CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000480-GPOS-00227
Group -
AlmaLinux OS 9 must use a separate file system for /var/tmp.
The "/var/tmp" partition is used as temporary storage by many programs. Placing "/var/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect program...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
AlmaLinux OS 9 must use cron logging.
Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
AlmaLinux OS 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server softw...Rule Medium Severity -
SRG-OS-000480-GPOS-00230
Group -
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid...Rule Medium Severity -
SRG-OS-000368-GPOS-00154
Group -
SRG-OS-000368-GPOS-00154
Group -
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...Rule Medium Severity -
SRG-OS-000368-GPOS-00154
Group -
AlmaLinux OS 9 must mount /boot with the nodev option.
The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails.Rule Medium Severity -
SRG-OS-000368-GPOS-00154
Group -
SRG-OS-000368-GPOS-00154
Group -
AlmaLinux OS 9 must mount /dev/shm with the nodev option.
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo...Rule Medium Severity -
SRG-OS-000368-GPOS-00154
Group -
AlmaLinux OS 9 must mount /dev/shm with the noexec option.
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. E...Rule Medium Severity -
SRG-OS-000368-GPOS-00154
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.