Skip to content
Log In

CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000027-GPOS-00008

    Group
    Show

  • SRG-OS-000031-GPOS-00012

    Group
    Show

  • SRG-OS-000031-GPOS-00012

    Group
    Show

  • AlmaLinux OS 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

    Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
    Rule Medium Severity
    Show

  • SRG-OS-000031-GPOS-00012

    Group
    Show

  • AlmaLinux OS 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.

    A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature ...
    Rule Medium Severity
    Show

  • SRG-OS-000029-GPOS-00010

    Group
    Show

  • AlmaLinux OS 9 must initiate a session lock for graphical user interfaces when the screensaver is activated.

    A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary ...
    Rule Medium Severity
    Show

  • SRG-OS-000029-GPOS-00010

    Group
    Show

  • SRG-OS-000029-GPOS-00010

    Group
    Show

  • AlmaLinux OS 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.

    Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a vi...
    Rule Medium Severity
    Show

  • SRG-OS-000028-GPOS-00009

    Group
    Show

  • AlmaLinux OS 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed.

    A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary...
    Rule Medium Severity
    Show

  • SRG-OS-000028-GPOS-00009

    Group
    Show

  • AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.

    A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary...
    Rule Medium Severity
    Show

  • SRG-OS-000032-GPOS-00013

    Group
    Show

  • AlmaLinux OS 9 must log SSH connection attempts and failures to the server.

    Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk, and make remote user access ma...
    Rule Medium Severity
    Show

  • SRG-OS-000032-GPOS-00013

    Group
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.

    Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
    Rule Medium Severity
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • AlmaLinux OS 9 SSH server must be configured to use only FIPS 140-3 validated key exchange algorithms.

    Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. AlmaLinux OS 9 incor...
    Rule Medium Severity
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • AlmaLinux OS 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

    Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
    Rule Medium Severity
    Show

  • SRG-OS-000033-GPOS-00014

    Group
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • AlmaLinux OS 9 must implement DOD-approved TLS encryption in the GnuTLS package.

    Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
    Rule High Severity
    Show

  • SRG-OS-000033-GPOS-00014

    Group
    Show

  • AlmaLinux OS 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms.

    Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes the system configuration more fragmented.
    Rule Medium Severity
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • AlmaLinux OS 9 must implement DOD-approved TLS encryption in the OpenSSL package.

    Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
    Rule Medium Severity
    Show

  • SRG-OS-000033-GPOS-00014

    Group
    Show

  • AlmaLinux OS 9 must use the TuxCare FIPS repository.

    FIPS 140-3 validated packages are available from TuxCare. The TuxCare repositories provide the packages and updates not found in the community repositories. Satisfies: SRG-OS-000033-GPOS-00014, S...
    Rule High Severity
    Show

  • SRG-OS-000033-GPOS-00014

    Group
    Show

  • AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.

    FIPS 140-3 validated packages are available from TuxCare. The original community packages must be replaced with the versions that have gone through the CMVP. Satisfies: SRG-OS-000033-GPOS-00014, ...
    Rule High Severity
    Show

  • SRG-OS-000033-GPOS-00014

    Group
    Show

  • SRG-OS-000002-GPOS-00002

    Group
    Show

  • SRG-OS-000004-GPOS-00004

    Group
    Show

  • AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

    Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...
    Rule Medium Severity
    Show

  • SRG-OS-000004-GPOS-00004

    Group
    Show

  • SRG-OS-000004-GPOS-00004

    Group
    Show

  • SRG-OS-000004-GPOS-00004

    Group
    Show

  • AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

    Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...
    Rule Medium Severity
    Show

  • SRG-OS-000004-GPOS-00004

    Group
    Show

  • SRG-OS-000004-GPOS-00004

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules