CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
AlmaLinux OS 9 must enable the hardware random number generator entropy gatherer service.
The most important characteristic of a random number generator is its randomness, specifically its ability to deliver random numbers that are impossible to predict. Entropy in computer security is ...
Rule (Medium Severity)

AlmaLinux OS 9 must use a separate file system for /var.
Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is ...
Rule (Medium Severity)

AlmaLinux OS 9 must disable virtual system calls.
System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt...
Rule (Medium Severity)

AlmaLinux OS 9 must prevent device files from being interpreted on file systems that contain user home directories.
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo...
Rule (Medium Severity)

AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
Rule (Medium Severity)

AlmaLinux OS 9 must mount /dev/shm with the nosuid option.
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
Rule (Medium Severity)

AlmaLinux OS 9 must mount /var/log/audit with the nosuid option.
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
Rule (Medium Severity)

AlmaLinux OS 9 must mount /var/tmp with the nodev option.
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo...
Rule (Medium Severity)

AlmaLinux OS 9 must mount /var/tmp with the noexec option.
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. E...
Rule (Medium Severity)

AlmaLinux OS 9 must mount /var/tmp with the nosuid option.
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
Rule (Medium Severity)

AlmaLinux OS 9 fapolicy module must be enabled.
The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizatio...
Rule (Medium Severity)

AlmaLinux OS 9 must prevent the chrony daemon from acting as a server.
Being able to determine the system time of a server can be useful information for various attacks from timebomb attacks to location discovery based on time zone. Minimizing the exposure of the ser...
Rule (Medium Severity)

AlmaLinux OS 9 must not have the quagga package installed.
Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platfor...
Rule (Medium Severity)

AlmaLinux OS 9 must not have the telnet-server package installed.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and theref...
Rule (Medium Severity)

AlmaLinux OS 9 must disable the Asynchronous Transfer Mode (ATM) kernel module.
The ATM is a transport layer protocol designed for digital transmission of multiple types of traffic, including telephony (voice), data, and video signals, in one network without the use of separat...
Rule (Medium Severity)

AlmaLinux OS 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
Rule (Medium Severity)

AlmaLinux OS 9 must not have the tuned package installed.
The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components...
Rule (Medium Severity)

AlmaLinux OS 9 must have the firewalld package installed.
"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to netwo...
Rule (Medium Severity)

AlmaLinux OS 9 must require users to provide authentication for privilege escalation.
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability,...
Rule (Medium Severity)

Groups must have unique Group IDs (GIDs).
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user...
Rule (Medium Severity)