CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
AlmaLinux OS 9 audit log directory must have 0700 permissions to prevent unauthorized read access.
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit recor...
Rule, Medium Severity
Group: SRG-OS-000057-GPOS-00027

AlmaLinux OS 9 audit logs must be owned by the root group to prevent unauthorized read access.
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit recor...
Rule, Medium Severity
Group: SRG-OS-000057-GPOS-00027

AlmaLinux OS 9 audit logs must be owned by root to prevent unauthorized read access.
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit recor...
Rule, Medium Severity
Group: SRG-OS-000057-GPOS-00027

AlmaLinux OS 9 audit logs must have 0600 permissions to prevent unauthorized read access.
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit recor...
Rule, Medium Severity
Group: SRG-OS-000256-GPOS-00097

AlmaLinux OS 9 audit tools must be group-owned by root.
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operatio...
Rule, Medium Severity
Group: SRG-OS-000256-GPOS-00097

AlmaLinux OS 9 audit tools must be owned by root.
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operatio...
Rule, Medium Severity
Group: SRG-OS-000256-GPOS-00097

Group: SRG-OS-000058-GPOS-00028

Group: SRG-OS-000278-GPOS-00108

Group: SRG-OS-000058-GPOS-00028

AlmaLinux OS 9 audit system must protect auditing rules from unauthorized change.
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit recor...
Rule, Medium Severity

AlmaLinux OS 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.
Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful...
Rule, Low Severity

AlmaLinux OS 9 must automatically lock graphical user sessions after 15 minutes of inactivity.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature ...
Rule, Medium Severity

AlmaLinux OS 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary...
Rule, Medium Severity

All AlmaLinux OS 9 remote access methods must be monitored.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access ma...
Rule, Medium Severity

AlmaLinux OS 9 SSH client must be configured to use only encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
Rule, Medium Severity

AlmaLinux OS 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
Rule, Medium Severity

AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
Rule, Medium Severity

AlmaLinux OS 9 must implement DOD-approved systemwide cryptographic policies to protect the confidentiality of SSH server connections.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
Rule, Medium Severity

AlmaLinux OS 9 must force a frequent session key renegotiation for SSH connections to the server.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information s...
Rule, Medium Severity

AlmaLinux OS 9 must implement DOD-approved encryption in the OpenSSL package.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
Rule, Medium Severity

AlmaLinux OS 9 must enable FIPS mode.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information s...
Rule, High Severity

AlmaLinux OS 9 must automatically expire temporary accounts within 72 hours.
Temporary accounts are accounts created during a time of need when prompt action requires bypassing the normal account creation authorization process, such as during incident response. If these t...
Rule, Medium Severity

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...
Rule, Medium Severity

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...
Rule, Medium Severity

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...
Rule, Medium Severity

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...
Rule, Medium Severity

AlmaLinux OS 9 must require authentication to access emergency mode.
This requirement prevents attackers with physical access from easily bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader pa...
Rule, Medium Severity

AlmaLinux OS 9 must require authentication to access single-user mode.
This requirement prevents attackers with physical access from easily bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader p...
Rule, Medium Severity

The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled.
A locally logged-on user who presses Ctrl-Alt-Delete in quick succession when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, ...
Rule, High Severity

AlmaLinux OS 9 must audit uses of the "execve" system call.
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...
Rule, Medium Severity

AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
Rule, Medium Severity

AlmaLinux OS 9 must configure the appropriate SELinux context on the nondefault faillock tally directory.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the a...
Rule, Medium Severity

AlmaLinux OS 9 must prevent users from disabling the Standard Mandatory DOD Notice and Consent Banner for graphical user interfaces.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...
Rule, Medium Severity

AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...
Rule, Medium Severity

AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH user logon.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...
Rule, Medium Severity

AlmaLinux OS 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the...
Rule, Medium Severity

AlmaLinux OS 9 must check the GPG signature of software packages originating from external software repositories before installation.
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has bee...
Rule, High Severity

AlmaLinux OS 9 must check the GPG signature of locally installed software packages before installation.
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has bee...
Rule, High Severity

AlmaLinux OS 9 system commands must be group-owned by root or a system account.
If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust ...
Rule, Medium Severity

AlmaLinux OS 9 system commands must have mode 755 or less permissive.
If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust ...
Rule, Medium Severity

AlmaLinux OS 9 library directories must have mode 755 or less permissive.
If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust ...
Rule, Medium Severity

AlmaLinux OS 9 must disable acquiring, saving, and processing core dumps.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or sy...
Rule, Medium Severity

AlmaLinux OS 9 must disable storing core dumps.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or sy...
Rule, Medium Severity

AlmaLinux OS 9 must disable the kernel.core_pattern.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers tryin...
Rule, Medium Severity