diff --git a/CMakeLists.txt b/CMakeLists.txt
index aca3f1c8967..699194b97b3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -87,6 +87,7 @@ option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be bui
# project. Note that the example product is always disabled unless explicitly asked for.
option(SSG_PRODUCT_ALINUX2 "If enabled, the Alibaba Cloud Linux 2 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_ALINUX3 "If enabled, the Alibaba Cloud Linux 3 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_ALMALINUX9 "If enabled, the AlmaLinux OS 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_ANOLIS23 "If enabled, the Anolis OS 23 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -318,6 +319,7 @@ message(STATUS " ")
message(STATUS "Products:")
message(STATUS "Alibaba Cloud Linux 2: ${SSG_PRODUCT_ALINUX2}")
message(STATUS "Alibaba Cloud Linux 3: ${SSG_PRODUCT_ALINUX3}")
+message(STATUS "AlmaLinux OS 9: ${SSG_PRODUCT_ALMALINUX9}")
message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}")
message(STATUS "Anolis OS 23: ${SSG_PRODUCT_ANOLIS23}")
message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}")
@@ -384,6 +386,9 @@ endif()
if(SSG_PRODUCT_ALINUX3)
add_subdirectory("products/alinux3" "alinux3")
endif()
+if(SSG_PRODUCT_ALMALINUX9)
+ add_subdirectory("products/almalinux9" "almalinux9")
+endif()
if(SSG_PRODUCT_ANOLIS8)
add_subdirectory("products/anolis8" "anolis8")
endif()
diff --git a/build-scripts/verify_references.py b/build-scripts/verify_references.py
index 8d03a795f2e..5ab6c9cbb09 100755
--- a/build-scripts/verify_references.py
+++ b/build-scripts/verify_references.py
@@ -137,7 +137,8 @@ def is_remote_feed(href):
href.startswith("security-oval-com.oracle") or \
href.startswith("oval-com.ubuntu") or \
href.startswith("pub-projects-security-oval-suse") or \
- href.startswith('security-oval-oval-definitions-bookworm')
+ href.startswith('security-oval-oval-definitions-bookworm') or \
+ href.startswith("oval-org.almalinux")
def main():
diff --git a/build_product b/build_product
index d7d7092bae9..89d967124f3 100755
--- a/build_product
+++ b/build_product
@@ -359,6 +359,7 @@ all_cmake_products=(
AL2023
ALINUX2
ALINUX3
+ ALMALINUX9
ANOLIS8
ANOLIS23
CHROMIUM
diff --git a/components/rpm.yml b/components/rpm.yml
index f32f248ad7c..1523ae90b77 100644
--- a/components/rpm.yml
+++ b/components/rpm.yml
@@ -19,6 +19,7 @@ rules:
- ensure_redhat_gpgkey_installed
- ensure_amazon_gpgkey_installed
- ensure_suse_gpgkey_installed
+- ensure_almalinux_gpgkey_installed
- package_dnf-automatic_installed
- package_gnome_software_installed
- rpm_verify_hashes
diff --git a/controls/cis_almalinux9.yml b/controls/cis_almalinux9.yml
new file mode 100644
index 00000000000..4591f52c60b
--- /dev/null
+++ b/controls/cis_almalinux9.yml
@@ -0,0 +1,3076 @@
+---
+policy: 'CIS Benchmark for AlmaLinux OS 9'
+title: 'CIS Benchmark for AlmaLinux OS 9'
+id: cis_almalinux9
+version: '2.0.0'
+source: https://www.cisecurity.org/benchmark/almalinuxos_linux/
+levels:
+ - id: l1_server
+ - id: l2_server
+ inherits_from:
+ - l1_server
+ - id: l1_workstation
+ - id: l2_workstation
+ inherits_from:
+ - l1_workstation
+reference_type: cis
+product: almalinux9
+
+controls:
+ - id: reload_dconf_db
+ title: Reload Dconf database
+ levels:
+ - l1_server
+ - l1_workstation
+ notes: <-
+ This is a helper rule to reload Dconf database correctly.
+ status: automated
+ rules:
+ - dconf_db_up_to_date
+
+ - id: enable_authselect
+ title: Enable Authselect
+ levels:
+ - l1_server
+ - l1_workstation
+ notes: <-
+ We need this in all CIS versions, but the policy doesn't have any section where this would fit better.
+ status: automated
+ rules:
+ - var_authselect_profile=sssd
+ - enable_authselect
+
+ - id: 1.1.1.1
+ title: Ensure cramfs kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - kernel_module_cramfs_disabled
+
+ - id: 1.1.1.2
+ title: Ensure freevxfs kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - kernel_module_freevxfs_disabled
+
+ - id: 1.1.1.3
+ title: Ensure hfs kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - kernel_module_hfs_disabled
+
+ - id: 1.1.1.4
+ title: Ensure hfsplus kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - kernel_module_hfsplus_disabled
+
+ - id: 1.1.1.5
+ title: Ensure jffs2 kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - kernel_module_jffs2_disabled
+
+ - id: 1.1.1.6
+ title: Ensure squashfs kernel module is not available (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - kernel_module_squashfs_disabled
+
+ - id: 1.1.1.7
+ title: Ensure udf kernel module is not available (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - kernel_module_udf_disabled
+
+ - id: 1.1.1.8
+ title: Ensure usb-storage kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ status: automated
+ rules:
+ - kernel_module_usb-storage_disabled
+
+ - id: 1.1.1.9
+ title: Ensure unused filesystems kernel modules are not available (Manual)
+ levels:
+ - l1_server
+ - l2_workstation
+ status: manual
+
+ - id: 1.1.2.1.1
+ title: Ensure /tmp is a separate partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - partition_for_tmp
+
+ - id: 1.1.2.1.2
+ title: Ensure nodev option set on /tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_tmp_nodev
+
+ - id: 1.1.2.1.3
+ title: Ensure nosuid option set on /tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_tmp_nosuid
+
+ - id: 1.1.2.1.4
+ title: Ensure noexec option set on /tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_tmp_noexec
+
+ - id: 1.1.2.2.1
+ title: Ensure /dev/shm is a separate partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - partition_for_dev_shm
+
+ - id: 1.1.2.2.2
+ title: Ensure nodev option set on /dev/shm partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_dev_shm_nodev
+
+ - id: 1.1.2.2.3
+ title: Ensure nosuid option set on /dev/shm partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_dev_shm_nosuid
+
+ - id: 1.1.2.2.4
+ title: Ensure noexec option set on /dev/shm partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_dev_shm_noexec
+
+ - id: 1.1.2.3.1
+ title: Ensure separate partition exists for /home (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - partition_for_home
+
+ - id: 1.1.2.3.2
+ title: Ensure nodev option set on /home partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_home_nodev
+
+ - id: 1.1.2.3.3
+ title: Ensure nosuid option set on /home partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_home_nosuid
+
+ - id: 1.1.2.4.1
+ title: Ensure separate partition exists for /var (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - partition_for_var
+
+ - id: 1.1.2.4.2
+ title: Ensure nodev option set on /var partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_nodev
+
+ - id: 1.1.2.4.3
+ title: Ensure nosuid option set on /var partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_nosuid
+
+ - id: 1.1.2.5.1
+ title: Ensure separate partition exists for /var/tmp (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - partition_for_var_tmp
+
+ - id: 1.1.2.5.2
+ title: Ensure nodev option set on /var/tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_tmp_nodev
+
+ - id: 1.1.2.5.3
+ title: Ensure nosuid option set on /var/tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_tmp_nosuid
+
+ - id: 1.1.2.5.4
+ title: Ensure noexec option set on /var/tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_tmp_noexec
+
+ - id: 1.1.2.6.1
+ title: Ensure separate partition exists for /var/log (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - partition_for_var_log
+
+ - id: 1.1.2.6.2
+ title: Ensure nodev option set on /var/log partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_log_nodev
+
+ - id: 1.1.2.6.3
+ title: Ensure nosuid option set on /var/log partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_log_nosuid
+
+ - id: 1.1.2.6.4
+ title: Ensure noexec option set on /var/log partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_log_noexec
+
+ - id: 1.1.2.7.1
+ title: Ensure separate partition exists for /var/log/audit (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - partition_for_var_log_audit
+
+ - id: 1.1.2.7.2
+ title: Ensure nodev option set on /var/log/audit partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_log_audit_nodev
+
+ - id: 1.1.2.7.3
+ title: Ensure nosuid option set on /var/log/audit partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_log_audit_nosuid
+
+ - id: 1.1.2.7.4
+ title: Ensure noexec option set on /var/log/audit partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - mount_option_var_log_audit_noexec
+
+ - id: 1.2.1.1
+ title: Ensure GPG keys are configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+ related_rules:
+ - ensure_redhat_gpgkey_installed
+
+ - id: 1.2.1.2
+ title: Ensure gpgcheck is globally activated (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - ensure_gpgcheck_globally_activated
+
+ - id: 1.2.1.3
+ title: Ensure repo_gpgcheck is globally activated (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: manual
+
+ - id: 1.2.1.4
+ title: Ensure package manager repositories are configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 1.2.2.1
+ title: Ensure updates, patches, and additional security software are installed (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+ related_rules:
+ - security_patches_up_to_date
+
+ - id: 1.3.1.1
+ title: Ensure SELinux is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_libselinux_installed
+
+ - id: 1.3.1.2
+ title: Ensure SELinux is not disabled in bootloader configuration (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - grub2_enable_selinux
+
+ - id: 1.3.1.3
+ title: Ensure SELinux policy is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ - id: 1.3.1.4
+ title: Ensure the SELinux mode is not disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - selinux_not_disabled
+
+ - id: 1.3.1.5
+ title: Ensure the SELinux mode is enforcing (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - var_selinux_state=enforcing
+ - selinux_state
+
+ - id: 1.3.1.6
+ title: Ensure no unconfined services exist (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: manual
+ related_rules:
+ - selinux_confinement_of_daemons
+
+ - id: 1.3.1.7
+ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_mcstrans_removed
+
+ - id: 1.3.1.8
+ title: Ensure SETroubleshoot is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_setroubleshoot_removed
+
+ - id: 1.4.1
+ title: Ensure bootloader password is set (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - grub2_password
+ related_rules:
+ - grub2_uefi_password
+
+ - id: 1.4.2
+ title: Ensure access to bootloader config is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ rules:
+ - file_groupowner_grub2_cfg
+ - file_owner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - file_groupowner_user_cfg
+ - file_owner_user_cfg
+ - file_permissions_user_cfg
+ related_rules:
+ - file_groupowner_efi_grub2_cfg
+ - file_owner_efi_grub2_cfg
+ - file_permissions_efi_grub2_cfg
+ - file_groupowner_efi_user_cfg
+ - file_owner_efi_user_cfg
+ - file_permissions_efi_user_cfg
+
+ - id: 1.5.1
+ title: Ensure address space layout randomization is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ Address Space Layout Randomization (ASLR)
+ rules:
+ - sysctl_kernel_randomize_va_space
+
+ - id: 1.5.2
+ title: Ensure ptrace_scope is restricted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_kernel_yama_ptrace_scope
+
+ - id: 1.5.3
+ title: Ensure core dump backtraces are disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - coredump_disable_backtraces
+
+ - id: 1.5.4
+ title: Ensure core dump storage is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - coredump_disable_storage
+
+ - id: 1.6.1
+ title: Ensure system wide crypto policy is not set to legacy (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - configure_crypto_policy
+ - var_system_crypto_policy=default_nosha1
+
+ - id: 1.6.2
+ title: Ensure system wide crypto policy is not set in sshd configuration (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - configure_ssh_crypto_policy
+
+ - id: 1.6.3
+ title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ This requirement is already satisfied by 1.6.1.
+ related_rules:
+ - configure_crypto_policy
+
+ - id: 1.6.4
+ title: Ensure system wide crypto policy disables macs less than 128 bits (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ It is necessary a new rule to ensure a module disabling weak MACs in
+ /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
+ related_rules:
+ - configure_crypto_policy
+
+ - id: 1.6.5
+ title: Ensure system wide crypto policy disables cbc for ssh (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ It is necessary a new rule to ensure a module disabling CBC in
+ /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
+ related_rules:
+ - configure_crypto_policy
+
+ - id: 1.6.6
+ title: Ensure system wide crypto policy disables chacha20-poly1305 for ssh (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+ notes: |-
+ User should manually ensure that CVE-2023-48795 is addressed.
+ This is not automated and it might be difficult to automate actually.
+ Therefore, keeping this control as manual.
+ - id: 1.6.7
+ title: Ensure system wide crypto policy disables EtM for ssh (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 1.7.1
+ title: Ensure message of the day is configured properly (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - banner_etc_motd_cis
+ - cis_banner_text=cis
+
+ - id: 1.7.2
+ title: Ensure local login warning banner is configured properly (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - banner_etc_issue_cis
+ - cis_banner_text=cis
+
+ - id: 1.7.3
+ title: Ensure remote login warning banner is configured properly (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - banner_etc_issue_net_cis
+ - cis_banner_text=cis
+
+ - id: 1.7.4
+ title: Ensure access to /etc/motd is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_motd
+ - file_owner_etc_motd
+ - file_permissions_etc_motd
+
+ - id: 1.7.5
+ title: Ensure access to /etc/issue is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_issue
+ - file_owner_etc_issue
+ - file_permissions_etc_issue
+
+ - id: 1.7.6
+ title: Ensure access to /etc/issue.net is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_issue_net
+ - file_owner_etc_issue_net
+ - file_permissions_etc_issue_net
+
+ - id: 1.8.1
+ title: Ensure GNOME Display Manager is removed (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - package_gdm_removed
+
+ - id: 1.8.2
+ title: Ensure GDM login banner is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - dconf_gnome_banner_enabled
+ - dconf_gnome_login_banner_text
+ - login_banner_text=cis_banners
+
+ - id: 1.8.3
+ title: Ensure GDM disable-user-list option is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - dconf_gnome_disable_user_list
+
+ - id: 1.8.4
+ title: Ensure GDM screen locks when the user is idle (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_lock_delay
+ - inactivity_timeout_value=15_minutes
+ - var_screensaver_lock_delay=5_seconds
+
+ - id: 1.8.5
+ title: Ensure GDM screen locks cannot be overridden (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - dconf_gnome_session_idle_user_locks
+ - dconf_gnome_screensaver_user_locks
+
+ - id: 1.8.6
+ title: Ensure GDM automatic mounting of removable media is disabled (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ status: automated
+ rules:
+ - dconf_gnome_disable_automount
+ - dconf_gnome_disable_automount_open
+
+ - id: 1.8.7
+ title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ status: automated
+ rules:
+ - dconf_gnome_disable_automount
+ - dconf_gnome_disable_automount_open
+
+ - id: 1.8.8
+ title: Ensure GDM autorun-never is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - dconf_gnome_disable_autorun
+
+ - id: 1.8.9
+ title: Ensure GDM autorun-never is not overridden (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - dconf_gnome_disable_autorun
+
+ - id: 1.8.10
+ title: Ensure XDMCP is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - gnome_gdm_disable_xdmcp
+
+ - id: 2.1.1
+ title: Ensure autofs services are not in use (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ status: automated
+ rules:
+ - service_autofs_disabled
+
+ - id: 2.1.2
+ title: Ensure avahi daemon services are not in use (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ status: automated
+ rules:
+ - service_avahi-daemon_disabled
+ related_rules:
+ - package_avahi_removed
+
+ - id: 2.1.3
+ title: Ensure dhcp server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_dhcp_removed
+ related_rules:
+ - service_dhcpd_disabled
+
+ - id: 2.1.4
+ title: Ensure dns server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_bind_removed
+ related_rules:
+ - service_named_disabled
+
+ - id: 2.1.5
+ title: Ensure dnsmasq services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_dnsmasq_removed
+
+ - id: 2.1.6
+ title: Ensure samba file server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_samba_removed
+ related_rules:
+ - service_smb_disabled
+
+ - id: 2.1.7
+ title: Ensure ftp server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_vsftpd_removed
+ related_rules:
+ - service_vsftpd_disabled
+
+ - id: 2.1.8
+ title: Ensure message access server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_dovecot_removed
+ - package_cyrus-imapd_removed
+ related_rules:
+ - service_dovecot_disabled
+ # new rule would be nice to disable cyrus-imapd service
+
+ - id: 2.1.9
+ title: Ensure network file system services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the
+ nfs-utils package.
+ rules:
+ - service_nfs_disabled
+ related_rules:
+ - package_nfs-utils_removed
+
+ - id: 2.1.10
+ title: Ensure nis server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_ypserv_removed
+ related_rules:
+ - service_ypserv_disabled
+
+ - id: 2.1.11
+ title: Ensure print server services are not in use (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - service_cups_disabled
+ related_rules:
+ - package_cups_removed
+
+ - id: 2.1.12
+ title: Ensure rpcbind services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils
+ package used for The Network File System (NFS), are dependent on the rpcbind package.
+ rules:
+ - service_rpcbind_disabled
+ related_rules:
+ - package_rpcbind_removed
+
+ - id: 2.1.13
+ title: Ensure rsync services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_rsync_removed
+ related_rules:
+ - service_rsyncd_disabled
+
+ - id: 2.1.14
+ title: Ensure snmp services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_net-snmp_removed
+ related_rules:
+ - service_snmpd_disabled
+
+ - id: 2.1.15
+ title: Ensure telnet server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_telnet-server_removed
+ related_rules:
+ - service_telnet_disabled
+
+ - id: 2.1.16
+ title: Ensure tftp server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_tftp-server_removed
+ related_rules:
+ - service_tftp_disabled
+
+ - id: 2.1.17
+ title: Ensure web proxy server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_squid_removed
+ related_rules:
+ - service_squid_disabled
+
+ - id: 2.1.18
+ title: Ensure web server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_httpd_removed
+ - package_nginx_removed
+ related_rules:
+ - service_httpd_disabled
+ # rule would be nice to disable nginx service
+
+ - id: 2.1.19
+ title: Ensure xinetd services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_xinetd_removed
+ related_rules:
+ - service_xinetd_disabled
+
+ - id: 2.1.20
+ title: Ensure X window server services are not in use (Automated)
+ levels:
+ - l2_server
+ status: automated
+ notes: |-
+ The rule also configures correct run level to prevent unbootable system.
+ rules:
+ - package_xorg-x11-server-common_removed
+ - xwindows_runlevel_target
+
+ - id: 2.1.21
+ title: Ensure mail transfer agents are configured for local-only mode (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+ notes: |-
+ The rule has_nonlocal_mta currently checks for services listening only on port 25,
+ but the policy checks also for ports 465 and 587
+ rules:
+ - postfix_network_listening_disabled
+ - var_postfix_inet_interfaces=loopback-only
+ - has_nonlocal_mta
+
+ - id: 2.1.22
+ title: Ensure only approved services are listening on a network interface (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 2.2.1
+ title: Ensure ftp client is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_ftp_removed
+
+ - id: 2.2.2
+ title: Ensure ldap client is not installed (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - package_openldap-clients_removed
+
+ - id: 2.2.3
+ title: Ensure nis client is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_ypbind_removed
+
+ - id: 2.2.4
+ title: Ensure telnet client is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_telnet_removed
+
+ - id: 2.2.5
+ title: Ensure tftp client is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_tftp_removed
+
+ - id: 2.3.1
+ title: Ensure time synchronization is in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_chrony_installed
+
+ - id: 2.3.2
+ title: Ensure chrony is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - chronyd_specify_remote_server
+ - var_multiple_time_servers=almalinux
+
+ - id: 2.3.3
+ title: Ensure chrony is not run as the root user (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - chronyd_run_as_chrony_user
+
+ - id: 2.4.1.1
+ title: Ensure cron daemon is enabled and active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_cron_installed
+ - service_crond_enabled
+
+ - id: 2.4.1.2
+ title: Ensure permissions on /etc/crontab are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_crontab
+ - file_owner_crontab
+ - file_permissions_crontab
+
+ - id: 2.4.1.3
+ title: Ensure permissions on /etc/cron.hourly are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_cron_hourly
+ - file_owner_cron_hourly
+ - file_permissions_cron_hourly
+
+ - id: 2.4.1.4
+ title: Ensure permissions on /etc/cron.daily are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_cron_daily
+ - file_owner_cron_daily
+ - file_permissions_cron_daily
+
+ - id: 2.4.1.5
+ title: Ensure permissions on /etc/cron.weekly are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_cron_weekly
+ - file_owner_cron_weekly
+ - file_permissions_cron_weekly
+
+ - id: 2.4.1.6
+ title: Ensure permissions on /etc/cron.monthly are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_cron_monthly
+ - file_owner_cron_monthly
+ - file_permissions_cron_monthly
+
+ - id: 2.4.1.7
+ title: Ensure permissions on /etc/cron.d are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_cron_d
+ - file_owner_cron_d
+ - file_permissions_cron_d
+
+ - id: 2.4.1.8
+ title: Ensure crontab is restricted to authorized users (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_cron_deny_not_exist
+ - file_cron_allow_exists
+ - file_groupowner_cron_allow
+ - file_owner_cron_allow
+ - file_permissions_cron_allow
+
+ - id: 2.4.2.1
+ title: Ensure at is restricted to authorized users (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+ notes: |-
+ It is necessary to create a rule to ensure the existence of at.allow.
+ file_cron_allow_exists can be used as reference for a new templated rule.
+ rules:
+ - file_at_deny_not_exist
+ - file_groupowner_at_allow
+ - file_owner_at_allow
+ - file_permissions_at_allow
+
+ - id: 3.1.1
+ title: Ensure IPv6 status is identified (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 3.1.2
+ title: Ensure wireless interfaces are disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - wireless_disable_interfaces
+
+ - id: 3.1.3
+ title: Ensure bluetooth services are not in use (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ status: automated
+ rules:
+ - service_bluetooth_disabled
+
+ - id: 3.2.1
+ title: Ensure dccp kernel module is not available (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - kernel_module_dccp_disabled
+
+ - id: 3.2.2
+ title: Ensure tipc kernel module is not available (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - kernel_module_tipc_disabled
+
+ - id: 3.2.3
+ title: Ensure rds kernel module is not available (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - kernel_module_rds_disabled
+
+ - id: 3.2.4
+ title: Ensure sctp kernel module is not available (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - kernel_module_sctp_disabled
+
+ - id: 3.3.1
+ title: Ensure IP forwarding is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv6_conf_all_forwarding
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+
+ - id: 3.3.2
+ title: Ensure packet redirect sending is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+
+ - id: 3.3.3
+ title: Ensure bogus icmp responses are ignored (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+
+ - id: 3.3.4
+ title: Ensure broadcast icmp requests are ignored (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+
+ - id: 3.3.5
+ title: Ensure icmp redirects are not accepted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+
+ - id: 3.3.6
+ title: Ensure secure icmp redirects are not accepted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+
+ - id: 3.3.7
+ title: Ensure reverse path filtering is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+
+ - id: 3.3.8
+ title: Ensure source routed packets are not accepted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+
+ - id: 3.3.9
+ title: Ensure suspicious packets are logged (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_default_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+
+ - id: 3.3.10
+ title: Ensure tcp syn cookies is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+
+ - id: 3.3.11
+ title: Ensure IPv6 router advertisements are not accepted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_ra
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+
+ - id: 4.1.1
+ title: Ensure nftables is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_nftables_installed
+
+ - id: 4.1.2
+ title: Ensure a single firewall configuration utility is in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - service_firewalld_enabled
+ - package_firewalld_installed
+ - service_nftables_disabled
+
+ - id: 4.2.1
+ title: Ensure firewalld drops unnecessary services and ports (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+ related_rules:
+ - configure_firewalld_ports
+
+ - id: 4.2.2
+ title: Ensure firewalld loopback traffic is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - firewalld_loopback_traffic_trusted
+ - firewalld_loopback_traffic_restricted
+
+ - id: 4.3.1
+ title: Ensure nftables base chains exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+ related_rules:
+ - set_nftables_base_chain
+ - var_nftables_table=firewalld
+ - var_nftables_family=inet
+ - var_nftables_base_chain_names=chain_names
+ - var_nftables_base_chain_types=chain_types
+ - var_nftables_base_chain_hooks=chain_hooks
+ - var_nftables_base_chain_priorities=chain_priorities
+ - var_nftables_base_chain_policies=chain_policies
+
+ - id: 4.3.2
+ title: Ensure nftables established connections are configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 4.3.3
+ title: Ensure nftables default deny firewall policy (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+ related_rules:
+ - nftables_ensure_default_deny_policy
+
+ - id: 4.3.4
+ title: Ensure nftables loopback traffic is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+ related_rules:
+ - set_nftables_loopback_traffic
+
+ - id: 5.1.1
+ title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_sshd_config
+ - file_owner_sshd_config
+ - file_permissions_sshd_config
+
+ - id: 5.1.2
+ title: Ensure permissions on SSH private host key files are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_permissions_sshd_private_key
+ - file_ownership_sshd_private_key
+ - file_groupownership_sshd_private_key
+
+ - id: 5.1.3
+ title: Ensure permissions on SSH public host key files are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_permissions_sshd_pub_key
+ - file_ownership_sshd_pub_key
+ - file_groupownership_sshd_pub_key
+
+ - id: 5.1.4
+ title: Ensure sshd Ciphers are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ related_rules:
+ - sshd_use_approved_ciphers
+ - sshd_approved_ciphers=cis_rhel9
+
+ - id: 5.1.5
+ title: Ensure sshd KexAlgorithms is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ The status was automated but we need to double check the approach used in this rule.
+ Therefore I moved it to pending until deeper investigation.
+ rules:
+ - sshd_use_strong_kex
+ - sshd_strong_kex=cis_rhel9
+
+ - id: 5.1.6
+ title: Ensure sshd MACs are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ The status was automated but we need to double check the approach used in this rule.
+ Therefore I moved it to pending until deeper investigation.
+ rules:
+ - sshd_use_strong_macs
+ - sshd_strong_macs=cis_rhel9
+
+ - id: 5.1.7
+ title: Ensure sshd access is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_limit_user_access
+
+ - id: 5.1.8
+ title: Ensure sshd Banner is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_enable_warning_banner_net
+ related_rules:
+ - sshd_enable_warning_banner
+
+ - id: 5.1.9
+ title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ The requirement gives an example of 45 seconds, but is flexible about the values. It is only
+ necessary to ensure there is a timeout configured in alignment to the site policy.
+ rules:
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=1
+
+ - id: 5.1.10
+ title: Ensure sshd DisableForwarding is enabled (Automated)
+ levels:
+ - l2_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ New templated rule is necessary for "disableforwarding" option.
+ related_rules:
+ - sshd_disable_tcp_forwarding
+ - sshd_disable_x11_forwarding
+
+ - id: 5.1.11
+ title: Ensure sshd GSSAPIAuthentication is disabled (Automated)
+ levels:
+ - l2_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_disable_gssapi_auth
+
+ - id: 5.1.12
+ title: Ensure sshd HostbasedAuthentication is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - disable_host_auth
+
+ - id: 5.1.13
+ title: Ensure sshd IgnoreRhosts is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_disable_rhosts
+
+ - id: 5.1.14
+ title: Ensure sshd LoginGraceTime is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_set_login_grace_time
+ - var_sshd_set_login_grace_time=60
+
+ - id: 5.1.15
+ title: Ensure sshd LogLevel is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ The CIS benchmark is not opinionated about which loglevel is selected here. Here, this
+ profile uses VERBOSE by default, as it allows for the capture of login and logout activity
+ as well as key fingerprints.
+ rules:
+ - sshd_set_loglevel_verbose
+ related_rules:
+ - sshd_set_loglevel_info
+
+ - id: 5.1.16
+ title: Ensure sshd MaxAuthTries is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_max_auth_tries_value=4
+ - sshd_set_max_auth_tries
+
+ - id: 5.1.17
+ title: Ensure sshd MaxStartups is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_set_maxstartups
+ - var_sshd_set_maxstartups=10:30:60
+
+ - id: 5.1.18
+ title: Ensure sshd MaxSessions is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_set_max_sessions
+ - var_sshd_max_sessions=10
+
+ - id: 5.1.19
+ title: Ensure sshd PermitEmptyPasswords is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_disable_empty_passwords
+
+ - id: 5.1.20
+ title: Ensure sshd PermitRootLogin is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_disable_root_login
+
+ - id: 5.1.21
+ title: Ensure sshd PermitUserEnvironment is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_do_not_permit_user_env
+
+ - id: 5.1.22
+ title: Ensure sshd UsePAM is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sshd_enable_pam
+
+ - id: 5.2.1
+ title: Ensure sudo is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_sudo_installed
+
+ - id: 5.2.2
+ title: Ensure sudo commands use pty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sudo_add_use_pty
+
+ - id: 5.2.3
+ title: Ensure sudo log file exists (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sudo_custom_logfile
+
+ - id: 5.2.4
+ title: Ensure users must provide password for escalation (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - sudo_require_authentication
+
+ - id: 5.2.5
+ title: Ensure re-authentication for privilege escalation is not disabled globally (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sudo_require_reauthentication
+
+ - id: 5.2.6
+ title: Ensure sudo authentication timeout is configured correctly (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sudo_require_reauthentication
+
+ - id: 5.2.7
+ title: Ensure access to the su command is restricted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ Members of "wheel" or GID 0 groups are checked by default if the group option is not set for
+ pam_wheel.so module. The recommendation states the group should be empty to reinforce the
+ use of "sudo" for privileged access. Therefore, members of these groups should be manually
+ checked or a different group should be informed.
+ rules:
+ - var_pam_wheel_group_for_su=cis
+ - use_pam_wheel_group_for_su
+ - ensure_pam_wheel_group_empty
+
+ - id: 5.3.1.1
+ title: Ensure latest version of pam is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ It is necessary a new rule to ensure PAM package is updated.
+
+ - id: 5.3.1.2
+ title: Ensure latest version of authselect is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ It is necessary a new rule to ensure authselect package is updated.
+
+ - id: 5.3.1.3
+ title: Ensure latest version of libpwquality is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ It is necessary a new rule to ensure libpwquality package is updated.
+ rules:
+ - package_pam_pwquality_installed
+
+ - id: 5.3.2.1
+ title: Ensure active authselect profile includes pam modules (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+ notes: |-
+ This requirement is hard to be automated without any specific requirement. The policy even
+ states that provided commands are examples, other custom settings might be in place and the
+ settings might be different depending on site policies. The other rules will already make
+ sure there is a correct autheselect profile regardless of the existing settings. It is
+ necessary to better discuss with CIS Community.
+ related_rules:
+ - no_empty_passwords
+
+ - id: 5.3.2.2
+ title: Ensure pam_faillock module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ This requirement is also indirectly satisfied by the requirement 5.3.3.1.
+ rules:
+ - account_password_pam_faillock_password_auth
+ - account_password_pam_faillock_system_auth
+
+ - id: 5.3.2.3
+ title: Ensure pam_pwquality module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ This requirement is also indirectly satisfied by the requirement 5.3.3.2.
+ related_rules:
+ - package_pam_pwquality_installed
+
+ - id: 5.3.2.4
+ title: Ensure pam_pwhistory module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ The module is properly enabled by the rules mentioned in related_rules.
+ Requirements in 5.3.3.3 use these rules.
+ related_rules:
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
+
+ - id: 5.3.2.5
+ title: Ensure pam_unix module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+ notes: |-
+ This module is always present by default. It is necessary to investigate if a new rule to
+ check its existence needs to be created. But so far the rule no_empty_passwords, used in
+ 5.3.3.4 can ensure this requirement is attended.
+ related_rules:
+ - no_empty_passwords
+
+ - id: 5.3.3.1.1
+ title: Ensure password failed attempts lockout is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_passwords_pam_faillock_deny
+ - var_accounts_passwords_pam_faillock_deny=5
+
+ - id: 5.3.3.1.2
+ title: Ensure password unlock time is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ The policy also accepts value 0, which means the locked accounts should be manually unlocked
+ by an administrator. However, it also mentions that using value 0 can facilitate a DoS
+ attack to legitimate users.
+ rules:
+ - accounts_passwords_pam_faillock_unlock_time
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+
+ - id: 5.3.3.1.3
+ title: Ensure password failed attempts lockout includes root account (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - accounts_passwords_pam_faillock_deny_root
+
+ - id: 5.3.3.2.1
+ title: Ensure password number of changed characters is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_password_pam_difok
+ - var_password_pam_difok=2
+
+ - id: 5.3.3.2.2
+ title: Ensure password length is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_password_pam_minlen
+ - var_password_pam_minlen=14
+
+ - id: 5.3.3.2.3
+ title: Ensure password complexity is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_password_pam_minclass
+ - var_password_pam_minclass=4
+ related_rules:
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_ucredit
+
+ - id: 5.3.3.2.4
+ title: Ensure password same consecutive characters is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_password_pam_maxrepeat
+ - var_password_pam_maxrepeat=3
+
+ - id: 5.3.3.2.5
+ title: Ensure password maximum sequential characters is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: planned
+ notes: |-
+ A new templated rule and variable are necessary for the maxsequence option.
+
+ - id: 5.3.3.2.6
+ title: Ensure password dictionary check is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_password_pam_dictcheck
+ - var_password_pam_dictcheck=1
+
+ - id: 5.3.3.2.7
+ title: Ensure password quality is enforced for the root user (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_password_pam_enforce_root
+
+ - id: 5.3.3.3.1
+ title: Ensure password history remember is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ Although mentioned in the section 5.3.3.3, there is no explicit requirement to configure
+ retry option of pam_pwhistory. If come in the future, the rule accounts_password_pam_retry
+ can be used.
+ rules:
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
+ - var_password_pam_remember_control_flag=requisite_or_required
+ - var_password_pam_remember=24
+ related_rules:
+ - accounts_password_pam_retry
+
+ - id: 5.3.3.3.2
+ title: Ensure password history is enforced for the root user (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: planned
+ notes: |-
+ A new rule needs to be created to check and remediate the enforce_for_root option in
+ /etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as reference.
+
+ - id: 5.3.3.3.3
+ title: Ensure pam_pwhistory includes use_authtok (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+ related_rules:
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
+
+ - id: 5.3.3.4.1
+ title: Ensure pam_unix does not include nullok (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ The rule more specifically used in this requirement also satify the requirement 5.3.2.5.
+ rules:
+ - no_empty_passwords
+
+ - id: 5.3.3.4.2
+ title: Ensure pam_unix does not include remember (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ Usage of pam_unix.so module together with "remember" option is deprecated and is not
+ recommened by this policy. Instead, it should be used remember option of pam_pwhistory
+ module, as required in 5.3.3.3.1. See here for more details about pam_unix.so:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1778929
+ A new rule needs to be created to remove the remember option from pam_unix module.
+
+ - id: 5.3.3.4.3
+ title: Ensure pam_unix includes a strong password hashing algorithm (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ Changes in logindefs mentioned in this requirement are more specifically covered by 5.4.1.4
+ rules:
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
+ - var_password_hashing_algorithm_pam=sha512
+
+ - id: 5.3.3.4.4
+ title: Ensure pam_unix includes use_authtok (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+
+ - id: 5.4.1.1
+ title: Ensure password expiration is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=365
+ - accounts_password_set_max_life_existing
+
+ - id: 5.4.1.2
+ title: Ensure minimum password days is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=1
+ - accounts_password_set_min_life_existing
+
+ - id: 5.4.1.3
+ title: Ensure password expiration warning days is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_password_warn_age_login_defs
+ - var_accounts_password_warn_age_login_defs=7
+ - accounts_password_set_warn_age_existing
+
+ - id: 5.4.1.4
+ title: Ensure strong password hashing algorithm is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - set_password_hashing_algorithm_libuserconf
+ - set_password_hashing_algorithm_logindefs
+ - var_password_hashing_algorithm=SHA512
+ - var_password_hashing_algorithm_pam=sha512
+
+ - id: 5.4.1.5
+ title: Ensure inactive password lock is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - account_disable_post_pw_expiration
+ - accounts_set_post_pw_existing
+ - var_account_disable_post_pw_expiration=45
+
+ - id: 5.4.1.6
+ title: Ensure all users last password change date is in the past (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_password_last_change_is_in_past
+
+ - id: 5.4.2.1
+ title: Ensure root is the only UID 0 account (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_no_uid_except_zero
+
+ - id: 5.4.2.2
+ title: Ensure root is the only GID 0 account (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+ notes: |-
+ The rule confirms the primary group for root, but doesn't check if any other user are also
+ using GID 0. New rule is necessary.
+ There is assessment but no automated remediation for this rule and this sounds reasonable.
+ rules:
+ - accounts_root_gid_zero
+
+ - id: 5.4.2.3
+ title: Ensure group root is the only GID 0 group (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 5.4.2.4
+ title: Ensure root account access is controlled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - ensure_root_password_configured
+
+ - id: 5.4.2.5
+ title: Ensure root path integrity (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_root_path_dirs_no_write
+ - root_path_no_dot
+
+ - id: 5.4.2.6
+ title: Ensure root user umask is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ There is no rule to ensure umask in /root/.bash_profile and /root/.bashrc. A new rule have
+ to be created. It can be based on accounts_umask_interactive_users.
+
+ - id: 5.4.2.7
+ title: Ensure system accounts do not have a valid login shell (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - no_password_auth_for_systemaccounts
+ - no_shelllogin_for_systemaccounts
+
+ - id: 5.4.2.8
+ title: Ensure accounts without a valid login shell are locked (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 5.4.3.1
+ title: Ensure nologin is not listed in /etc/shells (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: pending
+ notes: |-
+ It is necessary to create a new rule to check and remove nologin from /etc/shells.
+ The no_tmux_in_shells rule can be used as referece.
+
+ - id: 5.4.3.2
+ title: Ensure default user shell timeout is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=15_min
+
+ - id: 5.4.3.3
+ title: Ensure default user umask is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_login_defs
+ - accounts_umask_etc_profile
+ - var_accounts_user_umask=027
+
+ - id: 6.1.1
+ title: Ensure AIDE is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_aide_installed
+ - aide_build_database
+
+ - id: 6.1.2
+ title: Ensure filesystem integrity is regularly checked (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - aide_periodic_cron_checking
+
+ - id: 6.1.3
+ title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - aide_check_audit_tools
+ related_rules:
+ - aide_use_fips_hashes
+
+ - id: 6.2.1.1
+ title: Ensure journald service is enabled and active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - service_systemd-journald_enabled
+
+ - id: 6.2.1.2
+ title: Ensure journald log file access is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.2.1.3
+ title: Ensure journald log file rotation is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.2.1.4
+ title: Ensure only one logging system is in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ It is necessary to create a new rule to check the status of journald and rsyslog.
+ It would also be necessary a new rule to disable or remove rsyslog.
+
+ - id: 6.2.2.1.1
+ title: Ensure systemd-journal-remote is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_systemd-journal-remote_installed
+
+ - id: 6.2.2.1.2
+ title: Ensure systemd-journal-upload authentication is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.2.2.1.3
+ title: Ensure systemd-journal-upload is enabled and active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 6.2.2.1.4
+ title: Ensure systemd-journal-remote service is not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - socket_systemd-journal-remote_disabled
+
+ - id: 6.2.2.2
+ title: Ensure journald ForwardToSyslog is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ This rule conflicts with 6.2.3.3. More investigation is needed to properly solve this.
+ related_rules:
+ - journald_forward_to_syslog
+
+ - id: 6.2.2.3
+ title: Ensure journald Compress is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - journald_compress
+
+ - id: 6.2.2.4
+ title: Ensure journald Storage is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - journald_storage
+
+ - id: 6.2.3.1
+ title: Ensure rsyslog is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+ related_rules:
+ - package_rsyslog_installed
+
+ - id: 6.2.3.2
+ title: Ensure rsyslog service is enabled and active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+ related_rules:
+ - service_rsyslog_enabled
+
+ - id: 6.2.3.3
+ title: Ensure journald is configured to send logs to rsyslog (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+ related_rules:
+ - journald_forward_to_syslog
+
+ - id: 6.2.3.4
+ title: Ensure rsyslog log file creation mode is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+ related_rules:
+ - rsyslog_filecreatemode
+
+ - id: 6.2.3.5
+ title: Ensure rsyslog logging is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.2.3.6
+ title: Ensure rsyslog is configured to send logs to a remote log host (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+ related_rules:
+ - rsyslog_remote_loghost
+
+ - id: 6.2.3.7
+ title: Ensure rsyslog is not configured to receive logs from a remote client (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+ related_rules:
+ - rsyslog_nolisten
+
+ - id: 6.2.3.8
+ title: Ensure rsyslog logrotate is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+ related_rules:
+ - ensure_logrotate_activated
+ - package_logrotate_installed
+ - timer_logrotate_enabled
+
+ - id: 6.2.4.1
+ title: Ensure access to all logfiles has been configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ It is not harmful to run these rules even if rsyslog is not installed or active.
+ rules:
+ - rsyslog_files_groupownership
+ - rsyslog_files_ownership
+ - rsyslog_files_permissions
+
+ - id: 6.3.1.1
+ title: Ensure auditd packages are installed (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - package_audit_installed
+ - package_audit-libs_installed
+
+ - id: 6.3.1.2
+ title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - grub2_audit_argument
+
+ - id: 6.3.1.3
+ title: Ensure audit_backlog_limit is sufficient (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - grub2_audit_backlog_limit_argument
+
+ - id: 6.3.1.4
+ title: Ensure auditd service is enabled and active (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - service_auditd_enabled
+
+ - id: 6.3.2.1
+ title: Ensure audit log storage size is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - auditd_data_retention_max_log_file
+ - var_auditd_max_log_file=6
+
+ - id: 6.3.2.2
+ title: Ensure audit logs are not automatically deleted (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - auditd_data_retention_max_log_file_action
+ - var_auditd_max_log_file_action=keep_logs
+
+ - id: 6.3.2.3
+ title: Ensure system is disabled when audit logs are full (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - auditd_data_disk_error_action
+ - auditd_data_disk_full_action
+ - var_auditd_disk_error_action=cis_rhel9
+ - var_auditd_disk_full_action=cis_rhel9
+
+ - id: 6.3.2.4
+ title: Ensure system warns when audit logs are low on space (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - auditd_data_retention_action_mail_acct
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_space_left_action
+ - var_auditd_action_mail_acct=root
+ - var_auditd_admin_space_left_action=cis_rhel9
+ - var_auditd_space_left_action=cis_rhel9
+
+ - id: 6.3.3.1
+ title: Ensure changes to system administration scope (sudoers) is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_sysadmin_actions
+
+ - id: 6.3.3.2
+ title: Ensure actions as another user are always logged (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_suid_auid_privilege_function
+
+ - id: 6.3.3.3
+ title: Ensure events that modify the sudo log file are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_sudo_log_events
+
+ - id: 6.3.3.4
+ title: Ensure events that modify date and time information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ related_rules:
+ - audit_rules_time_stime
+
+ - id: 6.3.3.5
+ title: Ensure events that modify the system's network environment are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: partial
+ notes: |-
+ These rules are not covering "/etc/hostname" and "/etc/NetworkManager/".
+ rules:
+ - audit_rules_networkconfig_modification
+ - audit_rules_networkconfig_modification_network_scripts
+
+ - id: 6.3.3.6
+ title: Ensure use of privileged commands are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_privileged_commands
+
+ - id: 6.3.3.7
+ title: Ensure unsuccessful file access attempts are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+
+ - id: 6.3.3.8
+ title: Ensure events that modify user/group information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: partial
+ notes: |-
+ Missing rules to check "/etc/nsswitch.conf", "/etc/pam.conf" and "/etc/pam.d"
+ rules:
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+
+ - id: 6.3.3.9
+ title: Ensure discretionary access control permission modification events are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+
+ - id: 6.3.3.10
+ title: Ensure successful file system mounts are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_media_export
+
+ - id: 6.3.3.11
+ title: Ensure session initiation information is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_session_events
+
+ - id: 6.3.3.12
+ title: Ensure login and logout events are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - var_accounts_passwords_pam_faillock_dir=run
+
+ - id: 6.3.3.13
+ title: Ensure file deletion events by users are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+
+ - id: 6.3.3.14
+ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification_usr_share
+
+ - id: 6.3.3.15
+ title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_execution_chcon
+
+ - id: 6.3.3.16
+ title: Ensure successful and unsuccessful attempts to use the setfacl command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_execution_setfacl
+
+ - id: 6.3.3.17
+ title: Ensure successful and unsuccessful attempts to use the chacl command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_execution_chacl
+
+ - id: 6.3.3.18
+ title: Ensure successful and unsuccessful attempts to use the usermod command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_privileged_commands_usermod
+
+ - id: 6.3.3.19
+ title: Ensure kernel module loading unloading and modification is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_kernel_module_loading_create
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_kernel_module_loading_query
+ - audit_rules_privileged_commands_kmod
+
+ - id: 6.3.3.20
+ title: Ensure the audit configuration is immutable (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - audit_rules_immutable
+
+ - id: 6.3.3.21
+ title: Ensure the running and on disk configuration is the same (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: manual
+
+ - id: 6.3.4.1
+ title: Ensure the audit log file directory mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - directory_permissions_var_log_audit
+
+ - id: 6.3.4.2
+ title: Ensure audit log files mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - file_permissions_var_log_audit
+
+ - id: 6.3.4.3
+ title: Ensure audit log files owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - file_ownership_var_log_audit_stig
+
+ - id: 6.3.4.4
+ title: Ensure audit log files group owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - file_group_ownership_var_log_audit
+
+ - id: 6.3.4.5
+ title: Ensure audit configuration files mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - file_permissions_audit_configuration
+
+ - id: 6.3.4.6
+ title: Ensure audit configuration files owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - file_ownership_audit_configuration
+
+ - id: 6.3.4.7
+ title: Ensure audit configuration files group owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - file_groupownership_audit_configuration
+
+ - id: 6.3.4.8
+ title: Ensure audit tools mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - file_permissions_audit_binaries
+
+ - id: 6.3.4.9
+ title: Ensure audit tools owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - file_ownership_audit_binaries
+
+ - id: 6.3.4.10
+ title: Ensure audit tools group owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - file_groupownership_audit_binaries
+
+ - id: 7.1.1
+ title: Ensure permissions on /etc/passwd are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_passwd
+ - file_owner_etc_passwd
+ - file_permissions_etc_passwd
+
+ - id: 7.1.2
+ title: Ensure permissions on /etc/passwd- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_passwd
+ - file_owner_backup_etc_passwd
+ - file_permissions_backup_etc_passwd
+
+ - id: 7.1.3
+ title: Ensure permissions on /etc/group are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_group
+ - file_owner_etc_group
+ - file_permissions_etc_group
+
+ - id: 7.1.4
+ title: Ensure permissions on /etc/group- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_group
+ - file_owner_backup_etc_group
+ - file_permissions_backup_etc_group
+
+ - id: 7.1.5
+ title: Ensure permissions on /etc/shadow are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+
+ - id: 7.1.6
+ title: Ensure permissions on /etc/shadow- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_shadow
+ - file_owner_backup_etc_shadow
+ - file_permissions_backup_etc_shadow
+
+ - id: 7.1.7
+ title: Ensure permissions on /etc/gshadow are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_gshadow
+ - file_owner_etc_gshadow
+ - file_permissions_etc_gshadow
+
+ - id: 7.1.8
+ title: Ensure permissions on /etc/gshadow- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_gshadow
+ - file_owner_backup_etc_gshadow
+ - file_permissions_backup_etc_gshadow
+
+ - id: 7.1.9
+ title: Ensure permissions on /etc/shells are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_shells
+ - file_owner_etc_shells
+ - file_permissions_etc_shells
+
+ - id: 7.1.10
+ title: Ensure permissions on /etc/security/opasswd are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+ rules:
+ # TODO: We need another rule that checks /etc/security/opasswd.old
+ - file_etc_security_opasswd
+
+ - id: 7.1.11
+ title: Ensure world writable files and directories are secured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_permissions_unauthorized_world_writable
+ - dir_perms_world_writable_sticky_bits
+
+ - id: 7.1.12
+ title: Ensure no files or directories without an owner and a group exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+ rules:
+ # TODO: add rules for unowned/ungrouped directories
+ - no_files_unowned_by_user
+ - file_permissions_ungroupowned
+
+ - id: 7.1.13
+ title: Ensure SUID and SGID files are reviewed (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+ related_rules:
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_sgid
+
+ - id: 7.1.14
+ title: Audit system file permissions (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: manual
+ related_rules:
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+
+ - id: 7.2.1
+ title: Ensure accounts in /etc/passwd use shadowed passwords (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_password_all_shadowed
+
+ - id: 7.2.2
+ title: Ensure /etc/shadow password fields are not empty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - no_empty_passwords_etc_shadow
+
+ - id: 7.2.3
+ title: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - gid_passwd_group_same
+
+ - id: 7.2.4
+ title: Ensure no duplicate UIDs exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - account_unique_id
+
+ - id: 7.2.5
+ title: Ensure no duplicate GIDs exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - group_unique_id
+
+ - id: 7.2.6
+ title: Ensure no duplicate user names exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - account_unique_name
+
+ - id: 7.2.7
+ title: Ensure no duplicate group names exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - group_unique_name
+
+ - id: 7.2.8
+ title: Ensure local interactive user home directories are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_user_interactive_home_directory_exists
+ - file_ownership_home_directories
+ - file_permissions_home_directories
+ related_rules:
+ - file_groupownership_home_directories
+
+ - id: 7.2.9
+ title: Ensure local interactive user dot files access is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ notes: |-
+ Missing a rule to check that .bash_history is mode 0600 or more restrictive.
+ status: partial
+ rules:
+ - accounts_user_dot_group_ownership
+ - accounts_user_dot_user_ownership
+ - accounts_user_dot_no_world_writable_programs
+ - file_permission_user_init_files
+ - var_user_initialization_files_regex=all_dotfiles
+ - no_forward_files
+ - no_netrc_files
+ - no_rsh_trust_files
+ related_rules:
+ - accounts_users_netrc_file_permissions
diff --git a/controls/hipaa.yml b/controls/hipaa.yml
index 6faea5caac4..becdc0de33e 100644
--- a/controls/hipaa.yml
+++ b/controls/hipaa.yml
@@ -165,6 +165,7 @@ controls:
- ensure_gpgcheck_repo_metadata
- ensure_redhat_gpgkey_installed
- ensure_suse_gpgkey_installed
+ - ensure_almalinux_gpgkey_installed
status: automated
- id: 164.308(a)(3)
@@ -1374,6 +1375,7 @@ controls:
- ensure_gpgcheck_repo_metadata
- ensure_redhat_gpgkey_installed
- ensure_suse_gpgkey_installed
+ - ensure_almalinux_gpgkey_installed
status: automated
- id: 164.312(c)
@@ -1404,6 +1406,7 @@ controls:
- ensure_gpgcheck_repo_metadata
- ensure_redhat_gpgkey_installed
- ensure_suse_gpgkey_installed
+ - ensure_almalinux_gpgkey_installed
status: automated
- id: 164.312(c)(2)
@@ -1423,6 +1426,7 @@ controls:
- ensure_gpgcheck_repo_metadata
- ensure_redhat_gpgkey_installed
- ensure_suse_gpgkey_installed
+ - ensure_almalinux_gpgkey_installed
status: automated
- id: 164.312(d)
@@ -1695,6 +1699,7 @@ controls:
- ensure_gpgcheck_repo_metadata
- ensure_redhat_gpgkey_installed
- ensure_suse_gpgkey_installed
+ - ensure_almalinux_gpgkey_installed
status: automated
- id: 164.312(e)(2)(ii)
diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
index 267ee78d418..f8ff8b30b74 100644
--- a/controls/pcidss_4.yml
+++ b/controls/pcidss_4.yml
@@ -1557,6 +1557,7 @@ controls:
rules:
- ensure_redhat_gpgkey_installed
- ensure_suse_gpgkey_installed
+ - ensure_almalinux_gpgkey_installed
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_never_disabled
- security_patches_up_to_date
diff --git a/linux_os/guide/services/ntp/var_multiple_time_servers.var b/linux_os/guide/services/ntp/var_multiple_time_servers.var
index a216673d8a1..d3074a95547 100644
--- a/linux_os/guide/services/ntp/var_multiple_time_servers.var
+++ b/linux_os/guide/services/ntp/var_multiple_time_servers.var
@@ -19,3 +19,4 @@ options:
alinux: "0.ntp.cloud.aliyuncs.com,1.ntp.aliyun.com,2.ntp1.aliyun.com,3.ntp1.cloud.aliyuncs.com"
amazon: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org"
ubuntu: "0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org,2.ubuntu.pool.ntp.org,3.ubuntu.pool.ntp.org"
+ almalinux: "0.almalinux.pool.ntp.org,1.almalinux.pool.ntp.org,2.almalinux.pool.ntp.org,3.almalinux.pool.ntp.org"
diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/ansible/shared.yml
new file mode 100644
index 00000000000..add0cd7ddc7
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/ansible/shared.yml
@@ -0,0 +1,38 @@
+# platform = multi_platform_almalinux
+# reboot = false
+# strategy = restrict
+# complexity = medium
+# disruption = medium
+- name: "Read permission of GPG key directory"
+ ansible.builtin.stat:
+ path: /etc/pki/rpm-gpg/
+ register: gpg_key_directory_permission
+ check_mode: no
+
+# It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
+
+- name: Read signatures in GPG key
+ # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10
+ ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9"
+ changed_when: False
+ register: gpg_fingerprints
+ check_mode: no
+
+- name: Set Fact - Installed GPG Fingerprints
+ ansible.builtin.set_fact:
+ gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"
+
+- name: Set Fact - Valid fingerprints
+ ansible.builtin.set_fact:
+ gpg_valid_fingerprints:
+ - "{{{ release_key_fingerprint }}}"
+
+- name: Import AlmaLinux GPG key
+ ansible.builtin.rpm_key:
+ state: present
+ key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
+ when:
+ - gpg_key_directory_permission.stat.mode <= '0755'
+ - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0
+ - gpg_installed_fingerprints | length > 0
+ - ansible_distribution == "AlmaLinux" and ansible_distribution_version == "9"
diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/bash/shared.sh
new file mode 100644
index 00000000000..f78a6fb82b6
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/bash/shared.sh
@@ -0,0 +1,24 @@
+# platform = multi_platform_almalinux
+readonly ALMALINUX_RELEASE_FINGERPRINT="{{{ release_key_fingerprint }}}"
+
+# Location of the key we would like to import (once it's integrity verified)
+readonly ALMALINUX_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9"
+
+RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$ALMALINUX_RELEASE_KEY")")
+
+# Verify /etc/pki/rpm-gpg directory permissions are safe
+if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
+then
+ # If they are safe, try to obtain fingerprints from the key file
+ # (to ensure there won't be e.g. CRC error).
+ readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$ALMALINUX_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10)
+ GPG_RESULT=$?
+ # No CRC error, safe to proceed
+ if [ "${GPG_RESULT}" -eq "0" ]
+ then
+ echo "${GPG_OUT[*]}" | grep -vE "${ALMALINUX_RELEASE_FINGERPRINT}" || {
+ # If $ALMALINUX_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
+ rpm --import "${ALMALINUX_RELEASE_KEY}"
+ }
+ fi
+fi
diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/oval/shared.xml
new file mode 100644
index 00000000000..74481fb1875
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/oval/shared.xml
@@ -0,0 +1,37 @@
+{{% if pkg_version %}}
+{{# If pkg_version isn't defined, then the rule should be NOTCHECKED, because we don't have data needed for the check #}}
+
+
+ {{{ oval_metadata("The AlmaLinux release packages are required to be installed.") }}}
+
+
+
+
+
+
+
+
+
+
+
+
+ gpg-pubkey
+
+
+
+
+
+
+
+
+
+
+ {{{ pkg_release }}}
+ {{{ pkg_version }}}
+
+
+
+{{% endif %}}
diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/rule.yml
new file mode 100644
index 00000000000..e1c9c1653d3
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/rule.yml
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+
+title: 'Ensure AlmaLinux GPG Key Installed'
+
+description: |-
+ To ensure the system can cryptographically verify base software packages
+ come from AlmaLinux (and to connect to the AlmaLinux repositories to
+ receive them), the AlmaLinux GPG key must be properly installed. To install
+ the AlmaLinux GPG key, run:
+ $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
+
+rationale: |-
+ Changes to software components can have significant effects on the overall
+ security of the operating system. This requirement ensures the software has
+ not been tampered with and that it has been provided by a trusted vendor.
+ The AlmaLinux GPG key is necessary to cryptographically verify packages are
+ from AlmaLinux.
+
+severity: high
+
+references:
+ cis-csc: 11,2,3,9
+ cjis: 5.10.4.1
+ cobit5: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02
+ cui: 3.4.8
+ disa: CCI-001749
+ hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
+ isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4
+ isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6'
+ iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
+ nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-007-3 R4,CIP-007-3 R4.1,CIP-007-3 R4.2,CIP-007-3 R5.1
+ nist: CM-5(3),SI-7,SC-12,SC-12(3),CM-6(a)
+ nist-csf: PR.DS-6,PR.DS-8,PR.IP-1
+ ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
+ pcidss: Req-6.2
+ srg: SRG-OS-000366-GPOS-00153
+
+ocil_clause: 'the AlmaLinux GPG Key is not installed'
+
+ocil: |-
+ To ensure that the GPG key is installed, run:
+ $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
+ The command should return the string below:
+ AlmaLinux OS 9 <packager@almalinux.org> public key
+
+fixtext: |-
+ Install {{{ full_name }}} GPG key. Run the following command:
+ $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/tests/key_installed.pass.sh b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/tests/key_installed.pass.sh
new file mode 100644
index 00000000000..87b82cb016f
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/tests/key_installed.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+#
+# platform = AlmaLinux OS 9
+
+rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/tests/missing_key.fail.sh b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/tests/missing_key.fail.sh
new file mode 100644
index 00000000000..32a39a04487
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/tests/missing_key.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+
+# remove all available keys
+
+KEYS=$(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n')
+
+if [ $? = 0 ]; then
+ for KEY in $KEYS; do
+ rpm -e $KEY
+ done
+fi
diff --git a/products/alinux2/profiles/pci-dss.profile b/products/alinux2/profiles/pci-dss.profile
index 4144316bfba..5f42682ec7a 100644
--- a/products/alinux2/profiles/pci-dss.profile
+++ b/products/alinux2/profiles/pci-dss.profile
@@ -78,6 +78,7 @@ selections:
- '!dconf_db_up_to_date'
- '!bios_enable_execution_restrictions'
- '!ensure_suse_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!gnome_gdm_disable_automatic_login'
- '!cracklib_accounts_password_pam_minlen'
diff --git a/products/alinux3/profiles/pci-dss.profile b/products/alinux3/profiles/pci-dss.profile
index 266cadc2bbf..2d63198fce8 100644
--- a/products/alinux3/profiles/pci-dss.profile
+++ b/products/alinux3/profiles/pci-dss.profile
@@ -84,6 +84,7 @@ selections:
- '!dconf_db_up_to_date'
- '!bios_enable_execution_restrictions'
- '!ensure_suse_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!gnome_gdm_disable_automatic_login'
- '!cracklib_accounts_password_pam_minlen'
diff --git a/products/almalinux9/CMakeLists.txt b/products/almalinux9/CMakeLists.txt
new file mode 100644
index 00000000000..99799a70970
--- /dev/null
+++ b/products/almalinux9/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd almalinux9; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("almalinux9")
diff --git a/products/almalinux9/overlays/.gitkeep b/products/almalinux9/overlays/.gitkeep
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/products/almalinux9/product.yml b/products/almalinux9/product.yml
new file mode 100644
index 00000000000..c1a4ba48762
--- /dev/null
+++ b/products/almalinux9/product.yml
@@ -0,0 +1,30 @@
+product: almalinux9
+full_name: AlmaLinux OS 9
+type: platform
+
+major_version_ordinal: 9
+
+benchmark_id: ALMALINUX-9
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - almalinux9:
+ name: "cpe:/o:almalinux:almalinux:9"
+ title: "AlmaLinux OS 9"
+ check_id: installed_OS_is_almalinux9
+
+
+# See https://almalinux.org/security/
+release_key_fingerprint: "BF18AC2876178908D6E71267D36CB86CB86B3716"
+oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-9.xml.bz2"
+
+reference_uris:
+ cis: 'https://workbench.cisecurity.org/files/5425/download/7650'
diff --git a/products/almalinux9/profiles/cis.profile b/products/almalinux9/profiles/cis.profile
new file mode 100644
index 00000000000..f0e6cc24fe6
--- /dev/null
+++ b/products/almalinux9/profiles/cis.profile
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+metadata:
+ version: 2.0.0
+ SMEs:
+ - sej7278
+
+reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/
+
+title: 'CIS AlmaLinux OS 9 Benchmark for Level 2 - Server'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 2 - Server"
+ configuration from the Center for Internet Security® AlmaLinux OS 9
+ Benchmark™, v2.0.0, released 2024-06-20.
+
+ This profile includes Center for Internet Security®
+ AlmaLinux OS 9 CIS Benchmarks™ content.
+
+selections:
+ - cis_almalinux9:all:l2_server
+ - '!file_ownership_home_directories'
+ - '!group_unique_name'
+ - '!file_owner_at_allow'
diff --git a/products/almalinux9/profiles/cis_server_l1.profile b/products/almalinux9/profiles/cis_server_l1.profile
new file mode 100644
index 00000000000..4f49074be5d
--- /dev/null
+++ b/products/almalinux9/profiles/cis_server_l1.profile
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+metadata:
+ version: 2.0.0
+ SMEs:
+ - sej7278
+
+reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/
+
+title: 'CIS AlmaLinux OS 9 Benchmark for Level 1 - Server'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 1 - Server"
+ configuration from the Center for Internet Security® AlmaLinux OS 9
+ Benchmark™, v2.0.0, released 2024-06-20.
+
+ This profile includes Center for Internet Security®
+ AlmaLinux OS 9 CIS Benchmarks™ content.
+
+selections:
+ - cis_almalinux9:all:l1_server
+ - '!file_ownership_home_directories'
+ - '!group_unique_name'
+ - '!file_owner_at_allow'
diff --git a/products/almalinux9/profiles/cis_workstation_l1.profile b/products/almalinux9/profiles/cis_workstation_l1.profile
new file mode 100644
index 00000000000..60caa95deb9
--- /dev/null
+++ b/products/almalinux9/profiles/cis_workstation_l1.profile
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+metadata:
+ version: 2.0.0
+ SMEs:
+ - sej7278
+
+reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/
+
+title: 'CIS AlmaLinux OS 9 Benchmark for Level 1 - Workstation'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 1 - Workstation"
+ configuration from the Center for Internet Security® AlmaLinux OS 9
+ Benchmark™, v2.0.0, released 2024-06-20.
+
+ This profile includes Center for Internet Security®
+ AlmaLinux OS 9 CIS Benchmarks™ content.
+
+selections:
+ - cis_almalinux9:all:l1_workstation
+ - '!file_ownership_home_directories'
+ - '!group_unique_name'
+ - '!file_owner_at_allow'
diff --git a/products/almalinux9/profiles/cis_workstation_l2.profile b/products/almalinux9/profiles/cis_workstation_l2.profile
new file mode 100644
index 00000000000..cf303976401
--- /dev/null
+++ b/products/almalinux9/profiles/cis_workstation_l2.profile
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+metadata:
+ version: 2.0.0
+ SMEs:
+ - sej7278
+
+reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/
+
+title: 'CIS AlmaLinux OS 9 Benchmark for Level 2 - Workstation'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 2 - Workstation"
+ configuration from the Center for Internet Security® AlmaLinux OS 9
+ Linux 9 Benchmark™, v2.0.0, released 2024-06-20.
+
+ This profile includes Center for Internet Security®
+ AlmaLinux OS 9 CIS Benchmarks™ content.
+
+selections:
+ - cis_almalinux9:all:l2_workstation
+ - '!file_ownership_home_directories'
+ - '!group_unique_name'
+ - '!file_owner_at_allow'
diff --git a/products/almalinux9/profiles/hipaa.profile b/products/almalinux9/profiles/hipaa.profile
new file mode 100644
index 00000000000..9bfea98199c
--- /dev/null
+++ b/products/almalinux9/profiles/hipaa.profile
@@ -0,0 +1,161 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - sej7278
+
+reference: https://www.hhs.gov/hipaa/for-professionals/index.html
+
+title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+
+description: |-
+ The HIPAA Security Rule establishes U.S. national standards to protect individuals’
+ electronic personal health information that is created, received, used, or
+ maintained by a covered entity. The Security Rule requires appropriate
+ administrative, physical and technical safeguards to ensure the
+ confidentiality, integrity, and security of electronic protected health
+ information.
+
+ This profile configures AlmaLinux OS 9 to the HIPAA Security
+ Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+
+selections:
+ - grub2_password
+ - grub2_uefi_password
+ - file_groupowner_grub2_cfg
+ - file_owner_grub2_cfg
+ - grub2_disable_interactive_boot
+ - no_direct_root_logins
+ - no_empty_passwords
+ - require_singleuser_auth
+ - restrict_serial_port_logins
+ - securetty_root_login_console_only
+ - service_debug-shell_disabled
+ - disable_ctrlaltdel_reboot
+ - disable_ctrlaltdel_burstaction
+ - dconf_db_up_to_date
+ - dconf_gnome_remote_access_credential_prompt
+ - dconf_gnome_remote_access_encryption
+ - sshd_use_directory_configuration
+ - sshd_disable_empty_passwords
+ - sshd_disable_root_login
+ - libreswan_approved_tunnels
+ - no_rsh_trust_files
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_telnet_removed
+ - package_telnet-server_removed
+ - package_cron_installed
+ - service_crond_enabled
+ - service_telnet_disabled
+ - use_kerberos_security_all_exports
+ - var_authselect_profile=sssd
+ - enable_authselect
+ - disable_host_auth
+ - sshd_allow_only_protocol2
+ - sshd_disable_compression
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+ - sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
+ - var_sshd_set_keepalive=1
+ - encrypt_partitions
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - var_selinux_policy_name=targeted
+ - var_selinux_state=enforcing
+ - grub2_enable_selinux
+ - sebool_selinuxuser_execheap
+ - sebool_selinuxuser_execmod
+ - sebool_selinuxuser_execstack
+ - selinux_confinement_of_daemons
+ - selinux_policytype
+ - selinux_state
+ - service_kdump_disabled
+ - sysctl_fs_suid_dumpable
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_randomize_va_space
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - ensure_almalinux_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_local_packages
+ - grub2_audit_argument
+ - service_auditd_enabled
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_su
+ - audit_rules_immutable
+ - kernel_module_usb-storage_disabled
+ - service_autofs_disabled
+ - auditd_audispd_syslog_plugin_activated
+ - rsyslog_remote_loghost
+ - auditd_data_retention_flush
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_execution_chcon
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_mac_modification
+ - audit_rules_media_export
+ - audit_rules_networkconfig_modification
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_session_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_system_shutdown
+ - var_audit_failure_mode=panic
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
diff --git a/products/almalinux9/profiles/pci-dss.profile b/products/almalinux9/profiles/pci-dss.profile
new file mode 100644
index 00000000000..199d9457c12
--- /dev/null
+++ b/products/almalinux9/profiles/pci-dss.profile
@@ -0,0 +1,70 @@
+documentation_complete: true
+
+metadata:
+ version: '4.0.1'
+ SMEs:
+ - sej7278
+
+reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
+
+title: 'PCI-DSS v4.0.1 Control Baseline for AlmaLinux OS 9'
+
+description: |-
+ Payment Card Industry - Data Security Standard (PCI-DSS) is a set of
+ security standards designed to ensure the secure handling of payment card
+ data, with the goal of preventing data breaches and protecting sensitive
+ financial information.
+
+ This profile ensures AlmaLinux OS 9 is configured in alignment
+ with PCI-DSS v4.0.1 requirements.
+
+selections:
+ - pcidss_4:all
+ # audit-audispd-plugins package does not exist in AlmaLinux OS 9
+ # use only package_audispd-plugins_installed
+ - '!package_audit-audispd-plugins_installed'
+ # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
+ # https://github.com/ComplianceAsCode/content/issues/11285
+ - '!rpm_verify_permissions'
+ # these rules do not apply to AlmaLinux but they have to keep the prodtype for historical reasons
+ # most of these packages are no longer available in EL9 distributions
+ - '!package_audit-audispd-plugins_installed'
+ - '!service_ntp_enabled'
+ - '!ntpd_specify_remote_server'
+ - '!ntpd_specify_multiple_servers'
+ - '!set_ipv6_loopback_traffic'
+ - '!set_loopback_traffic'
+ - '!service_ntpd_enabled'
+ - '!package_ypserv_removed'
+ - '!package_ypbind_removed'
+ - '!package_talk_removed'
+ - '!package_talk-server_removed'
+ - '!package_xinetd_removed'
+ - '!package_rsh_removed'
+ - '!package_rsh-server_removed'
+ # Following rules once had a prodtype incompatible with the almalinux9 product
+ - '!service_chronyd_or_ntpd_enabled'
+ - '!install_PAE_kernel_on_x86-32'
+ - '!mask_nonessential_services'
+ - '!aide_periodic_checking_systemd_timer'
+ - '!nftables_ensure_default_deny_policy'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!file_owner_at_allow'
+ - '!ensure_firewall_rules_for_open_ports'
+ - '!cracklib_accounts_password_pam_retry'
+ - '!gnome_gdm_disable_guest_login'
+ - '!sshd_use_strong_kex'
+ - '!sshd_use_approved_macs'
+ - '!group_unique_name'
+ - '!permissions_local_var_log'
+ - '!sshd_use_approved_ciphers'
+ - '!accounts_passwords_pam_tally2'
+ - '!ensure_suse_gpgkey_installed'
+ - '!ensure_redhat_gpgkey_installed'
+ - '!gnome_gdm_disable_unattended_automatic_login'
+ - '!accounts_passwords_pam_tally2_unlock_time'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!set_password_hashing_algorithm_commonauth'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!ensure_shadow_group_empty'
+ - '!service_timesyncd_enabled'
diff --git a/products/almalinux9/profiles/standard.profile b/products/almalinux9/profiles/standard.profile
new file mode 100644
index 00000000000..65b8739c2ee
--- /dev/null
+++ b/products/almalinux9/profiles/standard.profile
@@ -0,0 +1,16 @@
+documentation_complete: false
+
+title: 'Standard System Security Profile for AlmaLinux OS 9'
+
+description: |-
+ This profile contains rules to ensure standard security baseline
+ of an AlmaLinux OS 9 system. Regardless of your system's workload
+ all of these checks should pass.
+
+selections:
+ - sshd_disable_root_login
+ - ensure_almalinux_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - rpm_verify_permissions
+ - security_patches_up_to_date
diff --git a/products/almalinux9/transforms/constants.xslt b/products/almalinux9/transforms/constants.xslt
new file mode 100644
index 00000000000..5b1f302d3a8
--- /dev/null
+++ b/products/almalinux9/transforms/constants.xslt
@@ -0,0 +1,12 @@
+
+
+
+
+AlmaLinux OS 9
+AlmaLinux 9
+ALMALINUX_9_STIG
+almalinux9
+
+https://workbench.cisecurity.org/files/5425/download/7650
+
+
diff --git a/products/almalinux9/transforms/table-style.xslt b/products/almalinux9/transforms/table-style.xslt
new file mode 100644
index 00000000000..8b6caeab8cd
--- /dev/null
+++ b/products/almalinux9/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/products/almalinux9/transforms/xccdf-apply-overlay-stig.xslt b/products/almalinux9/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 00000000000..f2f1d725f12
--- /dev/null
+++ b/products/almalinux9/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
diff --git a/products/almalinux9/transforms/xccdf2table-cce.xslt b/products/almalinux9/transforms/xccdf2table-cce.xslt
new file mode 100644
index 00000000000..f156a669566
--- /dev/null
+++ b/products/almalinux9/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/products/almalinux9/transforms/xccdf2table-profileccirefs.xslt b/products/almalinux9/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 00000000000..30419e92b28
--- /dev/null
+++ b/products/almalinux9/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/products/anolis23/profiles/pci-dss.profile b/products/anolis23/profiles/pci-dss.profile
index e4c22c09d96..0d91935a0be 100644
--- a/products/anolis23/profiles/pci-dss.profile
+++ b/products/anolis23/profiles/pci-dss.profile
@@ -102,6 +102,7 @@ selections:
- '!dconf_db_up_to_date'
- '!bios_enable_execution_restrictions'
- '!ensure_suse_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!selinux_policytype'
- '!gnome_gdm_disable_automatic_login'
diff --git a/products/anolis8/profiles/pci-dss.profile b/products/anolis8/profiles/pci-dss.profile
index 6655cbfac3c..6fbbf775560 100644
--- a/products/anolis8/profiles/pci-dss.profile
+++ b/products/anolis8/profiles/pci-dss.profile
@@ -101,6 +101,7 @@ selections:
- '!package_ypbind_removed'
- '!bios_enable_execution_restrictions'
- '!ensure_suse_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!selinux_policytype'
- '!gnome_gdm_disable_automatic_login'
diff --git a/products/ol8/profiles/pci-dss.profile b/products/ol8/profiles/pci-dss.profile
index c29c05fbe83..009ccf95f01 100644
--- a/products/ol8/profiles/pci-dss.profile
+++ b/products/ol8/profiles/pci-dss.profile
@@ -51,6 +51,7 @@ selections:
# Use Oracle gpgkey rule
- '!ensure_redhat_gpgkey_installed'
- '!ensure_suse_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- 'ensure_oracle_gpgkey_installed'
# Rules not applicable to OL8
- '!package_dhcp_removed'
diff --git a/products/ol9/profiles/pci-dss.profile b/products/ol9/profiles/pci-dss.profile
index d2aa5da92ca..ca75232ab40 100644
--- a/products/ol9/profiles/pci-dss.profile
+++ b/products/ol9/profiles/pci-dss.profile
@@ -51,6 +51,7 @@ selections:
- '!accounts_passwords_pam_tally2'
- '!ensure_suse_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- '!gnome_gdm_disable_unattended_automatic_login'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!cracklib_accounts_password_pam_minlen'
diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile
index 05b230e850f..ecddf30b438 100644
--- a/products/rhel10/profiles/hipaa.profile
+++ b/products/rhel10/profiles/hipaa.profile
@@ -32,6 +32,7 @@ selections:
- '!dconf_gnome_remote_access_encryption'
- '!ensure_suse_gpgkey_installed'
- '!ensure_fedora_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- '!grub2_uefi_admin_username'
- '!grub2_uefi_pass'
- '!service_ypbind_disabled'
diff --git a/products/rhel10/profiles/pci-dss.profile b/products/rhel10/profiles/pci-dss.profile
index 960d0a9d2de..e23020b7aa9 100644
--- a/products/rhel10/profiles/pci-dss.profile
+++ b/products/rhel10/profiles/pci-dss.profile
@@ -57,6 +57,7 @@ selections:
- '!ensure_firewall_rules_for_open_ports'
- '!ensure_shadow_group_empty'
- '!ensure_suse_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- '!install_PAE_kernel_on_x86-32'
- '!mask_nonessential_services'
- '!nftables_ensure_default_deny_policy'
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
index 522b22fe294..b942efc6fc9 100644
--- a/products/rhel8/profiles/pci-dss.profile
+++ b/products/rhel8/profiles/pci-dss.profile
@@ -48,6 +48,7 @@ selections:
- '!cracklib_accounts_password_pam_lcredit'
- '!service_timesyncd_enabled'
- '!ensure_suse_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- '!ensure_shadow_group_empty'
- '!mask_nonessential_services'
- '!gnome_gdm_disable_unattended_automatic_login'
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index 63e40ce0bc6..29b9947da4d 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -61,6 +61,7 @@ selections:
- '!sshd_use_approved_ciphers'
- '!accounts_passwords_pam_tally2'
- '!ensure_suse_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- '!gnome_gdm_disable_unattended_automatic_login'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!cracklib_accounts_password_pam_minlen'
diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
index c1cbd5275d0..3faff51e7c7 100644
--- a/products/sle15/profiles/pci-dss-4.profile
+++ b/products/sle15/profiles/pci-dss-4.profile
@@ -42,6 +42,7 @@ selections:
- '!file_owner_user_cfg'
- '!accounts_passwords_pam_faillock_unlock_time'
- '!ensure_redhat_gpgkey_installed'
+ - '!ensure_almalinux_gpgkey_installed'
- '!firewalld_loopback_traffic_restricted'
- '!accounts_password_pam_lcredit'
- '!file_group_ownership_var_log_audit'
diff --git a/shared/checks/oval/installed_OS_is_almalinux9.xml b/shared/checks/oval/installed_OS_is_almalinux9.xml
new file mode 100644
index 00000000000..eb957dd5338
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_almalinux9.xml
@@ -0,0 +1,34 @@
+
+
+
+ AlmaLinux OS 9
+
+ multi_platform_all
+
+
+ The operating system installed on the system is AlmaLinux OS 9
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/almalinux-release
+
+
+
+
+
+
+ /etc/almalinux-release
+ ^AlmaLinux release 9.[0-9]+ .*$
+ 1
+
+
+
diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
index 19129cc6912..f803e8ff040 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
@@ -4,6 +4,7 @@
Kernel Runtime Parameter IPv6 Check
multi_platform_alinux
+ multi_platform_almalinux
multi_platform_anolis
multi_platform_debian
multi_platform_example
diff --git a/ssg/constants.py b/ssg/constants.py
index baa5484df23..f6a5ff1e0e1 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -40,6 +40,7 @@
product_directories = [
'alinux2',
'alinux3',
+ 'almalinux9',
'anolis8',
'anolis23',
'al2023',
@@ -203,6 +204,7 @@
FULL_NAME_TO_PRODUCT_MAPPING = {
"Alibaba Cloud Linux 2": "alinux2",
"Alibaba Cloud Linux 3": "alinux3",
+ "AlmaLinux OS 9": "almalinux9",
"Anolis OS 8": "anolis8",
"Anolis OS 23": "anolis23",
"Amazon Linux 2023": "al2023",
@@ -289,10 +291,11 @@
"openeuler", "kylinserver",
"opensuse", "sle", "ol", "ocp", "rhcos",
"example", "eks", "alinux", "anolis", "openembedded", "al",
- "slmicro"]
+ "slmicro", "almalinux"]
MULTI_PLATFORM_MAPPING = {
"multi_platform_alinux": ["alinux2", "alinux3"],
+ "multi_platform_almalinux": ["almalinux9"],
"multi_platform_anolis": ["anolis8", "anolis23"],
"multi_platform_debian": ["debian11", "debian12"],
"multi_platform_example": ["example"],
@@ -418,6 +421,7 @@
# _version_name_map = {
MAKEFILE_ID_TO_PRODUCT_MAP = {
'alinux': 'Alibaba Cloud Linux',
+ 'almalinux': 'AlmaLinux OS',
'anolis': 'Anolis OS',
'chromium': 'Google Chromium Browser',
'fedora': 'Fedora',