Guide to the Secure Configuration of Red Hat Enterprise Linux 9 16x fail 1x notchecked |
System Settings 12x fail 1x notchecked |
Installing and Maintaining Software 1x fail |
System and Software Integrity |
Software Integrity Checking |
Verify Integrity with AIDE |
Install AIDE | medium | |
Build and Test AIDE Database | medium | |
Configure AIDE to Verify the Audit Tools | medium | |
Configure Periodic Execution of AIDE | medium | |
System Cryptographic Policies |
Configure System Cryptography Policy | high | |
Configure SSH to use System Crypto Policy | medium | |
Disk Partitioning |
Ensure /dev/shm is configured | low | |
Ensure /home Located On Separate Partition | low | |
Ensure /tmp Located On Separate Partition | low | |
Ensure /var Located On Separate Partition | low | |
Ensure /var/log Located On Separate Partition | low | |
Ensure /var/log/audit Located On Separate Partition | low | |
Ensure /var/tmp Located On Separate Partition | medium | |
GNOME Desktop Environment |
Configure GNOME Login Screen |
Disable the GNOME3 Login User List | medium | |
Disable XDMCP in GDM | high | |
GNOME Media Settings |
Disable GNOME3 Automounting | medium | |
Disable GNOME3 Automount Opening | medium | |
Disable GNOME3 Automount running | low | |
Configure GNOME Screen Locking |
Set GNOME3 Screensaver Inactivity Timeout | medium | |
Set GNOME3 Screensaver Lock Delay After Activation Period | medium | |
Ensure Users Cannot Change GNOME3 Screensaver Settings | medium | |
Ensure Users Cannot Change GNOME3 Session Idle Settings | medium | |
Remove the GDM Package Group | medium | |
Make sure that the dconf databases are up-to-date with regards to respective keyfiles | high | |
Sudo 1x fail |
Install sudo Package | medium | |
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty | medium | |
Ensure Sudo Logfile Exists - sudo logfile | low | |
Ensure Users Re-Authenticate for Privilege Escalation - sudo | medium | |
Require Re-Authentication When Using the sudo Command | medium | |
Updating Software |
Ensure gpgcheck Enabled In Main dnf Configuration | high | |
Account and Access Control 5x fail |
Warning Banners for System Accesses 1x fail |
Implement a GUI Warning Banner |
Enable GNOME3 Login Warning Banner | medium | |
Set the GNOME3 Login Warning Banner Text | medium | |
Modify the System Login Banner | medium | |
Modify the System Login Banner for Remote Connections | medium | |
Modify the System Message of the Day Banner | medium | |
Verify Group Ownership of System Login Banner | medium | |
Verify Group Ownership of System Login Banner for Remote Connections | medium | |
Verify Group Ownership of Message of the Day Banner | medium | |
Verify ownership of System Login Banner | medium | |
Verify ownership of System Login Banner for Remote Connections | medium | |
Verify ownership of Message of the Day Banner | medium | |
Verify permissions on System Login Banner | medium | |
Verify permissions on System Login Banner for Remote Connections | medium | |
Verify permissions on Message of the Day Banner | medium | |
Protect Accounts by Configuring PAM 1x fail |
Set Lockouts for Failed Password Attempts |
Limit Password Reuse: password-auth | medium | |
Limit Password Reuse: system-auth | medium | |
Lock Accounts After Failed Password Attempts | medium | |
Set Lockout Time for Failed Password Attempts | medium | |
Set Password Quality Requirements 1x fail |
Set Password Quality Requirements with pam_pwquality 1x fail |
Ensure PAM Enforces Password Requirements - Minimum Different Categories | medium | |
Ensure PAM Enforces Password Requirements - Minimum Length | medium | |
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session | medium | |
Set Password Hashing Algorithm |
Set Password Hashing Algorithm in /etc/login.defs | medium | |
Set PAM's Password Hashing Algorithm - password-auth | medium | |
Set PAM's Password Hashing Algorithm | medium | |
Protect Accounts by Restricting Password-Based Login 3x fail |
Set Account Expiration Parameters |
Set Account Expiration Following Inactivity | medium | |
Ensure All Accounts on the System Have Unique Names | medium | |
Set Password Expiration Parameters |
Set Password Maximum Age | medium | |
Set Password Minimum Age | medium | |
Set Existing Passwords Maximum Age | medium | |
Set Existing Passwords Minimum Age | medium | |
Set Existing Passwords Warning Age | medium | |
Set Password Warning Age | medium | |
Set existing passwords a period of inactivity before they are locked | medium | |
Verify Proper Storage and Existence of Password Hashes |
Verify All Account Password Hashes are Shadowed | medium | |
Ensure all users last password change date is in the past | medium | |
All GIDs referenced in /etc/passwd must be defined in /etc/group | low | |
Prevent Login to Accounts With Empty Password | high | |
Ensure There Are No Accounts With Blank or Null Passwords | high | |
Verify No .forward Files Exist | medium | |
Verify No netrc Files Exist | medium | |
Restrict Root Logins 3x fail |
Verify Only Root Has UID 0 | high | |
Verify Root Has A Primary GID 0 | high | |
Ensure the Group Used by pam_wheel Module Exists on System and is Empty | medium | |
Ensure Authentication Required for Single User Mode | medium | |
Ensure that System Accounts Are Locked | medium | |
Ensure that System Accounts Do Not Run a Shell Upon Login | medium | |
Enforce Usage of pam_wheel with Group Parameter for su Authentication | medium | |
Ensure All Accounts on the System Have Unique User IDs | medium | |
Ensure All Groups on the System Have Unique Group ID | medium | |
Secure Session Configuration Files for Login Accounts |
Ensure that No Dangerous Directories Exist in Root's Path |
Ensure that Root's Path Does Not Include World or Group-Writable Directories | medium | |
Ensure that Root's Path Does Not Include Relative Paths or Null Directories | unknown | |
Ensure that Users Have Sensible Umask Values |
Ensure the Default Bash Umask is Set Correctly | medium | |
Ensure the Default Umask is Set Correctly in login.defs | medium | |
Ensure the Default Umask is Set Correctly in /etc/profile | medium | |
Set Interactive Session Timeout | medium | |
User Initialization Files Must Not Run World-Writable Programs | medium | |
All Interactive Users Home Directories Must Exist | medium | |
All Interactive User Home Directories Must Be Group-Owned By The Primary Group | medium | |
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive | medium | |
Enable authselect | medium | |
System Accounting with auditd 1x fail |
Configure auditd Rules for Comprehensive Auditing 1x fail |
Record Events that Modify the System's Discretionary Access Controls |
Record Events that Modify the System's Discretionary Access Controls - chmod | medium | |
Record Events that Modify the System's Discretionary Access Controls - chown | medium | |
Record Events that Modify the System's Discretionary Access Controls - fchmod | medium | |
Record Events that Modify the System's Discretionary Access Controls - fchmodat | medium | |
Record Events that Modify the System's Discretionary Access Controls - fchown | medium | |
Record Events that Modify the System's Discretionary Access Controls - fchownat | medium | |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr | medium | |
Record Events that Modify the System's Discretionary Access Controls - fsetxattr | medium | |
Record Events that Modify the System's Discretionary Access Controls - lchown | medium | |
Record Events that Modify the System's Discretionary Access Controls - lremovexattr | medium | |
Record Events that Modify the System's Discretionary Access Controls - lsetxattr | medium | |
Record Events that Modify the System's Discretionary Access Controls - removexattr | medium | |
Record Events that Modify the System's Discretionary Access Controls - setxattr | medium | |
Record Execution Attempts to Run ACL Privileged Commands |
Record Any Attempts to Run chacl | medium | |
Record Any Attempts to Run setfacl | medium | |
Record Execution Attempts to Run SELinux Privileged Commands |
Record Any Attempts to Run chcon | medium | |
Record File Deletion Events by User |
Ensure auditd Collects File Deletion Events by User - rename | medium | |
Ensure auditd Collects File Deletion Events by User - renameat | medium | |
Ensure auditd Collects File Deletion Events by User - unlink | medium | |
Ensure auditd Collects File Deletion Events by User - unlinkat | medium | |
Record Unauthorized Access Attempts Events to Files (unsuccessful) |
Record Unsuccessful Access Attempts to Files - creat | medium | |
Record Unsuccessful Access Attempts to Files - ftruncate | medium | |
Record Unsuccessful Access Attempts to Files - open | medium | |
Record Unsuccessful Access Attempts to Files - openat | medium | |
Record Unsuccessful Access Attempts to Files - truncate | medium | |
Record Information on Kernel Modules Loading and Unloading |
Ensure auditd Collects Information on Kernel Module Unloading - create_module | medium | |
Ensure auditd Collects Information on Kernel Module Unloading - delete_module | medium | |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module | medium | |
Ensure auditd Collects Information on Kernel Module Loading - init_module | medium | |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module | medium | |
Record Attempts to Alter Logon and Logout Events |
Record Attempts to Alter Logon and Logout Events - faillock | medium | |
Record Attempts to Alter Logon and Logout Events - lastlog | medium | |
Record Information on the Use of Privileged Commands 1x fail |
Ensure auditd Collects Information on the Use of Privileged Commands | medium | |
Ensure auditd Collects Information on the Use of Privileged Commands - kmod | medium | |
Ensure auditd Collects Information on the Use of Privileged Commands - usermod | medium | |
Records Events that Modify Date and Time Information |
Record attempts to alter time through adjtimex | medium | |
Record Attempts to Alter Time Through clock_settime | medium | |
Record attempts to alter time through settimeofday | medium | |
Record Attempts to Alter Time Through stime | medium | |
Record Attempts to Alter the localtime File | medium | |
Make the auditd Configuration Immutable | medium | |
Record Events that Modify the System's Mandatory Access Controls | medium | |
Record Events that Modify the System's Mandatory Access Controls in usr/share | medium | |
Ensure auditd Collects Information on Exporting to Media (successful) | medium | |
Record Events that Modify the System's Network Environment | medium | |
Record Attempts to Alter Process and Session Initiation Information | medium | |
Record Events When Executables Are Run As Another User | medium | |
Ensure auditd Collects System Administrator Actions | medium | |
Record Events that Modify User/Group Information - /etc/group | medium | |
Record Events that Modify User/Group Information - /etc/gshadow | medium | |
Record Events that Modify User/Group Information - /etc/security/opasswd | medium | |
Record Events that Modify User/Group Information - /etc/passwd | medium | |
Record Events that Modify User/Group Information - /etc/shadow | medium | |
Record Attempts to perform maintenance activities | medium | |
System Audit Logs Must Have Mode 0750 or Less Permissive | medium | |
System Audit Logs Must Be Group Owned By Root | medium | |
Audit Configuration Files Must Be Owned By Group root | medium | |
Audit Configuration Files Must Be Owned By Root | medium | |
System Audit Logs Must Be Owned By Root | medium | |
Audit Configuration Files Permissions are 640 or More Restrictive | medium | |
System Audit Logs Must Have Mode 0640 or Less Permissive | medium | |
Configure auditd Data Retention |
Configure auditd mail_acct Action on Low Disk Space | medium | |
Configure auditd admin_space_left Action on Low Disk Space | medium | |
Configure auditd Max Log File Size | medium | |
Configure auditd max_log_file_action Upon Reaching Maximum Log Size | medium | |
Configure auditd space_left Action on Low Disk Space | medium | |
Ensure the audit Subsystem is Installed | medium | |
Enable auditd Service | medium | |
Enable Auditing for Processes Which Start Prior to the Audit Daemon | low | |
Extend Audit Backlog Limit for the Audit Daemon | low | |
GRUB2 bootloader configuration 1x fail |
Non-UEFI GRUB2 bootloader configuration 1x fail |
Verify /boot/grub2/grub.cfg Group Ownership | medium | |
Verify /boot/grub2/user.cfg Group Ownership | medium | |
Verify /boot/grub2/grub.cfg User Ownership | medium | |
Verify /boot/grub2/user.cfg User Ownership | medium | |
Verify /boot/grub2/grub.cfg Permissions | medium | |
Verify /boot/grub2/user.cfg Permissions | medium | |
Set Boot Loader Password in grub2 | high | |
Configure Syslog |
Ensure Proper Configuration of Log Files |
Ensure Log Files Are Owned By Appropriate Group | medium | |
Ensure Log Files Are Owned By Appropriate User | medium | |
Ensure System Log Files Have Correct Permissions | medium | |
systemd-journald |
Enable systemd-journald Service | medium | |
Ensure journald is configured to compress large log files | medium | |
Ensure journald is configured to send logs to rsyslog | medium | |
Ensure journald is configured to write log files to persistent disk | medium | |
Disable systemd-journal-remote Socket | medium | |
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server |
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server | medium | |
Ensure rsyslog is Installed | medium | |
Enable rsyslog Service | medium | |
Ensure rsyslog Default File Permissions Configured | medium | |
Network Configuration and Firewalls 4x fail 1x notchecked |
firewalld 3x fail |
Inspect and Activate Default firewalld Rules |
Verify firewalld Enabled | medium | |
Strengthen the Default Ruleset 3x fail |
Configure Firewalld to Restrict Loopback Traffic | medium | |
Configure Firewalld to Trust Loopback Traffic | medium | |
Set Default firewalld Zone for Incoming Packets | medium | |
IPv6 |
Configure IPv6 Settings if Necessary |
Configure Accepting Router Advertisements on All IPv6 Interfaces | medium | |
Disable Accepting ICMP Redirects for All IPv6 Interfaces | medium | |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces | medium | |
Disable Kernel Parameter for IPv6 Forwarding | medium | |
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default | medium | |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces | medium | |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default | medium | |
Kernel Parameters Which Affect Networking |
Network Related Kernel Runtime Parameters for Hosts and Routers |
Disable Accepting ICMP Redirects for All IPv4 Interfaces | medium | |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces | medium | |
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces | unknown | |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces | medium | |
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces | medium | |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces | medium | |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default | medium | |
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default | unknown | |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default | medium | |
Configure Kernel Parameter for Accepting Secure Redirects By Default | medium | |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces | medium | |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces | unknown | |
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces | medium | |
Network Parameters for Hosts Only |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces | medium | |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default | medium | |
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces | medium | |
nftables 1x fail 1x notchecked |
Install nftables Package | medium | |
Verify nftables Service is Disabled | medium | |
Ensure a Table Exists for Nftables | medium | |
Uncommon Network Protocols |
Disable TIPC Support | low | |
Wireless Networking |
Disable Wireless Through Software Configuration |
Deactivate Wireless Network Interfaces | medium | |
File Permissions and Masks |
Verify Permissions on Important Files and Directories |
Verify Permissions on Files with Local Account Information and Credentials |
Verify Group Who Owns Backup group File | medium | |
Verify Group Who Owns Backup gshadow File | medium | |
Verify Group Who Owns Backup passwd File | medium | |
Verify User Who Owns Backup shadow File | medium | |
Verify Group Who Owns group File | medium | |
Verify Group Who Owns gshadow File | medium | |
Verify Group Who Owns passwd File | medium | |
Verify Group Who Owns shadow File | medium | |
Verify User Who Owns Backup group File | medium | |
Verify User Who Owns Backup gshadow File | medium | |
Verify User Who Owns Backup passwd File | medium | |
Verify Group Who Owns Backup shadow File | medium | |
Verify User Who Owns group File | medium | |
Verify User Who Owns gshadow File | medium | |
Verify User Who Owns passwd File | medium | |
Verify User Who Owns shadow File | medium | |
Verify Permissions on Backup group File | medium | |
Verify Permissions on Backup gshadow File | medium | |
Verify Permissions on Backup passwd File | medium | |
Verify Permissions on Backup shadow File | medium | |
Verify Permissions on group File | medium | |
Verify Permissions on gshadow File | medium | |
Verify Permissions on passwd File | medium | |
Verify Permissions on shadow File | medium | |
Verify File Permissions Within Some Important Directories |
Verify that audit tools are owned by group root | medium | |
Verify that audit tools are owned by root | medium | |
Verify that audit tools Have Mode 0755 or less | medium | |
Verify that All World-Writable Directories Have Sticky Bits Set | medium | |
Ensure No World-Writable Files Exist | medium | |
Ensure All Files Are Owned by a Group | medium | |
Ensure All Files Are Owned by a User | medium | |
Restrict Dynamic Mounting and Unmounting of Filesystems |
Disable Mounting of squashfs | low | |
Disable Mounting of udf | low | |
Disable Modprobe Loading of USB Storage Driver | medium | |
Restrict Partition Mount Options |
Add nodev Option to /dev/shm | medium | |
Add noexec Option to /dev/shm | medium | |
Add nosuid Option to /dev/shm | medium | |
Add nodev Option to /home | unknown | |
Add nosuid Option to /home | medium | |
Add nodev Option to /tmp | medium | |
Add noexec Option to /tmp | medium | |
Add nosuid Option to /tmp | medium | |
Add nodev Option to /var/log/audit | medium | |
Add noexec Option to /var/log/audit | medium | |
Add nosuid Option to /var/log/audit | medium | |
Add nodev Option to /var/log | medium | |
Add noexec Option to /var/log | medium | |
Add nosuid Option to /var/log | medium | |
Add nodev Option to /var | medium | |
Add nosuid Option to /var | unknown | |
Add nodev Option to /var/tmp | medium | |
Add noexec Option to /var/tmp | medium | |
Add nosuid Option to /var/tmp | medium | |
Restrict Programs from Dangerous Execution Patterns |
Disable Core Dumps |
Disable core dump backtraces | medium | |
Disable storing core dump | medium | |
Enable ExecShield |
Enable Randomized Layout of Virtual Address Space | medium | |
SELinux |
Install libselinux Package | high | |
Uninstall mcstrans Package | low | |
Uninstall setroubleshoot Package | low | |
Ensure SELinux Not Disabled in /etc/default/grub | medium | |
Ensure No Daemons are Unconfined by SELinux | medium | |
Ensure SELinux is Not Disabled | high | |
Configure SELinux Policy | medium | |
Ensure SELinux State is Enforcing | high | |
Services 4x fail |
Avahi Server |
Disable Avahi Server if Possible |
Uninstall avahi Server Package | medium | |
Cron and At Daemons |
Restrict at and cron to Authorized Users if Necessary |
Ensure that /etc/at.deny does not exist | medium | |
Ensure that /etc/cron.deny does not exist | medium | |
Verify Group Who Owns /etc/at.allow file | medium | |
Verify Group Who Owns /etc/cron.allow file | medium | |
Verify User Who Owns /etc/cron.allow file | medium | |
Verify Permissions on /etc/at.allow file | medium | |
Verify Permissions on /etc/cron.allow file | medium | |
Enable cron Service | medium | |
Verify Group Who Owns cron.d | medium | |
Verify Group Who Owns cron.daily | medium | |
Verify Group Who Owns cron.hourly | medium | |
Verify Group Who Owns cron.monthly | medium | |
Verify Group Who Owns cron.weekly | medium | |
Verify Group Who Owns Crontab | medium | |
Verify Owner on cron.d | medium | |
Verify Owner on cron.daily | medium | |
Verify Owner on cron.hourly | medium | |
Verify Owner on cron.monthly | medium | |
Verify Owner on cron.weekly | medium | |
Verify Owner on crontab | medium | |
Verify Permissions on cron.d | medium | |
Verify Permissions on cron.daily | medium | |
Verify Permissions on cron.hourly | medium | |
Verify Permissions on cron.monthly | medium | |
Verify Permissions on cron.weekly | medium | |
Verify Permissions on crontab | medium | |
DHCP |
Disable DHCP Server |
Uninstall DHCP Server Package | medium | |
DNS Server |
Disable DNS Server |
Uninstall bind Package | low | |
Uninstall dnsmasq Package | low | |
FTP Server |
Disable vsftpd if Possible |
Uninstall vsftpd Package | high | |
Remove ftp Package | low | |
Web Server |
Disable Apache if Possible |
Uninstall httpd Package | unknown | |
Disable NGINX if Possible |
Uninstall nginx Package | unknown | |
IMAP and POP3 Server |
Disable Cyrus IMAP |
Uninstall cyrus-imapd Package | unknown | |
Disable Dovecot |
Uninstall dovecot Package | unknown | |
LDAP |
Configure OpenLDAP Clients |
Ensure LDAP client is not installed | low | |
Mail Server Software |
Configure SMTP For Mail Clients |
Disable Postfix Network Listening | medium | |
Ensure Mail Transfer Agent is not Listening on any non-loopback Address | medium | |
NFS and RPC 2x fail |
Disable All NFS Services if Possible 1x fail |
Disable Services Used Only by NFS 1x fail |
Disable rpcbind Service | low | |
Configure NFS Clients 1x fail |
Disable NFS Server Daemons 1x fail |
Disable Network File System (nfs) | unknown | |
Network Time Protocol |
Ensure that chronyd is running under chrony user account | medium | |
A remote time server for Chrony is configured | medium | |
Obsolete Services |
Rlogin, Rsh, and Rexec |
Remove Rsh Trust Files | high | |
Telnet |
Uninstall telnet-server Package | high | |
Remove telnet Clients | low | |
TFTP Server |
Uninstall tftp-server Package | high | |
Remove tftp Daemon | low | |
Uninstall rsync Package | medium | |
Print Support |
Uninstall CUPS Package | unknown | |
Proxy Server |
Disable Squid if Possible |
Uninstall squid Package | unknown | |
Samba(SMB) Microsoft Windows File Sharing Server |
Disable Samba if Possible |
Uninstall Samba Package | unknown | |
SNMP Server |
Disable SNMP Server if Possible |
Uninstall net-snmp Package | unknown | |
SSH Server 2x fail |
Configure OpenSSH Server if Necessary 2x fail |
Set SSH Client Alive Count Max | medium | |
Disable Host-Based Authentication | medium | |
Disable SSH Access via Empty Passwords | high | |
Disable SSH Support for .rhosts Files | medium | |
Disable SSH Root Login | medium | |
Disable SSH TCP Forwarding | medium | |
Disable X11 Forwarding | medium | |
Do Not Allow SSH Environment Options | medium | |
Enable PAM | medium | |
Enable SSH Warning Banner | medium | |
Limit Users' SSH Access | unknown | |
Ensure SSH LoginGraceTime is configured | medium | |
Set SSH Daemon LogLevel to VERBOSE | medium | |
Set SSH authentication attempt limit | medium | |
Set SSH MaxSessions limit | medium | |
Ensure SSH MaxStartups is configured | medium | |
Verify Group Who Owns SSH Server config file | medium | |
Verify Group Ownership on SSH Server Private *_key Key Files | medium | |
Verify Group Ownership on SSH Server Public *.pub Key Files | medium | |
Verify Owner on SSH Server config file | medium | |
Verify Ownership on SSH Server Private *_key Key Files | medium | |
Verify Ownership on SSH Server Public *.pub Key Files | medium | |
Verify Permissions on SSH Server config file | medium | |
Verify Permissions on SSH Server Private *_key Key Files | medium | |
Verify Permissions on SSH Server Public *.pub Key Files | medium | |
X Window System |
Disable X Windows |
Remove the X Windows Package Group | medium | |