II - Mission Support Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000033-GPOS-00014
Group -
AlmaLinux OS 9 must enable FIPS mode.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information s...Rule High Severity -
SRG-OS-000002-GPOS-00002
Group -
AlmaLinux OS 9 must automatically expire temporary accounts within 72 hours.
Temporary accounts are accounts created during a time of need when prompt action requires bypassing the normal account creation authorization process – such as during incident response. If these t...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd polic...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
Group -
AlmaLinux OS 9 must require authentication to access emergency mode.
This requirement prevents attackers with physical access from easily bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader pa...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
Group -
AlmaLinux OS 9 must require a boot loader password.
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
Group -
AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes.
Having a nondefault grub superuser username makes password-guessing attacks less effective.Rule Medium Severity -
SRG-OS-000080-GPOS-00048
Group -
AlmaLinux OS 9 must require authentication to access single-user mode.
This requirement prevents attackers with physical access from easily bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader p...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled.
A locally logged-on user who presses Ctrl-Alt-Delete in quick succession when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, ...Rule High Severity -
SRG-OS-000324-GPOS-00125
Group -
The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9.
A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the ...Rule High Severity -
SRG-OS-000324-GPOS-00125
Group -
AlmaLinux OS 9 must have the sudo package installed.
"sudo" is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but stil...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
The AlmaLinux OS 9 debug-shell systemd service must be disabled.
The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional l...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on unsec...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.
By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the lin...Rule Medium Severity -
SRG-OS-000327-GPOS-00127
Group -
AlmaLinux OS 9 must audit uses of the "execve" system call.
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
AlmaLinux OS 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.