Each of these checks can be skipped by adding skip-test=TEST-NAME to the default.prf file.

NCSA-IPTABLES

Checks if the default INPUT chain policy is DROP or REJECT. Here "default policy" means the -A rules without any IP, port, or protocol exceptions. If iptables has been flushed, the default -P INPUT policy is checked instead.

(Legacy) Checks if the policy for ICMP packets is ACCEPT.

Checks if the policy for ICMP type 3, 8, and 11 in IPv4, type 2 and 3 in IPv6 is ACCEPT.
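
The default-policy check described above can be sketched as follows. This is an added example, not the code of the NCSA-IPTABLES test itself; the function names and sample rule sets are hypothetical, and it assumes the rules arrive in `iptables -S INPUT` format and that the first unconditional terminating rule decides the outcome.

```shell
#!/bin/sh
# Added example: classify the effective default INPUT policy from
# `iptables -S INPUT` output. Function names are hypothetical.

# Print the effective default target. The first unconditional -A INPUT rule
# (no -s/-d/-p/-i/-m match before -j) with a terminating target wins; with no
# such rule (for example a flushed chain) fall back to the -P policy.
# Jumps to user-defined chains and non-terminating targets are not followed.
effective_input_policy() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" && !seen &&
            ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT") {
            catchall = $4; seen = 1
        }
        END { print (seen ? catchall : policy) }
    '
}

# Return 0 when the effective default is DROP or REJECT, 1 otherwise.
input_default_is_restrictive() {
    case "$(effective_input_policy)" in
        DROP|REJECT) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample rule sets (not captured from a real host).
SAMPLE_CATCHALL='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

SAMPLE_FLUSHED_DROP='-P INPUT DROP'

SAMPLE_FLUSHED_ACCEPT='-P INPUT ACCEPT'

# An unconditional ACCEPT ahead of the DROP makes the DROP unreachable.
SAMPLE_SHADOWED='-P INPUT ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j DROP'

# Live use (requires root): iptables -S INPUT | input_default_is_restrictive
```

The shadowed sample shows why rule order matters: a catch-all DROP that sits behind an unconditional ACCEPT never takes effect, so the check reports the chain as permissive.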

NCSA-QUALYS

Checks if the qualys user exists and has a proper shell as defined in QUALYS_ALLOWED_SHELLS at the top.

Checks that the SSHD config specific to the qualys user is compliant with the setup specified in Qualys Authenticated Scanning Host setup.

If pam_access is enabled in SSHD, checks that qualys from the IP specified by QUALYS_IP has access.

Checks that the iptables INPUT rule for the IP specified by QUALYS_IP is ACCEPT.

Checks if qualys owns its home directory.

Checks if qualys has an authorized_keys file in its .ssh directory and owns that key.

Checks if the qualys user has ever logged in.

NCSA-RSYSLOG

Checks if the rsyslog remote destination is set as Syslog Remote Logging Best Practices suggests.