CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
AlmaLinux OS 9 must enable the hardware random number generator entropy gatherer service.
The most important characteristic of a random number generator is its randomness, specifically its ability to deliver random numbers that are impossible to predict. Entropy in computer security is ... (Rule: Medium Severity)

AlmaLinux OS 9 must use a separate file system for /var.
Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is ... (Rule: Medium Severity)

AlmaLinux OS 9 must disable virtual system calls.
System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt ... (Rule: Medium Severity)

AlmaLinux OS 9 must prevent device files from being interpreted on file systems that contain user home directories.
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo... (Rule: Medium Severity)

AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ... (Rule: Medium Severity)

AlmaLinux OS 9 must mount /dev/shm with the nosuid option.
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ... (Rule: Medium Severity)

AlmaLinux OS 9 must mount /var/log/audit with the nosuid option.
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ... (Rule: Medium Severity)

AlmaLinux OS 9 must mount /var/tmp with the nodev option.
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo... (Rule: Medium Severity)

AlmaLinux OS 9 must mount /var/tmp with the noexec option.
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. E... (Rule: Medium Severity)

AlmaLinux OS 9 must mount /var/tmp with the nosuid option.
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ... (Rule: Medium Severity)

AlmaLinux OS 9 fapolicy module must be enabled.
The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio... (Rule: Medium Severity)

AlmaLinux OS 9 must prevent the chrony daemon from acting as a server.
Being able to determine the system time of a server can be useful information for various attacks, from timebomb attacks to location discovery based on time zone. Minimizing the exposure of the ser... (Rule: Medium Severity)

AlmaLinux OS 9 must not have the quagga package installed.
Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), and Border Gateway Protocol (BGP) for Unix and Linux platfor... (Rule: Medium Severity)

AlmaLinux OS 9 must not have the telnet-server package installed.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and theref... (Rule: Medium Severity)

AlmaLinux OS 9 must disable the Asynchronous Transfer Mode (ATM) kernel module.
The ATM is a transport layer protocol designed for digital transmission of multiple types of traffic, including telephony (voice), data, and video signals, in one network without the use of separat... (Rule: Medium Severity)

AlmaLinux OS 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke... (Rule: Medium Severity)

AlmaLinux OS 9 must not have the tuned package installed.
The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components... (Rule: Medium Severity)

AlmaLinux OS 9 must have the firewalld package installed.
"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to netwo... (Rule: Medium Severity)

AlmaLinux OS 9 must require users to provide authentication for privilege escalation.
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability,... (Rule: Medium Severity)

Groups must have unique Group IDs (GIDs).
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user... (Rule: Medium Severity)

Duplicate User IDs (UIDs) must not exist for interactive users.
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user... (Rule: Medium Severity)

AlmaLinux OS 9 SSHD must accept public key authentication.
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authenticat... (Rule: Medium Severity)

The pcscd socket on AlmaLinux OS 9 must be active.
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect cred... (Rule: Medium Severity)

AlmaLinux OS 9 must have the openssl-pkcs11 package installed.
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DOD has mandated the use of the CAC to support identity management and personal authentication f... (Rule: Medium Severity)

AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.
Automatically mounting filesystems and running applications upon insertion of a device facilitates malicious activity. Satisfies: SRG-OS-000378-GPOS-00163, SRG-OS-000114-GPOS-00059 (Rule: Medium Severity)

AlmaLinux OS 9 must have the USBGuard package installed.
The USBGuard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy... (Rule: Medium Severity)

AlmaLinux OS 9 must block unauthorized peripherals before establishing a connection.
The USBGuard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy... (Rule: Medium Severity)

AlmaLinux OS 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Automatically disabling in... (Rule: Medium Severity)

AlmaLinux OS 9 must ensure the password complexity module is enabled in the password-auth file.
Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. (Rule: Medium Severity)

AlmaLinux OS 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.
AlmaLinux OS 9 uses "pwquality" as a mechanism to enforce password complexity. This is set in both /etc/pam.d/password-auth and /etc/pam.d/system-auth. By limiting the number of attempts to meet the p... (Rule: Medium Severity)

AlmaLinux OS 9 must enforce password complexity by requiring that at least one uppercase character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin... (Rule: Medium Severity)

AlmaLinux OS 9 passwords for new users must have a minimum of 15 characters.
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene... (Rule: Medium Severity)

AlmaLinux OS 9 must enforce password complexity by requiring that at least one numeric character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin... (Rule: Medium Severity)

AlmaLinux OS 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin... (Rule: Medium Severity)

AlmaLinux OS 9 must require the change of at least eight characters when passwords are changed.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin... (Rule: Medium Severity)

AlmaLinux OS 9 PAM must be configured to use a sufficient number of password hashing rounds.
Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily comp... (Rule: High Severity)

AlmaLinux OS 9 must be configured so that the Pluggable Authentication Module is configured to store only encrypted representations of passwords.
Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily comp... (Rule: High Severity)

AlmaLinux OS 9 must not have any File Transfer Protocol (FTP) packages installed.
Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily comp... (Rule: High Severity)

For PKI-based authentication, AlmaLinux OS 9 must enforce authorized access to the corresponding private key.
If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key use... (Rule: Medium Severity)

AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entit... (Rule: Medium Severity)

AlmaLinux OS 9 must implement a systemwide encryption policy.
Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms ... (Rule: Medium Severity)

AlmaLinux OS 9 must terminate idle user sessions.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th... (Rule: Medium Severity)

AlmaLinux OS 9 must restrict exposed kernel pointer addresses access.
Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain function pointers. If a write vulnerability occurs in the kernel, allowing write ... (Rule: Medium Severity)

AlmaLinux OS 9 must restrict usage of ptrace to descendant processes.
Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. In this way, the attacker can steal sensitive information from the target processes (e.g., SSH se... (Rule: Medium Severity)

AlmaLinux OS 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
AlmaLinux OS 9 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selec... (Rule: High Severity)

AlmaLinux OS 9 must use a Linux Security Module configured to enforce limits on system services.
An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and... (Rule: Medium Severity)

Any AlmaLinux OS 9 world-writable directories must be owned by root, sys, bin, or an application user.
If a world-writable directory is not owned by root, sys, bin, or an application user identifier (UID), unauthorized users may be able to modify files created by others. The only authorized public ... (Rule: Medium Severity)

A sticky bit must be set on all AlmaLinux OS 9 public directories.
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of ... (Rule: Medium Severity)

All AlmaLinux OS 9 networked systems must implement SSH to protect the confidentiality and integrity of transmitted and received information, including information being prepared for transmission.
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requireme... (Rule: Medium Severity)

AlmaLinux OS 9 wireless network adapters must be disabled.
This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with AlmaLinux OS 9 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keybo... (Rule: Medium Severity)