Severity: Medium
Install iptables Package
9
Rule
Severity: Medium
Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces
11
Rule
Severity: Medium
Disable ATM Support
11
Rule
Severity: Medium
Disable CAN Support
14
Rule
Severity: Medium
Ensure All World-Writable Directories Are Owned by root User
9
Rule
Severity: Medium
Ensure All World-Writable Directories Are Owned by a System Account
11
Rule
Severity: Medium
Ensure All World-Writable Directories Are Group Owned by a System Account
18
Rule
Severity: Medium
Ensure All Files Are Owned by a User
19
Rule
Severity: Medium
Disable Modprobe Loading of USB Storage Driver
14
Rule
Severity: Medium
Add nosuid Option to /boot
14
Rule
Severity: Medium
Add noexec Option to /home
16
Rule
Severity: Medium
Add nosuid Option to /home
14
Rule
Severity: Medium
Add nodev Option to Non-Root Local Partitions
17
Rule
Severity: Medium
Add nodev Option to Removable Media Partitions
17
Rule
Severity: Medium
Add noexec Option to Removable Media Partitions
16
Rule
Severity: Medium
Add nosuid Option to Removable Media Partitions
12
Rule
Severity: Medium
Disable Kernel Image Loading
14
Rule
Severity: Medium
Restrict usage of ptrace to descendant processes
11
Rule
Severity: Medium
Enable page allocator poisoning
13
Rule
Severity: Low
Install policycoreutils Package
11
Rule
Severity: Medium
Ensure No Device Files are Unlabeled by SELinux
15
Rule
Severity: Medium
Disable KDump Kernel Crash Analyzer (kdump)
16
Rule
Severity: High
Uninstall vsftpd Package
14
Rule
Severity: Medium
Uninstall Sendmail Package
10
Rule
Severity: Medium
Prevent Unrestricted Mail Relaying
10
Rule
Severity: Medium
Mount Remote Filesystems with Kerberos Security
11
Rule
Severity: Medium
Mount Remote Filesystems with nodev
13
Rule
Severity: Medium
Mount Remote Filesystems with noexec
13
Rule
Severity: Medium
Mount Remote Filesystems with nosuid
12
Rule
Severity: Medium
Use Kerberos Security on All Exports
4
Rule
Severity: Medium
Install tcp_wrappers Package
13
Rule
Severity: High
Remove Host-Based Authentication Files
13
Rule
Severity: High
Remove User Host-Based Authentication Files
15
Rule
Severity: High
Uninstall tftp-server Package
11
Rule
Severity: Medium
Ensure tftp Daemon Uses Secure Mode
10
Rule
Severity: Low
Uninstall quagga Package
9
Rule
Severity: Medium
Disable Quagga Service
11
Rule
Severity: High
Ensure Default SNMP Password Is Not Used
13
Rule
Severity: Medium
Prevent remote hosts from connecting to the proxy display
9
Rule
Severity: Medium
Install sssd-ipa Package
18
Rule
Severity: Medium
Remove the X Windows Package Group
13
Rule
Severity: Medium
Disable graphical user interface
14
Rule
Severity: Medium
Disable X Windows Startup By Setting Default Target
3
Rule
Severity: Medium
OpenSSL uses strong entropy source
7
Rule
Severity: Medium
Enable authselect
5
Rule
Severity: Medium
Configure kernel to trust the CPU random number generator
2
Rule
Severity: Medium
Install iptables-services Package
5
Rule
Severity: Medium
Add nosuid Option to /boot/efi
8
Rule
Severity: Medium
Disable storing core dumps
10
Rule
Severity: Medium
Disable Access to Network bpf() Syscall From Unprivileged Processes
8
Rule
Severity: Medium
Harden the operation of the BPF just-in-time compiler
8
Rule
Severity: Medium
Disable the use of user namespaces
8
Rule
Severity: Medium
Disable acquiring, saving, and processing core dumps
7
Rule
Severity: Medium
Install policycoreutils-python-utils package
8
Rule
Severity: Low
Enable the Hardware RNG Entropy Gatherer Service
6
Rule
Severity: Medium
Install OpenSSH client software
3
Rule
Severity: Medium
SSH client uses strong entropy to seed (for CSH like shells)
3
Rule
Severity: Medium
SSH client uses strong entropy to seed (Bash-like shells)
6
Rule
Severity: Low
SSH server uses strong entropy to seed
5
Rule
Severity: Medium
Configure SSSD to run as user sssd
2
Rule
Severity: Medium
Grant Or Deny System Access To Specific Hosts And Services
1
Rule
Severity: Medium
System Must Avoid Meltdown and Spectre Exploit Vulnerabilities in Modern Processors
2
Rule
Severity: Medium
The PAM configuration should not be changed automatically
2
Rule
Severity: Medium
Remove Default Configuration to Disable Syscall Auditing
3
Rule
Severity: Medium
Install the pam_apparmor Package
5
Rule
Severity: Medium
Ensure AppArmor is Active and Configured
2
Rule
Severity: Medium
Install strongswan Package
2
Rule
Severity: Medium
Disable Kernel Parameter for IPv6 Forwarding by default
19
Rule
Severity: Medium
Verify /boot/grub2/grub.cfg User Ownership
2
Rule
Severity: Medium
NetworkManager DNS Mode Must Be Must Configured
2
Rule
Severity: Medium
Verify Group Who Owns cron.deny
2
Rule
Severity: Medium
Verify Owner on cron.deny
2
Rule
Severity: Medium
Verify /boot/grub/grub.cfg User Ownership
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules