DISA CloudLinux AlmaLinux OS 9 STIG v1r1

Audit Details

Name: DISA CloudLinux AlmaLinux OS 9 STIG v1r1

Updated: 3/25/2025

Authority: DISA STIG

Plugin: Unix

Revision: 1.0

Estimated Item Count: 446

File Details

Filename: DISA_STIG_CloudLinux_AlmaLinux_OS_9_v1r1.audit

Size: 1.04 MB

MD5: b4d04911f7fbc41a2390fab71f2da8e8
SHA256: 7a73be71debe01b8d4d26fa66ec6320b16a5d4d150b1e72a391b8f4dbcbd2cc9

Audit Items

Description / Categories
ALMA-09-001010 - AlmaLinux OS 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.

ACCESS CONTROL

ALMA-09-001120 - AlmaLinux OS 9 must automatically lock graphical user sessions after 15 minutes of inactivity.

ACCESS CONTROL

ALMA-09-001230 - AlmaLinux OS 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

ACCESS CONTROL

ALMA-09-001340 - AlmaLinux OS 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.

ACCESS CONTROL

ALMA-09-001450 - AlmaLinux OS 9 must initiate a session lock for graphical user interfaces when the screensaver is activated.

ACCESS CONTROL

ALMA-09-001560 - AlmaLinux OS 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.

ACCESS CONTROL

ALMA-09-001890 - AlmaLinux OS 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

ALMA-09-002000 - AlmaLinux OS 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed.

ACCESS CONTROL

ALMA-09-002110 - AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.

ACCESS CONTROL

ALMA-09-002770 - AlmaLinux OS 9 must log SSH connection attempts and failures to the server.

ACCESS CONTROL

ALMA-09-002880 - All AlmaLinux OS 9 remote access methods must be monitored.

ACCESS CONTROL

ALMA-09-002990 - AlmaLinux OS 9 SSH client must be configured to use only encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.

ACCESS CONTROL

ALMA-09-003100 - AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.

ACCESS CONTROL

ALMA-09-003210 - AlmaLinux OS 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

ACCESS CONTROL

ALMA-09-003320 - AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections.

ACCESS CONTROL

ALMA-09-003325 - AlmaLinux OS 9 SSH server must be configured to use only FIPS 140-3 validated key exchange algorithms.

ACCESS CONTROL

ALMA-09-003430 - AlmaLinux OS 9 must implement DOD-approved systemwide cryptographic policies to protect the confidentiality of SSH server connections.

ACCESS CONTROL

ALMA-09-003540 - AlmaLinux OS 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

ACCESS CONTROL

ALMA-09-003650 - AlmaLinux OS 9 must force a frequent session key renegotiation for SSH connections to the server.

ACCESS CONTROL

ALMA-09-003760 - AlmaLinux OS 9 must implement DOD-approved TLS encryption in the GnuTLS package.

ACCESS CONTROL

ALMA-09-003870 - AlmaLinux OS 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms.

ACCESS CONTROL

ALMA-09-003980 - AlmaLinux OS 9 must implement DOD-approved encryption in the OpenSSL package.

ACCESS CONTROL

ALMA-09-004090 - AlmaLinux OS 9 must implement DOD-approved TLS encryption in the OpenSSL package.

ACCESS CONTROL

ALMA-09-004310 - AlmaLinux OS 9 must use the TuxCare FIPS repository.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

ALMA-09-004320 - AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

ALMA-09-004420 - AlmaLinux OS 9 must enable FIPS mode.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

ALMA-09-004750 - AlmaLinux OS 9 must automatically expire temporary accounts within 72 hours.

ACCESS CONTROL

ALMA-09-004970 - AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MAINTENANCE

ALMA-09-005080 - AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MAINTENANCE

ALMA-09-005190 - AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MAINTENANCE

ALMA-09-005300 - AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MAINTENANCE

ALMA-09-005410 - AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MAINTENANCE

ALMA-09-005960 - AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MAINTENANCE

ALMA-09-006070 - AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MAINTENANCE

ALMA-09-006180 - AlmaLinux OS 9 must require authentication to access emergency mode.

ACCESS CONTROL

ALMA-09-006290 - AlmaLinux OS 9 must require a boot loader password.

ACCESS CONTROL

ALMA-09-006400 - AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes.

ACCESS CONTROL

ALMA-09-006510 - AlmaLinux OS 9 must require authentication to access single-user mode.

ACCESS CONTROL

ALMA-09-006620 - The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled.

ACCESS CONTROL

ALMA-09-006730 - The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9.

ACCESS CONTROL

ALMA-09-006840 - AlmaLinux OS 9 must have the sudo package installed.

ACCESS CONTROL

ALMA-09-006950 - The AlmaLinux OS 9 debug-shell systemd service must be disabled.

ACCESS CONTROL

ALMA-09-007060 - AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks.

ACCESS CONTROL

ALMA-09-007170 - AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.

ACCESS CONTROL

ALMA-09-007280 - AlmaLinux OS 9 must audit uses of the "execve" system call.

ACCESS CONTROL

ALMA-09-007500 - AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur.

ACCESS CONTROL

ALMA-09-007610 - AlmaLinux OS 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

ACCESS CONTROL

ALMA-09-007720 - AlmaLinux OS 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

ACCESS CONTROL

ALMA-09-007830 - AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.

ACCESS CONTROL

ALMA-09-007940 - AlmaLinux OS 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.

ACCESS CONTROL