CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • AlmaLinux OS 9 cron configuration files directory must be group-owned by root.

    Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configurati...
    Rule Medium Severity
  • AlmaLinux OS 9 /etc/crontab file must have mode 0600.

    Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configurati...
    Rule Medium Severity
  • All AlmaLinux OS 9 local files and directories must have a valid group owner.

    Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.
    Rule Medium Severity
  • AlmaLinux OS 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.

    The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
    Rule Medium Severity
  • AlmaLinux OS 9 /etc/gshadow- file must be group-owned by root.

    The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security.
    Rule Medium Severity
  • The graphical display manager must not be the default target on AlmaLinux OS 9 unless approved.

    Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, u...
    Rule Medium Severity
  • AlmaLinux OS 9 must disable the user list at logon for graphical user interfaces.

    Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.
    Rule Medium Severity
  • All AlmaLinux OS 9 local interactive user home directories defined in the /etc/passwd file must exist.

    If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a deni...
    Rule Medium Severity
  • All AlmaLinux OS 9 local interactive user home directories must be group-owned by the home directory owner's primary group.

    If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that sha...
    Rule Medium Severity
  • All AlmaLinux OS 9 local interactive users must have a home directory assigned in the /etc/passwd file.

    If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
    Rule Medium Severity
  • Executable search paths within the initialization files of all local interactive AlmaLinux OS 9 users must only contain paths that resolve to the system default or the user's home directory.

    The executable search path (typically the $PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory...
    Rule Medium Severity
  • All AlmaLinux OS 9 local interactive user home directories must have mode 0750 or less permissive.

    Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
    Rule Medium Severity
  • AlmaLinux OS 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.

    Increasing the time between a failed authentication attempt and prompting to re-enter credentials helps to slow a single-threaded brute force attack. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-00...
    Rule Medium Severity
  • AlmaLinux OS 9 must not allow blank or null passwords.

    If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
    Rule Medium Severity
  • AlmaLinux OS 9 must not have accounts configured with blank or null passwords.

    If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
    Rule Medium Severity
  • AlmaLinux OS 9 /etc/passwd- file must be group-owned by root.

    The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security.
    Rule Medium Severity
  • AlmaLinux OS 9 /etc/passwd- file must be owned by root.

    The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security.
    Rule Medium Severity
  • AlmaLinux OS 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.

    If the "/etc/passwd" file is writable by a group-owner or the world, the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and pr...
    Rule Medium Severity
  • AlmaLinux OS 9 /etc/shadow- file must be owned by root.

    The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
    Rule Medium Severity
  • AlmaLinux OS 9 /etc/shadow file must be group-owned by root.

    The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to roo...
    Rule Medium Severity
  • AlmaLinux OS 9 /etc/shadow file must be owned by root.

    The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to ro...
    Rule Medium Severity
  • AlmaLinux OS 9 must use the invoking user's password for privilege escalation when using "sudo".

    If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
    Rule Medium Severity
  • AlmaLinux OS 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

    Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. With a UMASK of 077, files will be created with 0600 permissions (o...
    Rule Medium Severity
  • AlmaLinux OS 9 must define default permissions for PAM users.

    Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. With a UMASK of 077, files will be created with 0600 permissions (o...
    Rule Medium Severity
  • AlmaLinux OS 9 must define default permissions for logon and nonlogon shells.

    Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. With a UMASK of 077, files will be created with 0600 permissions (o...
    Rule Medium Severity
  • AlmaLinux OS 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).

    ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.
    Rule Medium Severity
  • AlmaLinux OS 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.

    File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-3 approved cryptographic hashes.
    Rule Medium Severity
  • AlmaLinux OS 9 must be configured so that the file integrity tool verifies extended attributes.

    Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
    Rule Medium Severity
  • AlmaLinux OS 9 must prevent the use of dictionary words for passwords.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

    Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DOD ...
    Rule Medium Severity
  • AlmaLinux OS 9 must be configured to prevent unrestricted mail relaying.

    If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.
    Rule Medium Severity
  • AlmaLinux OS 9 network interfaces must not be in promiscuous mode.

    Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect in...
    Rule Medium Severity
  • AlmaLinux OS 9 must use reverse path filtering on all IP interfaces.

    Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that a...
    Rule Medium Severity
  • AlmaLinux OS 9 must not send Internet Control Message Protocol (ICMP) redirects.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly re...
    Rule Medium Severity
  • The AlmaLinux OS 9 SSH server configuration file must be owned by root.

    Service configuration files enable or disable features of their respective services, which, if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configu...
    Rule Medium Severity
  • AlmaLinux OS 9 SSH server configuration files must have mode 0600 or less permissive.

    Service configuration files enable or disable features of their respective services, which, if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configur...
    Rule Medium Severity
  • AlmaLinux OS 9 SSH private host key files must have mode 0640 or less permissive.

    If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
    Rule Medium Severity
  • AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive.

    If a public host key file is modified by an unauthorized user, the SSH service may be compromised. While public keys are publicly readable, they should not be writable by non-owners.
    Rule Medium Severity
  • AlmaLinux OS 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.

    Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
    Rule Medium Severity
  • AlmaLinux OS 9 SSH daemon must prevent remote hosts from connecting to the proxy display.

    When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds ...
    Rule Medium Severity
  • AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.

    When hardened, the extended BPF JIT compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms".
    Rule Medium Severity
  • AlmaLinux OS 9 effective dconf policy must match the policy keyfiles.

    Unlike text-based keyfiles, the binary database is impossible to check through most automated and all manual means; therefore, to evaluate dconf configuration, both have to be true at the same time...
    Rule Medium Severity
  • All AlmaLinux OS 9 local initialization files must have mode 0740 or less permissive.

    Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. World-readable "dot files" suc...
    Rule Medium Severity
  • The kdump service on AlmaLinux OS 9 must be disabled.

    Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhau...
    Rule Medium Severity
  • AlmaLinux OS 9 must disable the ability of a user to restart the system from the login screen.

    A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability o...
    Rule Medium Severity
  • AlmaLinux OS 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.

    A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability o...
    Rule Medium Severity
  • AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.

    The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).

    The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • AlmaLinux OS 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.

    To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resol...
    Rule Medium Severity
  • AlmaLinux OS 9 security patches and updates must be installed and up to date.

    Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized...
    Rule Medium Severity