| ALMA-09-001010 |
AlmaLinux OS 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. |
| ALMA-09-001120 |
AlmaLinux OS 9 must automatically lock graphical user sessions after 15 minutes of inactivity. |
| ALMA-09-001230 |
AlmaLinux OS 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. |
| ALMA-09-001340 |
AlmaLinux OS 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. |
| ALMA-09-001450 |
AlmaLinux OS 9 must initiate a session lock for graphical user interfaces when the screensaver is activated. |
| ALMA-09-001560 |
AlmaLinux OS 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. |
| ALMA-09-001890 |
AlmaLinux OS 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity. |
| ALMA-09-002000 |
AlmaLinux OS 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed. |
| ALMA-09-002110 |
AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. |
| ALMA-09-002770 |
AlmaLinux OS 9 must log SSH connection attempts and failures to the server. |
| ALMA-09-002880 |
All AlmaLinux OS 9 remote access methods must be monitored. |
| ALMA-09-002990 |
AlmaLinux OS 9 SSH client must be configured to use only encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. |
| ALMA-09-003100 |
AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections. |
| ALMA-09-003210 |
AlmaLinux OS 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. |
| ALMA-09-003320 |
AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections. |
| ALMA-09-003325 |
AlmaLinux OS 9 SSH server must be configured to use only FIPS 140-3 validated key exchange algorithms. |
| ALMA-09-003430 |
AlmaLinux OS 9 must implement DOD-approved systemwide cryptographic policies to protect the confidentiality of SSH server connections. |
| ALMA-09-003540 |
AlmaLinux OS 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. |
| ALMA-09-003650 |
AlmaLinux OS 9 must force a frequent session key renegotiation for SSH connections to the server. |
| ALMA-09-003760 |
AlmaLinux OS 9 must implement DOD-approved TLS encryption in the GnuTLS package. |
| ALMA-09-003870 |
AlmaLinux OS 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms. |
| ALMA-09-003980 |
AlmaLinux OS 9 must implement DOD-approved encryption in the OpenSSL package. |
| ALMA-09-004090 |
AlmaLinux OS 9 must implement DOD-approved TLS encryption in the OpenSSL package. |
| ALMA-09-004310 |
AlmaLinux OS 9 must use the TuxCare FIPS repository. |
| ALMA-09-004320 |
AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages. |
| ALMA-09-004420 |
AlmaLinux OS 9 must enable FIPS mode. |
| ALMA-09-004750 |
AlmaLinux OS 9 must automatically expire temporary accounts within 72 hours. |
| ALMA-09-004970 |
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. |
| ALMA-09-005080 |
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. |
| ALMA-09-005190 |
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. |
| ALMA-09-005300 |
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. |
| ALMA-09-005410 |
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. |
| ALMA-09-005960 |
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. |
| ALMA-09-006070 |
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/ |
| ALMA-09-006180 |
AlmaLinux OS 9 must require authentication to access emergency mode. |
| ALMA-09-006290 |
AlmaLinux OS 9 must require a boot loader password. |
| ALMA-09-006400 |
AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes. |
| ALMA-09-006510 |
AlmaLinux OS 9 must require authentication to access single-user mode. |
| ALMA-09-006620 |
The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled. |
| ALMA-09-006730 |
The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9. |
| ALMA-09-006840 |
AlmaLinux OS 9 must have the sudo package installed. |
| ALMA-09-006950 |
The AlmaLinux OS 9 debug-shell systemd service must be disabled. |
| ALMA-09-007060 |
AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks. |
| ALMA-09-007170 |
AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks. |
| ALMA-09-007280 |
AlmaLinux OS 9 must audit uses of the "execve" system call. |
| ALMA-09-007500 |
AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur. |
| ALMA-09-007610 |
AlmaLinux OS 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. |
| ALMA-09-007720 |
AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. |
| ALMA-09-007830 |
AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. |
| ALMA-09-007940 |
AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. |
| ALMA-09-008050 |
AlmaLinux OS 9 must log username information when unsuccessful logon attempts occur. |
| ALMA-09-008160 |
AlmaLinux OS 9 must maintain an account lock until the locked account is manually released by an administrator; and not automatically after a set time. |
| ALMA-09-008270 |
AlmaLinux OS 9 must ensure account locks persist across reboots. |
| ALMA-09-008380 |
AlmaLinux OS 9 must configure the appropriate SELinux context on the nondefault faillock tally directory. |
| ALMA-09-008490 |
AlmaLinux OS 9 must prevent users from disabling the Standard Mandatory DOD Notice and Consent Banner for graphical user interfaces. |
| ALMA-09-008600 |
AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. |
| ALMA-09-008710 |
AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. |
| ALMA-09-008820 |
AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH user logon. |
| ALMA-09-009260 |
AlmaLinux OS 9 must have the s-nail package installed. |
| ALMA-09-009370 |
AlmaLinux OS 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. |
| ALMA-09-009480 |
AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication. |
| ALMA-09-009590 |
AlmaLinux OS 9 must check the GPG signature of software packages originating from external software repositories before installation. |
| ALMA-09-009700 |
AlmaLinux OS 9 must ensure cryptographic verification of vendor software packages. |
| ALMA-09-009810 |
AlmaLinux OS 9 must check the GPG signature of locally installed software packages before installation. |
| ALMA-09-009920 |
AlmaLinux OS 9 must check the GPG signature of repository metadata before package installation. |
| ALMA-09-010030 |
AlmaLinux OS 9 must have GPG signature verification enabled for all software repositories. |
| ALMA-09-010140 |
AlmaLinux OS 9 must prevent the loading of a new kernel for later execution. |
| ALMA-09-010250 |
AlmaLinux OS 9 system commands must be group-owned by root or a system account. |
| ALMA-09-010360 |
AlmaLinux OS 9 system commands must be owned by root. |
| ALMA-09-010470 |
AlmaLinux OS 9 system commands must have mode 755 or less permissive. |
| ALMA-09-010580 |
AlmaLinux OS 9 library directories must be group-owned by root or a system account. |
| ALMA-09-010690 |
AlmaLinux OS 9 library directories must be owned by root. |
| ALMA-09-010800 |
AlmaLinux OS 9 library directories must have mode 755 or less permissive. |
| ALMA-09-010910 |
AlmaLinux OS 9 library files must be group-owned by root or a system account. |
| ALMA-09-011020 |
AlmaLinux OS 9 library files must be owned by root. |
| ALMA-09-011130 |
AlmaLinux OS 9 library files must have mode 755 or less permissive. |
| ALMA-09-011240 |
AlmaLinux OS 9 must disable core dumps for all users. |
| ALMA-09-011350 |
AlmaLinux OS 9 must disable acquiring, saving, and processing core dumps. |
| ALMA-09-011460 |
AlmaLinux OS 9 must disable storing core dumps. |
| ALMA-09-011570 |
AlmaLinux OS 9 must disable core dump backtraces. |
| ALMA-09-011680 |
AlmaLinux OS 9 must disable the kernel.core_pattern. |
| ALMA-09-011790 |
AlmaLinux OS 9 cron configuration files directory must be group-owned by root. |
| ALMA-09-011900 |
AlmaLinux OS 9 cron configuration files directory must be owned by root. |
| ALMA-09-012010 |
AlmaLinux OS 9 cron configuration directories must have a mode of 0700 or less permissive. |
| ALMA-09-012120 |
AlmaLinux OS 9 /etc/crontab file must have mode 0600. |
| ALMA-09-012230 |
AlmaLinux OS 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. |
| ALMA-09-012340 |
AlmaLinux OS 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. |
| ALMA-09-012450 |
All AlmaLinux OS 9 local files and directories must have a valid group owner. |
| ALMA-09-012560 |
All AlmaLinux OS 9 local files and directories must have a valid owner. |
| ALMA-09-012670 |
AlmaLinux OS 9 /etc/group- file must be group owned by root. |
| ALMA-09-012780 |
AlmaLinux OS 9 /etc/group- file must be owned by root. |
| ALMA-09-012890 |
AlmaLinux OS 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. |
| ALMA-09-013000 |
AlmaLinux OS 9 /etc/group file must be group owned by root. |
| ALMA-09-013110 |
AlmaLinux OS 9 /etc/group file must be owned by root. |
| ALMA-09-013220 |
AlmaLinux OS 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. |
| ALMA-09-013330 |
The /boot/grub2/grub.cfg file must be group-owned by root. |
| ALMA-09-013440 |
The /boot/grub2/grub.cfg file must be owned by root. |
| ALMA-09-013550 |
AlmaLinux OS 9 must disable the ability of systemd to spawn an interactive boot process. |
| ALMA-09-013660 |
AlmaLinux OS 9 /etc/gshadow- file must be group-owned by root. |
| ALMA-09-013770 |
AlmaLinux OS 9 /etc/gshadow- file must be owned by root. |
| ALMA-09-013880 |
AlmaLinux OS 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. |
| ALMA-09-013990 |
AlmaLinux OS 9 /etc/gshadow file must be group-owned by root. |
| ALMA-09-014100 |
AlmaLinux OS 9 /etc/gshadow file must be owned by root. |
| ALMA-09-014210 |
AlmaLinux OS 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. |
| ALMA-09-014320 |
The graphical display manager must not be the default target on AlmaLinux OS 9 unless approved.
|
| ALMA-09-014430 |
AlmaLinux OS 9 must disable the user list at logon for graphical user interfaces. |
| ALMA-09-014540 |
All AlmaLinux OS 9 local interactive user accounts must be assigned a home directory upon creation. |
| ALMA-09-014650 |
All AlmaLinux OS 9 local interactive user home directories defined in the /etc/passwd file must exist. |
| ALMA-09-014760 |
All AlmaLinux OS 9 local interactive user home directories must be group-owned by the home directory owner's primary group. |
| ALMA-09-014870 |
AlmaLinux OS 9 must prevent code from being executed on file systems that contain user home directories. |
| ALMA-09-014980 |
A separate file system must be used for user home directories (such as /home or an equivalent). |
| ALMA-09-015090 |
All AlmaLinux OS 9 local interactive users must have a home directory assigned in the /etc/passwd file. |
| ALMA-09-015200 |
Executable search paths within the initialization files of all local interactive AlmaLinux OS 9 users must only contain paths that resolve to the system default or the users home directory. |
| ALMA-09-015310 |
All AlmaLinux OS 9 local interactive user home directories must have mode 0750 or less permissive. |
| ALMA-09-015420 |
AlmaLinux OS 9 must not allow unattended or automatic logon via the graphical user interface. |
| ALMA-09-015640 |
AlmaLinux OS 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. |
| ALMA-09-015750 |
AlmaLinux OS 9 must not allow blank or null passwords. |
| ALMA-09-015860 |
AlmaLinux OS 9 must not have accounts configured with blank or null passwords. |
| ALMA-09-015970 |
AlmaLinux OS 9 /etc/passwd- file must be group-owned by root. |
| ALMA-09-016080 |
AlmaLinux OS 9 /etc/passwd- file must be owned by root. |
| ALMA-09-016190 |
AlmaLinux OS 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. |
| ALMA-09-016300 |
AlmaLinux OS 9 /etc/passwd file must be group-owned by root. |
| ALMA-09-016410 |
AlmaLinux OS 9 /etc/passwd file must be owned by root. |
| ALMA-09-016520 |
AlmaLinux OS 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. |
| ALMA-09-016630 |
AlmaLinux OS 9 /etc/shadow- file must be group-owned by root. |
| ALMA-09-016740 |
AlmaLinux OS 9 /etc/shadow- file must be owned by root. |
| ALMA-09-016850 |
AlmaLinux OS 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. |
| ALMA-09-016960 |
AlmaLinux OS 9 /etc/shadow file must be group-owned by root. |
| ALMA-09-017070 |
AlmaLinux OS 9 /etc/shadow file must be owned by root. |
| ALMA-09-017180 |
AlmaLinux OS 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. |
| ALMA-09-017290 |
AlmaLinux OS 9 must restrict privilege elevation to authorized personnel. |
| ALMA-09-017400 |
AlmaLinux OS 9 must use the invoking user's password for privilege escalation when using "sudo". |
| ALMA-09-017510 |
AlmaLinux OS 9 must set the umask value to 077 for all local interactive user accounts. |
| ALMA-09-017620 |
AlmaLinux OS 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. |
| ALMA-09-017730 |
AlmaLinux OS 9 must define default permissions for PAM users. |
| ALMA-09-017840 |
AlmaLinux OS 9 must define default permissions for logon and nonlogon shells. |
| ALMA-09-017950 |
AlmaLinux OS 9 must not have unauthorized accounts. |
| ALMA-09-018060 |
AlmaLinux OS 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). |
| ALMA-09-018170 |
AlmaLinux OS 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. |
| ALMA-09-018280 |
AlmaLinux OS 9 must be configured so that the file integrity tool verifies extended attributes. |
| ALMA-09-018390 |
AlmaLinux OS 9 must prevent the use of dictionary words for passwords. |
| ALMA-09-018500 |
AlmaLinux OS 9 must not accept router advertisements on all IPv6 interfaces. |
| ALMA-09-018610 |
AlmaLinux OS 9 must ignore Internet Control Message Protocol (ICMP) redirect messages. |
| ALMA-09-018720 |
The firewalld service on AlmaLinux OS 9 must be active. |
| ALMA-09-018830 |
AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. |
| ALMA-09-018940 |
AlmaLinux OS 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. |
| ALMA-09-019050 |
AlmaLinux OS 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
| ALMA-09-019160 |
AlmaLinux OS 9 must not enable IP packet forwarding unless the system is a router. |
| ALMA-09-019270 |
AlmaLinux OS 9 must not have unauthorized IP tunnels configured. |
| ALMA-09-019380 |
AlmaLinux OS 9 must log packets with impossible addresses. |
| ALMA-09-019490 |
AlmaLinux OS 9 must be configured to prevent unrestricted mail relaying. |
| ALMA-09-019600 |
AlmaLinux OS 9 must have the nss-tools package installed. |
| ALMA-09-019710 |
AlmaLinux OS 9 network interfaces must not be in promiscuous mode. |
| ALMA-09-019820 |
AlmaLinux OS 9 must use reverse path filtering on all IP interfaces. |
| ALMA-09-019930 |
AlmaLinux OS 9 must not send Internet Control Message Protocol (ICMP) redirects. |
| ALMA-09-020040 |
There must be no .shosts files on AlmaLinux OS 9. |
| ALMA-09-020150 |
There must be no shosts.equiv files on AlmaLinux OS 9. |
| ALMA-09-020260 |
AlmaLinux OS 9 must not forward source-routed packets. |
| ALMA-09-020370 |
AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication. |
| ALMA-09-020480 |
The AlmaLinux OS 9 SSH server configuration file must be group-owned by root. |
| ALMA-09-020590 |
The AlmaLinux OS 9 SSH server configuration file must be owned by root. |
| ALMA-09-020700 |
AlmaLinux OS 9 SSH server configuration files must have mode 0600 or less permissive. |
| ALMA-09-020810 |
AlmaLinux OS 9 must not allow a noncertificate trusted host SSH logon to the system. |
| ALMA-09-020920 |
AlmaLinux OS 9 SSH private host key files must have mode 0640 or less permissive. |
| ALMA-09-021030 |
AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive. |
| ALMA-09-021140 |
AlmaLinux OS 9 SSH daemon must not allow known hosts authentication. |
| ALMA-09-021250 |
AlmaLinux OS 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. |
| ALMA-09-021360 |
AlmaLinux OS 9 SSH daemon must not allow rhosts authentication. |
| ALMA-09-021470 |
AlmaLinux OS 9 SSH daemon must disable remote X connections for interactive users. |
| ALMA-09-021580 |
AlmaLinux OS 9 SSH daemon must prevent remote hosts from connecting to the proxy display. |
| ALMA-09-021690 |
If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode. |
| ALMA-09-021800 |
AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler. |
| ALMA-09-021910 |
AlmaLinux OS 9 effective dconf policy must match the policy keyfiles. |
| ALMA-09-022020 |
AlmaLinux OS 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. |
| ALMA-09-022130 |
All AlmaLinux OS 9 local initialization files must have mode 0740 or less permissive. |
| ALMA-09-022240 |
AlmaLinux OS 9 must have the gnutls-utils package installed. |
| ALMA-09-022350 |
The kdump service on AlmaLinux OS 9 must be disabled. |
| ALMA-09-022460 |
AlmaLinux OS 9 must disable the ability of a user to restart the system from the login screen. |
| ALMA-09-022570 |
AlmaLinux OS 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. |
| ALMA-09-022680 |
AlmaLinux OS 9 must prevent special devices on file systems that are used with removable media. |
| ALMA-09-022790 |
AlmaLinux OS 9 must prevent code from being executed on file systems that are used with removable media. |
| ALMA-09-022900 |
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. |
| ALMA-09-023010 |
AlmaLinux OS 9 must disable the use of user namespaces. |
| ALMA-09-023120 |
AlmaLinux OS 9 must prevent special devices on file systems that are imported via Network File System (NFS). |
| ALMA-09-023230 |
AlmaLinux OS 9 must prevent code execution on file systems that are imported via Network File System (NFS). |
| ALMA-09-023450 |
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). |
| ALMA-09-023560 |
AlmaLinux OS 9 must configure a DNS processing mode set be Network Manager. |
| ALMA-09-023670 |
AlmaLinux OS 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. |
| ALMA-09-023780 |
AlmaLinux OS 9 must prevent special devices on nonroot local partitions. |
| ALMA-09-023890 |
The root account must be the only account having unrestricted access to an AlmaLinux OS 9 system. |
| ALMA-09-024000 |
AlmaLinux OS 9 must be configured so that the cryptographic hashes of system files match vendor values. |
| ALMA-09-024110 |
AlmaLinux OS 9 must clear the page allocator to prevent use-after-free attacks. |
| ALMA-09-024220 |
AlmaLinux OS 9 must display the date and time of the last successful account logon upon logon. |
| ALMA-09-024330 |
AlmaLinux OS 9 security patches and updates must be installed and up to date. |
| ALMA-09-024440 |
AlmaLinux OS 9 policycoreutils-python-utils package must be installed. |
| ALMA-09-024550 |
AlmaLinux OS 9 must enable the hardware random number generator entropy gatherer service. |
| ALMA-09-024660 |
AlmaLinux OS 9 must have the rng-tools package installed. |
| ALMA-09-024770 |
The SSH daemon must perform strict mode checking of home directory configuration files. |
| ALMA-09-024990 |
AlmaLinux OS 9 system accounts must not have an interactive login shell. |
| ALMA-09-025100 |
AlmaLinux OS 9 must use a separate file system for /tmp. |
| ALMA-09-025210 |
Local AlmaLinux OS 9 initialization files must not execute world-writable programs. |
| ALMA-09-025320 |
AlmaLinux OS 9 must use a separate file system for /var/log. |
| ALMA-09-025430 |
AlmaLinux OS 9 must use a separate file system for /var. |
| ALMA-09-025540 |
AlmaLinux OS 9 must use a separate file system for /var/tmp. |
| ALMA-09-025650 |
AlmaLinux OS 9 must disable virtual system calls. |
| ALMA-09-025760 |
AlmaLinux OS 9 must use cron logging. |
| ALMA-09-025870 |
AlmaLinux OS 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. |
| ALMA-09-025980 |
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. |
| ALMA-09-026090 |
AlmaLinux OS 9 must prevent device files from being interpreted on file systems that contain user home directories. |
| ALMA-09-026200 |
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. |
| ALMA-09-026310 |
AlmaLinux OS 9 must mount /boot with the nodev option. |
| ALMA-09-026420 |
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. |
| ALMA-09-026530 |
AlmaLinux OS 9 must mount /dev/shm with the nodev option. |
| ALMA-09-026640 |
AlmaLinux OS 9 must mount /dev/shm with the noexec option. |
| ALMA-09-026750 |
AlmaLinux OS 9 must mount /dev/shm with the nosuid option. |
| ALMA-09-026860 |
AlmaLinux OS 9 must mount /tmp with the nodev option. |
| ALMA-09-026970 |
AlmaLinux OS 9 must mount /tmp with the noexec option. |
| ALMA-09-027080 |
AlmaLinux OS 9 must mount /tmp with the nosuid option. |
| ALMA-09-027190 |
AlmaLinux OS 9 must mount /var/log/audit with the nodev option. |
| ALMA-09-027300 |
AlmaLinux OS 9 must mount /var/log/audit with the noexec option. |
| ALMA-09-027410 |
AlmaLinux OS 9 must mount /var/log/audit with the nosuid option. |
| ALMA-09-027520 |
AlmaLinux OS 9 must mount /var/log with the nodev option. |
| ALMA-09-027630 |
AlmaLinux OS 9 must mount /var/log with the noexec option. |
| ALMA-09-027740 |
AlmaLinux OS 9 must mount /var/log with the nosuid option. |
| ALMA-09-027850 |
AlmaLinux OS 9 must mount /var with the nodev option. |
| ALMA-09-027960 |
AlmaLinux OS 9 must mount /var/tmp with the nodev option. |
| ALMA-09-028070 |
AlmaLinux OS 9 must mount /var/tmp with the noexec option. |
| ALMA-09-028180 |
AlmaLinux OS 9 must mount /var/tmp with the nosuid option. |
| ALMA-09-028290 |
AlmaLinux OS 9 fapolicy module must be enabled. |
| ALMA-09-028400 |
AlmaLinux OS 9 fapolicy module must be installed. |
| ALMA-09-028510 |
AlmaLinux OS 9 must disable remote management of the chrony daemon. |
| ALMA-09-028620 |
AlmaLinux OS 9 must prevent the chrony daemon from acting as a server. |
| ALMA-09-028730 |
AlmaLinux OS 9 must not have the iprutils package installed. |
| ALMA-09-028840 |
AlmaLinux OS 9 must not have the quagga package installed. |
| ALMA-09-028950 |
AlmaLinux OS 9 must not have the sendmail package installed. |
| ALMA-09-029060 |
AlmaLinux OS 9 must not have the telnet-server package installed. |
| ALMA-09-029170 |
AlmaLinux OS 9 must not have a Trivial File Transfer Protocol (TFTP) client package installed. |
| ALMA-09-029390 |
AlmaLinux OS 9 must not have the cups package installed. |
| ALMA-09-029500 |
AlmaLinux OS 9 must not have the gssproxy package installed. |
| ALMA-09-029610 |
AlmaLinux OS 9 must disable the Asynchronous Transfer Mode (ATM) kernel module.
|
| ALMA-09-029720 |
AlmaLinux OS 9 must be configured to disable Bluetooth. |
| ALMA-09-029830 |
AlmaLinux OS 9 must disable the Controller Area Network (CAN) kernel module.
|
| ALMA-09-029940 |
AlmaLinux OS 9 must disable mounting of cramfs. |
| ALMA-09-030050 |
AlmaLinux OS 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
|
| ALMA-09-030160 |
AlmaLinux OS 9 must disable mounting of squashfs. |
| ALMA-09-030270 |
AlmaLinux OS 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. |
| ALMA-09-030380 |
AlmaLinux OS 9 must disable mounting of udf. |
| ALMA-09-030490 |
Cameras must be disabled or covered when not in use. |
| ALMA-09-030600 |
AlmaLinux OS 9 must not have the nfs-utils package installed. |
| ALMA-09-030710 |
AlmaLinux OS 9 must not have the rsh package installed. |
| ALMA-09-030820 |
AlmaLinux OS 9 must not have the rsh-server package installed. |
| ALMA-09-030930 |
AlmaLinux OS 9 must not have the tuned package installed. |
| ALMA-09-031040 |
A graphical display manager must not be installed on AlmaLinux OS 9 unless approved.
|
| ALMA-09-031150 |
AlmaLinux OS 9 must not have the ypserv package installed. |
| ALMA-09-031260 |
AlmaLinux OS 9 must not have the avahi package installed. |
| ALMA-09-031370 |
AlmaLinux OS 9 must be configured to disable USB mass storage. |
| ALMA-09-031700 |
AlmaLinux OS 9 must have the firewalld package installed. |
| ALMA-09-031920 |
AlmaLinux OS 9 must require users to provide authentication for privilege escalation. |
| ALMA-09-032030 |
AlmaLinux OS 9 must require users to provide a password for privilege escalation. |
| ALMA-09-032140 |
AlmaLinux OS 9 must not be configured to bypass password requirements for privilege escalation. |
| ALMA-09-032250 |
AlmaLinux OS 9 must require reauthentication when using the "sudo" command. |
| ALMA-09-032470 |
AlmaLinux OS 9 must restrict the use of the "su" command. |
| ALMA-09-032910 |
Groups must have unique Group IDs (GIDs). |
| ALMA-09-033020 |
Duplicate User IDs (UIDs) must not exist for interactive users. |
| ALMA-09-033130 |
All AlmaLinux OS 9 interactive users must have a primary group that exists.
|
| ALMA-09-033240 |
AlmaLinux OS 9 SSHD must accept public key authentication. |
| ALMA-09-033350 |
AlmaLinux OS 9 must have the opensc package installed. |
| ALMA-09-033460 |
The pcscd socket on AlmaLinux OS 9 must be active. |
| ALMA-09-033570 |
AlmaLinux OS 9 must have the pcsc-lite package installed. |
| ALMA-09-033680 |
AlmaLinux OS 9 must implement certificate status checking for multifactor authentication. |
| ALMA-09-033790 |
AlmaLinux OS 9 must enable certificate based smart card authentication. |
| ALMA-09-034010 |
AlmaLinux OS 9 must have the openssl-pkcs11 package installed. |
| ALMA-09-034120 |
AlmaLinux OS 9 SSHD must not allow blank passwords. |
| ALMA-09-034340 |
AlmaLinux OS 9 must use the CAC smart card driver. |
| ALMA-09-034780 |
AlmaLinux OS 9 must not permit direct logons to the root account using remote access via SSH. |
| ALMA-09-034890 |
AlmaLinux OS 9 must disable the graphical user interface automount function unless required. |
| ALMA-09-035000 |
AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface automount function. |
| ALMA-09-035110 |
AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. |
| ALMA-09-035210 |
AlmaLinux OS 9 must have the USBGuard package installed. |
| ALMA-09-035220 |
AlmaLinux OS 9 must have the USBGuard package enabled. |
| ALMA-09-035440 |
AlmaLinux OS 9 must block unauthorized peripherals before establishing a connection. |
| ALMA-09-035550 |
AlmaLinux OS 9 must not have the autofs package installed. |
| ALMA-09-035660 |
AlmaLinux OS 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. |
| ALMA-09-035770 |
AlmaLinux OS 9 must enforce password complexity by requiring that at least one lowercase character be used. |
| ALMA-09-035880 |
AlmaLinux OS 9 must ensure the password complexity module is enabled in the password-auth file. |
| ALMA-09-035990 |
AlmaLinux OS 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. |
| ALMA-09-036100 |
AlmaLinux OS 9 must enforce password complexity rules for the root account. |
| ALMA-09-036210 |
AlmaLinux OS 9 must enforce password complexity by requiring that at least one uppercase character be used. |
| ALMA-09-036320 |
AlmaLinux OS 9 must enforce password complexity by requiring that at least one special character be used. |
| ALMA-09-036430 |
AlmaLinux OS 9 passwords for new users must have a minimum of 15 characters. |
| ALMA-09-036540 |
AlmaLinux OS 9 passwords must be created with a minimum of 15 characters. |
| ALMA-09-036650 |
AlmaLinux OS 9 must enforce password complexity by requiring that at least one numeric character be used. |
| ALMA-09-036760 |
AlmaLinux OS 9 must require the change of at least four character classes when passwords are changed. |
| ALMA-09-036870 |
AlmaLinux OS 9 must require the maximum number of repeating characters be limited to three when passwords are changed. |
| ALMA-09-036980 |
AlmaLinux OS 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. |
| ALMA-09-037090 |
AlmaLinux OS 9 must require the change of at least eight characters when passwords are changed. |
| ALMA-09-037200 |
AlmaLinux OS 9 PAM must be configured to use a sufficient number of password hashing rounds. |
| ALMA-09-037310 |
AlmaLinux OS 9 must be configured so that libuser is configured to store only encrypted representations of passwords. |
| ALMA-09-037420 |
AlmaLinux OS 9 must be configured so that the system's shadow file is configured to store only encrypted representations of passwords. |
| ALMA-09-037530 |
AlmaLinux OS 9 must be configured so that the Pluggable Authentication Module is configured to store only encrypted representations of passwords. |
| ALMA-09-037640 |
AlmaLinux OS 9 must be configured so that interactive user account passwords are using strong password hashes. |
| ALMA-09-037750 |
AlmaLinux OS 9 must not have any File Transfer Protocol (FTP) packages installed. |
| ALMA-09-037860 |
AlmaLinux OS 9 must not have any telnet packages installed. |
| ALMA-09-037970 |
Passwords for existing users must have a 60-day maximum password lifetime restriction in /etc/shadow. |
| ALMA-09-038080 |
Passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. |
| ALMA-09-038190 |
Passwords for existing users must have a 24-hour minimum password lifetime restriction in /etc/shadow. |
| ALMA-09-038300 |
Passwords for new users or password changes must have a 24-hour minimum password lifetime restriction in /etc/login.defs. |
| ALMA-09-038630 |
AlmaLinux OS 9 must prohibit the use of cached authenticators after one day. |
| ALMA-09-038850 |
For PKI-based authentication, AlmaLinux OS 9 must enforce authorized access to the corresponding private key. |
| ALMA-09-038960 |
AlmaLinux OS 9 must map the authenticated identity to the user or group account for PKI-based authentication. |
| ALMA-09-039070 |
AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
| ALMA-09-039290 |
AlmaLinux OS 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. |
| ALMA-09-039400 |
AlmaLinux OS 9 must prevent system daemons from using Kerberos for authentication. |
| ALMA-09-039510 |
The libreswan package must be installed. |
| ALMA-09-039620 |
AlmaLinux OS 9 must have the packages required for encrypting offloaded audit logs installed. |
| ALMA-09-039840 |
AlmaLinux OS 9 must have the crypto-policies package installed. |
| ALMA-09-040060 |
AlmaLinux OS 9 must implement a systemwide encryption policy. |
| ALMA-09-040170 |
AlmaLinux OS 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. |
| ALMA-09-040390 |
AlmaLinux OS 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. |
| ALMA-09-040500 |
AlmaLinux OS 9 must terminate idle user sessions. |
| ALMA-09-040720 |
AlmaLinux OS 9 must disable access to network bpf system call from nonprivileged processes. |
| ALMA-09-040830 |
AlmaLinux OS 9 must restrict exposed kernel pointer addresses access. |
| ALMA-09-040940 |
AlmaLinux OS 9 must restrict usage of ptrace to descendant processes. |
| ALMA-09-041050 |
AlmaLinux OS 9 must restrict access to the kernel message buffer. |
| ALMA-09-041160 |
AlmaLinux OS 9 must prevent kernel profiling by nonprivileged users. |
| ALMA-09-041270 |
AlmaLinux OS 9 must only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system. |
| ALMA-09-041490 |
AlmaLinux OS 9 systemd-journald service must be enabled. |
| ALMA-09-041600 |
AlmaLinux OS 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. |
| ALMA-09-041930 |
AlmaLinux OS 9 must use a Linux Security Module configured to enforce limits on system services. |
| ALMA-09-042040 |
AlmaLinux OS 9 must have the policycoreutils package installed. |
| ALMA-09-042150 |
Any AlmaLinux OS 9 world-writable directories must be owned by root, sys, bin, or an application user. |
| ALMA-09-042260 |
A sticky bit must be set on all AlmaLinux OS 9 public directories. |
| ALMA-09-042370 |
AlmaLinux OS 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. |
| ALMA-09-042480 |
AlmaLinux OS 9 must be configured to use TCP syncookies. |
| ALMA-09-042700 |
All AlmaLinux OS 9 networked systems must have the OpenSSH client installed. |
| ALMA-09-042810 |
All AlmaLinux OS 9 networked systems must implement SSH to protect the confidentiality and integrity of transmitted and received information, including information being prepared for transmission. |
| ALMA-09-042920 |
All AlmaLinux OS 9 networked systems must have the OpenSSH server installed. |
| ALMA-09-043030 |
AlmaLinux OS 9 must not allow users to override SSH environment variables. |
| ALMA-09-043140 |
AlmaLinux OS 9 must implement DOD-approved encryption in the bind package. |
| ALMA-09-043250 |
AlmaLinux OS 9 wireless network adapters must be disabled. |
| ALMA-09-043800 |
AlmaLinux OS 9 must not show boot up messages. |
| ALMA-09-043910 |
AlmaLinux OS 9 /var/log directory must be group-owned by root. |
| ALMA-09-044020 |
AlmaLinux OS 9 /var/log/messages file must be group-owned by root. |
| ALMA-09-044130 |
AlmaLinux OS 9 /var/log/messages file must be owned by root. |
| ALMA-09-044240 |
AlmaLinux OS 9 /var/log/messages file must have mode 0640 or less permissive. |
| ALMA-09-044350 |
AlmaLinux OS 9 /var/log directory must be owned by root. |
| ALMA-09-044460 |
AlmaLinux OS 9 /var/log directory must have mode 0755 or less permissive. |
| ALMA-09-044570 |
AlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution. |
| ALMA-09-044680 |
AlmaLinux OS 9 must enable mitigations against processor-based vulnerabilities. |
| ALMA-09-044790 |
AlmaLinux OS 9 must clear SLUB/SLAB objects to prevent use-after-free attacks. |
| ALMA-09-044900 |
AlmaLinux OS 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. |
| ALMA-09-045120 |
AlmaLinux OS 9 must remove all software components after updated versions have been installed. |
| ALMA-09-045125 |
AlmaLinux OS 9 must be a supported release. |
| ALMA-09-045230 |
AlmaLinux OS 9 must enable the SELinux targeted policy. |
| ALMA-09-045340 |
AlmaLinux OS 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed. |
| ALMA-09-045450 |
AlmaLinux OS 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered. |
| ALMA-09-045670 |
AlmaLinux OS 9 audit system must audit local events. |
| ALMA-09-045780 |
AlmaLinux OS 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. |
| ALMA-09-045890 |
AlmaLinux OS 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. |
| ALMA-09-046000 |
Successful/unsuccessful uses of the init command in AlmaLinux OS 9 must generate an audit record. |
| ALMA-09-046220 |
AlmaLinux OS 9 must generate audit records for any use of the "poweroff" command. |
| ALMA-09-046330 |
AlmaLinux OS 9 must generate audit records for any use of the "reboot" command. |
| ALMA-09-046440 |
AlmaLinux must generate audit records for any use of the "shutdown" command. |
| ALMA-09-046550 |
AlmaLinux OS 9 must enable Linux audit logging for the USBGuard daemon. |
| ALMA-09-046660 |
AlmaLinux OS 9 must audit all uses of the delete_module, init_module and finit_module system calls. |
| ALMA-09-046770 |
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. |
| ALMA-09-046880 |
AlmaLinux OS 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. |
| ALMA-09-047100 |
The audit package must be installed on AlmaLinux OS 9. |
| ALMA-09-047540 |
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. |
| ALMA-09-047650 |
AlmaLinux OS 9 must generate audit records for any use of the "mount" command. |
| ALMA-09-047760 |
AlmaLinux OS 9 must generate audit records for any use of the "umount" command. |
| ALMA-09-047870 |
Successful/unsuccessful uses of the umount2 system call in AlmaLinux OS 9 must generate an audit record. |
| ALMA-09-047980 |
AlmaLinux OS 9 must enable auditing of processes that start prior to the audit daemon. |
| ALMA-09-048090 |
AlmaLinux OS 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. |
| ALMA-09-048200 |
AlmaLinux OS 9 must generate audit records for any use of the "chacl" command. |
| ALMA-09-048310 |
AlmaLinux OS 9 must generate audit records for any use of the "chage" command. |
| ALMA-09-048420 |
AlmaLinux OS 9 must generate audit records for any use of the "chcon" command. |
| ALMA-09-048530 |
AlmaLinux OS 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. |
| ALMA-09-048640 |
AlmaLinux OS 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. |
| ALMA-09-048750 |
AlmaLinux OS 9 must generate audit records for any use of the "chsh" command. |
| ALMA-09-048860 |
AlmaLinux OS 9 must generate audit records for any use of the "crontab" command. |
| ALMA-09-048970 |
AlmaLinux OS 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. |
| ALMA-09-049080 |
AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. |
| ALMA-09-049190 |
AlmaLinux OS 9 must generate audit records for any use of the "gpasswd" command. |
| ALMA-09-049300 |
AlmaLinux OS 9 must audit all uses of the kmod command. |
| ALMA-09-049410 |
AlmaLinux OS 9 must generate audit records for any use of the "newgrp" command. |
| ALMA-09-049520 |
AlmaLinux OS 9 must generate audit records for any use of the "passwd" command. |
| ALMA-09-049630 |
AlmaLinux OS 9 must generate audit records for any use of the "postdrop" command. |
| ALMA-09-049740 |
AlmaLinux OS 9 must generate audit records for any use of the "postqueue" command. |
| ALMA-09-049850 |
AlmaLinux OS 9 must generate audit records for any use of the "su" command. |
| ALMA-09-049960 |
AlmaLinux OS 9 must generate audit records for any use of the "sudo" command. |
| ALMA-09-050070 |
AlmaLinux OS 9 must generate audit records for any use of the "semanage" command. |
| ALMA-09-050180 |
AlmaLinux OS 9 must generate audit records for any use of the "setfacl" command. |
| ALMA-09-050290 |
AlmaLinux OS 9 must generate audit records for any use of the "setfiles" command. |
| ALMA-09-050400 |
AlmaLinux OS 9 must generate audit records for any use of the "setsebool" command. |
| ALMA-09-050510 |
AlmaLinux OS 9 must generate audit records for any use of the "ssh-agent" command. |
| ALMA-09-050620 |
AlmaLinux OS 9 must generate audit records for any use of the "ssh-keysign" command. |
| ALMA-09-050730 |
AlmaLinux OS 9 must generate audit records for any use of the "sudoedit" command. |
| ALMA-09-050840 |
AlmaLinux OS 9 must generate audit records for any use of the "pam_timestamp_check" command. |
| ALMA-09-050950 |
AlmaLinux OS 9 must generate audit records for any use of the "unix_chkpwd" command. |
| ALMA-09-051060 |
AlmaLinux OS 9 must generate audit records for any use of the "unix_update" command. |
| ALMA-09-051170 |
AlmaLinux OS 9 must generate audit records for any use of the "userhelper" command. |
| ALMA-09-051280 |
AlmaLinux OS 9 must generate audit records for any use of the "usermod" command. |
| ALMA-09-051390 |
AlmaLinux OS 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
|
| ALMA-09-051830 |
AlmaLinux OS 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. |
| ALMA-09-051940 |
AlmaLinux OS 9 must use a separate file system for the system audit data path. |
| ALMA-09-052050 |
AlmaLinux OS 9 must allocate audit record storage capacity to store at least one week's worth of audit records. |
| ALMA-09-052160 |
AlmaLinux OS 9 audispd-plugins package must be installed. |
| ALMA-09-052270 |
AlmaLinux OS 9 must label all offloaded audit logs before sending them to the central log server. |
| ALMA-09-052380 |
AlmaLinux OS 9 must take appropriate action when the internal event queue is full. |
| ALMA-09-052490 |
AlmaLinux OS 9 must be configured to offload audit records onto a different system from the system being audited via syslog. |
| ALMA-09-052600 |
AlmaLinux OS 9 must authenticate the remote logging server for offloading audit logs via rsyslog. |
| ALMA-09-052710 |
AlmaLinux OS 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. |
| ALMA-09-052820 |
AlmaLinux OS 9 must encrypt, via the gtls driver, the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. |
| ALMA-09-052930 |
AlmaLinux OS 9 must have the rsyslog package installed. |
| ALMA-09-053040 |
AlmaLinux OS 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. |
| ALMA-09-053150 |
The rsyslog service on AlmaLinux OS 9 must be active. |
| ALMA-09-053260 |
AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. |
| ALMA-09-053370 |
AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. |
| ALMA-09-053480 |
AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. |
| ALMA-09-053590 |
AlmaLinux OS 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent usage. |
| ALMA-09-053810 |
AlmaLinux OS 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. |
| ALMA-09-053920 |
AlmaLinux OS 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. |
| ALMA-09-054030 |
AlmaLinux OS 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. |
| ALMA-09-054140 |
AlmaLinux OS 9 audit system must take appropriate action when the audit storage volume is full. |
| ALMA-09-054250 |
AlmaLinux OS 9 must take appropriate action when a critical audit processing failure occurs. |
| ALMA-09-054360 |
AlmaLinux OS 9 audit system must make full use of the audit storage space. |
| ALMA-09-054470 |
AlmaLinux OS 9 audit system must take appropriate action when the audit files have reached maximum size. |
| ALMA-09-054580 |
AlmaLinux OS 9 audit system must retain an optimal number of audit records. |
| ALMA-09-054690 |
AlmaLinux OS 9 must periodically flush audit records to disk to prevent the loss of audit records. |
| ALMA-09-054910 |
The auditd service must be enabled on AlmaLinux OS 9. |
| ALMA-09-055130 |
The chronyd service must be enabled. |
| ALMA-09-055240 |
AlmaLinux OS 9 must have the chrony package installed. |
| ALMA-09-055350 |
AlmaLinux OS 9 must securely compare internal information system clocks at least every 24 hours. |
| ALMA-09-055680 |
AlmaLinux OS 9 audit log directory must be owned by root to prevent unauthorized read access. |
| ALMA-09-055790 |
AlmaLinux OS 9 audit log directory must have 0700 permissions to prevent unauthorized read access. |
| ALMA-09-055900 |
AlmaLinux OS 9 audit logs must be owned by the root group to prevent unauthorized read access. |
| ALMA-09-056010 |
AlmaLinux OS 9 audit logs must be owned by root to prevent unauthorized read access. |
| ALMA-09-056120 |
AlmaLinux OS 9 audit logs must have 0600 permissions to prevent unauthorized read access. |
| ALMA-09-056230 |
AlmaLinux OS 9 audit tools must be group-owned by root. |
| ALMA-09-056340 |
AlmaLinux OS 9 audit tools must be owned by root. |
| ALMA-09-056560 |
AlmaLinux OS 9 audit tools must have a mode of 0755 or less permissive. |
| ALMA-09-056780 |
AlmaLinux OS 9 audit system must protect logon UIDs from unauthorized change. |
| ALMA-09-056890 |
AlmaLinux OS 9 must use cryptographic mechanisms to protect the integrity of audit tools. |
| ALMA-09-057110 |
AlmaLinux OS 9 audit system must protect auditing rules from unauthorized change. |