Guide to the Secure Configuration of Red Hat Enterprise Linux 7

with profile RHEL7 Server Baseline for Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST 800-171)
From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of: (i) a basic security requirements section; and (ii) a derived security requirements section. The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53. This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Target machine: devbox
Benchmark URL: output/ssg-rhel7-ds.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-7
Profile ID: xccdf_org.ssgproject.content_profile_nist-800-171-cui
Started at: 2016-12-18T19:05:22
Finished at: 2016-12-18T19:05:31
Performed by: shawn

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode

Addresses

  • IPv4  127.0.0.1
  • IPv4  10.211.55.16
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fdb2:2c26:f4e4:0:21c:42ff:fed7:1f32
  • IPv6  fe80:0:0:0:21c:42ff:fed7:1f32
  • MAC  00:00:00:00:00:00
  • MAC  00:1C:42:D7:1F:32

Compliance and Scoring

The target system did not satisfy the conditions of 60 rules! Please review rule results and consider applying remediation.

Rule results

47 passed
60 failed
33 other

Severity of failed rules

0 other
12 low
44 medium
4 high

Score

Scoring system | Score | Maximum | Percent
urn:xccdf:scoring:default | 56.025871 | 100.000000 | 56.03%

Rule Overview

Title | Severity | Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 7 60x fail 33x notchecked
Remediation functions used by the SCAP Security Guide Project
Introduction
General Principles
Encrypt Transmitted Data Whenever Possible
Minimize Software to Minimize Vulnerability
Run Different Network Services on Separate Systems
Configure Security Tools to Improve System Robustness
Least Privilege
How to Use This Guide
Read Sections Completely and in Order
Test in Non-Production Environment
Root Shell Environment Assumed
Formatting Conventions
Reboot Required
System Settings 43x fail 32x notchecked
Installing and Maintaining Software 1x fail
Disk Partitioning
Ensure /tmp Located On Separate Partition | low | notselected
Ensure /var Located On Separate Partition | low | notselected
Ensure /var/log Located On Separate Partition | low | notselected
Ensure /var/log/audit Located On Separate Partition | low | notselected
Ensure /home Located On Separate Partition | low | notselected
Encrypt Partitions | high | notselected
Updating Software
Ensure Red Hat GPG Key Installed | high | notselected
Ensure gpgcheck Enabled In Main Yum Configuration | high | notselected
Ensure gpgcheck Enabled For All Yum Package Repositories | high | notselected
Ensure Software Patches Installed | high | notselected
Ensure YUM Removes Previous Package Versions | low | notselected
Ensure gpgcheck Enabled for Local Packages | high | notselected
System and Software Integrity
Software Integrity Checking
Verify Integrity with AIDE
Install AIDE | medium | notselected
Build and Test AIDE Database | medium | notselected
Configure Periodic Execution of AIDE | medium | notselected
Configure Notification of Post-AIDE Scan Details | medium | notselected
Configure AIDE to Verify Access Control Lists (ACLs) | medium | notselected
Configure AIDE to Verify Extended Attributes | medium | notselected
Configure AIDE to Use FIPS 140-2 for Validating Hashes | medium | notselected
Verify Integrity with RPM
Verify and Correct File Permissions with RPM | high | notselected
Verify File Hashes with RPM | high | notselected
Endpoint Protection Software
McAfee Endpoint Security Software
McAfee Host-Based Intrusion Detection Software (HBSS)
Install the Host Intrusion Prevention System (HIPS) Module | medium | notselected
Install the Asset Configuration Compliance Module (ACCM) | medium | notselected
Install the Policy Auditor (PA) Module | medium | notselected
Install the McAfee Runtime Libraries and Linux Agent | medium | notselected
Install McAfee Virus Scanning Software | high | notselected
Enable nails Service | medium | notselected
Virus Scanning Software Definitions Are Updated | medium | notselected
Install Intrusion Detection Software | high | notselected
Install Virus Scanning Software | high | notselected
Federal Information Processing Standard (FIPS)
Install the dracut-fips Package | medium | notselected
Enable FIPS Mode in GRUB2 | medium | notselected
Operating System Vendor Support and Certification
The Installed Operating System Is Vendor Supported and Certified | high | notselected
GNOME Desktop Environment 1x fail
Disable the GNOME3 Login User List | medium | pass
Disable the GNOME3 Login Restart and Shutdown Buttons | high | pass
Enable the GNOME3 Login Smartcard Authentication | medium | notselected
Configure GNOME Screen Locking
Set GNOME3 Screensaver Inactivity Timeout | medium | pass
Enable GNOME3 Screensaver Idle Activation | medium | pass
Enable GNOME3 Screensaver Lock After Idle Period | medium | pass
Set GNOME3 Screensaver Lock Delay After Activation Period | medium | pass
Implement Blank Screensaver | low | pass
Ensure Users Cannot Change GNOME3 Session Settings | low | pass
GNOME System Settings
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 | high | pass
Disable User Administration in GNOME3 | high | pass
Disable Power Settings in GNOME3 | medium | notselected
Disable Geolocation in GNOME3 | medium | pass
GNOME Network Settings
Disable WIFI Network Connection Creation in GNOME3 | medium | pass
Disable WIFI Network Notification in GNOME3 | medium | pass
GNOME Remote Access Settings
Require Credential Prompting for Remote Access in GNOME3 | medium | pass
Require Encryption for Remote Access in GNOME3 | medium | pass
GNOME Media Settings
Disable GNOME3 Automounting | low | pass
Disable All GNOME3 Thumbnailers | low | pass
Configure GNOME3 DConf User Profile | high | fail
Sudo
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | medium | notselected
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | medium | notselected
File Permissions and Masks 2x fail 1x notchecked
Restrict Partition Mount Options
Add nodev Option to Non-Root Local Partitions | low | notselected
Add nodev Option to Removable Media Partitions | low | notselected
Add noexec Option to Removable Media Partitions | low | notselected
Add nosuid Option to Removable Media Partitions | low | notselected
Add nodev Option to /tmp | low | notselected
Add noexec Option to /tmp | low | notselected
Add nosuid Option to /tmp | low | notselected
Add nodev Option to /dev/shm | low | notselected
Add noexec Option to /dev/shm | low | notselected
Add nosuid Option to /dev/shm | low | notselected
Bind Mount /var/tmp To /tmp | low | notselected
Restrict Dynamic Mounting and Unmounting of Filesystems
Disable Modprobe Loading of USB Storage Driver | medium | notselected
Disable Kernel Support for USB via Bootloader Configuration | low | notselected
Disable Booting from USB Devices in Boot Firmware | low | notselected
Assign Password to Prevent Changes to Boot Firmware Configuration | low | notselected
Disable the Automounter | medium | notselected
Disable Mounting of cramfs | low | notselected
Disable Mounting of freevxfs | low | notselected
Disable Mounting of jffs2 | low | notselected
Disable Mounting of hfs | low | notselected
Disable Mounting of hfsplus | low | notselected
Disable Mounting of squashfs | low | notselected
Disable Mounting of udf | low | notselected
Verify Permissions on Important Files and Directories
Verify User Who Owns shadow File | medium | notselected
Verify Group Who Owns shadow File | medium | notselected
Verify Permissions on shadow File | medium | notselected
Verify User Who Owns group File | medium | notselected
Verify Group Who Owns group File | medium | notselected
Verify Permissions on group File | medium | notselected
Verify User Who Owns gshadow File | medium | notselected
Verify Group Who Owns gshadow File | medium | notselected
Verify Permissions on gshadow File | medium | notselected
Verify User Who Owns passwd File | medium | notselected
Verify Group Who Owns passwd File | medium | notselected
Verify Permissions on passwd File | medium | notselected
Verify File Permissions Within Some Important Directories
Verify that Shared Library Files Have Restrictive Permissions | medium | notselected
Verify that Shared Library Files Have Root Ownership | medium | notselected
Verify that System Executables Have Restrictive Permissions | medium | notselected
Verify that System Executables Have Root Ownership | medium | notselected
Verify that All World-Writable Directories Have Sticky Bits Set | low | notselected
Ensure No World-Writable Files Exist | medium | notselected
Ensure All SGID Executables Are Authorized | low | notselected
Ensure All SUID Executables Are Authorized | low | notselected
Ensure All Files Are Owned by a User | medium | notselected
Ensure All Files Are Owned by a Group | medium | notselected
Ensure All World-Writable Directories Are Owned by a System Account | low | notselected
Restrict Programs from Dangerous Execution Patterns 2x fail 1x notchecked
Daemon Umask
Set Daemon Umask | low | notselected
Disable Core Dumps
Disable Core Dumps for All Users | low | notselected
Disable Core Dumps for SUID programs | low | notselected
Enable ExecShield 1x fail
Enable ExecShield | medium | pass
Enable Randomized Layout of Virtual Address Space | medium | fail
Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems 1x notchecked
Install PAE Kernel on Supported 32-bit x86 Systems | low | pass
Enable NX or XD Support in the BIOS | low | notchecked
Restrict Access to Kernel Message Buffer | low | fail
SELinux
SELinux - Booleans
Disable the abrt_anon_write SELinux Boolean | medium | notselected
Disable the abrt_handle_event SELinux Boolean | medium | notselected
Disable the abrt_upload_watch_anon_write SELinux Boolean | medium | notselected
Enable the antivirus_can_scan_system SELinux Boolean | medium | notselected
Disable the antivirus_use_jit SELinux Boolean | medium | notselected
Enable the auditadm_exec_content SELinux Boolean | medium | notselected
Disable the authlogin_nsswitch_use_ldap SELinux Boolean | medium | notselected
Disable the authlogin_radius SELinux Boolean | medium | notselected
Disable the authlogin_yubikey SELinux Boolean | medium | notselected
Disable the awstats_purge_apache_log_files SELinux Boolean | medium | notselected
Disable the boinc_execmem SELinux Boolean | medium | notselected
Disable the cdrecord_read_content SELinux Boolean | medium | notselected
Disable the cluster_can_network_connect SELinux Boolean | medium | notselected
Disable the cluster_manage_all_files SELinux Boolean | medium | notselected
Disable the cluster_use_execmem SELinux Boolean | medium | notselected
Disable the cobbler_anon_write SELinux Boolean | medium | notselected
Disable the cobbler_can_network_connect SELinux Boolean | medium | notselected
Disable the cobbler_use_cifs SELinux Boolean | medium | notselected
Disable the cobbler_use_nfs SELinux Boolean | medium | notselected
Disable the collectd_tcp_network_connect SELinux Boolean | medium | notselected
Disable the condor_tcp_network_connect SELinux Boolean | medium | notselected
Disable the conman_can_network SELinux Boolean | medium | notselected
Disable the cron_can_relabel SELinux Boolean | medium | notselected
Disable the cron_system_cronjob_use_shares SELinux Boolean | medium | notselected
Enable the cron_userdomain_transition SELinux Boolean | medium | notselected
Disable the cups_execmem SELinux Boolean | medium | notselected
Disable the cvs_read_shadow SELinux Boolean | medium | notselected
Disable the daemons_dump_core SELinux Boolean | medium | notselected
Disable the daemons_enable_cluster_mode SELinux Boolean | medium | notselected
Disable the daemons_use_tcp_wrapper SELinux Boolean | medium | notselected
Disable the daemons_use_tty SELinux Boolean | medium | notselected
Enable the dbadm_exec_content SELinux Boolean | medium | notselected
Disable the dbadm_manage_user_files SELinux Boolean | medium | notselected
Disable the dbadm_read_user_files SELinux Boolean | medium | notselected
Disable the deny_execmem SELinux Boolean | medium | notselected
Disable the deny_ptrace SELinux Boolean | medium | notselected
Disable the dhcpc_exec_iptables SELinux Boolean | medium | notselected
Disable the dhcpd_use_ldap SELinux Boolean | medium | notselected
Disable the docker_connect_any SELinux Boolean | medium | notselected
Enable the docker_transition_unconfined SELinux Boolean | medium | notselected
Enable the domain_fd_use SELinux Boolean | medium | notselected
Disable the domain_kernel_load_modules SELinux Boolean | medium | notselected
Disable the entropyd_use_audio SELinux Boolean | medium | notselected
Disable the exim_can_connect_db SELinux Boolean | medium | notselected
Disable the exim_manage_user_files SELinux Boolean | medium | notselected
Disable the exim_read_user_files SELinux Boolean | medium | notselected
Disable the fcron_crond SELinux Boolean | medium | notselected
Disable the fenced_can_network_connect SELinux Boolean | medium | notselected
Disable the fenced_can_ssh SELinux Boolean | medium | notselected
Enable the fips_mode SELinux Boolean | medium | notselected
Disable the ftpd_anon_write SELinux Boolean | medium | notselected
Disable the ftpd_connect_all_unreserved SELinux Boolean | medium | notselected
Disable the ftpd_connect_db SELinux Boolean | medium | notselected
Disable the ftpd_full_access SELinux Boolean | medium | notselected
Disable the ftpd_use_cifs SELinux Boolean | medium | notselected
Disable the ftpd_use_fusefs SELinux Boolean | medium | notselected
Disable the ftpd_use_nfs SELinux Boolean | medium | notselected
Disable the ftpd_use_passive_mode SELinux Boolean | medium | notselected
Disable the ftp_home_dir SELinux Boolean | medium | notselected
Disable the git_cgi_enable_homedirs SELinux Boolean | medium | notselected
Disable the git_cgi_use_cifs SELinux Boolean | medium | notselected
Disable the git_cgi_use_nfs SELinux Boolean | medium | notselected
Disable the gitosis_can_sendmail SELinux Boolean | medium | notselected
Disable the git_session_bind_all_unreserved_ports SELinux Boolean | medium | notselected
Disable the git_session_users SELinux Boolean | medium | notselected
Disable the git_system_enable_homedirs SELinux Boolean | medium | notselected
Disable the git_system_use_cifs SELinux Boolean | medium | notselected
Disable the git_system_use_nfs SELinux Boolean | medium | notselected
Disable the glance_api_can_network SELinux Boolean | medium | notselected
Disable the glance_use_execmem SELinux Boolean | medium | notselected
Disable the glance_use_fusefs SELinux Boolean | medium | notselected
Disable the global_ssp SELinux Boolean | medium | notselected
Disable the gluster_anon_write SELinux Boolean | medium | notselected
Disable the gluster_export_all_ro SELinux Boolean | medium | notselected
Configure the gluster_export_all_rw SELinux Boolean | medium | notselected
Disable the gpg_web_anon_write SELinux Boolean | medium | notselected
Enable the gssd_read_tmp SELinux Boolean | medium | notselected
Disable the guest_exec_content SELinux Boolean | medium | notselected
Disable the haproxy_connect_any SELinux Boolean | medium | notselected
Disable the httpd_anon_write SELinux Boolean | medium | notselected
Configure the httpd_builtin_scripting SELinux Boolean | medium | notselected
Disable the httpd_can_check_spam SELinux Boolean | medium | notselected
Disable the httpd_can_connect_ftp SELinux Boolean | medium | notselected
Disable the httpd_can_connect_ldap SELinux Boolean | medium | notselected
Disable the httpd_can_connect_mythtv SELinux Boolean | medium | notselected
Disable the httpd_can_connect_zabbix SELinux Boolean | medium | notselected
Disable the httpd_can_network_connect_cobbler SELinux Boolean | medium | notselected
Disable the httpd_can_network_connect_db SELinux Boolean | medium | notselected
Disable the httpd_can_network_connect SELinux Boolean | medium | notselected
Disable the httpd_can_network_memcache SELinux Boolean | medium | notselected
Disable the httpd_can_network_relay SELinux Boolean | medium | notselected
Disable the httpd_can_sendmail SELinux Boolean | medium | notselected
Disable the httpd_dbus_avahi SELinux Boolean | medium | notselected
Disable the httpd_dbus_sssd SELinux Boolean | medium | notselected
Disable the httpd_dontaudit_search_dirs SELinux Boolean | medium | notselected
Configure the httpd_enable_cgi SELinux Boolean | medium | notselected
Disable the httpd_enable_ftp_server SELinux Boolean | medium | notselected
Disable the httpd_enable_homedirs SELinux Boolean | medium | notselected
Disable the httpd_execmem SELinux Boolean | medium | notselected
Enable the httpd_graceful_shutdown SELinux Boolean | medium | notselected
Disable the httpd_manage_ipa SELinux Boolean | medium | notselected
Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean | medium | notselected
Disable the httpd_mod_auth_pam SELinux Boolean | medium | notselected
Disable the httpd_read_user_content SELinux Boolean | medium | notselected
Disable the httpd_run_ipa SELinux Boolean | medium | notselected
Disable the httpd_run_preupgrade SELinux Boolean | medium | notselected
Disable the httpd_run_stickshift SELinux Boolean | medium | notselected
Disable the httpd_serve_cobbler_files SELinux Boolean | medium | notselected
Disable the httpd_setrlimit SELinux Boolean | medium | notselected
Disable the httpd_ssi_exec SELinux Boolean | medium | notselected
Disable the httpd_sys_script_anon_write SELinux Boolean | medium | notselected
Disable the httpd_tmp_exec SELinux Boolean | medium | notselected
Disable the httpd_tty_comm SELinux Boolean | medium | notselected
Disable the httpd_unified SELinux Boolean | medium | notselected
Disable the httpd_use_cifs SELinux Boolean | medium | notselected
Disable the httpd_use_fusefs SELinux Boolean | medium | notselected
Disable the httpd_use_gpg SELinux Boolean | medium | notselected
Disable the httpd_use_nfs SELinux Boolean | medium | notselected
Disable the httpd_use_openstack SELinux Boolean | medium | notselected
Disable the httpd_use_sasl SELinux Boolean | medium | notselected
Disable the httpd_verify_dns SELinux Boolean | medium | notselected
Disable the icecast_use_any_tcp_ports SELinux Boolean | medium | notselected
Disable the irc_use_any_tcp_ports SELinux Boolean | medium | notselected
Disable the irssi_use_full_network SELinux Boolean | medium | notselected
Disable the kdumpgui_run_bootloader SELinux Boolean | medium | notselected
Enable the kerberos_enabled SELinux Boolean | medium | notselected
Disable the ksmtuned_use_cifs SELinux Boolean | medium | notselected
Disable the ksmtuned_use_nfs SELinux Boolean | medium | notselected
Enable the logadm_exec_content SELinux Boolean | medium | notselected
Disable the logging_syslogd_can_sendmail SELinux Boolean | medium | notselected
Disable the logging_syslogd_run_nagios_plugins SELinux Boolean | medium | notselected
Enable the logging_syslogd_use_tty SELinux Boolean | medium | notselected
Disable the logrotate_use_nfs SELinux Boolean | medium | notselected
Disable the logwatch_can_network_connect_mail SELinux Boolean | medium | notselected
Disable the lsmd_plugin_connect_any SELinux Boolean | medium | notselected
Disable the mailman_use_fusefs SELinux Boolean | medium | notselected
Disable the mcelog_client SELinux Boolean | medium | notselected
Enable the mcelog_exec_scripts SELinux Boolean | medium | notselected
Disable the mcelog_foreground SELinux Boolean | medium | notselected
Disable the mcelog_server SELinux Boolean | medium | notselected
Disable the minidlna_read_generic_user_content SELinux Boolean | medium | notselected
Disable the mmap_low_allowed SELinux Boolean | medium | notselected
Disable the mock_enable_homedirs SELinux Boolean | medium | notselected
Enable the mount_anyfile SELinux Boolean | medium | notselected
Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean | medium | notselected
Disable the mozilla_plugin_can_network_connect SELinux Boolean | medium | notselected
Disable the mozilla_plugin_use_bluejeans SELinux Boolean | medium | notselected
Disable the mozilla_plugin_use_gps SELinux Boolean | medium | notselected
Disable the mozilla_plugin_use_spice SELinux Boolean | medium | notselected
Disable the mozilla_read_content SELinux Boolean | medium | notselected
Disable the mpd_enable_homedirs SELinux Boolean | medium | notselected
Disable the mpd_use_cifs SELinux Boolean | medium | notselected
Disable the mpd_use_nfs SELinux Boolean | medium | notselected
Disable the mplayer_execstack SELinux Boolean | medium | notselected
Disable the mysql_connect_any SELinux Boolean | medium | notselected
Disable the nagios_run_pnp4nagios SELinux Boolean | medium | notselected
Disable the nagios_run_sudo SELinux Boolean | medium | notselected
Disable the named_tcp_bind_http_port SELinux Boolean | medium | notselected
Disable the named_write_master_zones SELinux Boolean | medium | notselected
Disable the neutron_can_network SELinux Boolean | medium | notselected
Disable the nfsd_anon_write SELinux Boolean | medium | notselected
Enable the nfs_export_all_ro SELinux Boolean | medium | notselected
Enable the nfs_export_all_rw SELinux Boolean | medium | notselected
Disable the nis_enabled SELinux Boolean | medium | notselected
Enable the nscd_use_shm SELinux Boolean | medium | notselected
Disable the openshift_use_nfs SELinux Boolean | medium | notselected
Disable the openvpn_can_network_connect SELinux Boolean | medium | notselected
Disable the openvpn_enable_homedirs SELinux Boolean | medium | notselected
Disable the openvpn_run_unconfined SELinux Boolean | medium | notselected
Disable the pcp_bind_all_unreserved_ports SELinux Boolean | medium | notselected
Disable the pcp_read_generic_logs SELinux Boolean | medium | notselected
Disable the piranha_lvs_can_network_connect SELinux Boolean | medium | notselected
Disable the polipo_connect_all_unreserved SELinux Boolean | medium | notselected
Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean | medium | notselected
Disable the polipo_session_users SELinux Boolean | medium | notselected
Disable the polipo_use_cifs SELinux Boolean | medium | notselected
Disable the polipo_use_nfs SELinux Boolean | medium | notselected
Disable the polyinstantiation_enabled SELinux Boolean | medium | notselected
Enable the postfix_local_write_mail_spool SELinux Boolean | medium | notselected
Disable the postgresql_can_rsync SELinux Boolean | medium | notselected
Disable the postgresql_selinux_transmit_client_label SELinux Boolean | medium | notselected
Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean | medium | notselected
Enable the postgresql_selinux_users_ddl SELinux Boolean | medium | notselected
Disable the pppd_can_insmod SELinux Boolean | medium | notselected
Disable the pppd_for_user SELinux Boolean | medium | notselected
Disable the privoxy_connect_any SELinux Boolean | medium | notselected
Disable the prosody_bind_http_port SELinux Boolean | medium | notselected
Disable the puppetagent_manage_all_files SELinux Boolean | medium | notselected
Disable the puppetmaster_use_db SELinux Boolean | medium | notselected
Disable the racoon_read_shadow SELinux Boolean | medium | notselected
Disable the rsync_anon_write SELinux Boolean | medium | notselected
Disable the rsync_client SELinux Boolean | medium | notselected
Disable the rsync_export_all_ro SELinux Boolean | medium | notselected
Disable the rsync_full_access SELinux Boolean | medium | notselected
Disable the samba_create_home_dirs SELinux Boolean | medium | notselected
Disable the samba_domain_controller SELinux Boolean | medium | notselected
Disable the samba_enable_home_dirs SELinux Boolean | medium | notselected
Disable the samba_export_all_ro SELinux Boolean | medium | notselected
Disable the samba_export_all_rw SELinux Boolean | medium | notselected
Disable the samba_load_libgfapi SELinux Boolean | medium | notselected
Disable the samba_portmapper SELinux Boolean | medium | notselected
Disable the samba_run_unconfined SELinux Boolean | medium | notselected
Disable the samba_share_fusefs SELinux Boolean | medium | notselected
Disable the samba_share_nfs SELinux Boolean | medium | notselected
Disable the sanlock_use_fusefs SELinux Boolean | medium | notselected
Disable the sanlock_use_nfs SELinux Boolean | medium | notselected
Disable the sanlock_use_samba SELinux Boolean | medium | notselected
Disable the saslauthd_read_shadow SELinux Boolean | medium | notselected
Enable the secadm_exec_content SELinux Boolean | medium | notselected
Disable the secure_mode_insmod SELinux Boolean | medium | notselected
Disable the secure_mode SELinux Boolean | medium | notselected
Disable the secure_mode_policyload SELinux Boolean | medium | notselected
Configure the selinuxuser_direct_dri_enabled SELinux Boolean | medium | notselected
Disable the selinuxuser_execheap SELinux Boolean | medium | notselected
Enable the selinuxuser_execmod SELinux Boolean | medium | notselected
Disable the selinuxuser_execstack SELinux Boolean | medium | notselected
Disable the selinuxuser_mysql_connect_enabled SELinux Boolean | medium | notselected
Enable the selinuxuser_ping SELinux Boolean | medium | notselected
Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean | medium | notselected
Disable the selinuxuser_rw_noexattrfile SELinux Boolean | medium | notselected
Disable the selinuxuser_share_music SELinux Boolean | medium | notselected
Disable the selinuxuser_tcp_server SELinux Boolean | medium | notselected
Disable the selinuxuser_udp_server SELinux Boolean | medium | notselected
Disable the selinuxuser_use_ssh_chroot SELinux Boolean | medium | notselected
Disable the sftpd_anon_write SELinux Boolean | medium | notselected
Disable the sftpd_enable_homedirs SELinux Boolean | medium | notselected
Disable the sftpd_full_access SELinux Boolean | medium | notselected
Disable the sftpd_write_ssh_home SELinux Boolean | medium | notselected
Disable the sge_domain_can_network_connect SELinux Boolean | medium | notselected
Disable the sge_use_nfs SELinux Boolean | medium | notselected
Disable the smartmon_3ware SELinux Boolean | medium | notselected
Disable the smbd_anon_write SELinux Boolean | medium | notselected
Disable the spamassassin_can_network SELinux Boolean | medium | notselected
Enable the spamd_enable_home_dirs SELinux Boolean | medium | notselected
Disable the squid_connect_any SELinux Boolean | medium | notselected
Disable the squid_use_tproxy SELinux Boolean | medium | notselected
Disable the ssh_chroot_rw_homedirs SELinux Boolean | medium | notselected
Disable the ssh_keysign SELinux Boolean | medium | notselected
Enable the staff_exec_content SELinux Boolean | medium | notselected
Disable the staff_use_svirt SELinux Boolean | medium | notselected
Disable the swift_can_network SELinux Boolean | medium | notselected
Enable the sysadm_exec_content SELinux Boolean | medium | notselected
Disable the telepathy_connect_all_ports SELinux Boolean | medium | notselected
Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean | medium | notselected
Disable the tftp_anon_write SELinux Boolean | medium | notselected
Disable the tftp_home_dir SELinux Boolean | medium | notselected
Disable the tmpreaper_use_nfs SELinux Boolean | medium | notselected
Disable the tmpreaper_use_samba SELinux Boolean | medium | notselected
Disable the tor_bind_all_unreserved_ports SELinux Boolean | medium | notselected
Disable the tor_can_network_relay SELinux Boolean | medium | notselected
Enable the unconfined_chrome_sandbox_transition SELinux Boolean | medium | notselected
Enable the unconfined_mozilla_plugin_transition SELinux Boolean | medium | notselected
Disable the unprivuser_use_svirt SELinux Boolean | medium | notselected
Disable the use_ecryptfs_home_dirs SELinux Boolean | medium | notselected
Disable the use_fusefs_home_dirs SELinux Boolean | medium | notselected
Disable the use_lpd_server SELinux Boolean | medium | notselected
Disable the use_nfs_home_dirs SELinux Boolean | medium | notselected
Enable the user_exec_content SELinux Boolean | medium | notselected
Disable the use_samba_home_dirs SELinux Boolean | medium | notselected
Disable the varnishd_connect_any SELinux Boolean | medium | notselected
Disable the virt_read_qemu_ga_data SELinux Boolean | medium | notselected
Disable the virt_rw_qemu_ga_data SELinux Boolean | medium | notselected
Disable the virt_sandbox_use_all_caps SELinux Boolean | medium | notselected
Enable the virt_sandbox_use_audit SELinux Boolean | medium | notselected
Disable the virt_sandbox_use_mknod SELinux Boolean | medium | notselected
Disable the virt_sandbox_use_nfs SELinux Boolean | medium | notselected
Disable the virt_sandbox_use_samba SELinux Boolean | medium | notselected
Disable the virt_sandbox_use_sys_admin SELinux Boolean | medium | notselected
Disable the virt_transition_userdomain SELinux Boolean | medium | notselected
Disable the virt_use_comm SELinux Boolean | medium | notselected
Disable the virt_use_execmem SELinux Boolean | medium | notselected
Disable the virt_use_fusefs SELinux Boolean | medium | notselected
Disable the virt_use_nfs SELinux Boolean | medium | notselected
Disable the virt_use_rawip SELinux Boolean | medium | notselected
Disable the virt_use_samba SELinux Boolean | medium | notselected
Disable the virt_use_sanlock SELinux Boolean | medium | notselected
Disable the virt_use_usb SELinux Boolean | medium | notselected
Disable the virt_use_xserver SELinux Boolean | medium | notselected
Disable the webadm_manage_user_files SELinux Boolean | medium | notselected
Disable the webadm_read_user_files SELinux Boolean | medium | notselected
Disable the wine_mmap_zero_ignore SELinux Boolean | medium | notselected
Disable the xdm_bind_vnc_tcp_port SELinux Boolean | medium | notselected
Disable the xdm_exec_bootloader SELinux Boolean | medium | notselected
Disable the xdm_write_home SELinux Boolean | medium | notselected
Enable the xend_run_blktap SELinux Boolean | medium | notselected
Enable the xend_run_qemu SELinux Boolean | medium | notselected
Disable the xen_use_nfs SELinux Boolean | medium | notselected
Disable the xguest_connect_network SELinux Boolean | medium | notselected
Disable the xguest_exec_content SELinux Boolean | medium | notselected
Disable the xguest_mount_media SELinux Boolean | medium | notselected
Disable the xguest_use_bluetooth SELinux Boolean | medium | notselected
Disable the xserver_clients_write_xshm SELinux Boolean | medium | notselected
Disable the xserver_execmem SELinux Boolean | medium | notselected
Disable the xserver_object_manager SELinux Boolean | medium | notselected
Disable the zabbix_can_network SELinux Boolean | medium | notselected
Disable the zarafa_setrlimit SELinux Boolean | medium | notselected
Disable the zebra_write_config SELinux Boolean | medium | notselected
Disable the zoneminder_anon_write SELinux Boolean | medium | notselected
Disable the zoneminder_run_sudo SELinux Boolean | medium | notselected
Ensure SELinux Not Disabled in /etc/default/grub | medium | pass
Ensure SELinux State is Enforcing | high | pass
Configure SELinux Policy | high | pass
Uninstall setroubleshoot Package | low | notselected
Uninstall mcstrans Package | low | notselected
Ensure No Daemons are Unconfined by SELinux | medium | pass
Ensure No Device Files are Unlabeled by SELinux | medium | pass
Ensure SELinux support is enabled in Docker | high | notselected
Account and Access Control 10x fail
Protect Accounts by Restricting Password-Based Login 4x fail
Restrict Root Logins 3x fail
Direct root Logins Not Allowed | medium | fail
Restrict Virtual Console Root Logins | medium | fail
Restrict Serial Port Root Logins | low | fail
Restrict Web Browser Use for Administrative Accounts | low | notselected
Ensure that System Accounts Do Not Run a Shell Upon Login | medium | notselected
Verify Only Root Has UID 0 | high | pass
Root Path Must Be Vendor Default | low | notselected
Verify Proper Storage and Existence of Password Hashes 1x fail
Prevent Log In to Accounts With Empty Password | high | fail
Verify All Account Password Hashes are Shadowed | medium | notselected
All GIDs referenced in /etc/passwd must be defined in /etc/group | low | notselected
Verify No netrc Files Exist | medium | notselected
Set Password Expiration Parameters
Protect Accounts by Configuring PAM 3x fail
Set Password Quality Requirements
Set Password Quality Requirements with pam_pwquality
Set Password Retry Prompts Permitted Per-Session | low | notselected
Set Password Maximum Consecutive Repeating Characters | medium | notselected
Set Password to Maximum of Consecutive Repeating Characters from Same Character Class | medium | notselected
Set Password Strength Minimum Digit Characters | medium | notselected
Set Password Minimum Length | medium | notselected
Set Password Strength Minimum Uppercase Characters | medium | notselected
Set Password Strength Minimum Special Characters | medium | notselected
Set Password Strength Minimum Lowercase Characters | medium | notselected
Set Password Strength Minimum Different Characters | medium | notselected
Set Password Strength Minimum Different Categories | medium | notselected
Set Lockouts for Failed Password Attempts 3x fail
Set Deny For Failed Password Attempts | medium | fail
Set Lockout Time For Failed Password Attempts | medium
fail
Configure the root Account for Failed Password Attemptsmedium
notselected
Set Interval For Counting Failed Password Attemptsmedium
fail
Limit Password Reusemedium
notselected
Set Password Hashing Algorithm
Set PAM's Password Hashing Algorithmmedium
notselected
Set Password Hashing Algorithm in /etc/login.defsmedium
notselected
Set Password Hashing Algorithm in /etc/libuser.confmedium
notselected
Secure Session Configuration Files for Login Accounts 1x fail
Ensure that No Dangerous Directories Exist in Root's Path
Ensure that Root's Path Does Not Include Relative Paths or Null Directorieslow
notselected
Ensure that Root's Path Does Not Include World or Group-Writable Directorieslow
notselected
Ensure that Users Have Sensible Umask Values
Ensure the Default Bash Umask is Set Correctlylow
notselected
Ensure the Default C Shell Umask is Set Correctlylow
notselected
Ensure the Default Umask is Set Correctly in /etc/profilelow
notselected
Set Interactive Session Timeoutmedium
fail
Ensure the Logon Failure Delay is Set Correctly in login.defslow
notselected
Ensure that User Home Directories are not Group-Writable or World-Readablelow
notselected
Protect Physical Console Access 1x fail
Set Boot Loader Password
Verify /boot/grub2/grub.cfg User Ownershipmedium
notselected
Verify /boot/grub2/grub.cfg Group Ownershipmedium
notselected
Verify /boot/grub2/grub.cfg Permissionsmedium
notselected
Set Boot Loader Passwordhigh
notselected
Set the UEFI Boot Loader Passwordmedium
notselected
Configure Screen Locking 1x fail
Configure Console Screen Locking 1x fail
Install the screen Packagemedium
fail
Enable Smart Card Loginmedium
notselected
Require Authentication for Single User Modemedium
pass
Disable debug-shell SystemD Servicemedium
notselected
Disable Ctrl-Alt-Del Reboot Activationhigh
notselected
Verify that Interactive Boot is Disabledmedium
pass
Warning Banners for System Accesses 1x fail
Enable GNOME3 Login Warning Bannermedium
pass
Modify the System Login Bannermedium
fail
Network Configuration and Firewalls 24x fail 1x notchecked
Disable Unused Interfaces
Kernel Parameters Which Affect Networking 12x fail
Network Parameters for Hosts Only 3x fail
Disable Kernel Parameter for Sending ICMP Redirects by Defaultmedium
fail
Disable Kernel Parameter for Sending ICMP Redirects for All Interfacesmedium
fail
Disable Kernel Parameter for IP Forwardingmedium
fail
Network Related Kernel Runtime Parameters for Hosts and Routers 9x fail
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfacesmedium
pass
Configure Kernel Parameter for Accepting ICMP Redirects for All Interfacesmedium
fail
Configure Kernel Parameter for Accepting Secure Redirects for All Interfacesmedium
fail
Configure Kernel Parameter to Log Martian Packetslow
fail
Configure Kernel Parameter to Log Martian Packets By Defaultlow
fail
Configure Kernel Parameter for Accepting Source-Routed Packets By Defaultmedium
pass
Configure Kernel Parameter for Accepting ICMP Redirects By Defaultmedium
fail
Configure Kernel Parameter for Accepting Secure Redirects By Defaultmedium
fail
Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requestsmedium
fail
Configure Kernel Parameter to Ignore Bogus ICMP Error Responseslow
fail
Configure Kernel Parameter to Use TCP Syncookiesmedium
fail
Configure Kernel Parameter to Use Reverse Path Filtering for All Interfacesmedium
pass
Configure Kernel Parameter to Use Reverse Path Filtering by Defaultmedium
pass
Wireless Networking 1x fail
Disable Wireless Through Software Configuration 1x fail
Disable WiFi or Bluetooth in BIOSlow
notselected
Deactivate Wireless Network Interfaceslow
pass
Disable Bluetooth Servicemedium
pass
Disable Bluetooth Kernel Modulesmedium
fail
IPv6 9x fail 1x notchecked
Disable Support for IPv6 Unless Needed 1x fail 1x notchecked
Disable IPv6 Networking Support Automatic Loadingmedium
fail
Disable Interface Usage of IPv6low
notchecked
Disable Support for RPC IPv6low
pass
Configure IPv6 Settings if Necessary 8x fail
Disable Automatic Configuration 7x fail
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfacesmedium
fail
Configure Accepting IPv6 Router Advertisementslow
fail
Configure Accepting IPv6 Router Advertisementslow
fail
Configure Accepting IPv6 Redirects By Defaultmedium
fail
Configure Accepting IPv6 Redirects By Defaultmedium
fail
Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Defaultmedium
fail
Disable Kernel Parameter for IPv6 Forwardingmedium
fail
Limit Network-Transmitted Configuration if Using Static IPv6 Addresses
Manually Assign Global IPv6 Addresslow
notselected
Use Privacy Extensions for Addresslow
fail
Manually Assign IPv6 Router Addresslow
notselected
firewalld 2x fail
Inspect and Activate Default firewalld Rules 1x fail
Verify firewalld Enabledmedium
fail
Strengthen the Default Ruleset 1x fail
Set Default firewalld Zone for Incoming Packetsmedium
fail
Transport Layer Security Support
Uncommon Network Protocols
Disable DCCP Supportmedium
notselected
Disable SCTP Supportmedium
notselected
IPSec Support
Install libreswan Packagemedium
notselected
Verify Any Configured IPSec Tunnel Connectionsmedium
notselected
Disable Client Dynamic DNS Updatesmedium
notselected
Disable Zeroconf Networkinglow
notselected
Ensure System is Not Acting as a Network Sniffermedium
notselected
Configure Syslog
Ensure Proper Configuration of Log Files
Ensure Log Files Are Owned By Appropriate Usermedium
notselected
Ensure Log Files Are Owned By Appropriate Groupmedium
notselected
Ensure System Log Files Have Correct Permissionsmedium
notselected
Ensure cron Is Logging To Rsyslogmedium
notselected
Rsyslog Logs Sent To Remote Host
Ensure Logs Sent To Remote Hostlow
notselected
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Serverlow
notselected
Enable rsyslog to Accept Messages via TCP, if Acting As Log Serverlow
notselected
Enable rsyslog to Accept Messages via UDP, if Acting As Log Serverlow
notselected
Ensure All Logs are Rotated by logrotate
Ensure Logrotate Runs Periodicallylow
notselected
Configure Logwatch on the Central Log Server
Configure Logwatch HostLimit Linelow
notselected
Configure Logwatch SplitHosts Linelow
notselected
Ensure rsyslog is Installedmedium
notselected
Enable rsyslog Servicemedium
notselected
Disable Logwatch on Clients if a Logserver Existslow
notselected
System Accounting with auditd 6x fail 30x notchecked
Configure auditd Data Retention
Configure auditd Number of Logs Retainedmedium
notselected
Configure auditd Max Log File Sizemedium
notselected
Configure auditd max_log_file_action Upon Reaching Maximum Log Sizemedium
notselected
Configure auditd space_left Action on Low Disk Spacemedium
notselected
Configure auditd admin_space_left Action on Low Disk Spacemedium
notselected
Configure auditd mail_acct Action on Low Disk Spacemedium
notselected
Configure auditd flush prioritylow
notselected
Configure auditd to use audispd's syslog pluginmedium
notselected
Configure auditd Rules for Comprehensive Auditing 6x fail 30x notchecked
Records Events that Modify Date and Time Information
Record attempts to alter time through adjtimexlow
notselected
Record attempts to alter time through settimeofdaylow
notselected
Record Attempts to Alter Time Through stimelow
notselected
Record Attempts to Alter Time Through clock_settimelow
notselected
Record Attempts to Alter the localtime Filelow
notselected
Record Events that Modify the System's Discretionary Access Controls
Record Events that Modify the System's Discretionary Access Controls - chmodlow
notselected
Record Events that Modify the System's Discretionary Access Controls - chownlow
notselected
Record Events that Modify the System's Discretionary Access Controls - fchmodlow
notselected
Record Events that Modify the System's Discretionary Access Controls - fchmodatlow
notselected
Record Events that Modify the System's Discretionary Access Controls - fchownlow
notselected
Record Events that Modify the System's Discretionary Access Controls - fchownatlow
notselected
Record Events that Modify the System's Discretionary Access Controls - fremovexattrmedium
notselected
Record Events that Modify the System's Discretionary Access Controls - fsetxattrlow
notselected
Record Events that Modify the System's Discretionary Access Controls - lchownlow
notselected
Record Events that Modify the System's Discretionary Access Controls - lremovexattrmedium
notselected
Record Events that Modify the System's Discretionary Access Controls - lsetxattrlow
notselected
Record Events that Modify the System's Discretionary Access Controls - removexattrmedium
notselected
Record Events that Modify the System's Discretionary Access Controls - setxattrlow
notselected
Record Unauthorized Access Attempts Events to Files (unsuccessful)
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)medium
notselected
Record Unauthorized Access Attempts to Files (unsuccessful) - creatmedium
notselected
Record Unauthorized Access Attempts to Files (unsuccessful) - openmedium
notselected
Record Unauthorized Access Attempts to Files (unsuccessful) - openatmedium
notselected
Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_atmedium
notselected
Record Unauthorized Access Attempts to Files (unsuccessful) - truncatemedium
notselected
Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncatemedium
notselected
Record Execution Attempts to Run SELinux Privileged Commands 4x notchecked
Record Any Attempts to Run semanagemedium
notchecked
Record Any Attempts to Run setseboolmedium
notchecked
Record Any Attempts to Run chconmedium
notchecked
Record Any Attempts to Run restoreconmedium
notchecked
Record Information on the Use of Privileged Commands 1x fail 17x notchecked
Ensure auditd Collects Information on the Use of Privileged Commandsmedium
fail
Ensure auditd Collects Information on the Use of Privileged Commands - passwdmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - chagemedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - userhelpermedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - sumedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - sudomedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - sudoeditmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - newgrpmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - chshmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - umountmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - postdropmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - postqueuemedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chownmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - crontabmedium
notchecked
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkmedium
notchecked
Record File Deletion Events by User 1x fail 5x notchecked
Ensure auditd Collects File Deletion Events by Usermedium
fail
Ensure auditd Collects File Deletion Events by User - rmdirmedium
notchecked
Ensure auditd Collects File Deletion Events by User - unlinkatmedium
notchecked
Ensure auditd Collects File Deletion Events by User - renamemedium
notchecked
Ensure auditd Collects File Deletion Events by User - renameatmedium
notchecked
Record Information on Kernel Modules Loading and Unloading 1x fail 4x notchecked
Ensure auditd Collects Information on Kernel Module Loading and Unloadingmedium
fail
Ensure auditd Collects Information on Kernel Module Loading and Unloading - init_modulemedium
notchecked
Ensure auditd Collects Information on Kernel Module Loading and Unloading - delete_modulemedium
notselected
Ensure auditd Collects Information on Kernel Module Loading and Unloading - insmodmedium
notchecked
Ensure auditd Collects Information on Kernel Module Loading and Unloading - rmmodmedium
notchecked
Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobemedium
notchecked
Shutdown System When Auditing Failures Occurmedium
notselected
Record Events that Modify User/Group Informationlow
notselected
Record Events that Modify the System's Network Environmentlow
notselected
System Audit Logs Must Have Mode 0640 or Less Permissivemedium
notselected
System Audit Logs Must Be Owned By Rootmedium
notselected
Record Events that Modify the System's Mandatory Access Controlslow
notselected
Record Attempts to Alter Process and Session Initiation Informationlow
notselected
Ensure auditd Collects Information on Exporting to Media (successful)medium
fail
Ensure auditd Collects System Administrator Actionslow
fail
Make the auditd Configuration Immutablelow
fail
Enable auditd Servicehigh
notselected
Enable Auditing for Processes Which Start Prior to the Audit Daemonmedium
notselected
Services 17x fail 1x notchecked
Obsolete Services
Xinetd
Disable xinetd Servicemedium
notselected
Uninstall xinetd Packagelow
notselected
Install tcp_wrappers Packagemedium
notselected
Telnet
Disable telnet Servicehigh
notselected
Uninstall telnet-server Packagehigh
notselected
Remove telnet Clientslow
notselected
Rlogin, Rsh, and Rexec
Uninstall rsh-server Packagehigh
notselected
Disable rexec Servicehigh
notselected
Disable rsh Servicehigh
notselected
Uninstall rsh Packagelow
notselected
Disable rlogin Servicehigh
notselected
Remove Rsh Trust Fileshigh
notselected
NIS
Uninstall ypserv Packagehigh
notselected
Disable ypbind Servicemedium
notselected
Remove NIS Clientlow
notselected
TFTP Server
Disable tftp Servicemedium
notselected
Uninstall tftp-server Packagehigh
notselected
Remove tftp Daemonhigh
notselected
Ensure tftp Daemon Uses Secure Modemedium
notselected
Chat/Messaging Services
Uninstall talk-server Packagemedium
notselected
Uninstall talk Packagelow
notselected
Base Services
Disable Automatic Bug Reporting Tool (abrtd)low
notselected
Disable Advanced Configuration and Power Interface (acpid)low
notselected
Disable Certmonger Service (certmonger)low
notselected
Disable Control Group Config (cgconfig)low
notselected
Disable Control Group Rules Engine (cgred)low
notselected
Disable CPU Speed (cpupower)low
notselected
Enable IRQ Balance (irqbalance)low
notselected
Disable KDump Kernel Crash Analyzer (kdump)medium
notselected
Disable Software RAID Monitor (mdmonitor)low
notselected
Disable D-Bus IPC Service (messagebus)low
notselected
Disable Network Console (netconsole)low
notselected
Disable ntpdate Service (ntpdate)low
notselected
Disable Odd Job Daemon (oddjobd)low
notselected
Disable Portreserve (portreserve)low
notselected
Enable Process Accounting (psacct)low
notselected
Disable Apache Qpid (qpidd)low
notselected
Disable Quota Netlink (quota_nld)low
notselected
Disable Network Router Discovery Daemon (rdisc)low
notselected
Disable Red Hat Network Service (rhnsd)low
notselected
Disable Red Hat Subscription Manager Daemon (rhsmcertd)low
notselected
Disable Cyrus SASL Authentication Daemon (saslauthd)low
notselected
Disable SMART Disk Monitoring Service (smartd)low
notselected
Disable System Statistics Reset Service (sysstat)low
notselected
Cron and At Daemons
Restrict at and cron to Authorized Users if Necessary
Verify User Who Owns /etc/cron.allow filemedium
notselected
Verify Group Who Owns /etc/cron.allow filemedium
notselected
Enable cron Servicemedium
notselected
Disable anacron Servicelow
notselected
Disable At Service (atd)low
notselected
Docker Service
Enable the Docker servicemedium
notselected
Use direct-lvm with the Device Mapper Storage Driverlow
notselected
SSH Server 17x fail 1x notchecked
Configure OpenSSH Server if Necessary 16x fail 1x notchecked
Strengthen Firewall Configuration if Possible
Enable SSH Server firewalld Firewall exceptionlow
pass
Allow Only SSH Protocol 2high
fail
Limit Users' SSH Accesslow
notchecked
Disable GSSAPI Authenticationmedium
fail
Disable Kerberos Authenticationmedium
fail
Enable Use of Strict Mode Checkingmedium
fail
Enable Use of Privilege Separationmedium
fail
Disable Compression Or Set Compression to delayedmedium
fail
Print Last Loglow
notselected
Set SSH Idle Timeout Intervallow
fail
Set SSH Client Alive Countmedium
fail
Disable SSH Support for .rhosts Filesmedium
pass
Disable SSH Support for User Known Hostsmedium
fail
Disable SSH Support for Rhosts RSA Authenticationmedium
fail
Disable Host-Based Authenticationmedium
pass
Enable Encrypted X11 Fordwardinghigh
pass
Disable SSH Root Loginmedium
fail
Disable SSH Access via Empty Passwordshigh
fail
Enable SSH Warning Bannermedium
fail
Do Not Allow SSH Environment Optionsmedium
fail
Use Only Approved Ciphersmedium
fail
Use Only FIPS Approved MACsmedium
fail
Install the OpenSSH Server Packagemedium
notselected
Enable the OpenSSH Servicemedium
pass
Disable SSH Server If Possible (Unusual)low
notselected
Verify Permissions on SSH Server Public *.pub Key Filesmedium
pass
Verify Permissions on SSH Server Private *_key Key Filesmedium
pass
Remove SSH Server firewalld Firewall exception (Unusual)low
fail
System Security Services Daemon
Install the SSSD Packagemedium
notselected
Enable the SSSD Servicemedium
notselected
Configure SSSD's Memory Cache to Expiremedium
notselected
Configure SSSD to Expire Offline Credentialsmedium
notselected
Configure SSSD to Expire SSH Known Hostsmedium
notselected
X Window System
Disable X Windows
Disable X Windows Startup By Setting Default Targetmedium
notselected
Remove the X Windows Package Groupmedium
notselected
Avahi Server
Disable Avahi Server if Possible
Disable Avahi Server Softwarelow
notselected
Configure Avahi if Necessary
Serve Avahi Only via Required Protocollow
notselected
Check Avahi Responses' TTL Fieldlow
notselected
Prevent Other Programs from Using Avahi's Portlow
notselected
Disable Avahi Publishinglow
notselected
Restrict Information Published by Avahilow
notselected
Print Support
Configure the CUPS Service if Necessary
Disable Printer Browsing Entirely if Possiblelow
notselected
Disable Print Server Capabilitieslow
notselected
Disable the CUPS Servicelow
notselected
DHCP
Disable DHCP Server
Disable DHCP Servicemedium
notselected
Uninstall DHCP Server Packagemedium
notselected
Disable DHCP Server
Minimize Served Information
Do Not Use Dynamic DNSlow
notselected
Deny Decline Messageslow
notselected
Deny BOOTP Querieslow
notselected
Configure Logginglow
notselected
Disable DHCP Client
Disable DHCP Clientlow
notselected
Configure DHCP Client if Necessary
Minimize the DHCP-Configured Options
Network Time Protocol
Enable the NTP Daemonmedium
notselected
Specify a Remote NTP Servermedium
notselected
Specify Additional Remote NTP Serverslow
notselected
Mail Server Software
Configure SMTP For Mail Clients
Disable Postfix Network Listeningmedium
notselected
Configure Operating System to Protect Mail Server
Configure SSL Certificates for Use with SMTP AUTH
Ensure Security of Postfix SSL Certificate
Configure Postfix if Necessary
Configure Postfix Resource Usage to Limit Denial of Service Attacks
Control Mail Relaying
Configure Trusted Networks and Hosts
Enact SMTP Relay Restrictions
Enact SMTP Recipient Restrictions
Require SMTP AUTH Before Relaying from Untrusted Clients
Use TLS for SMTP AUTH
Configure SMTP Greeting Bannermedium
notselected
Enable Postfix Servicelow
notselected
Uninstall Sendmail Packagemedium
notselected
LDAP
Configure OpenLDAP Clients
Configure LDAP Client to Use TLS For All Transactionsmedium
notselected
Configure Certificate Directives for LDAP Use of TLSmedium
notselected
Configure OpenLDAP Server
Install and Protect LDAP Certificate Files
Uninstall openldap-servers Packagelow
notselected
NFS and RPC
Disable All NFS Services if Possible
Disable Services Used Only by NFS
Disable Network File System Lock Service (nfslock)low
notselected
Disable Secure RPC Client Service (rpcgssd)low
notselected
Disable rpcbind Servicelow
notselected
Disable RPC ID Mapping Service (rpcidmapd)low
notselected
Configure All Machines which Use NFS
Make Each Machine a Client or a Server, not Both
Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)
Configure lockd to use static TCP portlow
notselected
Configure lockd to use static UDP portlow
notselected
Configure statd to use static portlow
notselected
Configure mountd to use static portlow
notselected
Configure NFS Clients
Disable NFS Server Daemons
Specify UID and GID for Anonymous NFS Connectionslow
notselected
Disable Network File System (nfs)low
notselected
Disable Secure RPC Server Service (rpcsvcgssd)low
notselected
Mount Remote Filesystems with Restrictive Options
Mount Remote Filesystems with nodevmedium
notselected
Mount Remote Filesystems with nosuidmedium
notselected
Mount Remote Filesystems with Kerberos Securitymedium
notselected
Configure NFS Servers
Configure the Exports File Restrictively
Use Access Lists to Enforce Authorization Restrictions
Export Filesystems Read-Only if Possible
Use Root-Squashing on All Exportslow
notselected
Restrict NFS Clients to Privileged Portslow
notselected
Ensure Insecure File Locking is Not Allowedmedium
notselected
Use Kerberos Security on All Exportsmedium
notselected
DNS Server
Disable DNS Server
Disable DNS Serverlow
notselected
Uninstall bind Packagelow
notselected
Isolate DNS from Other Services
Run DNS Software on Dedicated Servers
Run DNS Software in a chroot Jail
Protect DNS Data from Tampering or Attack
Run Separate DNS Servers for External and Internal Queries
Use Views to Partition External and Internal Information
Disable Zone Transfers from the Nameserverlow
notselected
Authenticate Zone Transferslow
notselected
Disable Dynamic Updateslow
notselected
FTP Server