CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...
Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
AlmaLinux OS 9 must require a boot loader password.
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter...
Rule Medium Severity -
SRG-OS-000080-GPOS-00048
Group -
AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes.
Having a nondefault grub superuser username makes password-guessing attacks less effective.
Rule Medium Severity -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000324-GPOS-00125
Group -
SRG-OS-000324-GPOS-00125
Group -
The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9.
A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the ...
Rule High Severity -
SRG-OS-000324-GPOS-00125
Group -
AlmaLinux OS 9 must have the sudo package installed.
"sudo" is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but stil...
Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
The AlmaLinux OS 9 debug-shell systemd service must be disabled.
The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional l...
Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on unsec...
Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.
By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the lin...
Rule Medium Severity -
SRG-OS-000327-GPOS-00127
Group -
SRG-OS-000021-GPOS-00005
Group -
AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
AlmaLinux OS 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
SRG-OS-000021-GPOS-00005
Group -
AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
AlmaLinux OS 9 must log username information when unsuccessful logon attempts occur.
Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000470-GPOS-00214
Rule Medium Severity -
SRG-OS-000329-GPOS-00128
Group -
AlmaLinux OS 9 must maintain an account lock until the locked account is manually released by an administrator; and not automatically after a set time.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
Rule Medium Severity -
SRG-OS-000329-GPOS-00128
Group -
AlmaLinux OS 9 must ensure account locks persist across reboots.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the a...
Rule Medium Severity -
SRG-OS-000329-GPOS-00128
Group -
SRG-OS-000023-GPOS-00006
Group -
SRG-OS-000023-GPOS-00006
Group -
AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...
Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
SRG-OS-000023-GPOS-00006
Group -
SRG-OS-000363-GPOS-00150
Group -
AlmaLinux OS 9 must have the s-nail package installed.
The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.
Rule Medium Severity -
SRG-OS-000364-GPOS-00151
Group -
SRG-OS-000364-GPOS-00151
Group -
AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication.
Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of ac...
Rule Medium Severity -
SRG-OS-000366-GPOS-00153
Group -
SRG-OS-000366-GPOS-00153
Group -
AlmaLinux OS 9 must ensure cryptographic verification of vendor software packages.
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has bee...
Rule High Severity -
SRG-OS-000366-GPOS-00153
Group