CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
AlmaLinux OS 9 /var/log/messages file must have mode 0640 or less permissive.
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the AlmaLinux OS 9 system o...Rule Medium Severity -
AlmaLinux OS 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.
Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many ...Rule Medium Severity -
AlmaLinux OS 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed.
Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmwar...Rule Medium Severity -
Successful/unsuccessful uses of the init command in AlmaLinux OS 9 must generate an audit record.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must enable Linux audit logging for the USBGuard daemon.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
The audit package must be installed on AlmaLinux OS 9.
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events ...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "mount" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
Successful/unsuccessful uses of the umount2 system call in AlmaLinux OS 9 must generate an audit record.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "chage" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "chcon" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "chsh" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "crontab" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must audit all uses of the kmod command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "postdrop" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "sudo" command.
Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or ...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "setfiles" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "ssh-keysign" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "unix_chkpwd" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "userhelper" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must generate audit records for any use of the "usermod" command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...Rule Medium Severity -
AlmaLinux OS 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditi...Rule Low Severity -
AlmaLinux OS 9 audispd-plugins package must be installed.
"audispd-plugins" provides plugins for the real-time interface to the audit subsystem, "audispd". These plugins can do things like relay events to remote machines or analyze events for suspicious b...Rule Medium Severity -
AlmaLinux OS 9 must have the rsyslog package installed.
rsyslogd is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Couple this util...Rule Medium Severity -
AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.
If security personnel are not notified immediately when storage volume reaches 75 percent usage, they are unable to plan for audit record storage capacity expansion.Rule Medium Severity -
AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
If security personnel are not notified immediately when storage volume reaches 75 percent usage, they are unable to plan for audit record storage capacity expansion.Rule Medium Severity -
AlmaLinux OS 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent usage.
If security personnel are not notified immediately when storage volume reaches 75 percent usage, they are unable to plan for audit record storage capacity expansion.Rule Medium Severity -
AlmaLinux OS 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...Rule Medium Severity -
AlmaLinux OS 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...Rule Medium Severity -
AlmaLinux OS 9 audit system must take appropriate action when the audit storage volume is full.
It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware e...Rule Medium Severity -
AlmaLinux OS 9 audit system must take appropriate action when the audit files have reached maximum size.
It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware e...Rule Medium Severity -
The auditd service must be enabled on AlmaLinux OS 9.
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events ...Rule Medium Severity -
The chronyd service must be enabled.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...Rule Medium Severity -
AlmaLinux OS 9 must securely compare internal information system clocks at least every 24 hours.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...Rule Medium Severity -
AlmaLinux OS 9 audit tools must have a mode of 0755 or less permissive.
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operatio...Rule Medium Severity -
AlmaLinux OS 9 audit system must protect logon UIDs from unauthorized change.
If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible.Rule Medium Severity -
AlmaLinux OS 9 must use cryptographic mechanisms to protect the integrity of audit tools.
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit recor...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.