STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

Version: V1R6

Benchmark ID: CloudLinux_AlmaLinux_OS_9_STIG

Total Checks: 439

Tags: linux

Severity breakdown: CAT I: 33, CAT II: 402, CAT III: 4

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (439)

  • V-269102 (LOW) AlmaLinux OS 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.
  • V-269103 (MEDIUM) AlmaLinux OS 9 must automatically lock graphical user sessions after 15 minutes of inactivity.
  • V-269104 (MEDIUM) AlmaLinux OS 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
  • V-269105 (MEDIUM) AlmaLinux OS 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
  • V-269106 (MEDIUM) AlmaLinux OS 9 must initiate a session lock for graphical user interfaces when the screensaver is activated.
  • V-269107 (MEDIUM) AlmaLinux OS 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
  • V-269108 (MEDIUM) AlmaLinux OS 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.
  • V-269109 (MEDIUM) AlmaLinux OS 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed.
  • V-269110 (MEDIUM) AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.
  • V-269111 (MEDIUM) AlmaLinux OS 9 must log SSH connection attempts and failures to the server.
  • V-269112 (MEDIUM) All AlmaLinux OS 9 remote access methods must be monitored.
  • V-269113 (HIGH) AlmaLinux OS 9 SSH client must be configured to use only encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
  • V-269115 (HIGH) AlmaLinux OS 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms.
  • V-269116 (HIGH) The AlmaLinux 9 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
  • V-269118 (MEDIUM) AlmaLinux OS 9 must implement DOD-approved systemwide cryptographic policies to protect the confidentiality of SSH server connections.
  • V-269119 (HIGH) The AlmaLinux OS 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
  • V-269120 (MEDIUM) AlmaLinux OS 9 must force a frequent session key renegotiation for SSH connections to the server.
  • V-269122 (HIGH) AlmaLinux OS 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms.
  • V-269125 (HIGH) AlmaLinux OS 9 must use the TuxCare ESU repository.
  • V-269126 (HIGH) AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.
  • V-269127 (HIGH) AlmaLinux OS 9 must enable FIPS mode.
  • V-269128 (MEDIUM) AlmaLinux OS 9 must automatically expire temporary accounts within 72 hours.
  • V-269129 (MEDIUM) AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
  • V-269130 (MEDIUM) AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
  • V-269131 (MEDIUM) AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
  • V-269132 (MEDIUM) AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
  • V-269133 (MEDIUM) AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
  • V-269134 (MEDIUM) AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
  • V-269135 (MEDIUM) AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/
  • V-269136 (MEDIUM) AlmaLinux OS 9 must require authentication to access emergency mode.
  • V-269137 (MEDIUM) AlmaLinux OS 9 must require a boot loader password.
  • V-269138 (MEDIUM) AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes.
  • V-269139 (MEDIUM) AlmaLinux OS 9 must require authentication to access single-user mode.
  • V-269140 (HIGH) The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled.
  • V-269141 (HIGH) The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9.
  • V-269142 (MEDIUM) AlmaLinux OS 9 must have the sudo package installed.
  • V-269143 (MEDIUM) The AlmaLinux OS 9 debug-shell systemd service must be disabled.
  • V-269144 (MEDIUM) AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
  • V-269145 (MEDIUM) AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.
  • V-269146 (MEDIUM) AlmaLinux OS 9 must audit uses of the "execve" system call.
  • V-269147 (MEDIUM) AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur.
  • V-269148 (MEDIUM) AlmaLinux OS 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-269149 (MEDIUM) AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-269150 (MEDIUM) AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
  • V-269151 (MEDIUM) AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
  • V-269152 (MEDIUM) AlmaLinux OS 9 must log username information when unsuccessful logon attempts occur.
  • V-269153 (MEDIUM) AlmaLinux OS 9 must maintain an account lock until the locked account is manually released by an administrator; and not automatically after a set time.
  • V-269154 (MEDIUM) AlmaLinux OS 9 must ensure account locks persist across reboots.
  • V-269155 (MEDIUM) AlmaLinux OS 9 must configure the appropriate SELinux context on the nondefault faillock tally directory.
  • V-269156 (MEDIUM) AlmaLinux OS 9 must prevent users from disabling the Standard Mandatory DOD Notice and Consent Banner for graphical user interfaces.
  • V-269157 (MEDIUM) AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
  • V-269158 (MEDIUM) AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
  • V-269159 (MEDIUM) AlmaLinux OS 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH user logon.
  • V-269160 (MEDIUM) AlmaLinux OS 9 must have the s-nail package installed.
  • V-269161 (MEDIUM) AlmaLinux OS 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
  • V-269162 (MEDIUM) AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication.
  • V-269163 (HIGH) AlmaLinux OS 9 must check the GPG signature of software packages originating from external software repositories before installation.
  • V-269164 (HIGH) AlmaLinux OS 9 must ensure cryptographic verification of vendor software packages.
  • V-269165 (HIGH) AlmaLinux OS 9 must check the GPG signature of locally installed software packages before installation.
  • V-269166 (HIGH) AlmaLinux OS 9 must check the GPG signature of repository metadata before package installation.
  • V-269167 (HIGH) AlmaLinux OS 9 must have GPG signature verification enabled for all software repositories.
  • V-269168 (MEDIUM) AlmaLinux OS 9 must prevent the loading of a new kernel for later execution.
  • V-269169 (MEDIUM) AlmaLinux OS 9 system commands must be group-owned by root or a system account.
  • V-269170 (MEDIUM) AlmaLinux OS 9 system commands must be owned by root.
  • V-269171 (MEDIUM) AlmaLinux OS 9 system commands must have mode 755 or less permissive.
  • V-269172 (MEDIUM) AlmaLinux OS 9 library directories must be group-owned by root or a system account.
  • V-269173 (MEDIUM) AlmaLinux OS 9 library directories must be owned by root.
  • V-269174 (MEDIUM) AlmaLinux OS 9 library directories must have mode 755 or less permissive.
  • V-269175 (MEDIUM) AlmaLinux OS 9 library files must be group-owned by root or a system account.
  • V-269176 (MEDIUM) AlmaLinux OS 9 library files must be owned by root.
  • V-269177 (MEDIUM) AlmaLinux OS 9 library files must have mode 755 or less permissive.
  • V-269178 (MEDIUM) AlmaLinux OS 9 must disable core dumps for all users.
  • V-269179 (MEDIUM) AlmaLinux OS 9 must disable acquiring, saving, and processing core dumps.
  • V-269180 (MEDIUM) AlmaLinux OS 9 must disable storing core dumps.
  • V-269181 (MEDIUM) AlmaLinux OS 9 must disable core dump backtraces.
  • V-269182 (MEDIUM) AlmaLinux OS 9 must disable the kernel.core_pattern.
  • V-269183 (MEDIUM) AlmaLinux OS 9 cron configuration files directory must be group-owned by root.
  • V-269184 (MEDIUM) AlmaLinux OS 9 cron configuration files directory must be owned by root.
  • V-269185 (MEDIUM) AlmaLinux OS 9 cron configuration directories must have a mode of 0700 or less permissive.
  • V-269186 (MEDIUM) AlmaLinux OS 9 /etc/crontab file must have mode 0600.
  • V-269187 (MEDIUM) AlmaLinux OS 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
  • V-269188 (MEDIUM) AlmaLinux OS 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
  • V-269189 (MEDIUM) All AlmaLinux OS 9 local files and directories must have a valid group owner.
  • V-269190 (MEDIUM) All AlmaLinux OS 9 local files and directories must have a valid owner.
  • V-269191 (MEDIUM) AlmaLinux OS 9 /etc/group- file must be group owned by root.
  • V-269192 (MEDIUM) AlmaLinux OS 9 /etc/group- file must be owned by root.
  • V-269193 (MEDIUM) AlmaLinux OS 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
  • V-269194 (MEDIUM) AlmaLinux OS 9 /etc/group file must be group owned by root.
  • V-269195 (MEDIUM) AlmaLinux OS 9 /etc/group file must be owned by root.
  • V-269196 (MEDIUM) AlmaLinux OS 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
  • V-269197 (MEDIUM) The /boot/grub2/grub.cfg file must be group-owned by root.
  • V-269198 (MEDIUM) The /boot/grub2/grub.cfg file must be owned by root.
  • V-269199 (MEDIUM) AlmaLinux OS 9 must disable the ability of systemd to spawn an interactive boot process.
  • V-269200 (MEDIUM) AlmaLinux OS 9 /etc/gshadow- file must be group-owned by root.
  • V-269201 (MEDIUM) AlmaLinux OS 9 /etc/gshadow- file must be owned by root.
  • V-269202 (MEDIUM) AlmaLinux OS 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
  • V-269203 (MEDIUM) AlmaLinux OS 9 /etc/gshadow file must be group-owned by root.
  • V-269204 (MEDIUM) AlmaLinux OS 9 /etc/gshadow file must be owned by root.
  • V-269205 (MEDIUM) AlmaLinux OS 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
  • V-269206 (MEDIUM) The graphical display manager must not be the default target on AlmaLinux OS 9 unless approved.
  • V-269207 (MEDIUM) AlmaLinux OS 9 must disable the user list at logon for graphical user interfaces.
  • V-269208 (MEDIUM) All AlmaLinux OS 9 local interactive user accounts must be assigned a home directory upon creation.
  • V-269209 (MEDIUM) All AlmaLinux OS 9 local interactive user home directories defined in the /etc/passwd file must exist.
  • V-269210 (MEDIUM) All AlmaLinux OS 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
  • V-269211 (MEDIUM) AlmaLinux OS 9 must prevent code from being executed on file systems that contain user home directories.
  • V-269212 (MEDIUM) A separate file system must be used for user home directories (such as /home or an equivalent).
  • V-269213 (MEDIUM) All AlmaLinux OS 9 local interactive users must have a home directory assigned in the /etc/passwd file.
  • V-269214 (MEDIUM) Executable search paths within the initialization files of all local interactive AlmaLinux OS 9 users must only contain paths that resolve to the system default or the users home directory.
  • V-269215 (MEDIUM) All AlmaLinux OS 9 local interactive user home directories must have mode 0750 or less permissive.
  • V-269216 (HIGH) AlmaLinux OS 9 must not allow unattended or automatic logon via the graphical user interface.
  • V-269217 (MEDIUM) AlmaLinux OS 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
  • V-269218 (MEDIUM) AlmaLinux OS 9 must not allow blank or null passwords.
  • V-269219 (MEDIUM) AlmaLinux OS 9 must not have accounts configured with blank or null passwords.
  • V-269220 (MEDIUM) AlmaLinux OS 9 /etc/passwd- file must be group-owned by root.
  • V-269221 (MEDIUM) AlmaLinux OS 9 /etc/passwd- file must be owned by root.
  • V-269222 (MEDIUM) AlmaLinux OS 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
  • V-269223 (MEDIUM) AlmaLinux OS 9 /etc/passwd file must be group-owned by root.
  • V-269224 (MEDIUM) AlmaLinux OS 9 /etc/passwd file must be owned by root.
  • V-269225 (MEDIUM) AlmaLinux OS 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
  • V-269226 (MEDIUM) AlmaLinux OS 9 /etc/shadow- file must be group-owned by root.
  • V-269227 (MEDIUM) AlmaLinux OS 9 /etc/shadow- file must be owned by root.
  • V-269228 (MEDIUM) AlmaLinux OS 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
  • V-269229 (MEDIUM) AlmaLinux OS 9 /etc/shadow file must be group-owned by root.
  • V-269230 (MEDIUM) AlmaLinux OS 9 /etc/shadow file must be owned by root.
  • V-269231 (MEDIUM) AlmaLinux OS 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
  • V-269232 (MEDIUM) AlmaLinux OS 9 must restrict privilege elevation to authorized personnel.
  • V-269233 (MEDIUM) AlmaLinux OS 9 must use the invoking user's password for privilege escalation when using "sudo".
  • V-269234 (MEDIUM) AlmaLinux OS 9 must set the umask value to 077 for all local interactive user accounts.
  • V-269235 (MEDIUM) AlmaLinux OS 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
  • V-269236 (MEDIUM) AlmaLinux OS 9 must define default permissions for PAM users.
  • V-269237 (MEDIUM) AlmaLinux OS 9 must define default permissions for logon and nonlogon shells.
  • V-269238 (MEDIUM) AlmaLinux OS 9 must not have unauthorized accounts.
  • V-269239 (MEDIUM) AlmaLinux OS 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
  • V-269240 (MEDIUM) AlmaLinux OS 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
  • V-269241 (MEDIUM) AlmaLinux OS 9 must be configured so that the file integrity tool verifies extended attributes.
  • V-269242 (MEDIUM) AlmaLinux OS 9 must prevent the use of dictionary words for passwords.
  • V-269243 (MEDIUM) AlmaLinux OS 9 must not accept router advertisements on all IPv6 interfaces.
  • V-269244 (MEDIUM) AlmaLinux OS 9 must ignore Internet Control Message Protocol (ICMP) redirect messages.
  • V-269245 (MEDIUM) The firewalld service on AlmaLinux OS 9 must be active.
  • V-269246 (MEDIUM) AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
  • V-269247 (MEDIUM) AlmaLinux OS 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
  • V-269248 (MEDIUM) AlmaLinux OS 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
  • V-269249 (MEDIUM) AlmaLinux OS 9 must not enable IP packet forwarding unless the system is a router.
  • V-269250 (MEDIUM) AlmaLinux OS 9 must not have unauthorized IP tunnels configured.
  • V-269251 (MEDIUM) AlmaLinux OS 9 must log packets with impossible addresses.
  • V-269252 (MEDIUM) AlmaLinux OS 9 must be configured to prevent unrestricted mail relaying.
  • V-269253 (MEDIUM) AlmaLinux OS 9 must have the nss-tools package installed.
  • V-269254 (MEDIUM) AlmaLinux OS 9 network interfaces must not be in promiscuous mode.
  • V-269255 (MEDIUM) AlmaLinux OS 9 must use reverse path filtering on all IP interfaces.
  • V-269256 (MEDIUM) AlmaLinux OS 9 must not send Internet Control Message Protocol (ICMP) redirects.
  • V-269257 (MEDIUM) There must be no .shosts files on AlmaLinux OS 9.
  • V-269258 (MEDIUM) There must be no shosts.equiv files on AlmaLinux OS 9.
  • V-269259 (MEDIUM) Alma Linux OS 9 must not accept IPv4 source-routed packets by default.
  • V-269260 (MEDIUM) AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
  • V-269261 (MEDIUM) The AlmaLinux OS 9 SSH server configuration file must be group-owned by root.
  • V-269262 (MEDIUM) The AlmaLinux OS 9 SSH server configuration file must be owned by root.
  • V-269263 (MEDIUM) AlmaLinux OS 9 SSH server configuration files must have mode 0600 or less permissive.
  • V-269264 (MEDIUM) AlmaLinux OS 9 must not allow a noncertificate trusted host SSH logon to the system.
  • V-269265 (MEDIUM) AlmaLinux OS 9 SSH private host key files must have mode 0640 or less permissive.
  • V-269266 (MEDIUM) AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive.
  • V-269267 (MEDIUM) AlmaLinux OS 9 SSH daemon must not allow known hosts authentication.
  • V-269268 (MEDIUM) AlmaLinux OS 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
  • V-269269 (MEDIUM) AlmaLinux OS 9 SSH daemon must not allow rhosts authentication.
  • V-269270 (MEDIUM) AlmaLinux OS 9 SSH daemon must disable remote X connections for interactive users.
  • V-269271 (MEDIUM) AlmaLinux OS 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
  • V-269272 (MEDIUM) If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
  • V-269273 (MEDIUM) AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.
  • V-269274 (MEDIUM) AlmaLinux OS 9 effective dconf policy must match the policy keyfiles.
  • V-269275 (MEDIUM) AlmaLinux OS 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
  • V-269276 (MEDIUM) All AlmaLinux OS 9 local initialization files must have mode 0740 or less permissive.
  • V-269277 (MEDIUM) AlmaLinux OS 9 must have the gnutls-utils package installed.
  • V-269278 (MEDIUM) The kdump service on AlmaLinux OS 9 must be disabled.
  • V-269279 (MEDIUM) AlmaLinux OS 9 must disable the ability of a user to restart the system from the login screen.
  • V-269280 (MEDIUM) AlmaLinux OS 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
  • V-269281 (MEDIUM) AlmaLinux OS 9 must prevent special devices on file systems that are used with removable media.
  • V-269282 (MEDIUM) AlmaLinux OS 9 must prevent code from being executed on file systems that are used with removable media.
  • V-269283 (MEDIUM) AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
  • V-269284 (MEDIUM) AlmaLinux OS 9 must disable the use of user namespaces.
  • V-269285 (MEDIUM) AlmaLinux OS 9 must prevent special devices on file systems that are imported via Network File System (NFS).
  • V-269286 (MEDIUM) AlmaLinux OS 9 must prevent code execution on file systems that are imported via Network File System (NFS).
  • V-269287 (MEDIUM) AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
  • V-269288 (MEDIUM) AlmaLinux OS 9 must configure a DNS processing mode set be Network Manager.
  • V-269289 (MEDIUM) AlmaLinux OS 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
  • V-269290 (MEDIUM) AlmaLinux OS 9 must prevent special devices on nonroot local partitions.
  • V-269291 (MEDIUM) The root account must be the only account having unrestricted access to an AlmaLinux OS 9 system.
  • V-269292 (MEDIUM) AlmaLinux OS 9 must be configured so that the cryptographic hashes of system files match vendor values.
  • V-269293 (MEDIUM) AlmaLinux OS 9 must clear the page allocator to prevent use-after-free attacks.
  • V-269295 (MEDIUM) AlmaLinux OS 9 security patches and updates must be installed and up to date.
  • V-269296 (MEDIUM) AlmaLinux OS 9 policycoreutils-python-utils package must be installed.
  • V-269297 (MEDIUM) AlmaLinux OS 9 must enable the hardware random number generator entropy gatherer service.
  • V-269298 (MEDIUM) AlmaLinux OS 9 must have the rng-tools package installed.
  • V-269299 (MEDIUM) The SSH daemon must perform strict mode checking of home directory configuration files.
  • V-269300 (MEDIUM) AlmaLinux OS 9 system accounts must not have an interactive login shell.
  • V-269301 (MEDIUM) AlmaLinux OS 9 must use a separate file system for /tmp.
  • V-269303 (MEDIUM) AlmaLinux OS 9 must use a separate file system for /var/log.
  • V-269304 (MEDIUM) AlmaLinux OS 9 must use a separate file system for /var.
  • V-269305 (MEDIUM) AlmaLinux OS 9 must use a separate file system for /var/tmp.
  • V-269306 (MEDIUM) AlmaLinux OS 9 must disable virtual system calls.
  • V-269307 (MEDIUM) AlmaLinux OS 9 must use cron logging.
  • V-269308 (MEDIUM) AlmaLinux OS 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
  • V-269309 (MEDIUM) AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
  • V-269310 (MEDIUM) AlmaLinux OS 9 must prevent device files from being interpreted on file systems that contain user home directories.
  • V-269311 (MEDIUM) AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
  • V-269312 (MEDIUM) AlmaLinux OS 9 must mount /boot with the nodev option.
  • V-269313 (MEDIUM) AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
  • V-269314 (MEDIUM) AlmaLinux OS 9 must mount /dev/shm with the nodev option.
  • V-269315 (MEDIUM) AlmaLinux OS 9 must mount /dev/shm with the noexec option.
  • V-269316 (MEDIUM) AlmaLinux OS 9 must mount /dev/shm with the nosuid option.
  • V-269317 (MEDIUM) AlmaLinux OS 9 must mount /tmp with the nodev option.
  • V-269318 (MEDIUM) AlmaLinux OS 9 must mount /tmp with the noexec option.
  • V-269319 (MEDIUM) AlmaLinux OS 9 must mount /tmp with the nosuid option.
  • V-269320 (MEDIUM) AlmaLinux OS 9 must mount /var/log/audit with the nodev option.
  • V-269321 (MEDIUM) AlmaLinux OS 9 must mount /var/log/audit with the noexec option.
  • V-269322 (MEDIUM) AlmaLinux OS 9 must mount /var/log/audit with the nosuid option.
  • V-269323 (MEDIUM) AlmaLinux OS 9 must mount /var/log with the nodev option.
  • V-269324 (MEDIUM) AlmaLinux OS 9 must mount /var/log with the noexec option.
  • V-269325 (MEDIUM) AlmaLinux OS 9 must mount /var/log with the nosuid option.
  • V-269326 (MEDIUM) AlmaLinux OS 9 must mount /var with the nodev option.
  • V-269327 (MEDIUM) AlmaLinux OS 9 must mount /var/tmp with the nodev option.
  • V-269328 (MEDIUM) AlmaLinux OS 9 must mount /var/tmp with the noexec option.
  • V-269329 (MEDIUM) AlmaLinux OS 9 must mount /var/tmp with the nosuid option.
  • V-269330 (MEDIUM) AlmaLinux OS 9 fapolicy module must be enabled.
  • V-269331 (MEDIUM) AlmaLinux OS 9 fapolicy module must be installed.
  • V-269332 (MEDIUM) AlmaLinux OS 9 must disable remote management of the chrony daemon.
  • V-269333 (MEDIUM) AlmaLinux OS 9 must prevent the chrony daemon from acting as a server.
  • V-269334 (MEDIUM) AlmaLinux OS 9 must not have the iprutils package installed.
  • V-269335 (MEDIUM) AlmaLinux OS 9 must not have the quagga package installed.
  • V-269336 (MEDIUM) AlmaLinux OS 9 must not have the sendmail package installed.
  • V-269338 (MEDIUM) AlmaLinux OS 9 must not have a Trivial File Transfer Protocol (TFTP) client package installed.
  • V-269339 (MEDIUM) AlmaLinux OS 9 must not have the cups package installed.
  • V-269340 (MEDIUM) AlmaLinux OS 9 must not have the gssproxy package installed.
  • V-269341 (MEDIUM) AlmaLinux OS 9 must disable the Asynchronous Transfer Mode (ATM) kernel module.
  • V-269342 (MEDIUM) AlmaLinux OS 9 must be configured to disable Bluetooth.
  • V-269343 (MEDIUM) AlmaLinux OS 9 must disable the Controller Area Network (CAN) kernel module.
  • V-269344 (MEDIUM) AlmaLinux OS 9 must disable mounting of cramfs.
  • V-269345 (MEDIUM) AlmaLinux OS 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
  • V-269346 (MEDIUM) AlmaLinux OS 9 must disable mounting of squashfs.
  • V-269347 (MEDIUM) AlmaLinux OS 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
  • V-269348 (MEDIUM) AlmaLinux OS 9 must disable mounting of udf.
  • V-269349 (MEDIUM) Cameras must be disabled or covered when not in use.
  • V-269350 (MEDIUM) AlmaLinux OS 9 must not have the nfs-utils package installed.
  • V-269351 (MEDIUM) AlmaLinux OS 9 must not have the rsh package installed.
  • V-269352 (MEDIUM) AlmaLinux OS 9 must not install packages from the Extra Packages for Enterprise Linux (EPEL) repository.
  • V-269353 (MEDIUM) AlmaLinux OS 9 must not have the tuned package installed.
  • V-269354 (MEDIUM) A graphical display manager must not be installed on AlmaLinux OS 9 unless approved.
  • V-269355 (MEDIUM) AlmaLinux OS 9 must not have the ypserv package installed.
  • V-269356 (MEDIUM) AlmaLinux OS 9 must not have the avahi package installed.
  • V-269357 (MEDIUM) AlmaLinux OS 9 must be configured to disable USB mass storage.
  • V-269358 (MEDIUM) AlmaLinux OS 9 must have the firewalld package installed.
  • V-269359 (MEDIUM) AlmaLinux OS 9 must require users to provide authentication for privilege escalation.
  • V-269360 (MEDIUM) AlmaLinux OS 9 must require users to provide a password for privilege escalation.
  • V-269361 (MEDIUM) AlmaLinux OS 9 must not be configured to bypass password requirements for privilege escalation.
  • V-269362 (MEDIUM) AlmaLinux OS 9 must require reauthentication when using the "sudo" command.
  • V-269363 (MEDIUM) AlmaLinux OS 9 must restrict the use of the "su" command.
  • V-269364 (MEDIUM) Groups must have unique Group IDs (GIDs).
  • V-269365 (MEDIUM) Duplicate User IDs (UIDs) must not exist for interactive users.
  • V-269366 (MEDIUM) All AlmaLinux OS 9 interactive users must have a primary group that exists.
  • V-269367 (MEDIUM) AlmaLinux OS 9 SSHD must accept public key authentication.
  • V-269368 (MEDIUM) AlmaLinux OS 9 must have the opensc package installed.
  • V-269369 (MEDIUM) The pcscd socket on AlmaLinux OS 9 must be active.
  • V-269370 (MEDIUM) AlmaLinux OS 9 must have the pcsc-lite package installed.
  • V-269371 (MEDIUM) AlmaLinux OS 9 must implement certificate status checking for multifactor authentication.
  • V-269372 (MEDIUM) AlmaLinux OS 9 must enable certificate based smart card authentication.
  • V-269373 (MEDIUM) AlmaLinux OS 9 must have the openssl-pkcs11 package installed.
  • V-269374 (MEDIUM) AlmaLinux OS 9 SSHD must not allow blank passwords.
  • V-269375 (MEDIUM) AlmaLinux OS 9 must use the CAC smart card driver.
  • V-269376 (MEDIUM) AlmaLinux OS 9 must not permit direct logons to the root account using remote access via SSH.
  • V-269377 (MEDIUM) AlmaLinux OS 9 must disable the graphical user interface automount function unless required.
  • V-269378 (MEDIUM) AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface automount function.
  • V-269379 (MEDIUM) AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.
  • V-269380 (MEDIUM) AlmaLinux OS 9 must have the USBGuard package installed.
  • V-269381 (MEDIUM) AlmaLinux OS 9 must have the USBGuard package enabled.
  • V-269382 (MEDIUM) AlmaLinux OS 9 must block unauthorized peripherals before establishing a connection.
  • V-269383 (MEDIUM) AlmaLinux OS 9 must not have the autofs package installed.
  • V-269384 (MEDIUM) AlmaLinux OS 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
  • V-269385 (MEDIUM) AlmaLinux OS 9 must enforce password complexity by requiring that at least one lowercase character be used.
  • V-269386 (MEDIUM) AlmaLinux OS 9 must ensure the password complexity module is enabled in the password-auth file.
  • V-269387 (MEDIUM) AlmaLinux OS 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.
  • V-269388 (MEDIUM) AlmaLinux OS 9 must enforce password complexity rules for the root account.
  • V-269389 (MEDIUM) AlmaLinux OS 9 must enforce password complexity by requiring that at least one uppercase character be used.
  • V-269390 (MEDIUM) AlmaLinux OS 9 must enforce password complexity by requiring that at least one special character be used.
  • V-269392 (MEDIUM) AlmaLinux OS 9 passwords must be created with a minimum of 15 characters.
  • V-269393 (MEDIUM) AlmaLinux OS 9 must enforce password complexity by requiring that at least one numeric character be used.
  • V-269394 (MEDIUM) AlmaLinux OS 9 must require the change of at least four character classes when passwords are changed.
  • V-269395 (MEDIUM) AlmaLinux OS 9 must require the maximum number of repeating characters be limited to three when passwords are changed.
  • V-269396 (MEDIUM) AlmaLinux OS 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
  • V-269397 (MEDIUM) AlmaLinux OS 9 must require the change of at least eight characters when passwords are changed.
  • V-269398 (HIGH) AlmaLinux OS 9 PAM must be configured to use a sufficient number of password hashing rounds.
  • V-269399 (HIGH) AlmaLinux OS 9 must be configured so that libuser is configured to store only encrypted representations of passwords.
  • V-269400 (HIGH) AlmaLinux OS 9 must be configured so that the system's shadow file is configured to store only encrypted representations of passwords.
  • V-269401 (HIGH) AlmaLinux OS 9 must be configured so that the Pluggable Authentication Module is configured to store only encrypted representations of passwords.
  • V-269402 (HIGH) AlmaLinux OS 9 must be configured so that interactive user account passwords are using strong password hashes.
  • V-269403 (HIGH) AlmaLinux OS 9 must not have any File Transfer Protocol (FTP) packages installed.
  • V-269404 (HIGH) AlmaLinux OS 9 must not have any telnet packages installed.
  • V-269405 (MEDIUM) Passwords for existing users must have a 60-day maximum password lifetime restriction in /etc/shadow.
  • V-269406 (MEDIUM) Passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs.
  • V-269407 (MEDIUM) Passwords for existing users must have a 24-hour minimum password lifetime restriction in /etc/shadow.
  • V-269408 (MEDIUM) Passwords for new users or password changes must have a 24-hour minimum password lifetime restriction in /etc/login.defs.
  • V-269409 (MEDIUM) AlmaLinux OS 9 must prohibit the use of cached authenticators after one day.
  • V-269410 (MEDIUM) For PKI-based authentication, AlmaLinux OS 9 must enforce authorized access to the corresponding private key.
  • V-269411 (MEDIUM) AlmaLinux OS 9 must map the authenticated identity to the user or group account for PKI-based authentication.
  • V-269412 (MEDIUM) AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
  • V-269415 (MEDIUM) The libreswan package must be installed.
  • V-269416 (MEDIUM) AlmaLinux OS 9 must have the packages required for encrypting offloaded audit logs installed.
  • V-269419 (MEDIUM) AlmaLinux OS 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
  • V-269420 (HIGH) AlmaLinux OS 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
  • V-269421 (MEDIUM) AlmaLinux OS 9 must terminate idle user sessions.
  • V-269422 (MEDIUM) AlmaLinux OS 9 must disable access to network bpf system call from nonprivileged processes.
  • V-269423 (MEDIUM) AlmaLinux OS 9 must restrict exposed kernel pointer addresses access.
  • V-269424 (MEDIUM) AlmaLinux OS 9 must restrict usage of ptrace to descendant processes.
  • V-269425 (MEDIUM) AlmaLinux OS 9 must restrict access to the kernel message buffer.
  • V-269426 (MEDIUM) AlmaLinux OS 9 must prevent kernel profiling by nonprivileged users.
  • V-269427 (MEDIUM) AlmaLinux OS 9 must only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.
  • V-269428 (MEDIUM) AlmaLinux OS 9 systemd-journald service must be enabled.
  • V-269429 (HIGH) AlmaLinux OS 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
  • V-269430 (MEDIUM) AlmaLinux OS 9 must use a Linux Security Module configured to enforce limits on system services.
  • V-269431 (MEDIUM) AlmaLinux OS 9 must have the policycoreutils package installed.
  • V-269432 (MEDIUM) Any AlmaLinux OS 9 world-writable directories must be owned by root, sys, bin, or an application user.
  • V-269433 (MEDIUM) A sticky bit must be set on all AlmaLinux OS 9 public directories.
  • V-269434 (MEDIUM) AlmaLinux OS 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.
  • V-269435 (MEDIUM) AlmaLinux OS 9 must be configured to use TCP syncookies.
  • V-269436 (HIGH) All AlmaLinux OS 9 networked systems must have the OpenSSH client installed.
  • V-269437 (MEDIUM) All AlmaLinux OS 9 networked systems must implement SSH to protect the confidentiality and integrity of transmitted and received information, including information being prepared for transmission.
  • V-269438 (MEDIUM) All AlmaLinux OS 9 networked systems must have the OpenSSH server installed.
  • V-269439 (MEDIUM) AlmaLinux OS 9 must not allow users to override SSH environment variables.
  • V-269441 (MEDIUM) AlmaLinux OS 9 wireless network adapters must be disabled.
  • V-269442 (MEDIUM) AlmaLinux OS 9 must not show boot up messages.
  • V-269443 (MEDIUM) AlmaLinux OS 9 /var/log directory must be group-owned by root.
  • V-269444 (MEDIUM) AlmaLinux OS 9 /var/log/messages file must be group-owned by root.
  • V-269445 (MEDIUM) AlmaLinux OS 9 /var/log/messages file must be owned by root.
  • V-269446 (MEDIUM) AlmaLinux OS 9 /var/log/messages file must have mode 0640 or less permissive.
  • V-269447 (MEDIUM) AlmaLinux OS 9 /var/log directory must be owned by root.
  • V-269448 (MEDIUM) AlmaLinux OS 9 /var/log directory must have mode 0755 or less permissive.
  • V-269449 (MEDIUM) AlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
  • V-269450 (MEDIUM) AlmaLinux OS 9 must enable mitigations against processor-based vulnerabilities.
  • V-269451 (MEDIUM) AlmaLinux OS 9 must clear memory when it is freed to prevent use-after-free attacks.
  • V-269452 (MEDIUM) AlmaLinux OS 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
  • V-269453 (MEDIUM) AlmaLinux OS 9 must remove all software components after updated versions have been installed.
  • V-269454 (HIGH) AlmaLinux OS 9 must be a supported release.
  • V-269455 (MEDIUM) AlmaLinux OS 9 must enable the SELinux targeted policy.
  • V-269456 (MEDIUM) AlmaLinux OS 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed.
  • V-269457 (MEDIUM) AlmaLinux OS 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.
  • V-269458 (MEDIUM) AlmaLinux OS 9 audit system must audit local events.
  • V-269459 (MEDIUM) AlmaLinux OS 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access.
  • V-269460 (MEDIUM) AlmaLinux OS 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-269461 (MEDIUM) Successful/unsuccessful uses of the init command in AlmaLinux OS 9 must generate an audit record.
  • V-269462 (MEDIUM) AlmaLinux OS 9 must generate audit records for any use of the "poweroff" command.
  • V-269463 (MEDIUM) AlmaLinux OS 9 must generate audit records for any use of the "reboot" command.
  • V-269464 (MEDIUM) AlmaLinux must generate audit records for any use of the "shutdown" command.
  • V-269465 (MEDIUM) AlmaLinux OS 9 must enable Linux audit logging for the USBGuard daemon.
  • V-269466 (MEDIUM) AlmaLinux OS 9 must audit all uses of the delete_module, init_module and finit_module system calls.
  • V-269467 (MEDIUM) AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.
  • V-269468 (MEDIUM) AlmaLinux OS 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.
  • V-269469 (MEDIUM) The audit package must be installed on AlmaLinux OS 9.
  • V-269470 (MEDIUM) AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination
events that affect /var/log/lastlog.V-269471MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "mount" command.V-269472MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "umount" command.V-269473MEDIUMSuccessful/unsuccessful uses of the umount2 system call in AlmaLinux OS 9 must generate an audit record.V-269474MEDIUMAlmaLinux OS 9 must enable auditing of processes that start prior to the audit daemon.V-269475MEDIUMAlmaLinux OS 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.V-269476MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "chacl" command.V-269477MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "chage" command.V-269478MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "chcon" command.V-269479MEDIUMAlmaLinux OS 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.V-269480MEDIUMAlmaLinux OS 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.V-269481MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "chsh" command.V-269482MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "crontab" command.V-269483MEDIUMAlmaLinux OS 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.V-269484MEDIUMAlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.V-269485MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "gpasswd" command.V-269486MEDIUMAlmaLinux OS 9 must audit all uses of the kmod command.V-269487MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "newgrp" command.V-269488MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "passwd" command.V-269489MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "postdrop" command.V-269490MEDIUMAlmaLinux OS 9 must generate 
audit records for any use of the "postqueue" command.V-269491MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "su" command.V-269492MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "sudo" command.V-269493MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "semanage" command.V-269494MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "setfacl" command.V-269495MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "setfiles" command.V-269496MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "setsebool" command.V-269497MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "ssh-agent" command.V-269498MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "ssh-keysign" command.V-269499MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "sudoedit" command.V-269500MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "pam_timestamp_check" command.V-269501MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "unix_chkpwd" command.V-269502MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "unix_update" command.V-269503MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "userhelper" command.V-269504MEDIUMAlmaLinux OS 9 must generate audit records for any use of the "usermod" command.V-269505MEDIUMAlmaLinux OS 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.V-269506LOWAlmaLinux OS 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.V-269507LOWAlmaLinux OS 9 must use a separate file system for the system audit data path.V-269508MEDIUMAlmaLinux OS 9 must allocate audit record storage capacity to store at least one week's worth of audit records.V-269509MEDIUMAlmaLinux OS 9 audispd-plugins package must be installed.V-269510MEDIUMAlmaLinux OS 9 must 
label all offloaded audit logs before sending them to the central log server.V-269511MEDIUMAlmaLinux OS 9 must take appropriate action when the internal event queue is full.V-269512MEDIUMAlmaLinux OS 9 must be configured to offload audit records onto a different system from the system being audited via syslog.V-269513MEDIUMAlmaLinux OS 9 must authenticate the remote logging server for offloading audit logs via rsyslog.V-269514MEDIUMAlmaLinux OS 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.V-269515MEDIUMAlmaLinux OS 9 must encrypt, via the gtls driver, the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.V-269516MEDIUMAlmaLinux OS 9 must have the rsyslog package installed.V-269517LOWAlmaLinux OS 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.V-269518MEDIUMThe rsyslog service on AlmaLinux OS 9 must be active.V-269519MEDIUMAlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.V-269520MEDIUMAlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.V-269521MEDIUMAlmaLinux OS 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.V-269522MEDIUMAlmaLinux OS 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent usage.V-269523MEDIUMAlmaLinux OS 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.V-269524MEDIUMAlmaLinux OS 9 must have mail aliases to notify the information system security officer 
(ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.V-269525MEDIUMAlmaLinux OS 9 audit system must take appropriate action when an error writing to the audit storage volume occurs.V-269526MEDIUMAlmaLinux OS 9 audit system must take appropriate action when the audit storage volume is full.V-269527MEDIUMAlmaLinux OS 9 must take appropriate action when a critical audit processing failure occurs.V-269528MEDIUMAlmaLinux OS 9 audit system must make full use of the audit storage space.V-269529MEDIUMAlmaLinux OS 9 audit system must take appropriate action when the audit files have reached maximum size.V-269530MEDIUMAlmaLinux OS 9 audit system must retain an optimal number of audit records.V-269531MEDIUMAlmaLinux OS 9 must periodically flush audit records to disk to prevent the loss of audit records.V-269532MEDIUMThe auditd service must be enabled on AlmaLinux OS 9.V-269533MEDIUMThe chronyd service must be enabled.V-269534MEDIUMAlmaLinux OS 9 must have the chrony package installed.V-269535MEDIUMAlmaLinux OS 9 must securely compare internal information system clocks at least every 24 hours.V-269536MEDIUMAlmaLinux OS 9 audit log directory must be owned by root to prevent unauthorized read access.V-269537MEDIUMAlmaLinux OS 9 audit log directory must have 0700 permissions to prevent unauthorized read access.V-269538MEDIUMAlmaLinux OS 9 audit logs must be owned by the root group to prevent unauthorized read access.V-269539MEDIUMAlmaLinux OS 9 audit logs must be owned by root to prevent unauthorized read access.V-269540MEDIUMAlmaLinux OS 9 audit logs must have 0600 permissions to prevent unauthorized read access.V-269541MEDIUMAlmaLinux OS 9 audit tools must be group-owned by root.V-269542MEDIUMAlmaLinux OS 9 audit tools must be owned by root.V-269543MEDIUMAlmaLinux OS 9 audit tools must have a mode of 0755 or less permissive.V-269544MEDIUMAlmaLinux OS 9 audit system must protect logon UIDs from unauthorized 
change.V-269545MEDIUMAlmaLinux OS 9 must use cryptographic mechanisms to protect the integrity of audit tools.V-269546MEDIUMAlmaLinux OS 9 audit system must protect auditing rules from unauthorized change.V-272485MEDIUMAlmaLinux OS 9 must have the postfix package installed.V-274874MEDIUMAlmaLinux OS 9 must audit any script or executable called by cron as root or by any privileged user.V-283453HIGHAlmaLinux 9 cryptographic policy must not be overridden.V-283454HIGHAlmaLinux OS 9 must have the crypto-policies package installed.V-283455HIGHAlmaLinux OS 9 must implement a FIPS 140-3-compliant systemwide cryptographic policy.V-283456HIGHAlmaLinux OS 9 must implement DOD-approved encryption in the bind package.V-283675HIGHAlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH connections.V-283676HIGHAlmaLinux OS 9 must implement DOD-approved encryption in the OpenSSL package.