1.1.2 Ensure /tmp is configured | ACCESS CONTROL, MEDIA PROTECTION |
1.1.7 Ensure noexec option set on /dev/shm partition | ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION, SYSTEM AND SERVICES ACQUISITION |
1.1.8 Ensure nodev option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION |
1.1.9 Ensure nosuid option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION |
1.1.10 Ensure separate partition exists for /var | ACCESS CONTROL, MEDIA PROTECTION |
1.1.16 Ensure separate partition exists for /var/log/audit | AUDIT AND ACCOUNTABILITY |
1.1.19 Ensure nosuid is set on users' home directories. | ACCESS CONTROL, MEDIA PROTECTION |
1.1.22 Ensure nosuid option set on removable media partitions | ACCESS CONTROL, MEDIA PROTECTION |
1.1.23 Ensure noexec option is configured for NFS. | ACCESS CONTROL, MEDIA PROTECTION |
1.1.24 Ensure nosuid option is set for NFS | ACCESS CONTROL, MEDIA PROTECTION |
1.1.26 Ensure all world-writable directories are group-owned. | ACCESS CONTROL, MEDIA PROTECTION |
1.1.27 Disable Automounting | MEDIA PROTECTION |
1.1.28 Disable USB Storage | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.2.3 Ensure gpgcheck is globally activated | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
1.2.4 Ensure software packages have been digitally signed by a Certificate Authority (CA) | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
1.2.5 Ensure removal of software components after update | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
1.2.6 Ensure the version of the operating system is an active vendor supported release | SYSTEM AND SERVICES ACQUISITION |
1.3.1 Ensure AIDE is installed | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
1.3.2 Ensure filesystem integrity is regularly checked | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
1.3.3 Ensure AIDE is configured to verify ACLs | ACCESS CONTROL, MEDIA PROTECTION |
1.3.4 Ensure AIDE is configured to verify XATTRS | ACCESS CONTROL, MEDIA PROTECTION |
1.3.5 Ensure AIDE is configured to use FIPS 140-2 | ACCESS CONTROL, MEDIA PROTECTION |
1.4.1 Ensure bootloader password is set | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.4.3 Ensure authentication required for single user mode | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.4.4 Ensure boot loader does not allow removable media | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.4.5 Ensure version 7.2 or newer booted with a BIOS have a unique name for the grub superusers account | SYSTEM AND INFORMATION INTEGRITY |
1.4.6 Ensure version 7.2 or newer booted with UEFI have a unique name for the grub superusers account | SYSTEM AND INFORMATION INTEGRITY |
1.5.3 Ensure address space layout randomization (ASLR) is enabled | SYSTEM AND INFORMATION INTEGRITY |
1.5.5 Ensure number of concurrent sessions is limited | ACCESS CONTROL |
1.5.6 Ensure the Ctrl-Alt-Delete key sequence is disabled. | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.5.7 Ensure kernel core dumps are disabled. | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.5.8 Ensure DNS servers are configured | CONFIGURATION MANAGEMENT |
1.5.9 Ensure NIST FIPS-validated cryptography is configured | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.6.1.3 Ensure SELinux policy is configured | ACCESS CONTROL, MEDIA PROTECTION |
1.6.1.5 Ensure the SELinux mode is enforcing | ACCESS CONTROL, MEDIA PROTECTION |
1.6.1.9 Ensure non-privileged users are prevented from executing privileged functions | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
1.6.1.10 Ensure system device files are labeled. | ACCESS CONTROL, MEDIA PROTECTION |
1.7.3 Ensure the Standard Mandatory DoD Notice and Consent Banner are configured | CONFIGURATION MANAGEMENT |
1.7.8 Ensure the Standard Mandatory DoD Notice and Consent Banner are configured | ACCESS CONTROL |
1.8.1 Ensure GDM login banner is configured | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.8.2 Ensure Standard Mandatory DoD Notice and Consent Banner displayed via a graphical user logon | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.8.3 Ensure GDM session lock is enabled | ACCESS CONTROL |
1.8.4 Ensure the graphical user Ctrl-Alt-Delete key sequence is disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.8.5 Ensure users must authenticate using MFA via a graphical user logon | IDENTIFICATION AND AUTHENTICATION |
1.8.6 Ensure GNOME Screensaver period of inactivity is configured | ACCESS CONTROL |
1.8.7 Ensure screensaver lock-enabled is set | ACCESS CONTROL |
1.8.8 Ensure overriding the screensaver lock-delay setting is prevented | ACCESS CONTROL |
1.8.9 Ensure session idle-delay settings is enforced | ACCESS CONTROL |
1.8.10 Ensure GNOME Idle activation is set | ACCESS CONTROL |
1.8.11 Ensure the screensaver idle-activation-enabled setting | ACCESS CONTROL |