AlmaLinux OS 9 v1r1

Released 2024-12-03


View as One Page
STIG IDTitle
ALMA-09-001010AlmaLinux OS 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.
ALMA-09-001120AlmaLinux OS 9 must automatically lock graphical user sessions after 15 minutes of inactivity.
ALMA-09-001230AlmaLinux OS 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
ALMA-09-001340AlmaLinux OS 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
ALMA-09-001450AlmaLinux OS 9 must initiate a session lock for graphical user interfaces when the screensaver is activated.
ALMA-09-001560AlmaLinux OS 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
ALMA-09-001890AlmaLinux OS 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.
ALMA-09-002000AlmaLinux OS 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed.
ALMA-09-002110AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.
ALMA-09-002770AlmaLinux OS 9 must log SSH connection attempts and failures to the server.
ALMA-09-002880All AlmaLinux OS 9 remote access methods must be monitored.
ALMA-09-002990AlmaLinux OS 9 SSH client must be configured to use only encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
ALMA-09-003100AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.
ALMA-09-003210AlmaLinux OS 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.
ALMA-09-003320AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections.
ALMA-09-003325AlmaLinux OS 9 SSH server must be configured to use only FIPS 140-3 validated key exchange algorithms.
ALMA-09-003430AlmaLinux OS 9 must implement DOD-approved systemwide cryptographic policies to protect the confidentiality of SSH server connections.
ALMA-09-003540AlmaLinux OS 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.
ALMA-09-003650AlmaLinux OS 9 must force a frequent session key renegotiation for SSH connections to the server.
ALMA-09-003760AlmaLinux OS 9 must implement DOD-approved TLS encryption in the GnuTLS package.
ALMA-09-003870AlmaLinux OS 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms.
ALMA-09-003980AlmaLinux OS 9 must implement DOD-approved encryption in the OpenSSL package.
ALMA-09-004090AlmaLinux OS 9 must implement DOD-approved TLS encryption in the OpenSSL package.
ALMA-09-004310AlmaLinux OS 9 must use the TuxCare FIPS repository.
ALMA-09-004320AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.
ALMA-09-004420AlmaLinux OS 9 must enable FIPS mode.
ALMA-09-004750AlmaLinux OS 9 must automatically expire temporary accounts within 72 hours.
ALMA-09-004970AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
ALMA-09-005080AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
ALMA-09-005190AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
ALMA-09-005300AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
ALMA-09-005410AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
ALMA-09-005960AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
ALMA-09-006070AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/
ALMA-09-006180AlmaLinux OS 9 must require authentication to access emergency mode.
ALMA-09-006290AlmaLinux OS 9 must require a boot loader password.
ALMA-09-006400AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes.
ALMA-09-006510AlmaLinux OS 9 must require authentication to access single-user mode.
ALMA-09-006620The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled.
ALMA-09-006730The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9.
ALMA-09-006840AlmaLinux OS 9 must have the sudo package installed.
ALMA-09-006950The AlmaLinux OS 9 debug-shell systemd service must be disabled.
ALMA-09-007060AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
ALMA-09-007170AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.
ALMA-09-007280AlmaLinux OS 9 must audit uses of the "execve" system call.
ALMA-09-007500AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur.
ALMA-09-007610AlmaLinux OS 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
ALMA-09-007720AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
ALMA-09-007830AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
ALMA-09-007940AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
ALMA-09-008050AlmaLinux OS 9 must log username information when unsuccessful logon attempts occur.
ALMA-09-008160AlmaLinux OS 9 must maintain an account lock until the locked account is manually released by an administrator; and not automatically after a set time.
ALMA-09-008270AlmaLinux OS 9 must ensure account locks persist across reboots.
ALMA-09-008380AlmaLinux OS 9 must configure the appropriate SELinux context on the nondefault faillock tally directory.
ALMA-09-008490AlmaLinux OS 9 must prevent users from disabling the Standard Mandatory DOD Notice and Consent Banner for graphical user interfaces.
ALMA-09-008600AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
ALMA-09-008710AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
ALMA-09-008820AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH user logon.
ALMA-09-009260AlmaLinux OS 9 must have the s-nail package installed.
ALMA-09-009370AlmaLinux OS 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
ALMA-09-009480AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication.
ALMA-09-009590AlmaLinux OS 9 must check the GPG signature of software packages originating from external software repositories before installation.
ALMA-09-009700AlmaLinux OS 9 must ensure cryptographic verification of vendor software packages.
ALMA-09-009810AlmaLinux OS 9 must check the GPG signature of locally installed software packages before installation.
ALMA-09-009920AlmaLinux OS 9 must check the GPG signature of repository metadata before package installation.
ALMA-09-010030AlmaLinux OS 9 must have GPG signature verification enabled for all software repositories.
ALMA-09-010140AlmaLinux OS 9 must prevent the loading of a new kernel for later execution.
ALMA-09-010250AlmaLinux OS 9 system commands must be group-owned by root or a system account.
ALMA-09-010360AlmaLinux OS 9 system commands must be owned by root.
ALMA-09-010470AlmaLinux OS 9 system commands must have mode 755 or less permissive.
ALMA-09-010580AlmaLinux OS 9 library directories must be group-owned by root or a system account.
ALMA-09-010690AlmaLinux OS 9 library directories must be owned by root.
ALMA-09-010800AlmaLinux OS 9 library directories must have mode 755 or less permissive.
ALMA-09-010910AlmaLinux OS 9 library files must be group-owned by root or a system account.
ALMA-09-011020AlmaLinux OS 9 library files must be owned by root.
ALMA-09-011130AlmaLinux OS 9 library files must have mode 755 or less permissive.
ALMA-09-011240AlmaLinux OS 9 must disable core dumps for all users.
ALMA-09-011350AlmaLinux OS 9 must disable acquiring, saving, and processing core dumps.
ALMA-09-011460AlmaLinux OS 9 must disable storing core dumps.
ALMA-09-011570AlmaLinux OS 9 must disable core dump backtraces.
ALMA-09-011680AlmaLinux OS 9 must disable the kernel.core_pattern.
ALMA-09-011790AlmaLinux OS 9 cron configuration files directory must be group-owned by root.
ALMA-09-011900AlmaLinux OS 9 cron configuration files directory must be owned by root.
ALMA-09-012010AlmaLinux OS 9 cron configuration directories must have a mode of 0700 or less permissive.
ALMA-09-012120AlmaLinux OS 9 /etc/crontab file must have mode 0600.
ALMA-09-012230AlmaLinux OS 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
ALMA-09-012340AlmaLinux OS 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
ALMA-09-012450All AlmaLinux OS 9 local files and directories must have a valid group owner.
ALMA-09-012560All AlmaLinux OS 9 local files and directories must have a valid owner.
ALMA-09-012670AlmaLinux OS 9 /etc/group- file must be group owned by root.
ALMA-09-012780AlmaLinux OS 9 /etc/group- file must be owned by root.
ALMA-09-012890AlmaLinux OS 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
ALMA-09-013000AlmaLinux OS 9 /etc/group file must be group owned by root.
ALMA-09-013110AlmaLinux OS 9 /etc/group file must be owned by root.
ALMA-09-013220AlmaLinux OS 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
ALMA-09-013330The /boot/grub2/grub.cfg file must be group-owned by root.
ALMA-09-013440The /boot/grub2/grub.cfg file must be owned by root.
ALMA-09-013550AlmaLinux OS 9 must disable the ability of systemd to spawn an interactive boot process.
ALMA-09-013660AlmaLinux OS 9 /etc/gshadow- file must be group-owned by root.
ALMA-09-013770AlmaLinux OS 9 /etc/gshadow- file must be owned by root.
ALMA-09-013880AlmaLinux OS 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
ALMA-09-013990AlmaLinux OS 9 /etc/gshadow file must be group-owned by root.
ALMA-09-014100AlmaLinux OS 9 /etc/gshadow file must be owned by root.
ALMA-09-014210AlmaLinux OS 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
ALMA-09-014320The graphical display manager must not be the default target on AlmaLinux OS 9 unless approved.
ALMA-09-014430AlmaLinux OS 9 must disable the user list at logon for graphical user interfaces.
ALMA-09-014540All AlmaLinux OS 9 local interactive user accounts must be assigned a home directory upon creation.
ALMA-09-014650All AlmaLinux OS 9 local interactive user home directories defined in the /etc/passwd file must exist.
ALMA-09-014760All AlmaLinux OS 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
ALMA-09-014870AlmaLinux OS 9 must prevent code from being executed on file systems that contain user home directories.
ALMA-09-014980A separate file system must be used for user home directories (such as /home or an equivalent).
ALMA-09-015090All AlmaLinux OS 9 local interactive users must have a home directory assigned in the /etc/passwd file.
ALMA-09-015200Executable search paths within the initialization files of all local interactive AlmaLinux OS 9 users must only contain paths that resolve to the system default or the users home directory.
ALMA-09-015310All AlmaLinux OS 9 local interactive user home directories must have mode 0750 or less permissive.
ALMA-09-015420AlmaLinux OS 9 must not allow unattended or automatic logon via the graphical user interface.
ALMA-09-015640AlmaLinux OS 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
ALMA-09-015750AlmaLinux OS 9 must not allow blank or null passwords.
ALMA-09-015860AlmaLinux OS 9 must not have accounts configured with blank or null passwords.
ALMA-09-015970AlmaLinux OS 9 /etc/passwd- file must be group-owned by root.
ALMA-09-016080AlmaLinux OS 9 /etc/passwd- file must be owned by root.
ALMA-09-016190AlmaLinux OS 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
ALMA-09-016300AlmaLinux OS 9 /etc/passwd file must be group-owned by root.
ALMA-09-016410AlmaLinux OS 9 /etc/passwd file must be owned by root.
ALMA-09-016520AlmaLinux OS 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
ALMA-09-016630AlmaLinux OS 9 /etc/shadow- file must be group-owned by root.
ALMA-09-016740AlmaLinux OS 9 /etc/shadow- file must be owned by root.
ALMA-09-016850AlmaLinux OS 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
ALMA-09-016960AlmaLinux OS 9 /etc/shadow file must be group-owned by root.
ALMA-09-017070AlmaLinux OS 9 /etc/shadow file must be owned by root.
ALMA-09-017180AlmaLinux OS 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
ALMA-09-017290AlmaLinux OS 9 must restrict privilege elevation to authorized personnel.
ALMA-09-017400AlmaLinux OS 9 must use the invoking user's password for privilege escalation when using "sudo".
ALMA-09-017510AlmaLinux OS 9 must set the umask value to 077 for all local interactive user accounts.
ALMA-09-017620AlmaLinux OS 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
ALMA-09-017730AlmaLinux OS 9 must define default permissions for PAM users.
ALMA-09-017840AlmaLinux OS 9 must define default permissions for logon and nonlogon shells.
ALMA-09-017950AlmaLinux OS 9 must not have unauthorized accounts.
ALMA-09-018060AlmaLinux OS 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
ALMA-09-018170AlmaLinux OS 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
ALMA-09-018280AlmaLinux OS 9 must be configured so that the file integrity tool verifies extended attributes.
ALMA-09-018390AlmaLinux OS 9 must prevent the use of dictionary words for passwords.
ALMA-09-018500AlmaLinux OS 9 must not accept router advertisements on all IPv6 interfaces.
ALMA-09-018610AlmaLinux OS 9 must ignore Internet Control Message Protocol (ICMP) redirect messages.
ALMA-09-018720The firewalld service on AlmaLinux OS 9 must be active.
ALMA-09-018830AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
ALMA-09-018940AlmaLinux OS 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
ALMA-09-019050AlmaLinux OS 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
ALMA-09-019160AlmaLinux OS 9 must not enable IP packet forwarding unless the system is a router.
ALMA-09-019270AlmaLinux OS 9 must not have unauthorized IP tunnels configured.
ALMA-09-019380AlmaLinux OS 9 must log packets with impossible addresses.
ALMA-09-019490AlmaLinux OS 9 must be configured to prevent unrestricted mail relaying.
ALMA-09-019600AlmaLinux OS 9 must have the nss-tools package installed.
ALMA-09-019710AlmaLinux OS 9 network interfaces must not be in promiscuous mode.
ALMA-09-019820AlmaLinux OS 9 must use reverse path filtering on all IP interfaces.
ALMA-09-019930AlmaLinux OS 9 must not send Internet Control Message Protocol (ICMP) redirects.
ALMA-09-020040There must be no .shosts files on AlmaLinux OS 9.
ALMA-09-020150There must be no shosts.equiv files on AlmaLinux OS 9.
ALMA-09-020260AlmaLinux OS 9 must not forward source-routed packets.
ALMA-09-020370AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
ALMA-09-020480The AlmaLinux OS 9 SSH server configuration file must be group-owned by root.
ALMA-09-020590The AlmaLinux OS 9 SSH server configuration file must be owned by root.
ALMA-09-020700AlmaLinux OS 9 SSH server configuration files must have mode 0600 or less permissive.
ALMA-09-020810AlmaLinux OS 9 must not allow a noncertificate trusted host SSH logon to the system.
ALMA-09-020920AlmaLinux OS 9 SSH private host key files must have mode 0640 or less permissive.
ALMA-09-021030AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive.
ALMA-09-021140AlmaLinux OS 9 SSH daemon must not allow known hosts authentication.
ALMA-09-021250AlmaLinux OS 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
ALMA-09-021360AlmaLinux OS 9 SSH daemon must not allow rhosts authentication.
ALMA-09-021470AlmaLinux OS 9 SSH daemon must disable remote X connections for interactive users.
ALMA-09-021580AlmaLinux OS 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
ALMA-09-021690If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
ALMA-09-021800AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.
ALMA-09-021910AlmaLinux OS 9 effective dconf policy must match the policy keyfiles.
ALMA-09-022020AlmaLinux OS 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
ALMA-09-022130All AlmaLinux OS 9 local initialization files must have mode 0740 or less permissive.
ALMA-09-022240AlmaLinux OS 9 must have the gnutls-utils package installed.
ALMA-09-022350The kdump service on AlmaLinux OS 9 must be disabled.
ALMA-09-022460AlmaLinux OS 9 must disable the ability of a user to restart the system from the login screen.
ALMA-09-022570AlmaLinux OS 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
ALMA-09-022680AlmaLinux OS 9 must prevent special devices on file systems that are used with removable media.
ALMA-09-022790AlmaLinux OS 9 must prevent code from being executed on file systems that are used with removable media.
ALMA-09-022900AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
ALMA-09-023010AlmaLinux OS 9 must disable the use of user namespaces.
ALMA-09-023120AlmaLinux OS 9 must prevent special devices on file systems that are imported via Network File System (NFS).
ALMA-09-023230AlmaLinux OS 9 must prevent code execution on file systems that are imported via Network File System (NFS).
ALMA-09-023450AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
ALMA-09-023560AlmaLinux OS 9 must configure a DNS processing mode set be Network Manager.
ALMA-09-023670AlmaLinux OS 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
ALMA-09-023780AlmaLinux OS 9 must prevent special devices on nonroot local partitions.
ALMA-09-023890The root account must be the only account having unrestricted access to an AlmaLinux OS 9 system.
ALMA-09-024000AlmaLinux OS 9 must be configured so that the cryptographic hashes of system files match vendor values.
ALMA-09-024110AlmaLinux OS 9 must clear the page allocator to prevent use-after-free attacks.
ALMA-09-024220AlmaLinux OS 9 must display the date and time of the last successful account logon upon logon.
ALMA-09-024330AlmaLinux OS 9 security patches and updates must be installed and up to date.
ALMA-09-024440AlmaLinux OS 9 policycoreutils-python-utils package must be installed.
ALMA-09-024550AlmaLinux OS 9 must enable the hardware random number generator entropy gatherer service.
ALMA-09-024660AlmaLinux OS 9 must have the rng-tools package installed.
ALMA-09-024770The SSH daemon must perform strict mode checking of home directory configuration files.
ALMA-09-024990AlmaLinux OS 9 system accounts must not have an interactive login shell.
ALMA-09-025100AlmaLinux OS 9 must use a separate file system for /tmp.
ALMA-09-025210Local AlmaLinux OS 9 initialization files must not execute world-writable programs.
ALMA-09-025320AlmaLinux OS 9 must use a separate file system for /var/log.
ALMA-09-025430AlmaLinux OS 9 must use a separate file system for /var.
ALMA-09-025540AlmaLinux OS 9 must use a separate file system for /var/tmp.
ALMA-09-025650AlmaLinux OS 9 must disable virtual system calls.
ALMA-09-025760AlmaLinux OS 9 must use cron logging.
ALMA-09-025870AlmaLinux OS 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
ALMA-09-025980AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
ALMA-09-026090AlmaLinux OS 9 must prevent device files from being interpreted on file systems that contain user home directories.
ALMA-09-026200AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
ALMA-09-026310AlmaLinux OS 9 must mount /boot with the nodev option.
ALMA-09-026420AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
ALMA-09-026530AlmaLinux OS 9 must mount /dev/shm with the nodev option.
ALMA-09-026640AlmaLinux OS 9 must mount /dev/shm with the noexec option.
ALMA-09-026750AlmaLinux OS 9 must mount /dev/shm with the nosuid option.
ALMA-09-026860AlmaLinux OS 9 must mount /tmp with the nodev option.
ALMA-09-026970AlmaLinux OS 9 must mount /tmp with the noexec option.
ALMA-09-027080AlmaLinux OS 9 must mount /tmp with the nosuid option.
ALMA-09-027190AlmaLinux OS 9 must mount /var/log/audit with the nodev option.
ALMA-09-027300AlmaLinux OS 9 must mount /var/log/audit with the noexec option.
ALMA-09-027410AlmaLinux OS 9 must mount /var/log/audit with the nosuid option.
ALMA-09-027520AlmaLinux OS 9 must mount /var/log with the nodev option.
ALMA-09-027630AlmaLinux OS 9 must mount /var/log with the noexec option.
ALMA-09-027740AlmaLinux OS 9 must mount /var/log with the nosuid option.
ALMA-09-027850AlmaLinux OS 9 must mount /var with the nodev option.
ALMA-09-027960AlmaLinux OS 9 must mount /var/tmp with the nodev option.
ALMA-09-028070AlmaLinux OS 9 must mount /var/tmp with the noexec option.
ALMA-09-028180AlmaLinux OS 9 must mount /var/tmp with the nosuid option.
ALMA-09-028290AlmaLinux OS 9 fapolicy module must be enabled.
ALMA-09-028400AlmaLinux OS 9 fapolicy module must be installed.
ALMA-09-028510AlmaLinux OS 9 must disable remote management of the chrony daemon.
ALMA-09-028620AlmaLinux OS 9 must prevent the chrony daemon from acting as a server.
ALMA-09-028730AlmaLinux OS 9 must not have the iprutils package installed.
ALMA-09-028840AlmaLinux OS 9 must not have the quagga package installed.
ALMA-09-028950AlmaLinux OS 9 must not have the sendmail package installed.
ALMA-09-029060AlmaLinux OS 9 must not have the telnet-server package installed.
ALMA-09-029170AlmaLinux OS 9 must not have a Trivial File Transfer Protocol (TFTP) client package installed.
ALMA-09-029390AlmaLinux OS 9 must not have the cups package installed.
ALMA-09-029500AlmaLinux OS 9 must not have the gssproxy package installed.
ALMA-09-029610AlmaLinux OS 9 must disable the Asynchronous Transfer Mode (ATM) kernel module.
ALMA-09-029720AlmaLinux OS 9 must be configured to disable Bluetooth.
ALMA-09-029830AlmaLinux OS 9 must disable the Controller Area Network (CAN) kernel module.
ALMA-09-029940AlmaLinux OS 9 must disable mounting of cramfs.
ALMA-09-030050AlmaLinux OS 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
ALMA-09-030160AlmaLinux OS 9 must disable mounting of squashfs.
ALMA-09-030270AlmaLinux OS 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
ALMA-09-030380AlmaLinux OS 9 must disable mounting of udf.
ALMA-09-030490Cameras must be disabled or covered when not in use.
ALMA-09-030600AlmaLinux OS 9 must not have the nfs-utils package installed.
ALMA-09-030710AlmaLinux OS 9 must not have the rsh package installed.
ALMA-09-030820AlmaLinux OS 9 must not have the rsh-server package installed.
ALMA-09-030930AlmaLinux OS 9 must not have the tuned package installed.
ALMA-09-031040A graphical display manager must not be installed on AlmaLinux OS 9 unless approved.
ALMA-09-031150AlmaLinux OS 9 must not have the ypserv package installed.
ALMA-09-031260AlmaLinux OS 9 must not have the avahi package installed.
ALMA-09-031370AlmaLinux OS 9 must be configured to disable USB mass storage.
ALMA-09-031700AlmaLinux OS 9 must have the firewalld package installed.
ALMA-09-031920AlmaLinux OS 9 must require users to provide authentication for privilege escalation.
ALMA-09-032030AlmaLinux OS 9 must require users to provide a password for privilege escalation.
ALMA-09-032140AlmaLinux OS 9 must not be configured to bypass password requirements for privilege escalation.
ALMA-09-032250AlmaLinux OS 9 must require reauthentication when using the "sudo" command.
ALMA-09-032470AlmaLinux OS 9 must restrict the use of the "su" command.
ALMA-09-032910Groups must have unique Group IDs (GIDs).
ALMA-09-033020Duplicate User IDs (UIDs) must not exist for interactive users.
ALMA-09-033130All AlmaLinux OS 9 interactive users must have a primary group that exists.
ALMA-09-033240AlmaLinux OS 9 SSHD must accept public key authentication.
ALMA-09-033350AlmaLinux OS 9 must have the opensc package installed.
ALMA-09-033460The pcscd socket on AlmaLinux OS 9 must be active.
ALMA-09-033570AlmaLinux OS 9 must have the pcsc-lite package installed.
ALMA-09-033680AlmaLinux OS 9 must implement certificate status checking for multifactor authentication.
ALMA-09-033790AlmaLinux OS 9 must enable certificate based smart card authentication.
ALMA-09-034010AlmaLinux OS 9 must have the openssl-pkcs11 package installed.
ALMA-09-034120AlmaLinux OS 9 SSHD must not allow blank passwords.
ALMA-09-034340AlmaLinux OS 9 must use the CAC smart card driver.
ALMA-09-034780AlmaLinux OS 9 must not permit direct logons to the root account using remote access via SSH.
ALMA-09-034890AlmaLinux OS 9 must disable the graphical user interface automount function unless required.
ALMA-09-035000AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface automount function.
ALMA-09-035110AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.
ALMA-09-035210AlmaLinux OS 9 must have the USBGuard package installed.
ALMA-09-035220AlmaLinux OS 9 must have the USBGuard package enabled.
ALMA-09-035440AlmaLinux OS 9 must block unauthorized peripherals before establishing a connection.
ALMA-09-035550AlmaLinux OS 9 must not have the autofs package installed.
ALMA-09-035660AlmaLinux OS 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
ALMA-09-035770AlmaLinux OS 9 must enforce password complexity by requiring that at least one lowercase character be used.
ALMA-09-035880AlmaLinux OS 9 must ensure the password complexity module is enabled in the password-auth file.
ALMA-09-035990AlmaLinux OS 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.
ALMA-09-036100AlmaLinux OS 9 must enforce password complexity rules for the root account.
ALMA-09-036210AlmaLinux OS 9 must enforce password complexity by requiring that at least one uppercase character be used.
ALMA-09-036320AlmaLinux OS 9 must enforce password complexity by requiring that at least one special character be used.
ALMA-09-036430AlmaLinux OS 9 passwords for new users must have a minimum of 15 characters.
ALMA-09-036540AlmaLinux OS 9 passwords must be created with a minimum of 15 characters.
ALMA-09-036650AlmaLinux OS 9 must enforce password complexity by requiring that at least one numeric character be used.
ALMA-09-036760AlmaLinux OS 9 must require the change of at least four character classes when passwords are changed.
ALMA-09-036870AlmaLinux OS 9 must require the maximum number of repeating characters be limited to three when passwords are changed.
ALMA-09-036980AlmaLinux OS 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
ALMA-09-037090AlmaLinux OS 9 must require the change of at least eight characters when passwords are changed.
ALMA-09-037200AlmaLinux OS 9 PAM must be configured to use a sufficient number of password hashing rounds.
ALMA-09-037310AlmaLinux OS 9 must be configured so that libuser is configured to store only encrypted representations of passwords.
ALMA-09-037420AlmaLinux OS 9 must be configured so that the system's shadow file is configured to store only encrypted representations of passwords.
ALMA-09-037530AlmaLinux OS 9 must be configured so that the Pluggable Authentication Module is configured to store only encrypted representations of passwords.
ALMA-09-037640AlmaLinux OS 9 must be configured so that interactive user account passwords are using strong password hashes.
ALMA-09-037750AlmaLinux OS 9 must not have any File Transfer Protocol (FTP) packages installed.
ALMA-09-037860AlmaLinux OS 9 must not have any telnet packages installed.
ALMA-09-037970Passwords for existing users must have a 60-day maximum password lifetime restriction in /etc/shadow.
ALMA-09-038080Passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs.
ALMA-09-038190Passwords for existing users must have a 24-hour minimum password lifetime restriction in /etc/shadow.
ALMA-09-038300Passwords for new users or password changes must have a 24-hour minimum password lifetime restriction in /etc/login.defs.
ALMA-09-038630AlmaLinux OS 9 must prohibit the use of cached authenticators after one day.
ALMA-09-038850For PKI-based authentication, AlmaLinux OS 9 must enforce authorized access to the corresponding private key.
ALMA-09-038960AlmaLinux OS 9 must map the authenticated identity to the user or group account for PKI-based authentication.
ALMA-09-039070AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
ALMA-09-039290AlmaLinux OS 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
ALMA-09-039400AlmaLinux OS 9 must prevent system daemons from using Kerberos for authentication.
ALMA-09-039510The libreswan package must be installed.
ALMA-09-039620AlmaLinux OS 9 must have the packages required for encrypting offloaded audit logs installed.
ALMA-09-039840AlmaLinux OS 9 must have the crypto-policies package installed.
ALMA-09-040060AlmaLinux OS 9 must implement a systemwide encryption policy.
ALMA-09-040170AlmaLinux OS 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
ALMA-09-040390AlmaLinux OS 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
ALMA-09-040500AlmaLinux OS 9 must terminate idle user sessions.
ALMA-09-040720AlmaLinux OS 9 must disable access to network bpf system call from nonprivileged processes.
ALMA-09-040830AlmaLinux OS 9 must restrict exposed kernel pointer addresses access.
ALMA-09-040940AlmaLinux OS 9 must restrict usage of ptrace to descendant processes.
ALMA-09-041050AlmaLinux OS 9 must restrict access to the kernel message buffer.
ALMA-09-041160AlmaLinux OS 9 must prevent kernel profiling by nonprivileged users.
ALMA-09-041270AlmaLinux OS 9 must only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.
ALMA-09-041490AlmaLinux OS 9 systemd-journald service must be enabled.
ALMA-09-041600AlmaLinux OS 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
ALMA-09-041930AlmaLinux OS 9 must use a Linux Security Module configured to enforce limits on system services.
ALMA-09-042040AlmaLinux OS 9 must have the policycoreutils package installed.
ALMA-09-042150Any AlmaLinux OS 9 world-writable directories must be owned by root, sys, bin, or an application user.
ALMA-09-042260A sticky bit must be set on all AlmaLinux OS 9 public directories.
ALMA-09-042370AlmaLinux OS 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.
ALMA-09-042480AlmaLinux OS 9 must be configured to use TCP syncookies.
ALMA-09-042700All AlmaLinux OS 9 networked systems must have the OpenSSH client installed.
ALMA-09-042810All AlmaLinux OS 9 networked systems must implement SSH to protect the confidentiality and integrity of transmitted and received information, including information being prepared for transmission.
ALMA-09-042920All AlmaLinux OS 9 networked systems must have the OpenSSH server installed.
ALMA-09-043030AlmaLinux OS 9 must not allow users to override SSH environment variables.
ALMA-09-043140AlmaLinux OS 9 must implement DOD-approved encryption in the bind package.
ALMA-09-043250AlmaLinux OS 9 wireless network adapters must be disabled.
ALMA-09-043800AlmaLinux OS 9 must not show boot up messages.
ALMA-09-043910AlmaLinux OS 9 /var/log directory must be group-owned by root.
ALMA-09-044020AlmaLinux OS 9 /var/log/messages file must be group-owned by root.
ALMA-09-044130AlmaLinux OS 9 /var/log/messages file must be owned by root.
ALMA-09-044240AlmaLinux OS 9 /var/log/messages file must have mode 0640 or less permissive.
ALMA-09-044350AlmaLinux OS 9 /var/log directory must be owned by root.
ALMA-09-044460AlmaLinux OS 9 /var/log directory must have mode 0755 or less permissive.
ALMA-09-044570AlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
ALMA-09-044680AlmaLinux OS 9 must enable mitigations against processor-based vulnerabilities.
ALMA-09-044790AlmaLinux OS 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.
ALMA-09-044900AlmaLinux OS 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
ALMA-09-045120AlmaLinux OS 9 must remove all software components after updated versions have been installed.
ALMA-09-045125AlmaLinux OS 9 must be a supported release.
ALMA-09-045230AlmaLinux OS 9 must enable the SELinux targeted policy.
ALMA-09-045340AlmaLinux OS 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed.
ALMA-09-045450AlmaLinux OS 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.
ALMA-09-045670AlmaLinux OS 9 audit system must audit local events.
ALMA-09-045780AlmaLinux OS 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access.
ALMA-09-045890AlmaLinux OS 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
ALMA-09-046000Successful/unsuccessful uses of the init command in AlmaLinux OS 9 must generate an audit record.
ALMA-09-046220AlmaLinux OS 9 must generate audit records for any use of the "poweroff" command.
ALMA-09-046330AlmaLinux OS 9 must generate audit records for any use of the "reboot" command.
ALMA-09-046440AlmaLinux must generate audit records for any use of the "shutdown" command.
ALMA-09-046550AlmaLinux OS 9 must enable Linux audit logging for the USBGuard daemon.
ALMA-09-046660AlmaLinux OS 9 must audit all uses of the delete_module, init_module and finit_module system calls.
ALMA-09-046770AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.
ALMA-09-046880AlmaLinux OS 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.
ALMA-09-047100The audit package must be installed on AlmaLinux OS 9.
ALMA-09-047540AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.
ALMA-09-047650AlmaLinux OS 9 must generate audit records for any use of the "mount" command.
ALMA-09-047760AlmaLinux OS 9 must generate audit records for any use of the "umount" command.
ALMA-09-047870Successful/unsuccessful uses of the umount2 system call in AlmaLinux OS 9 must generate an audit record.
ALMA-09-047980AlmaLinux OS 9 must enable auditing of processes that start prior to the audit daemon.
ALMA-09-048090AlmaLinux OS 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
ALMA-09-048200AlmaLinux OS 9 must generate audit records for any use of the "chacl" command.
ALMA-09-048310AlmaLinux OS 9 must generate audit records for any use of the "chage" command.
ALMA-09-048420AlmaLinux OS 9 must generate audit records for any use of the "chcon" command.
ALMA-09-048530AlmaLinux OS 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.
ALMA-09-048640AlmaLinux OS 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.
ALMA-09-048750AlmaLinux OS 9 must generate audit records for any use of the "chsh" command.
ALMA-09-048860AlmaLinux OS 9 must generate audit records for any use of the "crontab" command.
ALMA-09-048970AlmaLinux OS 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.
ALMA-09-049080AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.
ALMA-09-049190AlmaLinux OS 9 must generate audit records for any use of the "gpasswd" command.
ALMA-09-049300AlmaLinux OS 9 must audit all uses of the kmod command.
ALMA-09-049410AlmaLinux OS 9 must generate audit records for any use of the "newgrp" command.
ALMA-09-049520AlmaLinux OS 9 must generate audit records for any use of the "passwd" command.
ALMA-09-049630AlmaLinux OS 9 must generate audit records for any use of the "postdrop" command.
ALMA-09-049740AlmaLinux OS 9 must generate audit records for any use of the "postqueue" command.
ALMA-09-049850AlmaLinux OS 9 must generate audit records for any use of the "su" command.
ALMA-09-049960AlmaLinux OS 9 must generate audit records for any use of the "sudo" command.
ALMA-09-050070AlmaLinux OS 9 must generate audit records for any use of the "semanage" command.
ALMA-09-050180AlmaLinux OS 9 must generate audit records for any use of the "setfacl" command.
ALMA-09-050290AlmaLinux OS 9 must generate audit records for any use of the "setfiles" command.
ALMA-09-050400AlmaLinux OS 9 must generate audit records for any use of the "setsebool" command.
ALMA-09-050510AlmaLinux OS 9 must generate audit records for any use of the "ssh-agent" command.
ALMA-09-050620AlmaLinux OS 9 must generate audit records for any use of the "ssh-keysign" command.
ALMA-09-050730AlmaLinux OS 9 must generate audit records for any use of the "sudoedit" command.
ALMA-09-050840AlmaLinux OS 9 must generate audit records for any use of the "pam_timestamp_check" command.
ALMA-09-050950AlmaLinux OS 9 must generate audit records for any use of the "unix_chkpwd" command.
ALMA-09-051060AlmaLinux OS 9 must generate audit records for any use of the "unix_update" command.
ALMA-09-051170AlmaLinux OS 9 must generate audit records for any use of the "userhelper" command.
ALMA-09-051280AlmaLinux OS 9 must generate audit records for any use of the "usermod" command.
ALMA-09-051390AlmaLinux OS 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
ALMA-09-051830AlmaLinux OS 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
ALMA-09-051940AlmaLinux OS 9 must use a separate file system for the system audit data path.
ALMA-09-052050AlmaLinux OS 9 must allocate audit record storage capacity to store at least one week's worth of audit records.
ALMA-09-052160AlmaLinux OS 9 audispd-plugins package must be installed.
ALMA-09-052270AlmaLinux OS 9 must label all offloaded audit logs before sending them to the central log server.
ALMA-09-052380AlmaLinux OS 9 must take appropriate action when the internal event queue is full.
ALMA-09-052490AlmaLinux OS 9 must be configured to offload audit records onto a different system from the system being audited via syslog.
ALMA-09-052600AlmaLinux OS 9 must authenticate the remote logging server for offloading audit logs via rsyslog.
ALMA-09-052710AlmaLinux OS 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.
ALMA-09-052820AlmaLinux OS 9 must encrypt, via the gtls driver, the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.
ALMA-09-052930AlmaLinux OS 9 must have the rsyslog package installed.
ALMA-09-053040AlmaLinux OS 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.
ALMA-09-053150The rsyslog service on AlmaLinux OS 9 must be active.
ALMA-09-053260AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.
ALMA-09-053370AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
ALMA-09-053480AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
ALMA-09-053590AlmaLinux OS 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent usage.
ALMA-09-053810AlmaLinux OS 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
ALMA-09-053920AlmaLinux OS 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.
ALMA-09-054030AlmaLinux OS 9 audit system must take appropriate action when an error writing to the audit storage volume occurs.
ALMA-09-054140AlmaLinux OS 9 audit system must take appropriate action when the audit storage volume is full.
ALMA-09-054250AlmaLinux OS 9 must take appropriate action when a critical audit processing failure occurs.
ALMA-09-054360AlmaLinux OS 9 audit system must make full use of the audit storage space.
ALMA-09-054470AlmaLinux OS 9 audit system must take appropriate action when the audit files have reached maximum size.
ALMA-09-054580AlmaLinux OS 9 audit system must retain an optimal number of audit records.
ALMA-09-054690AlmaLinux OS 9 must periodically flush audit records to disk to prevent the loss of audit records.
ALMA-09-054910The auditd service must be enabled on AlmaLinux OS 9.
ALMA-09-055130The chronyd service must be enabled.
ALMA-09-055240AlmaLinux OS 9 must have the chrony package installed.
ALMA-09-055350AlmaLinux OS 9 must securely compare internal information system clocks at least every 24 hours.
ALMA-09-055680AlmaLinux OS 9 audit log directory must be owned by root to prevent unauthorized read access.
ALMA-09-055790AlmaLinux OS 9 audit log directory must have 0700 permissions to prevent unauthorized read access.
ALMA-09-055900AlmaLinux OS 9 audit logs must be owned by the root group to prevent unauthorized read access.
ALMA-09-056010AlmaLinux OS 9 audit logs must be owned by root to prevent unauthorized read access.
ALMA-09-056120AlmaLinux OS 9 audit logs must have 0600 permissions to prevent unauthorized read access.
ALMA-09-056230AlmaLinux OS 9 audit tools must be group-owned by root.
ALMA-09-056340AlmaLinux OS 9 audit tools must be owned by root.
ALMA-09-056560AlmaLinux OS 9 audit tools must have a mode of 0755 or less permissive.
ALMA-09-056780AlmaLinux OS 9 audit system must protect logon UIDs from unauthorized change.
ALMA-09-056890AlmaLinux OS 9 must use cryptographic mechanisms to protect the integrity of audit tools.
ALMA-09-057110AlmaLinux OS 9 audit system must protect auditing rules from unauthorized change.