| 1.1.1.1 Ensure cramfs kernel module is not available | CONFIGURATION MANAGEMENT |
| 1.1.1.9 Ensure usb-storage kernel module is not available | MEDIA PROTECTION |
| 1.1.1.11 Ensure the operating system disables the ability to load the firewire-core kernel module | CONFIGURATION MANAGEMENT |
| 1.1.1.12 Ensure a camera is not installed | CONFIGURATION MANAGEMENT |
| 1.1.2.1.1 Ensure /tmp is a separate partition | CONFIGURATION MANAGEMENT |
| 1.1.2.1.2 Ensure nodev option set on /tmp partition | CONFIGURATION MANAGEMENT |
| 1.1.2.1.3 Ensure nosuid option set on /tmp partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.1.4 Ensure noexec option set on /tmp partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.2.2 Ensure nodev option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.2.3 Ensure nosuid option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.2.4 Ensure noexec option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.3.4 Ensure a separate file system/partition has been created for non-privileged local interactive user home directories | CONFIGURATION MANAGEMENT |
| 1.1.2.3.5 Ensure file systems that contain user home directories are mounted with the nosuid option | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.3.6 Ensure file systems that contain user home directories are mounted with the "noexec" option | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.4.1 Ensure separate partition exists for /var | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.5.1 Ensure separate partition exists for /var/tmp | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.5.2 Ensure nodev option set on /var/tmp partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.5.3 Ensure nosuid option set on /var/tmp partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.5.4 Ensure noexec option set on /var/tmp partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.6.1 Ensure separate partition exists for /var/log | AUDIT AND ACCOUNTABILITY |
| 1.1.2.6.2 Ensure nodev option set on /var/log partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.6.3 Ensure nosuid option set on /var/log partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.6.4 Ensure noexec option set on /var/log partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.7.1 Ensure separate partition exists for /var/log/audit | AUDIT AND ACCOUNTABILITY |
| 1.1.2.7.2 Ensure nodev option set on /var/log/audit partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.7.3 Ensure nosuid option set on /var/log/audit partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.7.4 Ensure noexec option set on /var/log/audit partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.8.1 Ensure the "/boot" directory is mounted with the "nosuid" option | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.9.1 Ensure the "/boot/efi" directory is mounted with the "nosuid" option | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.10.1 Ensure file systems that are being NFS-imported are mounted with the "nodev" option | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.10.2 Ensure file systems being imported via NFS are mounted with the "nosuid" option | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.10.3 Ensure file systems being imported via NFS are mounted with the "noexec" option | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.11.1 Ensure nodev option set on removable media partitions | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.11.2 Ensure nosuid option set on removable media partitions | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.2.11.3 Ensure noexec option set on removable media partitions | CONFIGURATION MANAGEMENT |
| 1.1.2.12 Ensure all non-root local partitions are mounted with the "nodev" option | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.3.1 Ensure all information at rest is encrypted | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.1.2 Ensure gpgcheck is globally activated | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.2.1.5 Ensure DNF is configured to perform a signature check on local packages | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.2.1.6 Ensure cryptographic verification of vendor software packages | SYSTEM AND INFORMATION INTEGRITY |
| 1.2.2.2 Ensure vendor packaged system security patches and updates are installed | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.2.2.3 Ensure Operating System is a vendor-supported release | SYSTEM AND INFORMATION INTEGRITY |
| 1.2.2.4 Ensure the operating system removes all software components after updated versions have been installed | SYSTEM AND INFORMATION INTEGRITY |
| 1.3.1.5 Ensure the SELinux mode is enforcing | ACCESS CONTROL, MEDIA PROTECTION |
| 1.3.1.8 Ensure the operating system has the policycoreutils package installed | ACCESS CONTROL, MEDIA PROTECTION |
| 1.3.1.10 Ensure SELinux prevents nonprivileged users from executing privileged functions | ACCESS CONTROL, MEDIA PROTECTION |
| 1.3.1.11 Ensure SELinux targeted policy is configured | ACCESS CONTROL, MEDIA PROTECTION |
| 1.4.1 Ensure bootloader password is set | ACCESS CONTROL, MEDIA PROTECTION |
| 1.4.3 Ensure the operating system requires authentication for rescue mode | IDENTIFICATION AND AUTHENTICATION |
| 1.4.4 Ensure the operating system requires authentication upon booting into emergency mode | IDENTIFICATION AND AUTHENTICATION |
