| V-269121 | | AlmaLinux OS 9 must implement DOD-approved TLS encryption in the GnuTLS package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-269125 | | AlmaLinux OS 9 must use the TuxCare ESU repository. | FIPS 140-3-validated packages are available from TuxCare. The TuxCare repositories provide the packages and updates not found in the community reposi... |
| V-269126 | | AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages. | FIPS 140-3-validated packages are available from TuxCare here: https://tuxcare.com/fips-for-almalinux/ The original community packages must be replac... |
| V-269127 | | AlmaLinux OS 9 must enable FIPS mode. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-269140 | | The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled. | A locally logged-on user who presses Ctrl-Alt-Delete in quick succession when at the console can reboot the system. If accidentally pressed, as could... |
| V-269141 | | The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9. | A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case ... |
| V-269163 | | AlmaLinux OS 9 must check the GPG signature of software packages originating from external software repositories before installation. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-269164 | | AlmaLinux OS 9 must ensure cryptographic verification of vendor software packages. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-269165 | | AlmaLinux OS 9 must check the GPG signature of locally installed software packages before installation. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-269166 | | AlmaLinux OS 9 must check the GPG signature of repository metadata before package installation. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-269167 | | AlmaLinux OS 9 must have GPG signature verification enabled for all software repositories. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-269216 | | AlmaLinux OS 9 must not allow unattended or automatic logon via the graphical user interface. | Failure to restrict system access to authenticated users negatively impacts operating system security.... |
| V-269398 | | AlmaLinux OS 9 PAM must be configured to use a sufficient number of password hashing rounds. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-269399 | | AlmaLinux OS 9 must be configured so that libuser is configured to store only encrypted representations of passwords. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-269400 | | AlmaLinux OS 9 must be configured so that the system's shadow file is configured to store only encrypted representations of passwords. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-269401 | | AlmaLinux OS 9 must be configured so that the Pluggable Authentication Module is configured to store only encrypted representations of passwords. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-269402 | | AlmaLinux OS 9 must be configured so that interactive user account passwords are using strong password hashes. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-269403 | | AlmaLinux OS 9 must not have any File Transfer Protocol (FTP) packages installed. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-269404 | | AlmaLinux OS 9 must not have any telnet packages installed. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-269420 | | AlmaLinux OS 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | When UsePAM is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based off of IP... |
| V-269429 | | AlmaLinux OS 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | AlmaLinux OS 9 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and ... |
| V-269436 | | All AlmaLinux OS 9 networked systems must have the OpenSSH client installed. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-269454 | | AlmaLinux OS 9 must be a supported release. | Security flaws with operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered se... |
| V-269103 | | AlmaLinux OS 9 must automatically lock graphical user sessions after 15 minutes of inactivity. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-269104 | | AlmaLinux OS 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Setting the screensaver mode to blank-only conceals the contents of the display from passersby.... |
| V-269105 | | AlmaLinux OS 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-269106 | | AlmaLinux OS 9 must initiate a session lock for graphical user interfaces when the screensaver is activated. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-269107 | | AlmaLinux OS 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-269108 | | AlmaLinux OS 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity. | Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to ... |
| V-269109 | | AlmaLinux OS 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-269110 | | AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-269111 | | AlmaLinux OS 9 must log SSH connection attempts and failures to the server. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-269112 | | All AlmaLinux OS 9 remote access methods must be monitored. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-269113 | | AlmaLinux OS 9 SSH client must be configured to use only encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-269114 | | AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-269115 | | AlmaLinux OS 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access t... |
| V-269116 | | The AlmaLinux 9 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-269118 | | AlmaLinux OS 9 must implement DOD-approved systemwide cryptographic policies to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-269119 | | The AlmaLinux OS 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-269120 | | AlmaLinux OS 9 must force a frequent session key renegotiation for SSH connections to the server. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-269122 | | AlmaLinux OS 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms. | Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes the system configuration more fragmente... |
| V-269123 | | AlmaLinux OS 9 must implement DOD-approved encryption in the OpenSSL package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-269124 | | AlmaLinux OS 9 must implement DOD-approved TLS encryption in the OpenSSL package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-269128 | | AlmaLinux OS 9 must automatically expire temporary accounts within 72 hours. | Temporary accounts are accounts created during a time of need when prompt action requires bypassing the normal account creation authorization process ... |
| V-269129 | | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsibl... |
| V-269130 | | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsibl... |
| V-269131 | | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsibl... |
| V-269132 | | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. | Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsibl... |
| V-269133 | | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsibl... |
| V-269134 | | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsibl... |
| V-269135 | | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/ | Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsibl... |
| V-269136 | | AlmaLinux OS 9 must require authentication to access emergency mode. | This requirement prevents attackers with physical access from easily bypassing security on the machine and gaining root access. Such accesses are fur... |
| V-269137 | | AlmaLinux OS 9 must require a boot loader password. | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These in... |
| V-269138 | | AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes. | Having a nondefault grub superuser username makes password-guessing attacks less effective.... |
| V-269139 | | AlmaLinux OS 9 must require authentication to access single-user mode. | This requirement prevents attackers with physical access from easily bypassing security on the machine and gaining root access. Such accesses are fu... |
| V-269142 | | AlmaLinux OS 9 must have the sudo package installed. | "sudo" is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is... |
| V-269143 | | The AlmaLinux OS 9 debug-shell systemd service must be disabled. | The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disab... |
| V-269144 | | AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks. | By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such har... |
| V-269145 | | AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks. | By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable director... |
| V-269146 | | AlmaLinux OS 9 must audit uses of the "execve" system call. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-269147 | | AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-269148 | | AlmaLinux OS 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-269149 | | AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-269150 | | AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-269151 | | AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-269152 | | AlmaLinux OS 9 must log username information when unsuccessful logon attempts occur. | Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack. Satisfies: SRG-OS-000021-GPOS-0000... |
| V-269153 | | AlmaLinux OS 9 must maintain an account lock until the locked account is manually released by an administrator; and not automatically after a set time. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-269154 | | AlmaLinux OS 9 must ensure account locks persist across reboots. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-269155 | | AlmaLinux OS 9 must configure the appropriate SELinux context on the nondefault faillock tally directory. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-269156 | | AlmaLinux OS 9 must prevent users from disabling the Standard Mandatory DOD Notice and Consent Banner for graphical user interfaces. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-269157 | | AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-269158 | | AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-269159 | | AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH user logon. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-269160 | | AlmaLinux OS 9 must have the s-nail package installed. | The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated perso... |
| V-269161 | | AlmaLinux OS 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the ... |
| V-269162 | | AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication. | Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled thr... |
| V-269168 | | AlmaLinux OS 9 must prevent the loading of a new kernel for later execution. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-269169 | | AlmaLinux OS 9 system commands must be group-owned by root or a system account. | If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate t... |
| V-269170 | | AlmaLinux OS 9 system commands must be owned by root. | If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate t... |
| V-269171 | | AlmaLinux OS 9 system commands must have mode 755 or less permissive. | If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate t... |
| V-269172 | | AlmaLinux OS 9 library directories must be group-owned by root or a system account. | If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate t... |
| V-269173 | | AlmaLinux OS 9 library directories must be owned by root. | If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate t... |
| V-269174 | | AlmaLinux OS 9 library directories must have mode 755 or less permissive. | If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate t... |
| V-269175 | | AlmaLinux OS 9 library files must be group-owned by root or a system account. | If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate t... |
| V-269176 | | AlmaLinux OS 9 library files must be owned by root. | If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate t... |
| V-269177 | | AlmaLinux OS 9 library files must have mode 755 or less permissive. | If AlmaLinux OS 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate t... |
| V-269178 | | AlmaLinux OS 9 must disable core dumps for all users. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-269179 | | AlmaLinux OS 9 must disable acquiring, saving, and processing core dumps. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-269180 | | AlmaLinux OS 9 must disable storing core dumps. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-269181 | | AlmaLinux OS 9 must disable core dump backtraces. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-269182 | | AlmaLinux OS 9 must disable the kernel.core_pattern. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-269183 | | AlmaLinux OS 9 cron configuration files directory must be group-owned by root. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-269184 | | AlmaLinux OS 9 cron configuration files directory must be owned by root. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-269185 | | AlmaLinux OS 9 cron configuration directories must have a mode of 0700 or less permissive. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-269186 | | AlmaLinux OS 9 /etc/crontab file must have mode 0600. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-269187 | | AlmaLinux OS 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of... |
| V-269188 | | AlmaLinux OS 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of... |
| V-269189 | | All AlmaLinux OS 9 local files and directories must have a valid group owner. | Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files with... |
| V-269190 | | All AlmaLinux OS 9 local files and directories must have a valid owner. | Unowned files and directories may be unintentionally inherited if a user is assigned the same user identifier "UID" as the UID of the unowned files.... |
| V-269191 | | AlmaLinux OS 9 /etc/group- file must be group owned by root. | The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protect... |
| V-269192 | | AlmaLinux OS 9 /etc/group- file must be owned by root. | The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protect... |
| V-269193 | | AlmaLinux OS 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. | The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protect... |
| V-269194 | | AlmaLinux OS 9 /etc/group file must be group owned by root. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-269195 | | AlmaLinux OS 9 /etc/group file must be owned by root. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-269196 | | AlmaLinux OS 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-269197 | | The /boot/grub2/grub.cfg file must be group-owned by root. | The "root" group is a highly privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.... |
| V-269198 | | The /boot/grub2/grub.cfg file must be owned by root. | The "/boot/grub2/grub.cfg" file stores sensitive system configuration. Protection of this file is critical for system security.... |
| V-269199 | | AlmaLinux OS 9 must disable the ability of systemd to spawn an interactive boot process. | Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.... |
| V-269200 | | AlmaLinux OS 9 /etc/gshadow- file must be group-owned by root. | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system se... |
| V-269201 | | AlmaLinux OS 9 /etc/gshadow- file must be owned by root. | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system se... |
| V-269202 | | AlmaLinux OS 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system se... |
| V-269203 | | AlmaLinux OS 9 /etc/gshadow file must be group-owned by root. | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.... |
| V-269204 | | AlmaLinux OS 9 /etc/gshadow file must be owned by root. | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.... |
| V-269205 | | AlmaLinux OS 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.... |
| V-269206 | | The graphical display manager must not be the default target on AlmaLinux OS 9 unless approved. | Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of s... |
| V-269207 | | AlmaLinux OS 9 must disable the user list at logon for graphical user interfaces. | Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without au... |
| V-269208 | | All AlmaLinux OS 9 local interactive user accounts must be assigned a home directory upon creation. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-269209 | | All AlmaLinux OS 9 local interactive user home directories defined in the /etc/passwd file must exist. | If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working d... |
| V-269210 | | All AlmaLinux OS 9 local interactive user home directories must be group-owned by the home directory owner's primary group. | If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorize... |
| V-269211 | | AlmaLinux OS 9 must prevent code from being executed on file systems that contain user home directories. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approv... |
| V-269212 | | A separate file system must be used for user home directories (such as /home or an equivalent). | Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot t... |
| V-269213 | | All AlmaLinux OS 9 local interactive users must have a home directory assigned in the /etc/passwd file. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-269214 | | Executable search paths within the initialization files of all local interactive AlmaLinux OS 9 users must only contain paths that resolve to the system default or the user's home directory. | The executable search path (typically the $PATH environment variable) contains a list of directories for the shell to search to find executables. If t... |
| V-269215 | | All AlmaLinux OS 9 local interactive user home directories must have mode 0750 or less permissive. | Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.... |
| V-269217 | | AlmaLinux OS 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | Increasing the time between a failed authentication attempt and prompting to re-enter credentials helps to slow a single-threaded brute-force attack. ... |
| V-269218 | | AlmaLinux OS 9 must not allow blank or null passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-269219 | | AlmaLinux OS 9 must not have accounts configured with blank or null passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-269220 | | AlmaLinux OS 9 /etc/passwd- file must be group-owned by root. | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protec... |
| V-269221 | | AlmaLinux OS 9 /etc/passwd- file must be owned by root. | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protec... |
| V-269222 | | AlmaLinux OS 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protec... |
| V-269223 | | AlmaLinux OS 9 /etc/passwd file must be group-owned by root. | The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security... |
| V-269224 | | AlmaLinux OS 9 /etc/passwd file must be owned by root. | The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security... |
| V-269225 | | AlmaLinux OS 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. | If the "/etc/passwd" file is writable by a group-owner or the world, the risk of its compromise is increased. The file contains the list of accounts o... |
| V-269226 | | AlmaLinux OS 9 /etc/shadow- file must be group-owned by root. | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of ... |
| V-269227 | | AlmaLinux OS 9 /etc/shadow- file must be owned by root. | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of ... |
| V-269228 | | AlmaLinux OS 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of ... |
| V-269229 | | AlmaLinux OS 9 /etc/shadow file must be group-owned by root. | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security.... |
| V-269230 | | AlmaLinux OS 9 /etc/shadow file must be owned by root. | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security.... |
| V-269231 | | AlmaLinux OS 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security.... |
| V-269232 | | AlmaLinux OS 9 must restrict privilege elevation to authorized personnel. | If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.... |
| V-269233 | | AlmaLinux OS 9 must use the invoking user's password for privilege escalation when using "sudo". | If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" u... |
| V-269234 | | AlmaLinux OS 9 must set the umask value to 077 for all local interactive user accounts. | Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. With a UMASK of 077,... |
| V-269235 | | AlmaLinux OS 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. With a UMASK of 077,... |
| V-269236 | | AlmaLinux OS 9 must define default permissions for PAM users. | Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. With a UMASK of 077,... |
| V-269237 | | AlmaLinux OS 9 must define default permissions for logon and nonlogon shells. | Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. With a UMASK of 077,... |
| V-269238 | | AlmaLinux OS 9 must not have unauthorized accounts. | Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for indiv... |
| V-269239 | | AlmaLinux OS 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). | ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.... |
| V-269240 | | AlmaLinux OS 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. | File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-3 appro... |
| V-269241 | | AlmaLinux OS 9 must be configured so that the file integrity tool verifies extended attributes. | Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.... |
| V-269242 | | AlmaLinux OS 9 must prevent the use of dictionary words for passwords. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-269243 | | AlmaLinux OS 9 must not accept router advertisements on all IPv6 interfaces. | An illicit router advertisement message could result in a man-in-the-middle attack.... |
| V-269244 | | AlmaLinux OS 9 must ignore Internet Control Message Protocol (ICMP) redirect messages. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-269245 | | The firewalld service on AlmaLinux OS 9 must be active. | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services,... |
| V-269246 | | AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound conne... |
| V-269247 | | AlmaLinux OS 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response error logs. | Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An atta... |
| V-269248 | | AlmaLinux OS 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings... |
| V-269249 | | AlmaLinux OS 9 must not enable IP packet forwarding unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when no... |
| V-269250 | | AlmaLinux OS 9 must not have unauthorized IP tunnels configured. | IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the information system security ... |
| V-269251 | | AlmaLinux OS 9 must log packets with impossible addresses. | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign o... |
| V-269252 | | AlmaLinux OS 9 must be configured to prevent unrestricted mail relaying. | If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthor... |
| V-269253 | | AlmaLinux OS 9 must have the nss-tools package installed. | Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server application... |
| V-269254 | | AlmaLinux OS 9 network interfaces must not be in promiscuous mode. | Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access thes... |
| V-269255 | | AlmaLinux OS 9 must use reverse path filtering on all IP interfaces. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were ... |
| V-269256 | | AlmaLinux OS 9 must not send Internet Control Message Protocol (ICMP) redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-269257 | | There must be no .shosts files on AlmaLinux OS 9. | The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not suffici... |
| V-269258 | | There must be no shosts.equiv files on AlmaLinux OS 9. | The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for prevent... |
| V-269259 | | AlmaLinux OS 9 must not accept IPv4 source-routed packets by default. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which... |
| V-269260 | | AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication. | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the ... |
| V-269261 | | The AlmaLinux OS 9 SSH server configuration file must be group-owned by root. | Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnera... |
| V-269262 | | The AlmaLinux OS 9 SSH server configuration file must be owned by root. | Service configuration files enable or disable features of their respective services, which, if configured incorrectly, can lead to insecure and vulner... |
| V-269263 | | AlmaLinux OS 9 SSH server configuration files must have mode 0600 or less permissive. | Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnera... |
| V-269264 | | AlmaLinux OS 9 must not allow a noncertificate trusted host SSH logon to the system. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.... |
| V-269265 | | AlmaLinux OS 9 SSH private host key files must have mode 0640 or less permissive. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated.... |
| V-269266 | | AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised. Whilst public keys are publicly readable, they sho... |
| V-269267 | | AlmaLinux OS 9 SSH daemon must not allow known hosts authentication. | Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even ... |
| V-269268 | | AlmaLinux OS 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. | Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.... |
| V-269269 | | AlmaLinux OS 9 SSH daemon must not allow rhosts authentication. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.... |
| V-269270 | | AlmaLinux OS 9 SSH daemon must disable remote X connections for interactive users. | When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen o... |
| V-269271 | | AlmaLinux OS 9 SSH daemon must prevent remote hosts from connecting to the proxy display. | When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen o... |
| V-269272 | | If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode. | Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. Using the "-s" option causes t... |
| V-269273 | | AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler. | When hardened, the extended BPF JIT compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses i... |
| V-269274 | | AlmaLinux OS 9 effective dconf policy must match the policy keyfiles. | Unlike text-based keyfiles, the binary database is impossible to check through most automated and all manual means; therefore, to evaluate dconf confi... |
| V-269275 | | AlmaLinux OS 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized op... |
| V-269276 | | All AlmaLinux OS 9 local initialization files must have mode 0740 or less permissive. | Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accou... |
| V-269277 | | AlmaLinux OS 9 must have the gnutls-utils package installed. | GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols and technologies around them. It provides a simple C language ... |
| V-269278 | | The kdump service on AlmaLinux OS 9 must be disabled. | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk spa... |
| V-269279 | | AlmaLinux OS 9 must disable the ability of a user to restart the system from the login screen. | A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can creat... |
| V-269280 | | AlmaLinux OS 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. | A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can creat... |
| V-269281 | | AlmaLinux OS 9 must prevent special devices on file systems that are used with removable media. | The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from u... |
| V-269282 | | AlmaLinux OS 9 must prevent code from being executed on file systems that are used with removable media. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-269283 | | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-269284 | | AlmaLinux OS 9 must disable the use of user namespaces. | User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces.... |
| V-269285 | | AlmaLinux OS 9 must prevent special devices on file systems that are imported via Network File System (NFS). | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-269286 | | AlmaLinux OS 9 must prevent code execution on file systems that are imported via Network File System (NFS). | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-269287 | | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-269288 | | AlmaLinux OS 9 must configure a DNS processing mode set by NetworkManager. | To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.... |
| V-269289 | | AlmaLinux OS 9 systems using Domain Name System (DNS) resolution must have at least two name servers configured. | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the fai... |
| V-269290 | | AlmaLinux OS 9 must prevent special devices on nonroot local partitions. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-269291 | | The root account must be the only account having unrestricted access to an AlmaLinux OS 9 system. | An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intr... |
| V-269292 | | AlmaLinux OS 9 must be configured so that the cryptographic hashes of system files match vendor values. | The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could ... |
| V-269293 | | AlmaLinux OS 9 must clear the page allocator to prevent use-after-free attacks. | Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will b... |
| V-269294 | | AlmaLinux OS 9 must display the date and time of the last successful account logon upon logon. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts... |
| V-269295 | | AlmaLinux OS 9 security patches and updates must be installed and up to date. | Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patc... |
| V-269296 | | AlmaLinux OS 9 policycoreutils-python-utils package must be installed. | The policycoreutils-python-utils package is required to operate and manage an SELinux environment and its policies. It provides utilities such as sema... |
| V-269297 | | AlmaLinux OS 9 must enable the hardware random number generator entropy gatherer service. | The most important characteristic of a random number generator is its randomness, specifically its ability to deliver random numbers that are impossib... |
| V-269298 | | AlmaLinux OS 9 must have the rng-tools package installed. | "rng-tools" provides hardware random number generator tools, such as those used in the formation of X.509/PKI certificates.... |
| V-269299 | | The SSH daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files or read keys, they may be able to log into the system as another user.... |
| V-269300 | | AlmaLinux OS 9 system accounts must not have an interactive login shell. | Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.... |
| V-269301 | | AlmaLinux OS 9 must use a separate file system for /tmp. | The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount ... |
| V-269302 | | Local AlmaLinux OS 9 initialization files must not execute world-writable programs. | If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user file... |
| V-269303 | | AlmaLinux OS 9 must use a separate file system for /var/log. | Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".... |
| V-269304 | | AlmaLinux OS 9 must use a separate file system for /var. | Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as... |
| V-269305 | | AlmaLinux OS 9 must use a separate file system for /var/tmp. | The "/var/tmp" partition is used as temporary storage by many programs. Placing "/var/tmp" in its own partition enables the setting of more restrictiv... |
| V-269306 | | AlmaLinux OS 9 must disable virtual system calls. | System calls are special routines in the Linux kernel that userspace applications invoke to perform privileged tasks. Invoking a system call is an expensive... |
| V-269307 | | AlmaLinux OS 9 must use cron logging. | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cr... |
| V-269308 | | AlmaLinux OS 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Unintentionally running an rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server co... |
| V-269309 | | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting ... |
| V-269310 | | AlmaLinux OS 9 must prevent device files from being interpreted on file systems that contain user home directories. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-269311 | | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-269312 | | AlmaLinux OS 9 must mount /boot with the nodev option. | The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails.... |
| V-269313 | | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-269314 | | AlmaLinux OS 9 must mount /dev/shm with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-269315 | | AlmaLinux OS 9 must mount /dev/shm with the noexec option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-269316 | | AlmaLinux OS 9 must mount /dev/shm with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-269317 | | AlmaLinux OS 9 must mount /tmp with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-269318 | | AlmaLinux OS 9 must mount /tmp with the noexec option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-269319 | | AlmaLinux OS 9 must mount /tmp with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-269320 | | AlmaLinux OS 9 must mount /var/log/audit with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-269321 | | AlmaLinux OS 9 must mount /var/log/audit with the noexec option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-269322 | | AlmaLinux OS 9 must mount /var/log/audit with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-269323 | | AlmaLinux OS 9 must mount /var/log with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-269324 | | AlmaLinux OS 9 must mount /var/log with the noexec option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-269325 | | AlmaLinux OS 9 must mount /var/log with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-269326 | | AlmaLinux OS 9 must mount /var with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-269327 | | AlmaLinux OS 9 must mount /var/tmp with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-269328 | | AlmaLinux OS 9 must mount /var/tmp with the noexec option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-269329 | | AlmaLinux OS 9 must mount /var/tmp with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-269330 | | AlmaLinux OS 9 fapolicy module must be enabled. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-269331 | | AlmaLinux OS 9 fapolicy module must be installed. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-269332 | | AlmaLinux OS 9 must disable remote management of the chrony daemon. | Not exposing the management interface of the chrony daemon on the network reduces the attack surface.... |
| V-269333 | | AlmaLinux OS 9 must prevent the chrony daemon from acting as a server. | Being able to determine the system time of a server can be useful information for various attacks from timebomb attacks to location discovery based on... |
| V-269334 | | AlmaLinux OS 9 must not have the iprutils package installed. | The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.... |
| V-269335 | | AlmaLinux OS 9 must not have the quagga package installed. | Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Ga... |
| V-269336 | | AlmaLinux OS 9 must not have the sendmail package installed. | The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be... |
| V-269337 | | AlmaLinux OS 9 must not have the telnet-server package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-269338 | | AlmaLinux OS 9 must not have a Trivial File Transfer Protocol (TFTP) client package installed. | If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems s... |
| V-269339 | | AlmaLinux OS 9 must not have the cups package installed. | The cups package provides printer drivers as well as a print server, webserver, and discovery mechanisms. Removing the package reduces the potential a... |
| V-269340 | | AlmaLinux OS 9 must not have the gssproxy package installed. | The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the... |
| V-269341 | | AlmaLinux OS 9 must disable the Asynchronous Transfer Mode (ATM) kernel module. | ATM is a transport layer protocol designed for digital transmission of multiple types of traffic, including telephony (voice), data, and video sig... |
| V-269342 | | AlmaLinux OS 9 must be configured to disable Bluetooth. | This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with AlmaLinux OS 9 systems. Wirel... |
| V-269343 | | AlmaLinux OS 9 must disable the Controller Area Network (CAN) kernel module. | The CAN protocol is a robust vehicle bus standard designed to allow microcontrollers and devices to communicate with each other's applications without... |
| V-269344 | | AlmaLinux OS 9 must disable mounting of cramfs. | Removing support for unneeded filesystem types reduces the local attack surface of the server. Compressed ROM/RAM file system (or cramfs) is a read-o... |
| V-269345 | | AlmaLinux OS 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module. | The SCTP is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one co... |
| V-269346 | | AlmaLinux OS 9 must disable mounting of squashfs. | Removing support for unneeded filesystem types reduces the local attack surface of the server. A squashfs compressed filesystem image can be mounted ... |
| V-269347 | | AlmaLinux OS 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-269348 | | AlmaLinux OS 9 must disable mounting of udf. | Removing support for unneeded filesystem types reduces the local attack surface of the server. The UDF filesystem is used to write DVDs and so could ... |
| V-269349 | | Cameras must be disabled or covered when not in use. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-269350 | | AlmaLinux OS 9 must not have the nfs-utils package installed. | "nfs-utils" provides a daemon for the kernel Network File System (NFS) server and related tools. This package also contains the "showmount" program. "... |
| V-269351 | | AlmaLinux OS 9 must not have the rsh package installed. | The "rsh" package provides a client for several obsolete and insecure network services. Removing it decreases the risk of accidental (or intentional) ... |
| V-269352 | | AlmaLinux OS 9 must not have the rsh-server package installed. | The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or... |
| V-269353 | | AlmaLinux OS 9 must not have the tuned package installed. | The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components period... |
| V-269354 | | A graphical display manager must not be installed on AlmaLinux OS 9 unless approved. | Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of sec... |
| V-269355 | | AlmaLinux OS 9 must not have the ypserv package installed. | The NIS service provides an unencrypted authentication service, which does not provide for the confidentiality and integrity of user passwords or the ... |
| V-269356 | | AlmaLinux OS 9 must not have the avahi package installed. | The avahi package provides the zeroconf capability to discover remote services such as printers and announce itself as a service for sharing files and... |
| V-269357 | | AlmaLinux OS 9 must be configured to disable USB mass storage. | USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-0... |
| V-269358 | | AlmaLinux OS 9 must have the firewalld package installed. | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services,... |
| V-269359 | | AlmaLinux OS 9 must require users to provide authentication for privilege escalation. | Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ... |
| V-269360 | | AlmaLinux OS 9 must require users to provide a password for privilege escalation. | Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ... |
| V-269361 | | AlmaLinux OS 9 must not be configured to bypass password requirements for privilege escalation. | Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ... |
| V-269362 | | AlmaLinux OS 9 must require reauthentication when using the "sudo" command. | Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ... |
| V-269363 | | AlmaLinux OS 9 must restrict the use of the "su" command. | The "su" program provides a "switch user" capability. It is commonly used to become root but can be used to switch to any user. Limiting access to su... |
| V-269364 | | Groups must have unique Group IDs (GIDs). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-269365 | | Duplicate User IDs (UIDs) must not exist for interactive users. | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-269366 | | All AlmaLinux OS 9 interactive users must have a primary group that exists. | If a user is assigned the Group Identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the u... |
| V-269367 | | AlmaLinux OS 9 SSHD must accept public key authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires u... |
| V-269368 | | AlmaLinux OS 9 must have the opensc package installed. | Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is co... |
| V-269369 | | The pcscd socket on AlmaLinux OS 9 must be active. | Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is co... |
| V-269370 | | AlmaLinux OS 9 must have the pcsc-lite package installed. | Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is co... |
| V-269371 | | AlmaLinux OS 9 must implement certificate status checking for multifactor authentication. | Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the... |
| V-269372 | | AlmaLinux OS 9 must enable certificate based smart card authentication. | Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is co... |
| V-269373 | | AlmaLinux OS 9 must have the openssl-pkcs11 package installed. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DOD has mandated the use of the CAC to support id... |
| V-269374 | | AlmaLinux OS 9 SSHD must not allow blank passwords. | If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should ... |
| V-269375 | | AlmaLinux OS 9 must use the CAC smart card driver. | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public ... |
| V-269376 | | AlmaLinux OS 9 must not permit direct logons to the root account using remote access via SSH. | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on ... |
| V-269377 | | AlmaLinux OS 9 must disable the graphical user interface automount function unless required. | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000378-G... |
| V-269378 | | AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface automount function. | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000378-G... |
| V-269379 | | AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. | Automatically mounting filesystems and running applications upon insertion of a device facilitates malicious activity. Satisfies: SRG-OS-000378-GPOS-... |
| V-269380 | | AlmaLinux OS 9 must have the USBGuard package installed. | The USBGuard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-269381 | | AlmaLinux OS 9 must have the USBGuard package enabled. | The USBGuard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-269382 | | AlmaLinux OS 9 must block unauthorized peripherals before establishing a connection. | The USBGuard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-269383 | | AlmaLinux OS 9 must not have the autofs package installed. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-269384 | | AlmaLinux OS 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-269385 | | AlmaLinux OS 9 must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-269386 | | AlmaLinux OS 9 must ensure the password complexity module is enabled in the password-auth file. | Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.... |
| V-269387 | | AlmaLinux OS 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. | AlmaLinux OS 9 uses "pwquality" as a mechanism to enforce password complexity. This is set in both /etc/pam.d/password-auth and /etc/pam.d/system-auth. B... |
| V-269388 | | AlmaLinux OS 9 must enforce password complexity rules for the root account. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-269389 | | AlmaLinux OS 9 must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-269390 | | AlmaLinux OS 9 must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-269391 | | AlmaLinux OS 9 passwords for new users must have a minimum of 15 characters. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-269392 | | AlmaLinux OS 9 passwords must be created with a minimum of 15 characters. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-269393 | | AlmaLinux OS 9 must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-269394 | | AlmaLinux OS 9 must require the change of at least four character classes when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-269395 | | AlmaLinux OS 9 must require the maximum number of repeating characters be limited to three when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-269396 | | AlmaLinux OS 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-269397 | | AlmaLinux OS 9 must require the change of at least eight characters when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-269405 | | Passwords for existing users must have a 60-day maximum password lifetime restriction in /etc/shadow. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords must be changed periodically. If the operating system does not li... |
| V-269406 | | Passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords must be changed periodically. If the operating system does not li... |
| V-269407 | | Passwords for existing users must have a 24-hour minimum password lifetime restriction in /etc/shadow. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-269408 | | Passwords for new users or password changes must have a 24-hour minimum password lifetime restriction in /etc/login.defs. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-269409 | | AlmaLinux OS 9 must prohibit the use of cached authenticators after one day. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the in... |
| V-269410 | | For PKI-based authentication, AlmaLinux OS 9 must enforce authorized access to the corresponding private key. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-269411 | | AlmaLinux OS 9 must map the authenticated identity to the user or group account for PKI-based authentication. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will n... |
| V-269412 | | AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-269413 | | AlmaLinux 9 cryptographic policy must not be overridden. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-269415 | | The libreswan package must be installed. | Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area net... |
| V-269416 | | AlmaLinux OS 9 must have the packages required for encrypting offloaded audit logs installed. | The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.... |
| V-269417 | | AlmaLinux OS 9 must have the crypto-policies package installed. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-269418 | | AlmaLinux OS 9 must implement a FIPS 140-3-compliant systemwide cryptographic policy. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-269419 | | AlmaLinux OS 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. | Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a m... |
| V-269421 | | AlmaLinux OS 9 must terminate idle user sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-269422 | | AlmaLinux OS 9 must disable access to network bpf system call from nonprivileged processes. | Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the ... |
| V-269423 | | AlmaLinux OS 9 must restrict exposed kernel pointer addresses access. | Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain functions pointers. If a write vuln... |
| V-269424 | | AlmaLinux OS 9 must restrict usage of ptrace to descendant processes. | Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive inf... |
| V-269425 | | AlmaLinux OS 9 must restrict access to the kernel message buffer. | Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a no... |
| V-269426 | | AlmaLinux OS 9 must prevent kernel profiling by nonprivileged users. | Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. ... |
| V-269427 | | AlmaLinux OS 9 must only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD syst... |
| V-269428 | | AlmaLinux OS 9 systemd-journald service must be enabled. | In the event of a system failure, AlmaLinux OS 9 must preserve any information necessary to determine cause of failure and any information necessary t... |
| V-269430 | | AlmaLinux OS 9 must use a Linux Security Module configured to enforce limits on system services. | An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Sec... |
| V-269431 | | AlmaLinux OS 9 must have the policycoreutils package installed. | Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_p... |
| V-269432 | | Any AlmaLinux OS 9 world-writable directories must be owned by root, sys, bin, or an application user. | If a world-writable directory is not owned by root, sys, bin, or an application user identifier (UID), unauthorized users may be able to modify files ... |
| V-269433 | | A sticky bit must be set on all AlmaLinux OS 9 public directories. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-269434 | | AlmaLinux OS 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-269435 | | AlmaLinux OS 9 must be configured to use TCP syncookies. | Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accompl... |
| V-269437 | | All AlmaLinux OS 9 networked systems must implement SSH to protect the confidentiality and integrity of transmitted and received information, including information being prepared for transmission. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-269438 | | All AlmaLinux OS 9 networked systems must have the OpenSSH server installed. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-269439 | | AlmaLinux OS 9 must not allow users to override SSH environment variables. | SSH environment options potentially allow users to bypass access restriction in some configurations.... |
| V-269440 | | AlmaLinux OS 9 must implement DOD-approved encryption in the bind package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for pr... |
| V-269441 | | AlmaLinux OS 9 wireless network adapters must be disabled. | This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with AlmaLinux OS 9 systems. Wirel... |
| V-269442 | | AlmaLinux OS 9 must not show boot up messages. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-269443 | | AlmaLinux OS 9 /var/log directory must be group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-269444 | | AlmaLinux OS 9 /var/log/messages file must be group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-269445 | | AlmaLinux OS 9 /var/log/messages file must be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-269446 | | AlmaLinux OS 9 /var/log/messages file must have mode 0640 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-269447 | | AlmaLinux OS 9 /var/log directory must be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-269448 | | AlmaLinux OS 9 /var/log directory must have mode 0755 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-269449 | | AlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution. | ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a li... |
| V-269450 | | AlmaLinux OS 9 must enable mitigations against processor-based vulnerabilities. | Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass k... |
| V-269451 | | AlmaLinux OS 9 must clear memory when it is freed to prevent use-after-free attacks. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-269452 | | AlmaLinux OS 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attem... |
| V-269453 | | AlmaLinux OS 9 must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some a... |
| V-269455 | | AlmaLinux OS 9 must enable the SELinux targeted policy. | Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exp... |
| V-269456 | | AlmaLinux OS 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-269457 | | AlmaLinux OS 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating s... |
| V-269458 | | AlmaLinux OS 9 audit system must audit local events. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-269459 | | AlmaLinux OS 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-269460 | | AlmaLinux OS 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-269461 | | Successful/unsuccessful uses of the init command in AlmaLinux OS 9 must generate an audit record. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269462 | | AlmaLinux OS 9 must generate audit records for any use of the "poweroff" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269463 | | AlmaLinux OS 9 must generate audit records for any use of the "reboot" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269464 | | AlmaLinux must generate audit records for any use of the "shutdown" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269465 | | AlmaLinux OS 9 must enable Linux audit logging for the USBGuard daemon. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269466 | | AlmaLinux OS 9 must audit all uses of the delete_module, init_module and finit_module system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269467 | | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269468 | | AlmaLinux OS 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, sec... |
| V-269469 | | The audit package must be installed on AlmaLinux OS 9. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-269470 | | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269471 | | AlmaLinux OS 9 must generate audit records for any use of the "mount" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269472 | | AlmaLinux OS 9 must generate audit records for any use of the "umount" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269473 | | Successful/unsuccessful uses of the umount2 system call in AlmaLinux OS 9 must generate an audit record. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269474 | | AlmaLinux OS 9 must enable auditing of processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-269475 | | AlmaLinux OS 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269476 | | AlmaLinux OS 9 must generate audit records for any use of the "chacl" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269477 | | AlmaLinux OS 9 must generate audit records for any use of the "chage" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269478 | | AlmaLinux OS 9 must generate audit records for any use of the "chcon" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269479 | | AlmaLinux OS 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269480 | | AlmaLinux OS 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269481 | | AlmaLinux OS 9 must generate audit records for any use of the "chsh" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269482 | | AlmaLinux OS 9 must generate audit records for any use of the "crontab" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269483 | | AlmaLinux OS 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269484 | | AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269485 | | AlmaLinux OS 9 must generate audit records for any use of the "gpasswd" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269486 | | AlmaLinux OS 9 must audit all uses of the kmod command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269487 | | AlmaLinux OS 9 must generate audit records for any use of the "newgrp" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269488 | | AlmaLinux OS 9 must generate audit records for any use of the "passwd" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269489 | | AlmaLinux OS 9 must generate audit records for any use of the "postdrop" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269490 | | AlmaLinux OS 9 must generate audit records for any use of the "postqueue" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269491 | | AlmaLinux OS 9 must generate audit records for any use of the "su" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-269492 | | AlmaLinux OS 9 must generate audit records for any use of the "sudo" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-269493 | | AlmaLinux OS 9 must generate audit records for any use of the "semanage" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269494 | | AlmaLinux OS 9 must generate audit records for any use of the "setfacl" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269495 | | AlmaLinux OS 9 must generate audit records for any use of the "setfiles" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269496 | | AlmaLinux OS 9 must generate audit records for any use of the "setsebool" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269497 | | AlmaLinux OS 9 must generate audit records for any use of the "ssh-agent" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269498 | | AlmaLinux OS 9 must generate audit records for any use of the "ssh-keysign" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269499 | | AlmaLinux OS 9 must generate audit records for any use of the "sudoedit" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269500 | | AlmaLinux OS 9 must generate audit records for any use of the "pam_timestamp_check" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269501 | | AlmaLinux OS 9 must generate audit records for any use of the "unix_chkpwd" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269502 | | AlmaLinux OS 9 must generate audit records for any use of the "unix_update" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269503 | | AlmaLinux OS 9 must generate audit records for any use of the "userhelper" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269504 | | AlmaLinux OS 9 must generate audit records for any use of the "usermod" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269505 | | AlmaLinux OS 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-269508 | | AlmaLinux OS 9 must allocate audit record storage capacity to store at least one week's worth of audit records. | To ensure AlmaLinux OS 9 systems have a sufficient storage capacity in which to write the audit logs, AlmaLinux OS 9 needs to be able to allocate audi... |
| V-269509 | | AlmaLinux OS 9 audispd-plugins package must be installed. | "audispd-plugins" provides plugins for the real-time interface to the audit subsystem, "audispd". These plugins can do things like relay events to rem... |
| V-269510 | | AlmaLinux OS 9 must label all offloaded audit logs before sending them to the central log server. | When audit logs are not labelled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the cor... |
| V-269511 | | AlmaLinux OS 9 must take appropriate action when the internal event queue is full. | The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost.... |
| V-269512 | | AlmaLinux OS 9 must be configured to offload audit records onto a different system from the system being audited via syslog. | The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in... |
| V-269513 | | AlmaLinux OS 9 must authenticate the remote logging server for offloading audit logs via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-269514 | | AlmaLinux OS 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-269515 | | AlmaLinux OS 9 must encrypt, via the gtls driver, the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-269516 | | AlmaLinux OS 9 must have the rsyslog package installed. | rsyslogd is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support ... |
| V-269518 | | The rsyslog service on AlmaLinux OS 9 must be active. | The "rsyslog" service must be running to provide logging services, which are essential to system administration.... |
| V-269519 | | AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches 95 percent usage, they are unable to plan for audit record storage capa... |
| V-269520 | | AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches 95 percent usage, they are unable to plan for audit record storage capa... |
| V-269521 | | AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches a maximum of 75 percent utilization, they are unable to plan for audit ... |
| V-269522 | | AlmaLinux OS 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent usage. | If security personnel are not notified immediately when storage volume reaches 75 percent usage, they are unable to plan for audit record storage capa... |
| V-269523 | | AlmaLinux OS 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-269524 | | AlmaLinux OS 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-269525 | | AlmaLinux OS 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-269526 | | AlmaLinux OS 9 audit system must take appropriate action when the audit storage volume is full. | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-269527 | | AlmaLinux OS 9 must take appropriate action when a critical audit processing failure occurs. | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-269528 | | AlmaLinux OS 9 audit system must make full use of the audit storage space. | max_log_file (size in megabytes) multiplied by num_logs must make full use of the auditd storage volume (separate from the root partition). If max_log_... |
| V-269529 | | AlmaLinux OS 9 audit system must take appropriate action when the audit files have reached maximum size. | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-269530 | | AlmaLinux OS 9 audit system must retain an optimal number of audit records. | max_log_file (size in megabytes) multiplied by num_logs must make full use of the auditd storage volume (separate from the root partition). If max_log_... |
| V-269531 | | AlmaLinux OS 9 must periodically flush audit records to disk to prevent the loss of audit records. | If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may b... |
| V-269532 | | The auditd service must be enabled on AlmaLinux OS 9. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-269533 | | The chronyd service must be enabled. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-269534 | | AlmaLinux OS 9 must have the chrony package installed. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-269535 | | AlmaLinux OS 9 must securely compare internal information system clocks at least every 24 hours. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-269536 | | AlmaLinux OS 9 audit log directory must be owned by root to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-269537 | | AlmaLinux OS 9 audit log directory must have 0700 permissions to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-269538 | | AlmaLinux OS 9 audit logs must be owned by the root group to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-269539 | | AlmaLinux OS 9 audit logs must be owned by root to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-269540 | | AlmaLinux OS 9 audit logs must have 0600 permissions to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-269541 | | AlmaLinux OS 9 audit tools must be group-owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-269542 | | AlmaLinux OS 9 audit tools must be owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-269543 | | AlmaLinux OS 9 audit tools must have a mode of 0755 or less permissive. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-269544 | | AlmaLinux OS 9 audit system must protect logon UIDs from unauthorized change. | If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossi... |
| V-269545 | | AlmaLinux OS 9 must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-269546 | | AlmaLinux OS 9 audit system must protect auditing rules from unauthorized change. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-272485 | | AlmaLinux OS 9 must have the postfix package installed. | Postfix is a free, open-source mail transfer agent (MTA) that sends and receives emails. It is a server-side application that can be used to set up a ... |
| V-274874 | | AlmaLinux OS 9 must audit any script or executable called by cron as root or by any privileged user. | Any script or executable called by cron as root or by any privileged user must be owned by that user and must have the permissions 755 or more restric... |
| V-269102 | | AlmaLinux OS 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of... |
| V-269506 | | AlmaLinux OS 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
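The syscall rows (V-269473, V-269475, V-269479, V-269480, V-269483, V-269505), the privileged-command rows (V-269471, V-269472, V-269476 to V-269478, V-269481, V-269482, V-269485 to V-269504), the lastlog/faillock watches (V-269470, V-269484) and the logon-UID and rule-protection rows (V-269544, V-269546) all end up as lines in one audit rules file. The POSIX shell script below is an added example, not the STIG's check text or a rules file shipped by AlmaLinux: it renders such a file and then verifies that a rules file (the one you wrote, or `auditctl -l` output saved to a file) covers every required rule. The rule keys (`perm_mod`, `privileged-<command>`, ...), the command paths, and the decision to record only denied open-family calls (`-F exit=-EPERM` / `-F exit=-EACCES`) are this example's choices; the paths assume a stock install and should be confirmed with `rpm -ql` or `command -v` on the target.

```shell
#!/bin/sh
# Added example: render and verify STIG-style audit rules for AlmaLinux OS 9.
# Keys, command paths and the failed-open filter are this example's assumptions.

# Syscall groups, one per line: <key>:<syscalls>. Each is emitted for b32 and b64.
SYSCALL_GROUPS='perm_mod:chmod,fchmod,fchmodat
perm_mod:chown,fchown,fchownat,lchown
perm_mod:setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr
delete:rename,unlink,rmdir,renameat,unlinkat
privileged-umount:umount2'
OPEN_CALLS='truncate,ftruncate,creat,open,openat,open_by_handle_at'

# Privileged commands audited on execution (-F perm=x). Paths assume a stock install.
PRIV_CMDS='/usr/bin/mount /usr/bin/umount /usr/bin/chacl /usr/bin/chage
/usr/bin/chcon /usr/bin/chsh /usr/bin/crontab /usr/bin/gpasswd /usr/bin/kmod
/usr/bin/newgrp /usr/bin/passwd /usr/sbin/postdrop /usr/sbin/postqueue
/usr/bin/su /usr/bin/sudo /usr/sbin/semanage /usr/bin/setfacl /usr/sbin/setfiles
/usr/sbin/setsebool /usr/bin/ssh-agent /usr/libexec/openssh/ssh-keysign
/usr/bin/sudoedit /usr/sbin/pam_timestamp_check /usr/sbin/unix_chkpwd
/usr/sbin/unix_update /usr/sbin/userhelper /usr/sbin/usermod'
WATCHES='/var/log/lastlog /var/log/faillock'

# Only interactive users: auid >= 1000 with a session-assigned loginuid, so system
# accounts and pre-login daemons do not flood the log.
USER_FILTER='-F auid>=1000 -F auid!=unset'

# Print a complete rules file to stdout (save under /etc/audit/rules.d/ and run
# `augenrules --load`). -e 2 must stay last: it locks the rule set until reboot.
render_audit_rules() {
    printf '%s\n' "$SYSCALL_GROUPS" | while IFS=: read -r key calls; do
        for arch in b32 b64; do
            printf '%s\n' "-a always,exit -F arch=$arch -S $calls $USER_FILTER -k $key"
        done
    done
    # Open-family calls: record denied attempts only; unfiltered open auditing is unusably noisy.
    for arch in b32 b64; do
        for rc in -EPERM -EACCES; do
            printf '%s\n' "-a always,exit -F arch=$arch -S $OPEN_CALLS -F exit=$rc $USER_FILTER -k perm_access"
        done
    done
    for cmd in $PRIV_CMDS; do
        printf '%s\n' "-a always,exit -F path=$cmd -F perm=x $USER_FILTER -k privileged-$(basename "$cmd")"
    done
    for w in $WATCHES; do
        printf '%s\n' "-w $w -p wa -k logins"
    done
    printf '%s\n' '--loginuid-immutable'   # V-269544: loginuid cannot be changed once set
    printf '%s\n' '-e 2'                   # V-269546: lock the rules; must be the last line
}

# sc_listed FILE ARCH SYSCALL: true if FILE has an ARCH rule whose -S list names SYSCALL exactly.
sc_listed() {
    grep -- "-F arch=$2 " "$1" | sed -n 's/.*-S \([^ ]*\).*/,\1,/p' | grep -q ",$3,"
}

# rules_cover FILE: print each missing rule; return 1 if anything is missing.
rules_cover() {
    f=$1; missing=0
    calls=$(printf '%s\n' "$SYSCALL_GROUPS" "x:$OPEN_CALLS" | cut -d: -f2 | tr ',' ' ')
    for sc in $calls; do
        for arch in b32 b64; do
            sc_listed "$f" "$arch" "$sc" || { echo "missing syscall $sc ($arch)"; missing=$((missing+1)); }
        done
    done
    for cmd in $PRIV_CMDS; do
        grep -Fq -- "-F path=$cmd -F perm=x" "$f" || { echo "missing command $cmd"; missing=$((missing+1)); }
    done
    for w in $WATCHES; do
        grep -Fq -- "-w $w -p wa" "$f" || { echo "missing watch $w"; missing=$((missing+1)); }
    done
    grep -Fxq -- '--loginuid-immutable' "$f" || { echo "loginuid not immutable"; missing=$((missing+1)); }
    [ "$(tail -n 1 "$f")" = '-e 2' ] || { echo "rules not locked (-e 2 must be last)"; missing=$((missing+1)); }
    [ "$missing" -eq 0 ]
}
```

Because `-e 2` makes the live rule set immutable, a rules change after loading needs a reboot, which is the point of V-269546. For the preceding row (V-269506) the counterpart lives on the kernel command line rather than in a rules file: `grubby --update-kernel=ALL --args="audit=1 audit_backlog_limit=8192"` enables auditing before auditd starts and gives early-boot events a queue; 8192 is a commonly used value here, not one the page states.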
| V-269507 | | AlmaLinux OS 9 must use a separate file system for the system audit data path. | Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files, and helps ensure that auditing can... |
| V-269517 | | AlmaLinux OS 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
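The rsyslog rows (V-269512 to V-269517 and V-269517 above) describe one pipeline: auditd hands records to rsyslog through the audisp syslog plugin, and rsyslog forwards them over TCP, encrypted with the gtls driver, to a collector whose certificate it verifies. The POSIX shell script below is an added example, not STIG check text or a configuration shipped by AlmaLinux: it contains a constructed weak forwarder beside a hardened one, the plugin stanza, and a checker that flags the weak forms. The collector name, ports, certificate paths, facility and queue settings are assumptions; the gtls driver needs the rsyslog-gnutls package, and `rsyslogd -N1` validates the syntax of the resulting configuration.

```shell
#!/bin/sh
# Added example: rsyslog TLS forwarding of audit records for AlmaLinux OS 9.
# Host names, paths and certificate locations are this example's assumptions.

# /etc/audit/plugins.d/syslog.conf (audit 3.x layout): hand every audit event to
# rsyslog at facility local6 so it travels with the rest of syslog.
AUDISP_SYSLOG_CONF='active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_INFO LOG_LOCAL6
format = string'

# Constructed weak forwarder: UDP, clear text, no server authentication.
WEAK_FORWARD='*.* @logcollector.example.com:514'

# Hardened forwarder (RainerScript): TCP on 6514, TLS via gtls, the collector must
# present a certificate chaining to our CA whose name matches PermittedPeers, and a
# disk-assisted queue so records survive a collector outage instead of being dropped.
HARDENED_FORWARD='global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/tls/certs/audit-ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/tls/certs/host.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/tls/private/host.key"
)
action(
  type="omfwd" Target="logcollector.example.com" Port="6514" Protocol="tcp"
  StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logcollector.example.com"
  queue.type="LinkedList" queue.filename="fwd_collector" queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)'

# has_setting FILE ERE: case-insensitive match on non-comment lines (rsyslog
# parameter names are case-insensitive).
has_setting() { grep -v '^[[:space:]]*#' "$1" | grep -Eiq -- "$2"; }

# check_forward_conf FILE: print each deviation from the rows above; return 1 if any.
check_forward_conf() {
    f=$1; bad=0
    req() { has_setting "$f" "$1" || { echo "FAIL missing $2"; bad=$((bad+1)); }; }
    req 'StreamDriver="gtls"'                            'gtls TLS driver (V-269515)'
    req 'StreamDriverMode="1"'                           'TLS-only mode (V-269514)'
    req 'StreamDriverAuthMode="x509/(name|fingerprint)"' 'server authentication (V-269513)'
    req 'StreamDriverPermittedPeers="[^"]+"'             'permitted peer list (V-269513)'
    req 'Protocol="tcp"'                                 'TCP transport (V-269517)'
    # A single @ in legacy syntax is UDP: no delivery guarantee and no TLS.
    if has_setting "$f" '[[:space:]]@[^@]'; then echo "FAIL UDP forwarding present"; bad=$((bad+1)); fi
    [ "$bad" -eq 0 ]
}
```

Mode 1 with `x509/name` is what turns "encrypt" into "authenticate the remote logging server": the client refuses the session unless the collector's certificate validates against the configured CA and its subject matches a permitted peer, which defeats a rogue collector inserted on the path. With `name_format = hostname` in auditd.conf (V-269510) each forwarded record also carries its origin host, so the collector can attribute it.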