
CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Duplicate User IDs (UIDs) must not exist for interactive users.

    To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user...
    Rule Medium Severity
  • AlmaLinux OS 9 SSHD must accept public key authentication.

    Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authenticat...
    Rule Medium Severity
  • The pcscd socket on AlmaLinux OS 9 must be active.

    Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect cred...
    Rule Medium Severity
  • AlmaLinux OS 9 must have the openssl-pkcs11 package installed.

    The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DOD has mandated the use of the CAC to support identity management and personal authentication f...
    Rule Medium Severity
  • AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.

    Automatically mounting filesystems and running applications upon insertion of a device facilitates malicious activity. Satisfies: SRG-OS-000378-GPOS-00163, SRG-OS-000114-GPOS-00059
    Rule Medium Severity
  • AlmaLinux OS 9 must have the USBGuard package installed.

    The USBGuard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy...
    Rule Medium Severity
  • AlmaLinux OS 9 must block unauthorized peripherals before establishing a connection.

    The USBGuard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy...
    Rule Medium Severity
  • AlmaLinux OS 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

    Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Automatically disabling in...
    Rule Medium Severity
  • AlmaLinux OS 9 must ensure the password complexity module is enabled in the password-auth file.

    Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.
    Rule Medium Severity
  • AlmaLinux OS 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.

    AlmaLinux OS 9 uses "pwquality" as a mechanism to enforce password complexity. This is set in both /etc/pam.d/password-auth and /etc/pam.d/system-auth. By limiting the number of attempts to meet the p...
    Rule Medium Severity
  • AlmaLinux OS 9 must enforce password complexity by requiring that at least one uppercase character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • AlmaLinux OS 9 passwords for new users must have a minimum of 15 characters.

    The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene...
    Rule Medium Severity
  • AlmaLinux OS 9 must enforce password complexity by requiring that at least one numeric character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • AlmaLinux OS 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • AlmaLinux OS 9 must require the change of at least eight characters when passwords are changed.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • AlmaLinux OS 9 PAM must be configured to use a sufficient number of password hashing rounds.

    Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily comp...
    Rule High Severity
  • AlmaLinux OS 9 must be configured so that the Pluggable Authentication Module is configured to store only encrypted representations of passwords.

    Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily comp...
    Rule High Severity
  • AlmaLinux OS 9 must not have any File Transfer Protocol (FTP) packages installed.

    FTP transmits user credentials and session data in clear text, so any password sent over it can be read by anyone able to observe the network path. Leaving FTP server or client packages installed invites that exposure; removing them prevents the service from being enabled.
    Rule High Severity
  • For PKI-based authentication, AlmaLinux OS 9 must enforce authorized access to the corresponding private key.

    If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key use...
    Rule Medium Severity
  • AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

    Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entit...
    Rule Medium Severity
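The password-quality, hashing, inactivity and duplicate-UID rules above all come down to a handful of settings in /etc/security/pwquality.conf, the password stack of the PAM files, /etc/default/useradd and /etc/passwd. The POSIX shell audit helper below is an added example, not part of the STIG, of AlmaLinux or of any scanner: it reads those files from paths passed as arguments, reports each value that misses the requirement, and is exercised here against constructed sample files (the temporary directory, the sample contents and the 99999 "no upper bound" sentinel are assumptions of the example). Pointing the functions at the real paths audits a host.

```sh
#!/bin/sh
# Added audit helper, not part of the STIG or of AlmaLinux. Paths are passed in
# so it can be run against the constructed sample files built below or against
# /etc/security/pwquality.conf, /etc/pam.d/system-auth, /etc/default/useradd
# and /etc/passwd on a real host.

# cfg_get FILE KEY: print the effective KEY=value (last uncommented assignment
# wins, which is how both pwquality and useradd read their files), or nothing.
cfg_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# num_in FILE KEY MIN MAX: 0 if KEY is set and MIN <= value <= MAX, else print
# a FAIL line and return 1. An unset key fails: the built-in defaults are weaker.
num_in() {
  v=$(cfg_get "$1" "$2")
  if [ -n "$v" ] && [ "$v" -ge "$3" ] 2>/dev/null && [ "$v" -le "$4" ] 2>/dev/null; then
    return 0
  fi
  echo "FAIL $1: $2=${v:-unset} (want $3..$4)"; return 1
}

# check_pwquality FILE: pwquality.conf values the rules above require. A negative
# ucredit/dcredit means "at least that many of the class"; maxclassrepeat=0
# disables the check, so only 1..4 passes. 99999 is an assumed "no upper bound".
check_pwquality() {
  rc=0
  num_in "$1" minlen 15 99999 || rc=1
  num_in "$1" ucredit -99 -1 || rc=1
  num_in "$1" dcredit -99 -1 || rc=1
  num_in "$1" difok 8 99999 || rc=1
  num_in "$1" maxclassrepeat 1 4 || rc=1
  return $rc
}

# check_pam_password FILE: the password stack of a PAM file must carry an active
# pam_pwquality.so line with retry in 1..3 and a pam_unix.so line hashing with
# sha512 and at least 5000 rounds.
check_pam_password() {
  rc=0
  pwq=$(grep -E '^password[[:space:]].*pam_pwquality\.so' "$1")
  retry=$(printf '%s\n' "$pwq" | sed -n 's/.*[[:space:]]retry=\([0-9]*\).*/\1/p')
  if [ -z "$pwq" ]; then
    echo "FAIL $1: pam_pwquality.so not enabled"; rc=1
  elif [ -z "$retry" ] || [ "$retry" -lt 1 ] || [ "$retry" -gt 3 ]; then
    echo "FAIL $1: retry=${retry:-unset} (want 1..3)"; rc=1
  fi
  unix=$(grep -E '^password[[:space:]].*pam_unix\.so' "$1")
  rounds=$(printf '%s\n' "$unix" | sed -n 's/.*[[:space:]]rounds=\([0-9]*\).*/\1/p')
  case " $unix " in
    *" sha512 "*) ;;
    *) echo "FAIL $1: pam_unix.so is not using sha512"; rc=1 ;;
  esac
  if [ -z "$rounds" ] || [ "$rounds" -lt 5000 ]; then
    echo "FAIL $1: rounds=${rounds:-unset} (want >= 5000)"; rc=1
  fi
  return $rc
}

# check_inactive FILE: /etc/default/useradd must set INACTIVE to at most 35 days;
# -1 (never disable), a larger value or a missing key is a finding.
check_inactive() { num_in "$1" INACTIVE 0 35; }

# dup_uids PASSWD: print every UID in the interactive range (>= 1000) shared by
# more than one account; empty output means the rule is met.
dup_uids() { awk -F: '$3 >= 1000 { print $3 }' "$1" | sort | uniq -d; }

# Constructed sample files: one compliant set and one with typical findings.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'minlen = 15\nucredit = -1\ndcredit = -1\ndifok = 8\nmaxclassrepeat = 4\n' > "$TMP/good.conf"
printf 'minlen = 8\nucredit = 0\n# dcredit = -1\ndifok = 4\nmaxclassrepeat = 0\n' > "$TMP/bad.conf"
cat > "$TMP/good-auth" <<'EOF'
password    requisite     pam_pwquality.so retry=3
password    sufficient    pam_unix.so sha512 shadow use_authtok rounds=5000
EOF
cat > "$TMP/bad-auth" <<'EOF'
password    requisite     pam_pwquality.so retry=5
password    sufficient    pam_unix.so md5 shadow use_authtok
EOF
printf 'INACTIVE=35\n' > "$TMP/good-useradd"
printf 'INACTIVE=-1\n' > "$TMP/bad-useradd"
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1001:1002::/home/carol:/bin/bash
EOF

for f in good bad; do
  check_pwquality "$TMP/$f.conf" && echo "$f.conf: pass"
  check_pam_password "$TMP/$f-auth" && echo "$f-auth: pass"
  check_inactive "$TMP/$f-useradd" && echo "$f-useradd: pass"
done
echo "duplicate interactive UIDs: $(dup_uids "$TMP/passwd" | tr '\n' ' ')"
```

The functions return 0 only when every requirement they cover is met, so they can be chained from a larger audit script; the sample "bad" set shows the usual findings (weak minlen, a positive credit value, a commented-out key, maxclassrepeat=0, too many retries, a non-sha512 hash, INACTIVE=-1 and two accounts sharing UID 1001).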
