diff --git a/CMakeLists.txt b/CMakeLists.txt index 5d4bc725f..747c58353 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -80,6 +80,7 @@ option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be bui # unless explicitly asked for. option(SSG_PRODUCT_ALINUX2 "If enabled, the Alibaba Cloud Linux 2 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_ALINUX3 "If enabled, the Alibaba Cloud Linux 3 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) +option(SSG_PRODUCT_ALMALINUX9 "If enabled, the AlmaLinux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_ANOLIS23 "If enabled, the Anolis OS 23 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) @@ -310,6 +311,7 @@ message(STATUS " ") message(STATUS "Products:") message(STATUS "Alibaba Cloud Linux 2: ${SSG_PRODUCT_ALINUX2}") message(STATUS "Alibaba Cloud Linux 3: ${SSG_PRODUCT_ALINUX3}") +message(STATUS "AlmaLinux 9: ${SSG_PRODUCT_ALMALINUX9}") message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}") message(STATUS "Anolis OS 23: ${SSG_PRODUCT_ANOLIS23}") message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}") @@ -380,6 +382,9 @@ endif() if(SSG_PRODUCT_ALINUX3) add_subdirectory("products/alinux3" "alinux3") endif() +if(SSG_PRODUCT_ALMALINUX9) + add_subdirectory("products/almalinux9" "almalinux9") +endif() if(SSG_PRODUCT_ANOLIS8) add_subdirectory("products/anolis8" "anolis8") endif() diff --git a/build_product b/build_product index e6fb86991..5b17c591c 100755 --- a/build_product +++ b/build_product @@ -347,6 +347,7 @@ set_explict_build_targets() { all_cmake_products=( ALINUX2 ALINUX3 + ALMALINUX9 ANOLIS8 ANOLIS23 CHROMIUM diff --git a/components/rpm.yml b/components/rpm.yml index 2b00bd908..4fc431b04 100644 --- a/components/rpm.yml +++ b/components/rpm.yml @@ -9,6 +9,7 @@ rules: - dnf-automatic_apply_updates - dnf-automatic_security_updates_only - ensure_GPG_keys_are_configured +- ensure_almalinux_gpgkey_installed - ensure_fedora_gpgkey_installed - ensure_gpgcheck_globally_activated - ensure_gpgcheck_local_packages diff --git a/controls/anssi.yml b/controls/anssi.yml index d02cd2523..b00619dfa 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -1238,7 +1238,7 @@ controls: - ensure_gpgcheck_never_disabled - ensure_gpgcheck_globally_activated - ensure_gpgcheck_local_packages - - ensure_redhat_gpgkey_installed + - ensure_almalinux_gpgkey_installed - ensure_oracle_gpgkey_installed - id: R60 diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 48406c172..28ae0c5c2 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -353,7 +353,7 @@ controls: - l1_workstation status: manual related_rules: - - ensure_redhat_gpgkey_installed + - ensure_almalinux_gpgkey_installed - id: 1.2.2 title: Ensure gpgcheck is globally activated (Automated) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index b6dfc5736..e7fc56cfe 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -308,7 +308,7 @@ controls: - l1_workstation status: manual related_rules: - - ensure_redhat_gpgkey_installed + - ensure_almalinux_gpgkey_installed - id: 1.2.2 title: Ensure gpgcheck is globally activated (Automated) diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml index 1b2cd2e27..374f27ef7 100644 --- a/controls/pcidss_4.yml +++ b/controls/pcidss_4.yml @@ -1549,7 +1549,7 @@ controls: - base status: automated rules: - - ensure_redhat_gpgkey_installed + - ensure_almalinux_gpgkey_installed - ensure_suse_gpgkey_installed - ensure_gpgcheck_globally_activated - ensure_gpgcheck_never_disabled diff --git a/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml b/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml index 77571c24c..d4672d117 100644 --- a/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml +++ b/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml @@ -12,9 +12,7 @@ controls: - ensure_gpgcheck_globally_activated - ensure_gpgcheck_local_packages - ensure_gpgcheck_never_disabled - {{% if 'rhel' in product %}} - - ensure_redhat_gpgkey_installed - {{% endif %}} + - ensure_almalinux_gpgkey_installed {{% if 'ol' in product %}} - ensure_oracle_gpgkey_installed {{% endif %}} diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml index 49e9d1e29..1de7ebe9b 100644 --- a/controls/stig_rhel9.yml +++ b/controls/stig_rhel9.yml @@ -386,7 +386,7 @@ controls: - medium title: RHEL 9 must ensure cryptographic verification of vendor software packages. rules: - - ensure_redhat_gpgkey_installed + - ensure_almalinux_gpgkey_installed status: automated - id: RHEL-09-214015 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml index 47d373ac3..3583836a0 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml @@ -11,13 +11,13 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

@@ -25,13 +25,13 @@ description: |- utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml index 95271f7f7..37ad3a79c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml @@ -9,24 +9,24 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml index 3e671303b..4e399addd 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml @@ -11,13 +11,13 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

@@ -25,13 +25,13 @@ description: |- utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
{{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml index 446d7bd3c..163387a68 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml @@ -9,24 +9,24 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
{{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml index a83fb513f..59c6d45df 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml @@ -10,13 +10,13 @@ description: |- program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

@@ -24,13 +24,13 @@ description: |- utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
{{%- endif %}}

If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
{{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml index c46dc6dd0..f76604368 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml @@ -9,24 +9,24 @@ description: |- startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
{{%- endif %}} If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
-{{%- if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} +{{%- if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
{{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml index b88b106a4..ec859c6c2 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml index 4431537de..240070ba1 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml index 5f9cad679..0366d1732 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml index 24b333352..5bc3a371b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml index 3ecdebdb5..93fc32b9a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml index 1214ad408..a7dee9775 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh index 53e61fb25..e9a0edcde 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh index 8a48783f6..b846f8113 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # Perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/bash/shared.sh index c1352ae38..31de43746 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/bash/shared.sh index c1352ae38..31de43746 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/bash/shared.sh index c944fb9e6..b506644af 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_rhel,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/bash/shared.sh index c1352ae38..31de43746 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/bash/shared.sh index c1352ae38..31de43746 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/bash/shared.sh index c944fb9e6..b506644af 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_rhel,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/bash/shared.sh index c1352ae38..31de43746 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/bash/shared.sh index c1352ae38..31de43746 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/bash/shared.sh index c944fb9e6..b506644af 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_rhel,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml index 590a5ff6b..5ceb15d9b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/kubernetes/shared.yml index bdf3015c4..658327033 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml index 2e008b37e..7e74c94e7 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu,multi_platform_debian # reboot = false # complexity = low # disruption = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/kubernetes/shared.yml index 7c8e520c1..e5c1d9d93 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml index 9349085f7..b20604aa7 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = false # complexity = low # disruption = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml index 639d76a21..7f4d463d6 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml index 73a9f1dff..6daf2c30b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu,multi_platform_debian # reboot = false # complexity = low # disruption = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml index 083a612a0..3228b89b7 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/tests/missing_auid_filter.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/tests/missing_auid_filter.fail.sh index 009564309..784bba987 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/tests/missing_auid_filter.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/tests/missing_auid_filter.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # packages = audit rm -f /etc/audit/rules.d/* diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh index 1ea2bcfa9..06d0f131a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh index 123bfa32f..e4cf27034 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh index 2c17afeaa..2671c5a97 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh index ea2066f6f..a933d7648 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh index 609e9755d..e3a533a78 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh index caf40c54b..180926634 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh index ee1fdc951..114358c95 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_cis.pass.sh index e2750dbee..f6561744c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_cis.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_cis.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission_cis.pass.sh index d8379bfe5..eff862abe 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission_cis.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission_cis.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key_cis.pass.sh index cbbcb5f67..6e8ac702e 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key_cis.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key_cis.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules_cis.fail.sh index 22b979187..ff6aa93e4 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules_cis.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules_cis.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_cis.fail.sh index afdeb73d1..71066fdfb 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_cis.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_cis.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key_cis.fail.sh index b14bc1951..3788e02a3 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key_cis.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key_cis.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis path="/var/run/faillock" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml index b3f4eb102..e6bb717eb 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh index 8615165ec..002902145 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh index bc3f67c9c..a37ccd0bf 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/audit.rules sed -i '/newgrp/d' /etc/audit/audit.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh index ed2cc6c29..13cbaac12 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged" >> /etc/audit/audit.rules sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh index e1d5d05df..6a758969a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/audit.rules sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh index ec89d9ce8..81e0062b1 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/audit.rules sed -i -E 's/^(.*path=[[:graph:]]+) -F perm=x(.*$)/\1\2/' /etc/audit/audit.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh index ee36da807..bd848737d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 # augenrules is default for rhel7 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh index b6aabf247..8405f0ba1 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # packages = audit # remediation = none -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /tmp/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_extra_rules_configured.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_extra_rules_configured.pass.sh index 12f1b429a..8dea24479 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_extra_rules_configured.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_extra_rules_configured.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules echo "-a always,exit -F path=/usr/bin/notrelevant -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh index 711bae803..617ff1b33 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules sed -i '/newgrp/d' /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh index d272fd1d5..f7c0fec7d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh index ecda20ef9..115487067 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh index 51482922f..4ac366ec9 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules # change key of rules for binaries in /usr/sbin diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_ignore_dracut_tmp.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_ignore_dracut_tmp.pass.sh index 6ef31d987..2da0682e0 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_ignore_dracut_tmp.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_ignore_dracut_tmp.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh index 79c0bb972..2968492ac 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules sed -i -E 's/^(.*path=[[:graph:]]+) -F perm=x(.*$)/\1\2/' /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh index a8667bbfb..471d2aff2 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh index b2e18d1cd..5c56cdb6d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/priv.rules echo "-a always,exit -F path=/usr/bin/notrelevant -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/priv.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh index 81fc6dd16..9c3f84ef8 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 ./generate_privileged_commands_rule.sh {{{ uid_min }}} own_key /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml index d5ec19271..86b0d2358 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml index d891fc1fc..30673c92c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml index ea03eab50..c56b3b568 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml index bb54d9f50..54cc53861 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml index b54fefd34..f426d37f6 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml index de8adac1e..ca7913543 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml index 3b94d7faa..e60224fcd 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml index 8180bd48a..49e035e4a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml index cf58bda23..eca79ad87 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml index 5baa999e7..cb49a4d71 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_rhel +# platform = multi_platform_sle,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh index 29bfc7be7..d0910b1c6 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/insmod", "x", "modules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml index 0d5422c37..923089b93 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["ol7", "rhel7", "rhel8", "rhel9"] %}} +{{%- if product in ["ol7", "rhel7", "rhel8", "rhel9", "almalinux9"] %}} {{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=privileged" %}} {{%- else %}} {{%- set kmod_audit="-w /usr/bin/kmod -p x -k modules" %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/ansible/shared.yml index 8f61ee32a..07ddf4291 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_rhel +# platform = multi_platform_sle,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh index ed9771d0d..665d2cc0f 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_rhel,multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/modprobe", "x", "modules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml index e773b8a2e..49088b389 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml index 54e0d6227..d1de5e66f 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml index a2014eb70..861d6ccfe 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml index 7da59f723..cfea265d7 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml index 32f9f451e..6259d09d0 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml index b7e787772..c67b7f4a8 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml index 1bbfd35d8..f3a008c3a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml index 53dc91957..2f6f1c102 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml index bc443d98c..425cbdbbb 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml index c3cfc617b..4ad88e7e1 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml index 33490fcf5..8bc144232 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml index a33830c58..4c3bc3154 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/ansible/shared.yml index f3c3324e2..d5545d32c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_rhel +# platform = multi_platform_sle,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh index bf0a58b43..0b13f7c0d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/rmmod", "x", "modules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml index 9352b1582..cc3c75c73 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml index 83273d633..583657c1b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml index 0e7b0caf1..5330961e9 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml index 88d9a1d49..11965876a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml index 880059066..7813c164b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml index de9472122..06eff4e3e 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml index 035ad30ce..533a26532 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml index 2887b4eb6..d13d896a0 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml index 9ff295587..6834feddc 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml index 7a160905b..0bdfb0583 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml index bda6d3239..5e69cead0 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml index fe6140d32..6f74fc3ec 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml index c14eefeee..84346ff43 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml index c8c5434f0..84dc1ff4a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh index b57078075..5d03b92a6 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # Traverse all of: # diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/kubernetes/shared.yml index 26d02c24e..28daa9106 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml index 94768073f..6fd009b50 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml index e55119fd1..2e7514b51 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh index 79440e79b..614a4e09c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/etc/selinux/", "wa", "MAC-policy") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml index 889f83178..7896d4cb1 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml index 496670fad..a9cce0a56 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh index b61368c0c..eb3bf47f9 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/usr/share/selinux/", "wa", "MAC-policy") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml index fb56e5550..ea6929b63 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot =false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh index 1e040de05..65a6c1127 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml index 58be87f4b..3adce26dc 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/bash/shared.sh index bd42cc0f1..366b790a4 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/var/run/utmp", "wa", "session") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml index 8b2377d44..39c2bba69 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml index 64e8dde85..3d4f65278 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh index 15d6fa4e2..7f98c9915 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_almalinux # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml index 4b841e808..80473d8ce 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh index 8fdd7e75a..9c16b41cc 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml index 323a798b1..46fad7416 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh index 027623091..c1c2c1952 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml index 336beb2b7..26c47e462 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification/bash/shared.sh index 07965e2c7..908fa6e54 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/etc/group", "wa", "audit_rules_usergroup_modification") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/bash/shared.sh index 24b4da6b6..1b2b4dd27 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian {{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml index 49c97e395..51f48c0f9 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh index c511ede45..617b679c5 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml index ec76157d4..0f9e9f7cc 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/bash/shared.sh index b7f44ab38..e6b1d1856 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml index 3f43030e9..85e9a47c8 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/bash/shared.sh index b7f44ab38..e6b1d1856 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml index 8a58bbc38..1a73014dc 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/bash/shared.sh index 0899dcded..fa722e21d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/etc/localtime", "wa", "audit_time_rules") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/kubernetes/shared.yml index 140506b60..4290a051f 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/kubernetes/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml index ec17adf55..0ecb4079c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh index 09d4e8ff5..6a8e8bdab 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_almalinux groupadd group_test diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/bash/shared.sh index 0dad1bfe1..29632f729 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev) diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/correct_value_0700.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/correct_value_0700.pass.sh index 7e8c49123..999d914cd 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/correct_value_0700.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/correct_value_0700.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux source common_0700.sh diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/correct_value_default_0700.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/correct_value_default_0700.pass.sh index 7cfadc195..3bb0cefbb 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/correct_value_default_0700.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/correct_value_default_0700.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux source common_0700.sh diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/incorrect_value_0700.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/incorrect_value_0700.fail.sh index 3654389ed..64e3e8ebc 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/incorrect_value_0700.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/incorrect_value_0700.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux source common_0700.sh diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/incorrect_value_default_file_0700.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/incorrect_value_default_file_0700.fail.sh index b93254a4b..c7d66ccbb 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/incorrect_value_default_file_0700.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/directory_permissions_var_log_audit/tests/incorrect_value_default_file_0700.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux source common_0700.sh diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh index 6f19e15c6..b1d995c61 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_almalinux if grep -iwq "log_file" /etc/audit/auditd.conf; then FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value_non-root_group.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value_non-root_group.fail.sh index cf4b02b90..cd69f17c2 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value_non-root_group.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value_non-root_group.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_almalinux if grep -iwq "log_file" /etc/audit/auditd.conf; then FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value_default_file.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value_default_file.pass.sh index 3a0d9a4e9..ab43ceb2b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value_default_file.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value_default_file.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux #!/bin/bash sed -i "/^\s*log_file.*/d" /etc/audit/auditd.conf diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value_default_file.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value_default_file.fail.sh index 1879113b8..8798ae1ae 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value_default_file.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value_default_file.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux #!/bin/bash sed -i "/^\s*log_file.*/d" /etc/audit/auditd.conf diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml index 722f6731a..7f1879db2 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh index 0b42da512..013401d8c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/correct_value_0600.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/correct_value_0600.pass.sh index 15023ca70..488ef3e3f 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/correct_value_0600.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/correct_value_0600.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = audit source common_0600.sh diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/correct_value_default_file_0600.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/correct_value_default_file_0600.pass.sh index 04d76809f..6475f83ae 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/correct_value_default_file_0600.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/correct_value_default_file_0600.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = audit source common_0600.sh diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/incorrect_value_0600.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/incorrect_value_0600.fail.sh index aea9d1b10..3f045e4c7 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/incorrect_value_0600.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/incorrect_value_0600.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = audit source common_0600.sh diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/incorrect_value_default_file_0600.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/incorrect_value_default_file_0600.fail.sh index 003e3330f..368540adc 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/incorrect_value_default_file_0600.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit/tests/incorrect_value_default_file_0600.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = audit source common_0600.sh diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml index 1e0529f08..9ed9948a4 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh index 53a56e255..554799735 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_audispd_remote_server") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/ansible/shared.yml index 942cd0f5d..a53df57b1 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh index 36e7f8cda..842f3922d 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_audispd_disk_full_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml index ad68d3a77..0a285fe7c 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml @@ -56,7 +56,7 @@ ocil: |- fixtext: |- Configure {{{ full_name }}} to encrypt audit records sent with audispd plugin. -{{% if product in ["rhel8", "rhel9", "fedora", "ol8", "rhv4"] %}} +{{% if product in ["rhel8", "rhel9", "almalinux9", "fedora", "ol8", "rhv4"] %}} Set the "transport" option in "{{{ audisp_conf_path }}}/audisp-remote.conf" to "KRB5". {{% else %}} Uncomment the "enable_krb5" option in "{{{ audisp_conf_path }}}/audisp-remote.conf", diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/ansible/shared.yml index 71fc81683..835402712 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/bash/shared.sh index d1a513600..8ca091bea 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_audispd_network_failure_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_absent.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_absent.fail.sh index d244d4bd0..ec516de8a 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_absent.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_absent.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle . $SHARED/auditd_utils.sh prepare_auditd_test_enviroment diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_set.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_set.pass.sh index af96da871..3bcbba05c 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_set.pass.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_set.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle . $SHARED/auditd_utils.sh prepare_auditd_test_enviroment diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated.pass.sh index caf9766f5..e559c56ae 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated.pass.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = bash . $SHARED/auditd_utils.sh diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated_not_there.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated_not_there.fail.sh index c87268eae..d28fac1a9 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated_not_there.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated_not_there.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = bash . $SHARED/auditd_utils.sh diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_not_activated.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_not_activated.fail.sh index 0bb1518ef..d1023b9e6 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_not_activated.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_not_activated.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = bash . $SHARED/auditd_utils.sh diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml index b075778f5..d9baf1b4f 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh index d0065b38c..7027992a4 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_instantiate_variables("var_auditd_disk_error_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/ansible/shared.yml index 06f4a10c6..ba788edbf 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/bash/shared.sh index 78726bbc6..0a36846ab 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_instantiate_variables("var_auditd_disk_error_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml index 0adf2b538..376952524 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh index ce4f4d029..6ab8e06dd 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_auditd_disk_full_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/ansible/shared.yml index 61cc4751d..7f66a5c15 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/bash/shared.sh index 8ab6e16ab..110211558 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_auditd_disk_full_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml index b82e6d174..717e52b99 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh index dfb8d3035..28e3fd6c9 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_auditd_action_mail_acct") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml index 49efdc918..ab901e892 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh index f377a92dd..44680a119 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_auditd_admin_space_left_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml index 9c8afcfa3..53a6da7e0 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh index 79b916559..40632d099 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle {{{ bash_instantiate_variables("var_auditd_flush") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_data.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_data.fail.sh index ba44b2bb5..303e1d8f7 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_data.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_data.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # profiles = xccdf_org.ssgproject.content_profile_ospp # remediation = bash diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_incremental.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_incremental.fail.sh index a8f68412c..0c0d35e0d 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_incremental.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_incremental.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # profiles = xccdf_org.ssgproject.content_profile_ospp # remediation = bash diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_incremental_async.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_incremental_async.pass.sh index f3301e81a..eb39696dd 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_incremental_async.pass.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_incremental_async.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # profiles = xccdf_org.ssgproject.content_profile_ospp # remediation = bash diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_none.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_none.fail.sh index 64ebd312f..c43471049 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_none.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_none.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # profiles = xccdf_org.ssgproject.content_profile_ospp # remediation = bash diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_not_there.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_not_there.fail.sh index f6e0c1088..a51782746 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_not_there.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_not_there.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # profiles = xccdf_org.ssgproject.content_profile_ospp # remediation = bash diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_sync.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_sync.fail.sh index 47f3daf89..5cab1da02 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_sync.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/tests/flush_sync.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # profiles = xccdf_org.ssgproject.content_profile_ospp # remediation = bash diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml index c70cd104e..c97fbf56e 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh index 8a53bf847..95c5446b6 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_auditd_max_log_file") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml index 69ae3cb89..f48f36569 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh index 5007f965f..4c06ea831 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/ansible/shared.yml index 69ae3cb89..f48f36569 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/bash/shared.sh index 4609f8ec9..f4b4664e3 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml index 7deaa0607..748a59d80 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml index ab0bea58e..a6158699d 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh index a53f062b5..e0200450d 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_auditd_space_left") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml index ec0ed4850..3c3b130e8 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh index b6e0267bb..990063e2f 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_auditd_space_left_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml index 015e9d6ef..cb221f19e 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh index a08fddc90..1b881f0ff 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml index 12d8541cb..a3d1c459b 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh index f308bd675..e9789ea24 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml index 55f407e01..b9084af21 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml b/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml index 0e80ce5f7..ce671e76b 100644 --- a/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml @@ -35,7 +35,7 @@ template: pkgname@ubuntu1804: audispd-plugins pkgname@ubuntu2004: audispd-plugins -{{% if product in ["rhel7", "rhel8", "rhel9"] %}} +{{% if product in ["rhel7", "rhel8", "rhel9", "almalinux9"] %}} warnings: - general: This package is not available in {{{ full_name }}} [{{{ product }}}]. The correct package diff --git a/linux_os/guide/auditing/policy_rules/audit_access_failed_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_access_failed_aarch64/kubernetes/shared.yml index f29a4afc6..26ac0688c 100644 --- a/linux_os/guide/auditing/policy_rules/audit_access_failed_aarch64/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_access_failed_aarch64/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml index 412c67f15..ec1467404 100644 --- a/linux_os/guide/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_access_success/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_access_success/kubernetes/shared.yml index 413293083..3f8c50a39 100644 --- a/linux_os/guide/auditing/policy_rules/audit_access_success/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_access_success/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_access_success_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_access_success_aarch64/kubernetes/shared.yml index 1d08bae3a..3e2300448 100644 --- a/linux_os/guide/auditing/policy_rules/audit_access_success_aarch64/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_access_success_aarch64/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml index 372b7c27c..4e2ce77e9 100644 --- a/linux_os/guide/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_basic_configuration/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_basic_configuration/kubernetes/shared.yml index f62426900..bd3ddd10a 100644 --- a/linux_os/guide/auditing/policy_rules/audit_basic_configuration/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_basic_configuration/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_create_failed_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_create_failed_aarch64/kubernetes/shared.yml index c26dc39be..d32b854fd 100644 --- a/linux_os/guide/auditing/policy_rules/audit_create_failed_aarch64/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_create_failed_aarch64/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml index 08c8dc855..e9277f263 100644 --- a/linux_os/guide/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml index dab3d0eaa..620596c44 100644 --- a/linux_os/guide/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_failed_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_failed_aarch64/kubernetes/shared.yml index 22d3990f0..ed4f8bce8 100644 --- a/linux_os/guide/auditing/policy_rules/audit_delete_failed_aarch64/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_delete_failed_aarch64/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml index 2fb2c25aa..e182781c4 100644 --- a/linux_os/guide/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml index bff04fe4c..a56d7f18f 100644 --- a/linux_os/guide/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos {{% set file_contents = """## Successful file delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml index 37b8b3676..d1be71273 100644 --- a/linux_os/guide/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos {{% set file_contents = """## Successful file delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml index a46066d62..731636c7f 100644 --- a/linux_os/guide/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos {{% set file_contents = """## Successful file delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete""" -%}} diff --git a/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/kubernetes/shared.yml index ff5e61676..f7012bed2 100644 --- a/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_failed/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_failed/kubernetes/shared.yml index 2d9279849..ec6477378 100644 --- a/linux_os/guide/auditing/policy_rules/audit_modify_failed/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_modify_failed/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_failed_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_failed_aarch64/kubernetes/shared.yml index dae466002..527bc8489 100644 --- a/linux_os/guide/auditing/policy_rules/audit_modify_failed_aarch64/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_modify_failed_aarch64/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml index f07ff3607..62de7826c 100644 --- a/linux_os/guide/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_success/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_success/kubernetes/shared.yml index c6f796967..7a6e545c4 100644 --- a/linux_os/guide/auditing/policy_rules/audit_modify_success/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_modify_success/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_success_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_success_aarch64/kubernetes/shared.yml index 212ec4ba5..62e1ee6de 100644 --- a/linux_os/guide/auditing/policy_rules/audit_modify_success_aarch64/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_modify_success_aarch64/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml index 92310b977..e76e314a6 100644 --- a/linux_os/guide/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_module_load/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_module_load/kubernetes/shared.yml index f8cd8b73d..090554c02 100644 --- a/linux_os/guide/auditing/policy_rules/audit_module_load/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_module_load/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml index 231034a9c..460877cec 100644 --- a/linux_os/guide/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_ospp_general/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_ospp_general/kubernetes/shared.yml index 6002067e5..0515753c4 100644 --- a/linux_os/guide/auditing/policy_rules/audit_ospp_general/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_ospp_general/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml index c122b209f..d1f676a94 100644 --- a/linux_os/guide/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml index fa81ece03..7a26684d2 100644 --- a/linux_os/guide/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml +++ b/linux_os/guide/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/auditing/service_auditd_enabled/kubernetes/shared.yml b/linux_os/guide/auditing/service_auditd_enabled/kubernetes/shared.yml index 89d6152dc..7afbf02b7 100644 --- a/linux_os/guide/auditing/service_auditd_enabled/kubernetes/shared.yml +++ b/linux_os/guide/auditing/service_auditd_enabled/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/services/base/service_kdump_disabled/anaconda/shared.anaconda b/linux_os/guide/services/base/service_kdump_disabled/anaconda/shared.anaconda index 1f6a233ed..9f3a4d6b4 100644 --- a/linux_os/guide/services/base/service_kdump_disabled/anaconda/shared.anaconda +++ b/linux_os/guide/services/base/service_kdump_disabled/anaconda/shared.anaconda @@ -1,3 +1,3 @@ -# platform = multi_platform_rhel,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol kdump --disable diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/bash/shared.sh b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/bash/shared.sh index 646e63f4b..cb346ebf4 100644 --- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/bash/shared.sh +++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # Use LDAP for authentication diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml index 3a86771d6..bacfaa7d0 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh index 743d47775..54354e10c 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh +++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_debian {{{ bash_instantiate_variables("var_postfix_root_mail_alias") }}} diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml index c5e7ae18c..1ab2a0a40 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh index befe1acf3..e36b1fd3e 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh +++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_postfix_inet_interfaces") }}} diff --git a/linux_os/guide/services/ntp/chronyd_client_only/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_client_only/bash/shared.sh index 524cdc7d0..2678708d2 100644 --- a/linux_os/guide/services/ntp/chronyd_client_only/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_client_only/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol {{{ bash_replace_or_append(chrony_conf_path, '^port', '0', '%s %s') }}} diff --git a/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml index c435df983..b80ffbf7b 100644 --- a/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/bash/shared.sh index 25b768688..a1e46bc12 100644 --- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol {{{ bash_replace_or_append(chrony_conf_path, '^cmdport', '0', '%s %s') }}} diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml index c435df983..b80ffbf7b 100644 --- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml index c435df983..b80ffbf7b 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml index c435df983..b80ffbf7b 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml index c435df983..b80ffbf7b 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml index 595aa3c95..f2880e388 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml @@ -5,7 +5,7 @@ # disruption = low {{%- set ok_by_default = false %}} -{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "ol9", "fedora"] %}} +{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "almalinux9", "ol9", "fedora"] %}} {{%- set ok_by_default = true %}} {{%- endif %}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh index 462528038..da0f9330b 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh @@ -1,6 +1,6 @@ # platform = multi_platform_all {{%- set ok_by_default = false %}} -{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "ol9", "fedora"] %}} +{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "almalinux9", "ol9", "fedora"] %}} {{%- set ok_by_default = true %}} {{%- endif %}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml index e1d712f25..1a6e10840 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml @@ -1,5 +1,5 @@ {{%- set ok_by_default = false %}} -{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "ol9", "fedora"] %}} +{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "almalinux9", "ol9", "fedora"] %}} {{%- set ok_by_default = true %}} {{%- endif %}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml index b49373989..30f32f821 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true title: 'Ensure that chronyd is running under chrony user account' {{%- set ok_by_default = false %}} -{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "ol9", "fedora"] %}} +{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9", "almalinux9", "ol9", "fedora"] %}} {{%- set ok_by_default = true %}} {{%- endif %}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh index 2e3d4e406..a348b99df 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # packages = chrony diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh index b75e59c2e..6c3415c34 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # packages = chrony diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.pass.sh index e7c266e7f..7ce4dd93a 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.pass.sh +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # packages = chrony diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.pass.sh index 7b9cbcb9a..154effcbd 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.pass.sh +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # packages = chrony diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh index 0b8c54cfb..7a44d477b 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # packages = chrony diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh index 69908e41f..0c506bca3 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # packages = chrony diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh index b2427c1d5..2d62ca68b 100644 --- a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none echo "" > {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh index 16c634e0a..e0e0b136a 100644 --- a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none rm -f {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh index 56b414e2e..c28bc2f7f 100644 --- a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none echo "some line" > {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh index 01a21e0b0..3b8082c73 100644 --- a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh +++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none sed -i "^pool.*" {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh index 6f45a555f..5d03e6e21 100644 --- a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none sed -i "^server.*" {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh index ec9e58c75..1a31ccf74 100644 --- a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh +++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux sed -i "^pool.*" {{{ chrony_conf_path }}} echo "server 0.pool.ntp.org" > {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh index d74bde623..8f83241cd 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux echo "server 0.pool.ntp.org" > {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh index 56cee5abd..a8d771d62 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux echo "pool 0.pool.ntp.org" > {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh index 50e0715cc..e75a1ec07 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux echo "" > {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh index d89bdb1e5..a56b2e0dc 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux rm -f {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh index ce121222a..3c7d36f8b 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux echo "some line" > {{{ chrony_conf_path }}} echo "another line" >> {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh index 917d2e610..eccff3389 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux echo "server 0.pool.ntp.org" > {{{ chrony_conf_path }}} echo "server 1.pool.ntp.org" >> {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh index 5f0ad2c6e..7c6175efb 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = chrony -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux echo "server " > {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml b/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml index bb3ac288b..62f8e5a3f 100644 --- a/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml @@ -47,7 +47,7 @@ template: vars: servicename: ntp -{{% if product in ["rhel7", "rhel8", "rhel9", "sle15"] %}} +{{% if product in ["rhel7", "rhel8", "rhel9", "almalinux9", "sle15"] %}} warnings: - general: {{% if product == "rhel7" %}} diff --git a/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml index 3cfd6d067..6ab7288f0 100644 --- a/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml @@ -49,7 +49,7 @@ template: platform: package[ntp] -{{% if product in ["rhel8", "rhel9", "sle15"] %}} +{{% if product in ["rhel8", "rhel9", "almalinux9", "sle15"] %}} warnings: - general: The
ntp
package is not available in {{{ full_name }}}. Please diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml index ba96f00d5..ad79b5ea4 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml @@ -44,7 +44,7 @@ template: vars: pkgname: xinetd -{{% if product in ["rhel9"] %}} +{{% if product in ["rhel9", "almalinux9"] %}} warnings: - general: The package is not available in {{{ full_name }}}. diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml index 10bac615f..9cf17fb5e 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml @@ -37,7 +37,7 @@ template: vars: pkgname: ypbind -{{% if product in ["rhel9"] %}} +{{% if product in ["rhel9", "almalinux9"] %}} warnings: - general: The package is not available in {{{ full_name }}}. diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml index 0414eabc7..5bbc3963d 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml @@ -47,7 +47,7 @@ template: vars: pkgname: ypserv -{{% if product in ["rhel9"] %}} +{{% if product in ["rhel9", "almalinux9"] %}} warnings: - general: The package is not available in {{{ full_name }}}. diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/ansible/shared.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/ansible/shared.yml index 9c6fc297c..7db8e8320 100644 --- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/ansible/shared.yml +++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/bash/shared.sh b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/bash/shared.sh index e64838b15..baaa07631 100644 --- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/bash/shared.sh +++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu find /root -xdev -type f -name ".rhosts" -exec rm -f {} \; find /home -maxdepth 2 -xdev -type f -name ".rhosts" -exec rm -f {} \; diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml index ada9d1653..9d94a40bf 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml @@ -48,7 +48,7 @@ template: vars: pkgname: rsh-server -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["rhel8", "rhel9", "almalinux9"] %}} warnings: - general: The package is not available in {{{ full_name }}}. diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml index bf34d2106..8e9449f00 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml @@ -56,7 +56,7 @@ template: pkgname@ubuntu2004: rsh-client pkgname@ubuntu2204: rsh-client -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["rhel8", "rhel9", "almalinux9"] %}} warnings: - general: The package is not available in {{{ full_name }}}. diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml index e5ebfb140..c4add39f7 100644 --- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml @@ -29,7 +29,7 @@ template: vars: pkgname: talk-server -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["rhel8", "rhel9", "almalinux9"] %}} warnings: - general: The package is not available in {{{ full_name }}}. diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml index 9990302be..2381fe6a2 100644 --- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml @@ -38,7 +38,7 @@ template: vars: pkgname: talk -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["rhel8", "rhel9", "almalinux9"] %}} warnings: - general: The package is not available in {{{ full_name }}}. diff --git a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/ansible/shared.yml b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/ansible/shared.yml index a66068605..f25b95045 100644 --- a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/ansible/shared.yml +++ b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/bash/shared.sh b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/bash/shared.sh index 9e1f01f53..d7d4c2651 100644 --- a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/bash/shared.sh +++ b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_almalinux ###################################################################### #By Luke "Brisk-OH" Brisk #luke.brisk@boeing.com or luke.brisk@gmail.com diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/correct_groupowner.pass.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/correct_groupowner.pass.sh index cd5171c1b..6301578ba 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/correct_groupowner.pass.sh +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/correct_groupowner.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux if ! grep -q ssh_keys /etc/group; then groupadd ssh_keys diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/incorrect_groupowner.fail.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/incorrect_groupowner.fail.sh index 840370623..c64f052be 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/incorrect_groupowner.fail.sh +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/incorrect_groupowner.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux test_group="cac_testgroup" groupadd $test_group diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/multiple_keys.fail.sh index 4964fe4a1..f5fd88dd3 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/multiple_keys.fail.sh +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/multiple_keys.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux test_group="cac_testgroup" groupadd $test_group diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/correct_groupowner.pass.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/correct_groupowner.pass.sh index 8028e0466..36ebda0b3 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/correct_groupowner.pass.sh +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/correct_groupowner.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX.pub) chgrp root "$FAKE_KEY" diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/incorrect_groupowner.fail.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/incorrect_groupowner.fail.sh index 56c713f3d..505f3adfb 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/incorrect_groupowner.fail.sh +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/incorrect_groupowner.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux test_group="cac_testgroup" groupadd $test_group diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/missing_file_test.pass.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/missing_file_test.pass.sh index 7cffa2c97..9c0f3a28b 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/missing_file_test.pass.sh +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/missing_file_test.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux rm -f /etc/ssh/*.pub diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/multiple_keys.fail.sh index b6bef987d..799d5044b 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/multiple_keys.fail.sh +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/multiple_keys.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux test_group="cac_testgroup" groupadd $test_group diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/correct_owner.pass.sh b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/correct_owner.pass.sh index b36e8a3d7..494455df2 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/correct_owner.pass.sh +++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/correct_owner.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key) chown root "$FAKE_KEY" diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/incorrect_owner.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/incorrect_owner.fail.sh index 30da398eb..4ee3a3c1f 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/incorrect_owner.fail.sh +++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/incorrect_owner.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux test_user="cac_testuser" useradd $test_user diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/multiple_keys.fail.sh index 59f414be3..484da1eec 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/multiple_keys.fail.sh +++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/multiple_keys.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux test_user="cac_testuser" useradd $test_user diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/correct_owner.pass.sh b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/correct_owner.pass.sh index adc985a1a..489f65995 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/correct_owner.pass.sh +++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/correct_owner.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX.pub) chown root "$FAKE_KEY" diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/incorrect_owner.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/incorrect_owner.fail.sh index 4fa528fe3..bbc3c6147 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/incorrect_owner.fail.sh +++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/incorrect_owner.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux test_user="cac_testuser" useradd $test_user diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/multiple_keys.fail.sh index 16878dc1d..6c3983a9d 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/multiple_keys.fail.sh +++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/multiple_keys.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux test_user="cac_testuser" useradd $test_user diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/altcorrect_permissions.pass.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/altcorrect_permissions.pass.sh index 28325e1f7..d19148a0b 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/altcorrect_permissions.pass.sh +++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/altcorrect_permissions.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key) chown root:ssh_keys "$FAKE_KEY" diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/altlenient_permissions.fail.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/altlenient_permissions.fail.sh index 63e2d8642..8a5a658b5 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/altlenient_permissions.fail.sh +++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/altlenient_permissions.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key) chown root:ssh_keys "$FAKE_KEY" diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/supercompliance.pass.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/supercompliance.pass.sh index 48ecfbcac..c5a05db8b 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/supercompliance.pass.sh +++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/supercompliance.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key) chown root:ssh_keys "$FAKE_KEY" diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml index 5a97f74df..104b27f3f 100644 --- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml index 280020823..582a114c6 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml @@ -53,7 +53,7 @@ - {{% if product in ["fedora", "ol9", "rhel9"] %}} + {{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} /etc/NetworkManager/system-connections .*\.nmconnection ^zone=(.*)$ @@ -83,7 +83,7 @@ - {{% if product in ["fedora", "ol9", "rhel9"] %}} + {{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} /etc/NetworkManager/system-connections .*\.nmconnection {{% else %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml index 39102e5d7..2dcfeeb0f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh index ba5987621..d972650ea 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Protocol', '2', '%s %s') }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml index f8d422c6c..aafcd046f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh index c7212d5b8..dc1e8c4b9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{{ bash_instantiate_variables("var_sshd_disable_compression") }}} {{{ bash_sshd_remediation("Compression", "$var_sshd_disable_compression") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh index f1c15c139..b22ea6c66 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 9,AlmaLinux 9 SSHD_PARAM="Compression" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/ansible/shared.yml index 228a1166a..6ba91af43 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh index 5a1ec5cf7..d240b4711 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh index 9b10c1d19..9d45a7368 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_rekey_limit_time=1h mkdir -p /etc/ssh/sshd_config.d diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh index 6bd150bbc..50057c216 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_rekey_limit_size=512M mkdir -p /etc/ssh/sshd_config.d diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh index 59aaab6dc..5a12d9fc2 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux 9 mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh index bc254a3a5..7cf6f6145 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 9,AlmaLinux 9 SSHD_PARAM="RekeyLimit" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ospp_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ospp_ok.pass.sh index a31a14f8a..c9d542ec0 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ospp_ok.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ospp_ok.pass.sh @@ -1,4 +1,4 @@ -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp mkdir -p /etc/ssh/sshd_config.d diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ospp_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ospp_ok.pass.sh index 021280218..904930d1a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ospp_ok.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ospp_ok.pass.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp mkdir -p /etc/ssh/sshd_config.d diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml index 5b54ab892..4213bc152 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value_directory.pass.sh index 66b0d783a..78adcaa64 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value_directory.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value_directory.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 9,AlmaLinux 9 SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d" SSHD_CONFIG="${SSHD_CONFIG_DIR}/good_config.conf" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict_directory.fail.sh index ea5e8f16c..5df0dd4af 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict_directory.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict_directory.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 9,AlmaLinux 9 SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d" SSHD_CONFIG_BAD="${SSHD_CONFIG_DIR}/bad_config.conf" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value_directory.fail.sh index ead09cc23..c4dae825a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value_directory.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value_directory.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 9,AlmaLinux 9 SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d" SSHD_CONFIG="${SSHD_CONFIG_DIR}/bad_config.conf" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml index be6b3672f..869beb409 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh index e777ce8fe..588ca64d7 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian {{{ bash_instantiate_variables("var_sshd_set_keepalive") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh index 8c774768c..9e8a8c6cd 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_sshd_set_keepalive=1 SSHD_CONFIG="/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh index acbca14d8..287c3763a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_sshd_set_keepalive=1 mkdir -p /etc/ssh/sshd_config.d diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh index 17f1bd721..49ba4cfa7 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_sshd_set_keepalive=1 SSHD_CONFIG="/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml index a7a2ed3d6..f4ba85ff9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh index 2920273f9..32fba975e 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("sshd_max_auth_tries_value") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh index fcdb800c2..77c3e82da 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel, multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_almalinux, multi_platform_fedora #!/bin/bash SSHD_CONFIG="/etc/ssh/sshd_config" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh index 4319832c0..313cc1c9d 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu source common.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh index 64199ace8..438c06875 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu source common.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh index dfe21de81..9ec1188e8 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu source common.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh index 63774b1e3..780664422 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu source common.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh index a9ddcf7c1..e696c5c82 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu source common.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh index 682758a9d..7f2f9144a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu source common.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh index 4cac68a12..e329787c3 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu source common.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/default_correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/default_correct_value.pass.sh index edb2553d2..2bfd42c86 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/default_correct_value.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/default_correct_value.pass.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^MACs', "hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com", '%s %s') }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/wrong_value.fail.sh index b903a7a08..cd6f95db4 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/wrong_value.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/wrong_value.fail.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^MACs', "wrong_value_expected_to_fail.com", '%s %s') }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/good_cipher.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/good_cipher.pass.sh index ba493f99f..dad0a61e3 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/good_cipher.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/good_cipher.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux sed -i 's/^\s*Ciphers\s.*//i' /etc/ssh/sshd_config echo "Ciphers aes256-ctr" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/no_ciphers.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/no_ciphers.fail.sh index 27a2e37ac..3e678dccb 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/no_ciphers.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/no_ciphers.fail.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux sed -i 's/^\s*Ciphers\s/# &/i' /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/good_mac.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/good_mac.pass.sh index ca08e633a..f90fa48d6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/good_mac.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/good_mac.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux sed -i 's/^\s*MACs\s.*//i' /etc/ssh/sshd_config echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/no_macs.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/no_macs.fail.sh index 5a98fc0eb..846cdd444 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/no_macs.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/no_macs.fail.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux sed -i 's/^\s*MACs\s/# &/i' /etc/ssh/sshd_config diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml index 202fc7f44..711cc57c6 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh index 68a6a1291..740c94e10 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol {{{ bash_instantiate_variables("var_sssd_ldap_tls_ca_dir") }}} diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml index 891b3e2f9..6cb0bce26 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh index 5c83263bc..91e28ba16 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol {{{ bash_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}} diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml index b38bc41fe..33c5c9034 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh index 564e32815..02bed6db8 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol {{{ bash_sssd_ldap_config(parameter="ldap_id_use_start_tls", value="true") }}} diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml index 02cfde93e..1b9644302 100644 --- a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh index a7e449e52..84da3094e 100644 --- a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh index 09e863e4a..ba1f546e9 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml index 1fec69763..2c6be5e1f 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml @@ -47,7 +47,7 @@ replace: 'pam_cert_auth = True' with_items: "{{ sssd_conf_d_files.files }}" -{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} +{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} - name: '{{{ rule_title }}} - Check if system relies on authselect' ansible.builtin.stat: path: /usr/bin/authselect diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh index b896f4f7d..01802032f 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh @@ -13,7 +13,7 @@ umask u=rw,go= umask $OLD_UMASK -{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} +{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} if [ -f /usr/bin/authselect ]; then {{{ bash_enable_authselect_feature('with-smartcard') | indent(4) }}} else diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml b/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml index 1cadee2e4..dfd1e3568 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml @@ -5,7 +5,7 @@ - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} (?i)true - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml index bb15da50b..4fb83496c 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml @@ -10,7 +10,7 @@ description: |-
[pam]
     pam_cert_auth = True
     
- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} Add or update "pam_sss.so" line in auth section of "/etc/pam.d/system-auth" file to include "try_cert_auth" or "require_cert_auth" option, like in the following example:
@@ -60,7 +60,7 @@ ocil: |-
     If configured properly, output should be
     
pam_cert_auth = True
- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} To verify that smart cards are enabled in PAM files, run the following command:
$ sudo grep -e "auth.*pam_sss\.so.*\(allow_missing_name\|try_cert_auth\)" /etc/pam.d/smartcard-auth /etc/pam.d/system-auth
If configured properly, output should be @@ -75,7 +75,7 @@ fixtext: |- pam_cert_auth = True - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} Enable the with-smartcard feature using the authselect command: sudo authselect enable-feature with-smartcard sudo authselect apply-changes -b diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh index bcaae2a60..557b38fd7 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,sssd -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # remediation = none SSSD_FILE="/etc/sssd/sssd.conf" diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh index 5f4aaa725..61c139b34 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,sssd -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSSD_FILE="/etc/sssd/sssd.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh index 860e0bb6c..ce5ac4325 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,sssd -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSSD_FILE="/etc/sssd/sssd.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh index 7e2019cff..abc286cb3 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,sssd -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSSD_FILE="/etc/sssd/conf.d/unused.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh index 78b79752a..b49c8942d 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,sssd -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSSD_FILE="/etc/sssd/sssd.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh index aaf33d7b0..30144aeae 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,sssd -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSSD_FILE="/etc/sssd/sssd.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh index b1ed28f39..6cbd85707 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,sssd -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSSD_FILE="/etc/sssd/conf.d/unused.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing.fail.sh index 85bb1de67..fb0e3b2df 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,sssd -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSSD_FILE="/etc/sssd/sssd.conf" echo "[pam]" > $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing_file.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing_file.fail.sh index 43e19d382..6c7a50002 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing_file.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing_file.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,sssd -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSSD_FILE="/etc/sssd/sssd.conf" rm -f $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml index efd5408e4..8e7ade7bc 100644 --- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh index e7d5d3916..ed768f876 100644 --- a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle {{{ bash_instantiate_variables("var_sssd_memcache_timeout") }}} diff --git a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh index 3da9609d7..06586bd8a 100644 --- a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol MAIN_CONF="/etc/sssd/conf.d/ospp.conf" diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml index b92e1d3a6..747a90b31 100644 --- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh index f066ef1bd..01254fa6f 100644 --- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux {{{ bash_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}} diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/kubernetes/shared.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/kubernetes/shared.yml index 331627492..72a361b30 100644 --- a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/kubernetes/shared.yml +++ b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/kubernetes/shared.yml @@ -1,3 +1,3 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos {{{ kubernetes_usbguard_set(["xccdf_org.ssgproject.content_rule_package_usbguard_installed"]) }}} diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/kubernetes/shared.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/kubernetes/shared.yml index 9f18591b3..b49d5217a 100644 --- a/linux_os/guide/services/usbguard/package_usbguard_installed/kubernetes/shared.yml +++ b/linux_os/guide/services/usbguard/package_usbguard_installed/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/kubernetes/shared.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/kubernetes/shared.yml index e9c55dfb0..9be805c13 100644 --- a/linux_os/guide/services/usbguard/service_usbguard_enabled/kubernetes/shared.yml +++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/kubernetes/shared.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/kubernetes/shared.yml index 5ef460be8..8a12559f6 100644 --- a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/kubernetes/shared.yml +++ b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos {{% macro usbguard_hid_and_hub_config_source() %}} allow with-interface match-all { 03:*:* 09:00:* } {{%- endmacro -%}} diff --git a/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml b/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml index cca593262..5ac5c0678 100644 --- a/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml +++ b/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/services/usbguard/usbguard_generate_policy/bash/shared.sh b/linux_os/guide/services/usbguard/usbguard_generate_policy/bash/shared.sh index 88d55f160..f2f336700 100644 --- a/linux_os/guide/services/usbguard/usbguard_generate_policy/bash/shared.sh +++ b/linux_os/guide/services/usbguard/usbguard_generate_policy/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml index 1dea09b2f..cbc23c694 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh index 63ceaaf88..e50ada3e4 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("login_banner_text") }}} diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/kubernetes/shared.yml index c2feb1fbc..116c6cde5 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/kubernetes/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml index 5735d2035..0ca7771ef 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh index 4d77e8336..4ed727fc5 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("motd_banner_text") }}} diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/ansible/shared.yml index 5814a30bd..aa4aa4c5c 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml index 86aff54f9..b295782b0 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml index 428fbd7fa..390b6513d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,Red Hat Virtualization 4 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,Red Hat Virtualization 4 # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/bash/shared.sh index badc79bff..f6c602159 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu +# platform = multi_platform_sle,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu {{%- if "sle" in product or "ubuntu" in product %}} {{%- set pam_lastlog_path = "/etc/pam.d/login" %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_correct_options.pass.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_correct_options.pass.sh index 79b84c92e..3f1c44fb3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_correct_options.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_correct_options.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 if authselect list-features minimal | grep -q with-silent-lastlog; then authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_modified_pam.fail.sh index 60ede2a24..9149a89a2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # remediation = none authselect create-profile hardening -b sssd diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_silent_lastlog.fail.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_silent_lastlog.fail.sh index 15c424a2d..6a58770a0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_silent_lastlog.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_silent_lastlog.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 if authselect list-features minimal | grep -q with-silent-lastlog; then authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/correct_value.pass.sh index 98fab1858..683ccc76d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 authselect create-profile test_profile -b sssd authselect select "custom/test_profile" --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/no_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/no_value.fail.sh index ce36c2d22..014d85397 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/no_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/no_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 authselect create-profile test_profile -b sssd authselect select "custom/test_profile" --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/correct_value.pass.sh index 98fab1858..683ccc76d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 authselect create-profile test_profile -b sssd authselect select "custom/test_profile" --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/no_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/no_value.fail.sh index ce36c2d22..014d85397 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/no_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/no_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 authselect create-profile test_profile -b sssd authselect select "custom/test_profile" --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/ansible/shared.yml index e9ecd879f..74e4c0b09 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/bash/shared.sh index 63d03f08d..e0eae4498 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{{ bash_pam_faillock_enable() }}} {{{ bash_pam_faillock_parameter_value("audit", authfail=False)}}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh index 5e75c996c..125502173 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh index e1eb0a970..74c1da0a8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/ansible/shared.yml index 95c3a04db..37caefc2f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/bash/shared.sh index 365006509..2a10d041b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv {{{ bash_instantiate_variables("var_password_pam_remember", "var_password_pam_remember_control_flag") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh index bef6bbcea..f7a2048f0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh index 111ed3df6..b0029939b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh index cc133d939..24e3f36f4 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh index 006ff25ae..bf7405aa9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite if authselect list-features minimal | grep -q with-pwhistory; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh index e16e7434b..13c772ae4 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite if authselect list-features minimal | grep -q with-pwhistory; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh index e5af75fdc..b884806b9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_control.fail.sh index aef7595c6..d71a7e2f0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_control.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_control.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite if authselect list-features minimal | grep -q with-pwhistory; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh index f16643985..3727d7077 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh index debcc53ca..0bf8c576e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/ansible/shared.yml index e4be20de0..a9d7e2ec1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/bash/shared.sh index a55f86dc3..5506f8c40 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv {{{ bash_instantiate_variables("var_password_pam_remember", "var_password_pam_remember_control_flag") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh index fe238b41b..afb618418 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh index bc6d5ab7f..5e83891a3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh index dd12efbc1..057c54a24 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh index 21a16e3f7..815679b6d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite if authselect list-features minimal | grep -q with-pwhistory; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh index 678ea16f7..a557caa01 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite if authselect list-features minimal | grep -q with-pwhistory; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh index e5af75fdc..b884806b9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_control.fail.sh index 26cc946a1..e0a147227 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_control.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_control.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite if authselect list-features minimal | grep -q with-pwhistory; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh index e25a158f7..d168e2b40 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh index 253d50de1..4892717b8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml index 658f8a3e4..de28cf579 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh index c830c07aa..3548b0341 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{% if product in [ "sle12", "sle15" ] %}} {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh index a18fa3d6c..69fae67e2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh index bc6d5ab7f..5e83891a3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh index dd12efbc1..057c54a24 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh index d774ac79a..bf9f42a01 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_remember=5 if authselect list-features minimal | grep -q with-pwhistory; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh index 4ef7a3f61..ddd8feb77 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_remember=5 if authselect list-features minimal | grep -q with-pwhistory; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh index 02d30f17a..1a687f0b9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh index 7f6215029..5756729af 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_remember=5 remember_cnt=5 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh index 3c1cea1d5..94513096b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_remember=5 remember_cnt=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh index e25a158f7..d168e2b40 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh index 253d50de1..4892717b8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite remember_cnt=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/ansible/shared.yml index 1eab1f8c4..f29521f1b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/bash/shared.sh index 021a400c0..09b9d3918 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu {{{ bash_pam_faillock_enable() }}} {{{ bash_pam_faillock_parameter_value("audit", authfail=False)}}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh index d805aa018..e4b5b6570 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh index e1eb0a970..74c1da0a8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh index c35696fee..f9615fcef 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh index 5bbbc464e..15a644bba 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = authselect,pam -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml index 8ab749d4f..00c16754b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh index 449d912d0..22f5dc375 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh index b3232cc93..97b5d1069 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/conflicting_settings_authselect.fail.sh index 24f5731f6..875972eb2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/conflicting_settings_authselect.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/conflicting_settings_authselect.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 pam_files=("password-auth" "system-auth") diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_conflicting_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_conflicting_settings.fail.sh index aa3ca061d..64992df97 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_conflicting_settings.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_conflicting_settings.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # remediation = none # variables = var_accounts_passwords_pam_faillock_deny=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh index 579e5670e..238b7431d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{%- if product in ["rhel7"] %}} # packages = authconfig {{%- else %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_faillock_conf.pass.sh index e770e300f..ae701fdab 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # variables = var_accounts_passwords_pam_faillock_deny=3 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh index fd57152b8..664e42beb 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # variables = var_accounts_passwords_pam_faillock_deny=3 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh index efb57601c..bac7a6401 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # remediation = none # variables = var_accounts_passwords_pam_faillock_deny=3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh index b780f3203..bc0966113 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{%- if product in ["rhel7"] %}} # packages = authconfig {{%- else %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_faillock_conf.pass.sh index 595b85192..f547b7431 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # variables = var_accounts_passwords_pam_faillock_deny=3 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/ansible/shared.yml index 2a6868f38..70448df97 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/bash/shared.sh index 09d8aeee0..72b3aeacb 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv {{{ bash_pam_faillock_enable() }}} {{{ bash_pam_faillock_parameter_value("even_deny_root", "") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/authselect_modified_pam.fail.sh index b3232cc93..97b5d1069 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/authselect_modified_pam.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/conflicting_settings_authselect.fail.sh index 99025443d..0541b5d3d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/conflicting_settings_authselect.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/conflicting_settings_authselect.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 pam_files=("password-auth" "system-auth") diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_conflicting_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_conflicting_settings.fail.sh index 476c4e77e..387e5d90a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_conflicting_settings.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_conflicting_settings.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # remediation = none authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_faillock_conf.pass.sh index 87bca6919..c59070dd3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 authselect select sssd --force authselect enable-feature with-faillock diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh index 7c702d669..652c29b25 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # remediation = none authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/conflicting_settings_authselect.fail.sh index 679e47bcc..f345e12ae 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/conflicting_settings_authselect.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/conflicting_settings_authselect.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_faillock_conf.pass.sh index 6bb763cf5..cd6900bb5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_faillock_conf.fail.sh index 2f08a7d47..86f0bb1d8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_faillock_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_faillock_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml index fd8e44443..d30a92fd8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh index e9c09b713..ffbbb68cd 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 {{{ bash_pam_faillock_enable() }}} {{{ bash_pam_faillock_parameter_value("local_users_only", "") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_disabled.fail.sh index 856bd56ea..9f76150c3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_disabled.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_disabled.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 authselect select sssd --force authselect disable-feature with-faillock diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_expected_faillock_conf.pass.sh index 075791de6..899751de9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_expected_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_expected_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 authselect select sssd --force authselect enable-feature with-faillock diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh index 978cccce6..a3e8b3365 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # remediation = none authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_not_required_pam_files.fail.sh index 053f91100..f294bc5a0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_not_required_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_not_required_pam_files.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # remediation = none # This test scenario manually modify the pam_faillock.so entries in auth section from diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml index 039fc5191..cb0f0134d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh index e7a0882f2..c07fd02e0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh index b3232cc93..97b5d1069 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh index 9a553893c..e8f966aa5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 pam_files=("password-auth" "system-auth") diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh index 0b67e0e02..2f33f8a90 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # remediation = none # variables = var_accounts_passwords_pam_faillock_fail_interval=900 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh index 59daba0dd..f4d1b8bf0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{%- if product in ["rhel7"] %}} # packages = authconfig {{%- else %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh index 82bf9fa75..758999d53 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # variables = var_accounts_passwords_pam_faillock_fail_interval=900 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh index 74236e2fb..75bd18da8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # variables = var_accounts_passwords_pam_faillock_fail_interval=900 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh index ef2461160..783bf6cdb 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # remediation = none # variables = var_accounts_passwords_pam_faillock_fail_interval=900 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh index 95ad62037..0a78cef63 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{%- if product in ["rhel7"] %}} # packages = authconfig {{%- else %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh index c71a12afe..93a3aee74 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # variables = var_accounts_passwords_pam_faillock_fail_interval=900 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_faillock_conf.pass.sh index fdd0c4c06..e65906af5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_pam_files.pass.sh index ebabc6518..b02f953cc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_pam_files.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_pam_files.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter.fail.sh index a10547339..c01c35a48 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_password_auth.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_password_auth.fail.sh index f73c751f5..812b6ba1b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_password_auth.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_password_auth.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_system_auth.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_system_auth.fail.sh index 514b2bb37..52f16f216 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_system_auth.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_system_auth.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml index 230ff5eaa..c53da64d0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh index 3a32aad36..d1f4a0327 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh index b3232cc93..97b5d1069 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh index d547b0e35..8882d876b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 pam_files=("password-auth" "system-auth") diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh index 057348eb4..0345fd442 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # remediation = none # variables = var_accounts_passwords_pam_faillock_unlock_time=600 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh index 1be527fa2..068b4ead0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{%- if product in ["rhel7"] %}} # packages = authconfig {{%- else %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh index 1840cae45..7f2b5cddf 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # variables = var_accounts_passwords_pam_faillock_unlock_time=600 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh index 838ab7c53..527dec679 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # variables = var_accounts_passwords_pam_faillock_unlock_time=600 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh index b7b1532bb..7f9bb22e6 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # remediation = none # variables = var_accounts_passwords_pam_faillock_unlock_time=600 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh index e271e2689..d04463db4 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{%- if product in ["rhel7"] %}} # packages = authconfig {{%- else %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh index a57645eb1..641d38610 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 +# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,Oracle Linux 8 # variables = var_accounts_passwords_pam_faillock_unlock_time=600 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml index 06f7962fd..dc6eea20d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh index a55859203..377efc82e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol {{{ bash_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'requisite', 'pam_pwquality.so', '', '', '^account.*required.*pam_permit\.so') }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh index 81d2955d3..ac3aae234 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh index 4bb7a4872..c878fd41e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh index 32ce46407..53719b5d8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh index 0f9b75cec..dc9f9b1af 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/password-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_wrong_control.fail.sh index 61c28f2d6..1bbd85df1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_wrong_control.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_wrong_control.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml index 90484d66f..81664de52 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh index 4ea10f4c4..6c1de4e4c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol {{{ bash_ensure_pam_module_configuration('/etc/pam.d/system-auth', 'password', 'requisite', 'pam_pwquality.so', '', '', '^account.*required.*pam_permit\.so') }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh index f68622be4..6b3eb34dd 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh index 0de6065a2..8565473b6 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh index 03a4ef295..3c65f0c19 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh index ae0ed105d..e1e6ce6bf 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_wrong_control.fail.sh index 60ebfdeba..b53e75109 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_wrong_control.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_wrong_control.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml index 36e9a27b9..fe1b603ab 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/argument_missing.fail.sh index 03723cd8c..1df4f1d61 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/argument_missing.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/argument_missing.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu # variables = var_password_pam_retry=3 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh index 19cac93f4..95a79c236 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_password_pam_retry=3 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh index ae605f717..0e5676805 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_password_pam_retry=3 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh index ce7f4b7a3..9c8b93a75 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_password_pam_retry=3 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh index 962112d6a..7703ed3f7 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_password_pam_retry=3 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh index ea2eb57fe..31e80535f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # variables = var_password_pam_retry=3 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/ansible/shared.yml index b3e32aa31..547d137b1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/bash/shared.sh index 115273566..bd94d707c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle LIBUSER_CONF="/etc/libuser.conf" CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*' diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml index 8dedf993c..51c76b11a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh index 2712118e5..d4ec2c50c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_password_hashing_algorithm") }}} {{{ bash_replace_or_append('/etc/login.defs', '^ENCRYPT_METHOD', "$var_password_hashing_algorithm", '%s %s') }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/ansible/shared.yml index 31c14211e..be9f04642 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhv,multi_platform_ol # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh index 55f43ef98..2b993b52b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhv,multi_platform_ol {{{ bash_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'sufficient', 'pam_unix.so', 'sha512', '', '') }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_correct_value.pass.sh index 17a57e1e1..666d1d152 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_missing_option.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_missing_option.fail.sh index b76a6118f..9425e8c90 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_missing_option.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_missing_option.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_modified_pam.fail.sh index 0ca781181..87ccb7bb1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none PASSWORD_AUTH_FILE="/etc/pam.d/password-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_wrong_control.fail.sh index f72c7bde2..25fd37ced 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_wrong_control.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_wrong_control.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_correct_value.pass.sh index 74ea0c265..92599832a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_missing_option.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_missing_option.fail.sh index f74ccbd86..8d694c0f2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_missing_option.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_missing_option.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_modified_pam.fail.sh index 27be252bc..3622e705e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_wrong_control.fail.sh index d4b163f24..819ad4b0a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_wrong_control.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_wrong_control.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml index 3045574e5..7ce6bb466 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml index 517c83c6e..041e9a29c 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml index a3490a60d..81831631c 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml @@ -18,7 +18,7 @@ create: yes dest: /usr/lib/systemd/system/emergency.service regexp: "^#?ExecStart=" - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] -%}} + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] -%}} line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" {{%- else -%}} line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh index 2a65ef992..641747e9e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh @@ -7,7 +7,7 @@ service_dropin_file="${service_dropin_cfg_dir}/10-oscap.conf" service_file="/usr/lib/systemd/system/emergency.service" {{% endif %}} -{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} +{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15"] -%}} sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency" {{%- else -%}} sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml index 90ef51b2a..742ee525f 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml @@ -24,7 +24,7 @@ /usr/lib/systemd/system/emergency.service - {{%- if product in ["fedora", "ol8", "ol9", "openeuler2203", "rhel8", "rhel9", "sle12", "sle15"] -%}} + {{%- if product in ["fedora", "ol8", "ol9", "openeuler2203", "rhel8", "rhel9", "almalinux9", "sle12", "sle15"] -%}} ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency {{%- else -%}} ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml index 3366217dd..41b483eb6 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml @@ -51,7 +51,7 @@ ocil: |- To check if authentication is required for emergency mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/emergency.service
The output should be similar to the following, and the line must begin with - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15"] -%}} ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
{{%- else -%}} @@ -79,7 +79,7 @@ fixtext: |- Configure {{{ full_name }}} to require authentication for system emergency mode. Add or edit the following line in "/usr/lib/systemd/system/emergency.service": - {{% if product in ["fedora", "ol8", "ol9", "openeuler2203", "rhel8", "rhel9", "sle12", "sle15"] -%}} + {{% if product in ["fedora", "ol8", "ol9", "openeuler2203", "rhel8", "rhel9", "almalinux9", "sle12", "sle15"] -%}} ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency {{%- else -%}} ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value.pass.sh index bce932b72..dda999a74 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora service_file="/usr/lib/systemd/system/emergency.service" sulogin="/usr/lib/systemd/systemd-sulogin-shell" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value.fail.sh index d9fdc678f..a4f6ea6a9 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux service_file="/usr/lib/systemd/system/emergency.service" sulogin="/bin/bash" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml index 225a73f0b..3943c04f0 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml @@ -9,7 +9,7 @@ create: yes dest: /usr/lib/systemd/system/rescue.service regexp: "^#?ExecStart=" - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15"] -%}} line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" {{% elif product in ["rhel7"] %}} line: 'ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh index e4624e582..347c51e12 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh @@ -2,7 +2,7 @@ service_file="/usr/lib/systemd/system/rescue.service" -{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} +{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15"] -%}} sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue" {{%- elif product in ["rhel7"] -%}} sulogin='/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml index 62fd1a76a..d4074b6b5 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml @@ -14,7 +14,7 @@ /usr/lib/systemd/system/rescue.service - {{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "rhcos4", "sle12", "sle15"] -%}} + {{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "rhcos4", "sle12", "sle15"] -%}} ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue {{%- else -%}} ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index 121c8f619..16d6f0717 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -55,7 +55,7 @@ ocil: |- To check if authentication is required for single-user mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/rescue.service
The output should be similar to the following, and the line must begin with - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "rhcos4"] -%}} + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "rhcos4"] -%}} ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
{{%- elif product in ["rhel7"] -%}} @@ -88,7 +88,7 @@ fixtext: |- Configure {{{ full_name }}} to require authentication in single user mode. Add or update the following line in "/usr/lib/systemd/system/rescue.service": - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15"] -%}} ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue {{%- elif product in ["rhel7"] -%}} ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh index fd13fbd1c..ce2a1a9dc 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora service_file="/usr/lib/systemd/system/rescue.service" sulogin="/usr/lib/systemd/systemd-sulogin-shell" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_value.fail.sh index 63b9b08b5..15abe6cec 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_value.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux service_file="/usr/lib/systemd/system/rescue.service" sulogin="/bin/bash" diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml index 75395cf61..1dcee69f3 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml index f47326940..42d591752 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/ansible/shared.yml index dc63eb653..dc6931307 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/alternative_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/alternative_value.pass.sh index 0b31379f0..778d63d74 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/alternative_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/alternative_value.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_fedora +# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora echo 'bind W lock-session' >> '/etc/tmux.conf' chmod 0644 "/etc/tmux.conf" diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/correct.pass.sh index e38203195..55a8aff57 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/correct.pass.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/correct.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_fedora +# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # packages = tmux echo 'bind X lock-session' >> '/etc/tmux.conf' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/file_empty.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/file_empty.fail.sh index 45458b6f2..87e6ded51 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/file_empty.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/file_empty.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_fedora +# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # packages = tmux echo > '/etc/tmux.conf' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/line_commented.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/line_commented.fail.sh index 93ed8cbf4..bff755146 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/line_commented.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/line_commented.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_fedora +# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # packages = tmux echo '# bind X lock-session' >> '/etc/tmux.conf' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/wrong_permissions.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/wrong_permissions.fail.sh index da006625e..8e02e36e8 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/wrong_permissions.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/wrong_permissions.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_fedora +# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # packages = tmux echo 'bind X lock-session' >> '/etc/tmux.conf' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/kubernetes/shared.yml index 6b2d6cd5e..c20712c9f 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/kubernetes/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml index 1a9d35f69..9a5753d98 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhv,multi_platform_ol,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml index 18231e23a..c986f5c73 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_rhel +# platform = multi_platform_sle,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/commented.fail.sh index c2afecc19..652fbedb7 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/commented.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/commented.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ubuntu,multi_platform_rhel +# platform = multi_platform_ubuntu,multi_platform_rhel,multi_platform_almalinux # packages = openssl-pkcs11 if [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/correct.pass.sh index d7103cc0a..68c252f78 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/correct.pass.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/correct.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu # packages = openssl-pkcs11 if [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/missing_ocsp.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/missing_ocsp.fail.sh index c0cc3c94f..6db041b04 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/missing_ocsp.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/missing_ocsp.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu # packages = openssl-pkcs11 if [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml index 74598bc7e..680caf4ba 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh index f299285d4..52e841b61 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle {{{ bash_instantiate_variables("var_account_disable_post_pw_expiration") }}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh index aa147fdce..bb8288f5b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh @@ -1,5 +1,5 @@ #! /bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # variables = var_accounts_authorized_local_users_regex=^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$ var_accounts_authorized_local_users_regex="^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$" diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml index 1e571bcbf..7901ceae0 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml index 0c81c0ee5..29f31c654 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml index b04d7cdb8..0d5a5831e 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh index dcc5de3f1..268aafbab 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle {{{ bash_instantiate_variables("var_accounts_password_minlen_login_defs") }}} {{{ bash_replace_or_append('/etc/login.defs', '^PASS_MIN_LEN', "$var_accounts_password_minlen_login_defs", '%s %s') }}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml index a32ce4ae4..b298b6a66 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh index 8ff7cba19..14ece5d17 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml index 0960e05ac..d3087c13b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh index 808365173..495477850 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml index 4994ff315..e8469b8e9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml index 82110016d..2a73ed386 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh index a40010714..d244fc548 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_argument_missing.fail.sh index 3e24ba16a..1770f4b7e 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_argument_missing.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_argument_missing.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_rounds=65536 authselect create-profile hardening -b sssd diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_correct_value.pass.sh index 39690d88d..914ee7d84 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_rounds=65536 ROUNDS=65536 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_default_rounds.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_default_rounds.fail.sh index eabb4af89..966a5b6e8 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_default_rounds.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_default_rounds.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_rounds=5000 authselect create-profile hardening -b sssd diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_modified_pam.fail.sh index 9c99fc307..7db9d4a78 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none # variables = var_password_pam_unix_rounds=65536 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_control.fail.sh index dc8b11e2d..b44396f63 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_control.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_control.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_rounds=65536 ROUNDS=65536 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_value.fail.sh index 96bcc3e23..ce746e89b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_rounds=65536 ROUNDS=4000 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/ansible/shared.yml index c0b520bdf..70ab14cba 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/bash/shared.sh index 8316e495a..bf8a4c240 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle {{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_argument_missing.fail.sh index 3da866412..4347773a9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_argument_missing.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_argument_missing.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_rounds=65536 authselect create-profile hardening -b sssd diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_correct_value.pass.sh index 67a052f98..2ea2aafe5 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_rounds=65536 ROUNDS=65536 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_default_rounds.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_default_rounds.fail.sh index 1bbd39228..369c32ae3 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_default_rounds.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_default_rounds.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_rounds=5000 authselect create-profile hardening -b sssd diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_modified_pam.fail.sh index 3e62935b5..ea66520cd 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none # variables = var_password_pam_unix_rounds=65536 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_control.fail.sh index 85bbbdb7f..814f4e016 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_control.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_control.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_rounds=65536 ROUNDS=65536 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_value.fail.sh index 244799045..7f57ec0e1 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # variables = var_password_pam_unix_rounds=65536 ROUNDS=4000 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml index 26f00c7de..c9494b5fc 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh index a59d563d7..331a34b2c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/kubernetes/shared.yml index ad3133b1f..eac1b843a 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/kubernetes/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_modified_pam.fail.sh index 1dd45236b..48b3c6c8c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_modified_pam.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # remediation = none SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_absent.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_absent.pass.sh index 0dfb32e31..04a7b6271 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_absent.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_absent.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_present.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_present.fail.sh index 9dc5d7677..f00e9272d 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_present.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_present.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = authselect -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml index 888cc054f..2b7d571ad 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh index 7bbfd7675..3d438fe7a 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml index 8f87bf06e..6bed5ef5a 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/ansible/shared.yml index 5f9c92aac..119219eb0 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/ansible/shared.yml index 10a747ef2..5a819abfc 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml index e7f5c730c..8f06c6cfa 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh index bd1ba1ccb..d139fdda4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # uncomment the option if commented sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml index e236b1ec2..d84d7345f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh index d16374ffd..1ae066fd9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}} PAM_CONF=/etc/pam.d/su diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml index 53b68079e..2a6b66121 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ol # disruption = low # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh index 23e6f0dd5..6055798dd 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle {{{ bash_instantiate_variables("var_accounts_fail_delay") }}} diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml index 536ac2956..d1bff5ffa 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh index 0005b2ccb..0329d6cdf 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu,multi_platform_sle {{{ bash_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}} diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/ansible/shared.yml index 3f080376a..6295c853e 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/ansible/shared.yml index 9ca521640..5c961399e 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml index 5bfb963a1..77807dbfb 100644 --- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh index 0f681a6db..846b47fee 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_ubuntu {{{ bash_instantiate_variables("var_accounts_user_umask") }}} diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml index fb91eab05..02b78a6ab 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_rhv4 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle,multi_platform_rhv4 # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh index ec59ac915..3e5470b1e 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_rhv4 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle,multi_platform_rhv4 # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh index ec75bf6d2..eb2aa2ea1 100644 --- a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh +++ b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac diff --git a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh index a545d9791..383a6ee76 100644 --- a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh +++ b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none touch /etc/pam.d/{password,system}-auth-{mycustomconfig,ac} diff --git a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh index 82fb5d543..2dbee752d 100644 --- a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh +++ b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml index ef7e5cc46..af22bbce4 100644 --- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml +++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora,multi_platform_ol +# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/enable_authselect/tests/not_remediable.fail.sh b/linux_os/guide/system/accounts/enable_authselect/tests/not_remediable.fail.sh index 31c46debf..9b4e3abe2 100644 --- a/linux_os/guide/system/accounts/enable_authselect/tests/not_remediable.fail.sh +++ b/linux_os/guide/system/accounts/enable_authselect/tests/not_remediable.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = authselect,pam # remediation = none diff --git a/linux_os/guide/system/accounts/enable_authselect/tests/profile.pass.sh b/linux_os/guide/system/accounts/enable_authselect/tests/profile.pass.sh index ac68df9e0..f589bfb44 100644 --- a/linux_os/guide/system/accounts/enable_authselect/tests/profile.pass.sh +++ b/linux_os/guide/system/accounts/enable_authselect/tests/profile.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = authselect,pam authselect select minimal --force diff --git a/linux_os/guide/system/accounts/enable_authselect/tests/remediable.fail.sh b/linux_os/guide/system/accounts/enable_authselect/tests/remediable.fail.sh index 3bd07c62e..e328ca74c 100644 --- a/linux_os/guide/system/accounts/enable_authselect/tests/remediable.fail.sh +++ b/linux_os/guide/system/accounts/enable_authselect/tests/remediable.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = authselect,pam rm -f /etc/pam.d/{fingerprint-auth,password-auth,postlogin,smartcard-auth,system-auth} diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/wrong_value_entries.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/wrong_value_entries.fail.sh index 00942724d..f68845394 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/wrong_value_entries.fail.sh +++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/wrong_value_entries.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # Based on shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,AlmaLinux 9 # Breaks argument in kernel command line in /boot/loader/entries/*.conf diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh index 50cf1b78f..cc8c2577d 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # Make sure boot loader entries contain init_on_alloc=1 for file in /boot/loader/entries/*.conf diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh index 7c0d91547..0490eed84 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # Make sure boot loader entries contain init_on_alloc=1 for file in /boot/loader/entries/*.conf diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh index 9d330c919..bac0815e1 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux 9 # Remove init_on_alloc=1 from all boot entries sed -Ei 's/(^options.*\s)init_on_alloc=1(.*?)$/\1\2/' /boot/loader/entries/* diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml index 5585e0eaf..ec0a8704d 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # reboot = true # strategy = configure # complexity = medium diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh index 0d90d58db..de4f6c4c6 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh +++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # Correct BLS option using grubby, which is a thin wrapper around BLS operations grubby --update-kernel=ALL --remove-args="systemd.debug-shell" diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh index 773f88904..6060189e7 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then mkdir -p /etc/rsyslog.d diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml index 4e321fecb..2818c4ca1 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh index 3933f28b4..d71a075f1 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/logging/journald/journald_compress/rule.yml b/linux_os/guide/system/logging/journald/journald_compress/rule.yml index 3bc9b6a1b..d73a74583 100644 --- a/linux_os/guide/system/logging/journald/journald_compress/rule.yml +++ b/linux_os/guide/system/logging/journald/journald_compress/rule.yml @@ -32,7 +32,7 @@ ocil: |- Storing logs with compression can help avoid filling the system disk. Run the following command to verify that journald is compressing logs.
-{{%- if product in ["fedora", "rhel8", "rhel9", "sle15"] %}}
+{{%- if product in ["fedora", "rhel8", "rhel9", "almalinux9", "sle15"] %}}
     grep "^\sCompress" /etc/systemd/journald.conf {{{ journald_conf_dir_path }}}/*.conf
 {{% else %}}
     grep "^\sCompress" /etc/systemd/journald.conf
@@ -43,7 +43,7 @@ ocil: |-
     Compress=yes
     
-{{%- if product in ["fedora", "rhel8", "rhel9", "sle15"] %}} +{{%- if product in ["fedora", "rhel8", "rhel9", "almalinux9", "sle15"] %}} template: name: systemd_dropin_configuration vars: diff --git a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml index b0101d952..6e95f3bce 100644 --- a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml +++ b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml @@ -32,7 +32,7 @@ ocil: |- Storing logs remotely protects the integrity of the data from local attacks. Run the following command to verify that journald is forwarding logs to a remote host.
-{{%- if product in ["rhel8", "rhel9", "sle15"] %}}
+{{%- if product in ["rhel8", "rhel9", "almalinux9", "sle15"] %}}
     grep "^\sForwardToSyslog" /etc/systemd/journald.conf {{{ journald_conf_dir_path }}}/*.conf
 {{% else %}}
     grep "^\sForwardToSyslog" /etc/systemd/journald.conf
@@ -43,7 +43,7 @@ ocil: |-
     ForwardToSyslog=yes
     
-{{%- if product in ["rhel8", "rhel9", "sle15"] %}} +{{%- if product in ["rhel8", "rhel9", "almalinux9", "sle15"] %}} template: name: systemd_dropin_configuration vars: diff --git a/linux_os/guide/system/logging/journald/journald_storage/rule.yml b/linux_os/guide/system/logging/journald/journald_storage/rule.yml index bb838d9b7..7604c614a 100644 --- a/linux_os/guide/system/logging/journald/journald_storage/rule.yml +++ b/linux_os/guide/system/logging/journald/journald_storage/rule.yml @@ -31,7 +31,7 @@ ocil: |- Storing logs with persistent storage ensures they are available after a reboot or system crash. Run the command below to verify that logs are being persistently stored to disk.
-{{%- if product in ["fedora", "rhel8", "rhel9", "sle15"] %}}
+{{%- if product in ["fedora", "rhel8", "rhel9", "almalinux9", "sle15"] %}}
     grep "^\sStorage" /etc/systemd/journald.conf {{{ journald_conf_dir_path }}}/*.conf
 {{% else %}}
     grep "^\sStorage" /etc/systemd/journald.conf
@@ -42,7 +42,7 @@ ocil: |-
     Storage=persistent
     
-{{%- if product in ["fedora", "rhel8", "rhel9", "sle15"] %}} +{{%- if product in ["fedora", "rhel8", "rhel9", "almalinux9", "sle15"] %}} template: name: systemd_dropin_configuration vars: diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml index 892523fc4..9fbba1ccb 100644 --- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml +++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml index c7df0824a..d6ea64596 100644 --- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml +++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml @@ -11,7 +11,7 @@ test_ref="test_logrotate_conf_no_other_keyword" /> -{{% if product in ["rhcos4", "rhel9", "sle12", "sle15"] %}} +{{% if product in ["rhcos4", "rhel9", "almalinux9", "sle12", "sle15"] %}} {{% endif %}} diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml index f42709ef5..8b35da68b 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh index f2019bb9a..a12ceb5c1 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_ubuntu {{{ bash_instantiate_variables("rsyslog_remote_loghost_address") }}} diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/ansible/shared.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/ansible/shared.yml index d6e2b2564..323d3ffaa 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/ansible/shared.yml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/bash/shared.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/bash/shared.sh index ee1cbf7ea..eb4e5adc4 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/bash/shared.sh +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh index 51b6c4fb6..679e35435 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh +++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu # check-import = stdout result=$XCCDF_RESULT_PASS diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh index b2a8e350c..e97d0f4a5 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh +++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu # check-import = stdout result=$XCCDF_RESULT_PASS diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/bash/shared.sh b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/bash/shared.sh index d787fbbbf..d209806d8 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/bash/shared.sh +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # enable randomness in ipv6 address generation for interface in /etc/sysconfig/network-scripts/ifcfg-* diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/kubernetes/shared.yml index 87306fedb..88e2884bc 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/kubernetes/shared.yml index 8792fc668..2c7c4b025 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/kubernetes/shared.yml index e222b1c88..85b92ce90 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/kubernetes/shared.yml index 4ed2c480c..f59b6d7c3 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/kubernetes/shared.yml index 845b013ed..063776b85 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/kubernetes/shared.yml index e2951d845..0335df123 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh index fc649d74c..2fa1114da 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,AlmaLinux 9 # Removes ipv6.disable argument from kernel command line in //boot/loader/entries/*.conf diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh index 3c1cde1dc..a57a1eae5 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,AlmaLinux 9 # Break the ipv6.disable argument in kernel command line in /boot/loader/entries/*.conf diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/bash/shared.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/bash/shared.sh index 2bd1bdbca..63ab3fe59 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/bash/shared.sh +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC # services for NFSv4 from attempting to start IPv6 network listeners diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/kubernetes/shared.yml index 6bb6de134..1f0664a02 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/kubernetes/shared.yml index b3d72bb4a..b89b8a35a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/kubernetes/shared.yml index 70e767cc4..fbe1a27a2 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/kubernetes/shared.yml index c64da37a3..08535e5a1 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh index 583b70a3b..d9bca3de6 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh index ef545976d..bf1ccb250 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/kubernetes/shared.yml index 8b075d55e..0dd17a34b 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/kubernetes/shared.yml index 2bfbd9e46..8ea37100a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/kubernetes/shared.yml index aa7d1562b..08668d03c 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/kubernetes/shared.yml index 3a60ab17c..728ddb817 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/kubernetes/shared.yml index b6e53de36..0b652c7cf 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/kubernetes/shared.yml index aeb67c4e0..f47a8ab67 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/kubernetes/shared.yml index 52d74441b..08c8c256d 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/kubernetes/shared.yml index 9e3a85af9..d4f4d31cb 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/kubernetes/shared.yml index 0c8dae788..a26df0c5a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/kubernetes/shared.yml index ea1db12fe..5d8b19f68 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/kubernetes/shared.yml index b54e3d12b..125464d7a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/kubernetes/shared.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh b/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh index 89d344c4f..1a926adaa 100644 --- a/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh +++ b/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu # check-import = stdout tbl_output=$(nft list tables | grep inet) diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/tests/missing_blacklist.fail.sh b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/tests/missing_blacklist.fail.sh index 57cc29270..4b1b2805e 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/tests/missing_blacklist.fail.sh +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/tests/missing_blacklist.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol rm -f /etc/modprobe.d/dccp-blacklist.conf echo "install {{{ KERNMODULE }}} /bin/true" > /etc/modprobe.d/{{{ KERNMODULE }}}.conf diff --git a/linux_os/guide/system/network/network_configure_name_resolution/tests/dns_not_in_nsswitch_and_resolv_is_empty.pass.sh b/linux_os/guide/system/network/network_configure_name_resolution/tests/dns_not_in_nsswitch_and_resolv_is_empty.pass.sh index 0f2d15979..27572472b 100644 --- a/linux_os/guide/system/network/network_configure_name_resolution/tests/dns_not_in_nsswitch_and_resolv_is_empty.pass.sh +++ b/linux_os/guide/system/network/network_configure_name_resolution/tests/dns_not_in_nsswitch_and_resolv_is_empty.pass.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux source common.sh diff --git a/linux_os/guide/system/network/network_configure_name_resolution/tests/dns_not_in_nsswitch_and_resolv_isnt_empty.fail.sh b/linux_os/guide/system/network/network_configure_name_resolution/tests/dns_not_in_nsswitch_and_resolv_isnt_empty.fail.sh index 469db24e9..671a4d019 100644 --- a/linux_os/guide/system/network/network_configure_name_resolution/tests/dns_not_in_nsswitch_and_resolv_isnt_empty.fail.sh +++ b/linux_os/guide/system/network/network_configure_name_resolution/tests/dns_not_in_nsswitch_and_resolv_isnt_empty.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux source common.sh diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/ansible/shared.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/ansible/shared.yml index dcb2b99b7..8dbb02940 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/ansible/shared.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh index 91b3495c9..7f3876c49 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu df --local -P | awk '{if (NR!=1) print $6}' \ | xargs -I '$6' find '$6' -xdev -type d \ \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh index d2b47d989..9f25146b9 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle DIRS="/lib /lib64 /usr/lib /usr/lib64" for dirPath in $DIRS; do find "$dirPath" -type d -exec chown root '{}' \; diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh index 542184ae8..9cdfbf737 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle groupadd nogroup DIRS="/lib /lib64" for dirPath in $DIRS; do diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh index 5f8dcd2eb..7980d87b5 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu DIRS="/lib /lib64 /usr/lib /usr/lib64" for dirPath in $DIRS; do find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \; diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh index c3cd0944b..3c41df40c 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu DIRS="/lib /lib64 /usr/lib /usr/lib64" for dirPath in $DIRS; do chmod -R 755 "$dirPath" diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh index 90ae74be6..243a8e16e 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu DIRS="/lib /lib64" for dirPath in $DIRS; do mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme" diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh index ebaf9b766..858020d51 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu DIRS="/usr/lib /usr/lib64" for dirPath in $DIRS; do mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme" diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml index 8f479451b..21a923e63 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # reboot = false # strategy = restrict # complexity = medium diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh index b9bbe4dbe..2652ea041 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ubuntu for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin do diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/ansible/shared.yml index 04178f485..ce116710e 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/ansible/shared.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle # reboot = false # strategy = restrict # complexity = medium diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/bash/shared.sh index 5471f360f..1a2c2a9fa 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle find /bin/ \ /usr/bin/ \ /usr/local/bin/ \ diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh index 9c3fa6fe9..78ab97152 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64 do diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh index 02867684c..8b274eded 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu useradd user_test for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh index 81d8a339e..70345d4e7 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu useradd user_test diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh index 3382568ce..b4f4bd0a0 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu useradd user_test diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/ansible/shared.yml index aeaa1f058..b69b5cd7a 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/ansible/shared.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle # reboot = false # strategy = restrict # complexity = medium diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh index ab89b277a..f4a7c33a9 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec" for dirPath in $DIRS; do find "$dirPath" -perm /022 -exec chmod go-w '{}' \; diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh index 5356d3742..a85c88001 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ubuntu for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64 do diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh index 7352b60aa..fc84e065c 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ubuntu groupadd group_test for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/kubernetes/shared.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/kubernetes/shared.yml index b0d594003..4a71eccda 100644 --- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/kubernetes/shared.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/kubernetes/shared.yml index 5ce0decba..b7a4243e4 100644 --- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/bash/shared.sh index 59e39270d..5c154d333 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/bash/shared.sh +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # Delete particular /etc/fstab's row if /var/tmp is already configured to # represent a mount point (for some device or filesystem other than /tmp) diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/kubernetes/shared.yml index d94802273..554e34e00 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/kubernetes/shared.yml index d94802273..554e34e00 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/bash/shared.sh index 32651fa92..b68ea1c66 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/bash/shared.sh +++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu SECURITY_LIMITS_FILE="/etc/security/limits.conf" if grep -qE '^\s*\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/kubernetes/shared.yml index 41cbd1197..481afa583 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/kubernetes/shared.yml index 415b0486d..02b1e991a 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh index 70189666c..22f9e966b 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh index 209395fa9..23cce30a8 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/kubernetes/shared.yml index 7a4c107b2..22e209120 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/tests/correct_value.pass.sh index 6d87da5f2..021acd31f 100755 --- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/tests/correct_value.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/tests/correct_value.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none cp /proc/cpuinfo /tmp/cpuinfo diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/tests/wrong_value.fail.sh index 3260539b3..29d22d491 100755 --- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/tests/wrong_value.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none cp /proc/cpuinfo /tmp/cpuinfo diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/kubernetes/shared.yml index 88c683445..fa9b2020d 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml index ebebdebb1..03e24d9bf 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml @@ -12,7 +12,7 @@ rationale: |- severity: medium -{{% if product in ["rhel9"] %}} +{{% if product in ["rhel9", "almalinux9"] %}} conflicts: - sysctl_kernel_core_pattern_empty_string {{% endif %}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/kubernetes/shared.yml index 36e025cc3..e97acde11 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/kubernetes/shared.yml index 505b3c12b..cdf18e6dd 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/kubernetes/shared.yml index 0541e59a7..50020c28c 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/kubernetes/shared.yml index 2e24d9211..7b706bb32 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh index b9776227b..f58a7ac92 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,AlmaLinux 9 # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh index 9f19e0140..b6f94e4b3 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,AlmaLinux 9 # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh index e976db594..073e9fdaf 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,AlmaLinux 9 # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh index b1537175e..d1f7474e9 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,AlmaLinux 9 # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/kubernetes/shared.yml index ceafd4839..7006e2066 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/kubernetes/shared.yml index 7519b7740..af6c30abd 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/kubernetes/shared.yml index fdd4fb83e..3274d5b36 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/kubernetes/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml index 4be24a89d..76c0cc6df 100644 --- a/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml +++ b/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_fedora,multi_platform_ol,SUSE Linux Enterprise 15 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_fedora,multi_platform_ol,SUSE Linux Enterprise 15 # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh b/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh index 735354a2d..0c13b196e 100644 --- a/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh +++ b/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_fedora,multi_platform_ol,SUSE Linux Enterprise 15 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_fedora,multi_platform_ol,SUSE Linux Enterprise 15 sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh b/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh index 2520d3dcc..ed0bc9538 100644 --- a/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh +++ b/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora # Package libselinux cannot be uninstalled normally # as it would cause removal of sudo package which is diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml index fa39b8af6..33e2978d4 100644 --- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh index 0b33e5768..c9b647b8e 100644 --- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml index 3234ef102..9961cbdd9 100644 --- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml +++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh index 1f458fa5b..3a9811ea3 100644 --- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/ansible/shared.yml index c3baa1b80..be83f158f 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml index 917fc7dc4..bc1d7c63c 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/ansible/shared.yml index f5d68f1c3..91f02c0d4 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/ansible/shared.yml index 45e6c24aa..e06d9600f 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/ansible/shared.yml index 6b19c8138..1f656f5a8 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/ansible/shared.yml index ef2933c52..0d72f6f65 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/ansible/shared.yml index 0ca67c74a..332a5018a 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml index 60417ff4e..0af05e798 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml index ac168ef9f..69ecfa6a7 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml index 51e4063c3..3591b7266 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/ansible/shared.yml index 33460b61c..04074e66b 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/ansible/shared.yml index 4e389aa5c..254db9bfe 100644 --- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/ansible/shared.yml index c3922e5b0..40515598a 100644 --- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml index 09eed8367..601191b49 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml index bf1efbe61..efa5b96a6 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml index f7c7b4379..95781d5ab 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/ansible/shared.yml index d3f144c89..ae170b802 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml index 5b08acff4..d1af90b16 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/ansible/shared.yml index 9d034e519..2c45806b4 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/ansible/shared.yml index d04e6893f..5b9cba007 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/ansible/shared.yml index 34ff91ab3..875abf68d 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/ansible/shared.yml index 4dbe2b3c8..7313b6bcd 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/ansible/shared.yml index 606e00c5f..792db4ca4 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/ansible/shared.yml index ed7d98843..a41cb7151 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/ansible/shared.yml index c379700ad..6d91cec21 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/ansible/shared.yml index 76181547b..eb340cb5b 100644 --- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml index fa4f578ef..f0d0708d1 100644 --- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/group.yml b/linux_os/guide/system/software/gnome/group.yml index c7617bc43..7de8de33c 100644 --- a/linux_os/guide/system/software/gnome/group.yml +++ b/linux_os/guide/system/software/gnome/group.yml @@ -12,7 +12,7 @@ description: |- {{% if 'ol' in product %}} Oracle Linux Graphical environment. {{% else %}} - Red Hat Graphical environment. + AlmaLinux Graphical environment. {{% endif %}}

For more information on GNOME and the GNOME Project, see {{{ weblink(link="https://www.gnome.org") }}}. diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml index 7ef0e5992..44f95fe4f 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml @@ -4,6 +4,7 @@ The operating system installed on the system is supported by a vendor that provides security patches. ") }}} + diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml index c6f87fb5b..e2ba81e29 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml @@ -11,6 +11,9 @@ description: |- {{% elif product in ["sle12", "sle15"] %}} SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches. +{{% elif product == "almalinux9" %}} + AlmaLinux is supported by AlmaLinux. As the AlmaLinux + vendor, AlmaLinux is responsible for providing security patches. {{% else %}} Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/absent.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/absent.fail.sh index c7385d2c3..7f6cb14e7 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/absent.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/absent.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = bind -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 BIND_CONF='/etc/named.conf' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh index b00bbfe21..1769e27e5 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 {{{ bash_package_remove("bind") }}} diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh index 4f9c749eb..9330f1f53 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # packages = bind # -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # We don't remediate anything if the config file is missing completely. # remediation = none diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/ok.pass.sh index 34a32a73b..05437d75f 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/ok.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/ok.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = bind -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 BIND_CONF='/etc/named.conf' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/overrides.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/overrides.fail.sh index 290e5fb07..b0643b48a 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/overrides.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/overrides.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = bind -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 BIND_CONF='/etc/named.conf' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/kubernetes/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/kubernetes/shared.yml index dd096ab41..b180ed3b3 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/kubernetes/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/kubernetes/shared.yml @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_and_current_same_time.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_and_current_same_time.pass.sh index b607202c5..175381afb 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_and_current_same_time.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_and_current_same_time.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # packages = crypto-policies-scripts # IMPORTANT: This is a false negative scenario. diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_newer_than_current.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_newer_than_current.fail.sh index e5b598342..5608d4124 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_newer_than_current.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_newer_than_current.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # packages = crypto-policies-scripts update-crypto-policies --set "DEFAULT" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh index 7be3c82f3..96c42acfe 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp # packages = crypto-policies-scripts diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy.fail.sh index 261dc3f96..2cde26d7d 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard # packages = crypto-policies-scripts diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy_file.fail.sh index 356aa3ffe..caba47b8c 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy_file.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy_file.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard # packages = crypto-policies-scripts diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_file.pass.sh index 06bd713dd..5d4abd801 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_file.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_file.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp # packages = crypto-policies-scripts diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh index 56a081eca..aa25f4415 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp # packages = crypto-policies-scripts diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh index bb3c2b1f8..40d7ba477 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis_server_l1,xccdf_org.ssgproject.content_profile_cis_workstation_l1 # packages = crypto-policies-scripts diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh index a2107d146..6964ade32 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_e8 # packages = crypto-policies-scripts diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_set.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_set.pass.sh index b06e035fa..a3c503b8d 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_set.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_set.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_standard # packages = crypto-policies-scripts diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh index 6679f94bd..cc37b1c9d 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp # packages = crypto-policies-scripts diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/wrong_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/wrong_policy.fail.sh index 9461c3ddd..6b048f2f5 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/wrong_policy.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/wrong_policy.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard # packages = crypto-policies-scripts diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_correct_policy.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_correct_policy.pass.sh index 4834387dc..439e0a768 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_correct_policy.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_correct_policy.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 rm -f /etc/krb5.conf.d/crypto-policies ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_missing_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_missing_policy.fail.sh index 97ccc0590..5c7895552 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_missing_policy.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_missing_policy.fail.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 rm -f /etc/krb5.conf.d/crypto-policies diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_wrong_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_wrong_policy.fail.sh index 4eb5348f2..42201408e 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_wrong_policy.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_wrong_policy.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 rm -f /etc/krb5.conf.d/crypto-policies ln -s /etc/crypto-policies/back-ends/openssh.config /etc/krb5.conf.d/crypto-policies diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh index 9379b5ff3..dabf4b06b 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 {{{ bash_package_remove("libreswan") }}} diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh index 439da4978..927540f2c 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = libreswan -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 cp ipsec.conf /etc diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_is_there.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_is_there.pass.sh index fbc8f1001..ced17d043 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_is_there.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_is_there.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = libreswan -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 cp ipsec.conf /etc diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_not_there.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_not_there.fail.sh index 70f822342..c48a70d45 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_not_there.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_not_there.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = libreswan -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 cp ipsec.conf /etc diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/wrong_value.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/wrong_value.fail.sh index 2863c6102..425d537a5 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/wrong_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = libreswan -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 cp ipsec.conf /etc diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml index ec317036c..f5cfd007c 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml @@ -11,7 +11,7 @@ {{%- set openssl_cnf_dir="/etc/pki/tls" %}} {{% endif %}} -{{% if product in ["fedora", "ol9", "rhel9"] %}} +{{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} {{% set ansible_openssl_include_directive = ".include = /etc/crypto-policies/back-ends/opensslcnf.config" %}} {{% else %}} {{% set ansible_openssl_include_directive = ".include /etc/crypto-policies/back-ends/opensslcnf.config" %}} diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh index 4e77718c8..d73aa3a79 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh @@ -2,7 +2,7 @@ OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' -{{% if product in ["fedora", "ol9", "rhel9"] %}} +{{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config' {{% else %}} OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml index b3ef46578..b4d6e99cf 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml @@ -9,7 +9,7 @@ title: 'Configure OpenSSL library to use System Crypto Policy' {{%- set openssl_cnf_path="/etc/pki/tls/openssl.cnf" %}} {{%- endif %}} -{{% if product in ["fedora", "ol9", "rhel9"] %}} +{{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} {{% set include_directive = ".include = /etc/crypto-policies/back-ends/opensslcnf.config" %}} {{% else %}} {{% set include_directive = ".include /etc/crypto-policies/back-ends/opensslcnf.config" %}} diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/include_with_equal_sign.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/include_with_equal_sign.pass.sh index 8ccb6cef9..75803a026 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/include_with_equal_sign.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/include_with_equal_sign.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 . common.sh diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/nothing.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/nothing.fail.sh index edeca90f0..250872dbe 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/nothing.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/nothing.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_sle +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_sle . common.sh diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh index 8c509ef32..cede47573 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_sle +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_sle . common.sh diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/section_not_include.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/section_not_include.fail.sh index 1c9342e23..836ed61d1 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/section_not_include.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/section_not_include.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_sle +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_sle . common.sh diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh index 1b2ea8d80..fcffa0118 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_sle +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_sle . common.sh diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/absent.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/absent.pass.sh index 96ae6a064..b0a717135 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/absent.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/absent.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSH_CONF="/etc/sysconfig/sshd" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/case_insensitive_present.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/case_insensitive_present.fail.sh index 6ab33f749..46f010e8d 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/case_insensitive_present.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/case_insensitive_present.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSH_CONF="/etc/sysconfig/sshd" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/comment.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/comment.pass.sh index bcea9badc..24728b674 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/comment.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/comment.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSH_CONF="/etc/sysconfig/sshd" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/no_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/no_config_file.pass.sh index ea6d23ee1..04ec08881 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/no_config_file.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/no_config_file.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSH_CONF="/etc/sysconfig/sshd" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/overrides.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/overrides.fail.sh index a6e7c89da..953ad981c 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/overrides.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/overrides.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 SSH_CONF="/etc/sysconfig/sshd" diff --git a/linux_os/guide/system/software/integrity/disable_prelink/ansible/shared.yml b/linux_os/guide/system/software/integrity/disable_prelink/ansible/shared.yml index 0447bf2c4..43627ebd3 100644 --- a/linux_os/guide/system/software/integrity/disable_prelink/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/disable_prelink/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml index 9647791ef..9f70b30d4 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol # reboot = true # strategy = restrict # complexity = medium diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh index 5da0c99e6..57ac7592b 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,Red Hat Virtualization 4 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,Red Hat Virtualization 4 fips-mode-setup --enable FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_missing.fail.sh b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_missing.fail.sh index 9c232fc94..f3d71ee21 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_missing.fail.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_missing.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = crypto-policies-scripts -# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,Red Hat Virtualization 4,multi_platform_ol fips-mode-setup --enable FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_present.pass.sh b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_present.pass.sh index b92e82236..138d2c997 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_present.pass.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_present.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = crypto-policies-scripts -# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,Red Hat Virtualization 4,multi_platform_ol fips-mode-setup --enable FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml index 3b50e0706..fe102e2f5 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml @@ -68,7 +68,7 @@ - {{% if product in ["ol9","rhel9"] -%}} + {{% if product in ["ol9","rhel9", "almalinux9"] -%}} ^FIPS(:OSPP)?$ {{%- else %}} {{# Legacy and more relaxed list of crypto policies that were historically considered diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/shared.sh index 04e69228b..9072c4023 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle {{% if 'sle' in product %}} zypper -q --no-remote ref diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml index 4109e8d44..65a693e23 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh index ea2a1113b..fbc6b9b8a 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh index 5f751bee5..2684687ff 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = aide aide --init diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh index f80f6fd52..3d2bde623 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = aide declare -a bins diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh index 692a60d0e..50411aad5 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = aide declare -a bins diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh index 65bf85123..708ef4e4d 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = aide aide --init diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh index dfa5c1b6c..60ac94141 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle {{{ bash_package_install("aide") }}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/bash/shared.sh index 34a114520..b22a658da 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol {{{ bash_package_install("aide") }}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml index 9e5172cc5..88a2fa5de 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml @@ -1,5 +1,5 @@ # and the regex_findall does not filter out configuration files the same as bash remediation does -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = high @@ -7,7 +7,7 @@ - name: "Set fact: Package manager reinstall command" set_fact: package_manager_reinstall_cmd: {{{ pkg_manager }}} reinstall -y - when: ansible_distribution in [ "Fedora", "RedHat", "CentOS", "OracleLinux" ] + when: ansible_distribution in [ "Fedora", "RedHat", "CentOS", "OracleLinux", "AlmaLinux" ] - name: "Set fact: Package manager reinstall command (zypper)" set_fact: diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/bash/shared.sh index a40f350d4..b1c682604 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )" diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml index 5c39628ff..9aa639575 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhv,multi_platform_ol # reboot = false # strategy = restrict # complexity = high diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh index 329a00f56..d3cce1c0c 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = high diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml index 0bd8e7e8a..25b5bd333 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = high diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh index 0f791c95e..0efde1682 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = high diff --git a/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_0022_state.fail.sh b/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_0022_state.fail.sh index 21ece11e5..26403c434 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_0022_state.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_0022_state.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # variables = var_sudo_umask=0027 # Default umask is not explicitly set and has value 0022 diff --git a/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_0027_state.pass.sh b/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_0027_state.pass.sh index c01587242..de0605d2d 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_0027_state.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_0027_state.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # variables = var_sudo_umask=0027 # Default umask is not explicitly set and has value 0022 diff --git a/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_default_state.fail.sh b/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_default_state.fail.sh index eb5220278..e19cec598 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_default_state.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_and_default_state.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # variables = var_sudo_umask=0027 # Default umask is not explicitly set and has value 0022 diff --git a/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_multiple_values.fail.sh b/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_multiple_values.fail.sh index 0ca7c09b3..05dcae714 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_multiple_values.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_multiple_values.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # variables = var_sudo_umask=0027 echo "Defaults use_pty,umask=0022,noexec" >> /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_multiple_values.pass.sh b/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_multiple_values.pass.sh index 39ec72b52..a2849d3b4 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_multiple_values.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_add_umask/tests/0027_var_multiple_values.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # variables = var_sudo_umask=0027 echo "Defaults use_pty,umask=0027,noexec" >> /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.fail.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.fail.sh index 0e5aed5d0..c75edccd5 100644 --- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # remediation = none # Make sure sudo is owned by root group diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.pass.sh index a258d108a..904d4adb0 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.pass.sh +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,SUSE Linux Enterprise 15 # packages = sudo echo 'Defaults !targetpw' >> /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh index cdd8174d2..ab7afd6a4 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,SUSE Linux Enterprise 15 # packages = sudo touch /etc/sudoers.d/empty diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh index 093f9dd80..0cd6dbf48 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,SUSE Linux Enterprise 15 # packages = sudo echo 'Defaults !targetpw' >> /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_conflicting_values.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_conflicting_values.fail.sh index 3372c20b7..6c9e6fc44 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_conflicting_values.fail.sh +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_conflicting_values.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,SUSE Linux Enterprise 15 # packages = sudo echo 'Defaults !targetpw' >> /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh index ef0abd449..9606a913c 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh @@ -1,4 +1,4 @@ -# platform = SUSE Linux Enterprise 15,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = SUSE Linux Enterprise 15,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux # packages = sudo echo 'Defaults !targetpw' >> /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.pass.sh index 6247b5230..bd82dc53d 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.pass.sh +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,SUSE Linux Enterprise 15 # packages = sudo echo 'Defaults !targetpw' >> /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_multiple_files.pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_multiple_files.pass.sh index 071e3a0ab..b6779c1c5 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_multiple_files.pass.sh +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_multiple_files.pass.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,SUSE Linux Enterprise 15 # packages = sudo echo 'Defaults !targetpw' >> /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh index 273fb4529..b15cdc1da 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,SUSE Linux Enterprise 15 # packages = sudo touch /etc/sudoers.d/empty diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh index d477b5972..569a80382 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,SUSE Linux Enterprise 15 # packages = sudo touch /etc/sudoers.d/empty diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh index a4c5bde62..42fb94bf8 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,SUSE Linux Enterprise 15 # packages = sudo touch /etc/sudoers.d/empty diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml index e930dc900..5db2c1329 100644 --- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml @@ -13,7 +13,7 @@ rationale: |- or an on-premise server such as Subscription Asset Manager) and works with content management tools such as {{{ package_manager }}}. - {{% if product in ["rhel9"] %}} + {{% if product in ["rhel9", "almalinux9"] %}} The package provides, among other things, {{{ package_manager }}} plugins to interact with repositories and subscriptions from the Red Hat entitlement platform - the subscription-manager and diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml index 71b66ebab..f51a5fa0a 100644 --- a/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh b/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh index 34127fd17..e30b09600 100644 --- a/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh +++ b/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle {{% if 'sle' in product %}} {{{ bash_replace_or_append('/etc/zypp/zypp.conf', '^solver.upgradeRemoveDroppedPackages', 'true', '%s=%s') }}} diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_commented.fail.sh b/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_commented.fail.sh index 4cba82b3c..1d8495018 100644 --- a/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_commented.fail.sh +++ b/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_commented.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux file={{{ pkg_manager_config_file }}} diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_correct.pass.sh b/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_correct.pass.sh index 3b3bd71f7..d54501d5c 100644 --- a/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_correct.pass.sh +++ b/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_correct.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux file={{{ pkg_manager_config_file }}} diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_wrong_value.fail.sh b/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_wrong_value.fail.sh index 8f2e4fac8..20d00061a 100644 --- a/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_wrong_value.fail.sh +++ b/linux_os/guide/system/software/updating/clean_components_post_updating/tests/yum_wrong_value.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux file={{{ pkg_manager_config_file }}} diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/ansible/shared.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/ansible/shared.yml index d74db7b2b..b44ee67b3 100644 --- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,Oracle Linux 8 # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/ansible/shared.yml b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/ansible/shared.yml index ba0c54f3f..1890b7708 100644 --- a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle,Oracle Linux 8 +# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,Oracle Linux 8 # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/ansible/shared.yml new file mode 100644 index 000000000..b9b1e3ea0 --- /dev/null +++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/ansible/shared.yml @@ -0,0 +1,39 @@ +# platform=multi_platform_almalinux +# reboot = false +# strategy = restrict +# complexity = medium +# disruption = medium +- name: "Read permission of GPG key directory" + stat: + path: /etc/pki/rpm-gpg/ + register: gpg_key_directory_permission + check_mode: no + +# It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well. + +- name: Read signatures in GPG key + # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10 + command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9" + args: + warn: False + changed_when: False + register: gpg_fingerprints + check_mode: no + +- name: Set Fact - Installed GPG Fingerprints + set_fact: + gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}" + +- name: Set Fact - Valid fingerprints + set_fact: + gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}") + +- name: Import AlmaLinux GPG key + rpm_key: + state: present + key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9 + when: + - gpg_key_directory_permission.stat.mode <= '0755' + - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 + - gpg_installed_fingerprints | length > 0 + - ansible_distribution == "AlmaLinux" diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/bash/shared.sh new file mode 100644 index 000000000..89e6d6aeb --- /dev/null +++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/bash/shared.sh @@ -0,0 +1,26 @@ +# platform = multi_platform_almalinux +readonly ALMALINUX_FINGERPRINT="BF18AC2876178908D6E71267D36CB86CB86B3716" + +# Location of the key we would like to import (once it's integrity verified) +readonly ALMALINUX_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9" + +RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$ALMALINUX_RELEASE_KEY")") + +# Verify /etc/pki/rpm-gpg directory permissions are safe +if [ "${RPM_GPG_DIR_PERMS}" -le "755" ] +then + # If they are safe, try to obtain fingerprints from the key file + # (to ensure there won't be e.g. CRC error) + readarray -t GPG_OUT < <(gpg --with-fingerprint --with-colons "$ALMALINUX_RELEASE_KEY" | grep "^fpr" | cut -d ":" -f 10) + GPG_RESULT=$? + # No CRC error, safe to proceed + if [ "${GPG_RESULT}" -eq "0" ] + then + # Filter just hexadecimal fingerprints from gpg's output from + # processing of a key file + echo "${GPG_OUT[*]}" | grep -vE "${ALMALINUX_FINGERPRINT}" || { + # If $ ALMALINUX_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it + rpm --import "${ALMALINUX_RELEASE_KEY}" + } + fi +fi diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/oval/shared.xml new file mode 100644 index 000000000..f02f04002 --- /dev/null +++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/oval/shared.xml @@ -0,0 +1,42 @@ + + + + AlmaLinux gpg-pubkey Package Installed + + multi_platform_almalinux + + The AlmaLinux key packages are required to be installed. + + + + + + + + + + + + + + + + + gpg-pubkey + + + + + + + + + + {{{ pkg_release }}} + {{{ pkg_version }}} + + + diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/rule.yml new file mode 100644 index 000000000..bc0ba8d22 --- /dev/null +++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/rule.yml @@ -0,0 +1,44 @@ +documentation_complete: true + +title: 'Ensure AlmaLinux GPG Key Installed' + +description: |- + To ensure the system can cryptographically verify base software + packages come from AlmaLinux, the AlmaLinux GPG key must properly be installed. + To install the AlmaLinux GPG key, run: +
$ sudo rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-9
+ If the system is not connected to the Internet, + then install the AlmaLinux GPG key from trusted media such as + the AlmaLinux installation CD-ROM or DVD. Assuming the disc is mounted + in /media/cdrom, use the following command as the root user to import + it into the keyring: +
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
+ +rationale: |- + Changes to software components can have significant effects on the + overall security of the operating system. This requirement ensures + the software has not been tampered with and that it has been provided + by a trusted vendor. The AlmaLinux GPG key is necessary to + cryptographically verify packages are from AlmaLinux. + +severity: high + +references: + cis: 1.2.2 + disa: CCI-001749 + nist: CM-5(3),SI-7,SC-12,SC-12(3),CM-6(a),CM-11(a),CM-11(b) + nist-csf: PR.DS-6,PR.DS-8,PR.IP-1 + pcidss: Req-6.2 + isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6' + isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4 + cobit5: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02 + iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 + cis-csc: 11,2,3,9 + +ocil_clause: 'the AlmaLinux GPG Key is not installed' + +ocil: |- + To ensure that the GPG key is installed, run: +
$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
+ The command should return the string below: +
gpg(AlmaLinux <packager@almalinux.org>
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/bash/shared.sh index 2bf91c8ca..b5f520737 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/bash/shared.sh +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle {{{ bash_replace_or_append( pkg_manager_config_file , '^gpgcheck', '1') }}} diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml index a653565f5..0e8220272 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = enable # complexity = low diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh index 07e02fa47..ee1d023d9 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle {{% if product in ["sle12", "sle15"] %}} sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/* {{% else %}} diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/tests/gpgcheck_disabled.fail.sh b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/tests/gpgcheck_disabled.fail.sh index 37e47e4d4..a852e856f 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/tests/gpgcheck_disabled.fail.sh +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/tests/gpgcheck_disabled.fail.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_fedora,multi_platform_rhv sed -i 's/gpgcheck\s*=.*/gpgcheck=0/g' /etc/yum.repos.d/* diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/tests/gpgcheck_enabled.pass.sh b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/tests/gpgcheck_enabled.pass.sh index 04ff6e577..b97d75469 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/tests/gpgcheck_enabled.pass.sh +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/tests/gpgcheck_enabled.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_fedora,multi_platform_rhv sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml index fed8d1e7e..5a3335b8b 100644 --- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml @@ -16,6 +16,11 @@ description: |-
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the ULN and installed using rpm. +{{% elif product in ["almalinux9"] %}} + Run the following command to install updates: +
$ sudo yum update
+ If the system is not configured to use repos, updates (in the form of RPM packages) + can be manually downloaded from the repos and installed using rpm. {{% elif product in ["sle12", "sle15"] %}} If the system is configured for online updates, invoking the following command will list available security updates: diff --git a/products/almalinux9/CMakeLists.txt b/products/almalinux9/CMakeLists.txt new file mode 100644 index 000000000..ae4b60220 --- /dev/null +++ b/products/almalinux9/CMakeLists.txt @@ -0,0 +1,26 @@ +# Sometimes our users will try to do: "cd almalinux9; cmake ." That needs to error in a nice way. +if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") + message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") +endif() + +set(PRODUCT "almalinux9") + +ssg_build_product(${PRODUCT}) + +ssg_build_html_cce_table(${PRODUCT}) + +ssg_build_html_srgmap_tables(${PRODUCT}) + +if(SSG_SRG_XLSX_EXPORT) + ssg_build_xlsx_srg_export(${PRODUCT} "srg_gpos") +endif() + +ssg_build_html_stig_tables(${PRODUCT}) +ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig") +ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig_gui") + +#ssg_build_html_stig_tables(${PRODUCT} "ospp") + +if(SSG_CENTOS_DERIVATIVES_ENABLED) + ssg_build_derivative_product(${PRODUCT} "centos" "cs9") +endif() diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_enhanced-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_enhanced-ks.cfg new file mode 100644 index 000000000..af3334038 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_enhanced-ks.cfg @@ -0,0 +1,144 @@ +# SCAP Security Guide ANSSI BP-028 (enhanced) profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-07-13 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. +# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password +bootloader --append="audit=1 audit_backlog_limit=8192" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +# Ensure /usr Located On Separate Partition +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" +# Ensure /opt Located On Separate Partition +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /srv Located On Separate Partition +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_high-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_high-ks.cfg new file mode 100644 index 000000000..5cebc6ceb --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_high-ks.cfg @@ -0,0 +1,148 @@ +# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-07-13 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. +# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password +bootloader --append="audit=1 audit_backlog_limit=8192" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +# Ensure /usr Located On Separate Partition +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" +# Ensure /opt Located On Separate Partition +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /srv Located On Separate Partition +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_intermediary-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_intermediary-ks.cfg new file mode 100644 index 000000000..71fbb5eb2 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_intermediary-ks.cfg @@ -0,0 +1,144 @@ +# SCAP Security Guide ANSSI BP-028 (intermediary) profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-07-13 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. +# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password +bootloader + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +# Ensure /usr Located On Separate Partition +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" +# Ensure /opt Located On Separate Partition +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /srv Located On Separate Partition +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_minimal-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_minimal-ks.cfg new file mode 100644 index 000000000..131851bc1 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_minimal-ks.cfg @@ -0,0 +1,108 @@ +# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-07-13 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. +# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password +bootloader + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +autopart + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_anssi_bp28_minimal +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ccn_advanced-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ccn_advanced-ks.cfg new file mode 100644 index 000000000..15ede51cd --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-ccn_advanced-ks.cfg @@ -0,0 +1,137 @@ +# SCAP Security Guide CCN profile (Advanced) kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2023-07-18 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation. To use a different one comment out +# the 'url' one below, update the selected choice with proper options & un-comment it. +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in. +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] + + +# Set language to use during installation and default language on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the +# installer environment (optional): +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see +# how to create encrypted password form for different plaintext password. +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile may restrict root login. +# Add a user that can login and escalate privileges. +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing. +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password. +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger. +# Modify size of partitions appropriately to reflect actual machine's hardware. +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ccn_advanced +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ccn_basic-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ccn_basic-ks.cfg new file mode 100644 index 000000000..c31fb47b8 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-ccn_basic-ks.cfg @@ -0,0 +1,137 @@ +# SCAP Security Guide CCN profile (Basic) kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2023-07-18 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation. To use a different one comment out +# the 'url' one below, update the selected choice with proper options & un-comment it. +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in. +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] + + +# Set language to use during installation and default language on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the +# installer environment (optional): +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see +# how to create encrypted password form for different plaintext password. +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile may restrict root login. +# Add a user that can login and escalate privileges. +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing. +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password. +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger. +# Modify size of partitions appropriately to reflect actual machine's hardware. +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ccn_basic +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ccn_intermediate-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ccn_intermediate-ks.cfg new file mode 100644 index 000000000..1badb172d --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-ccn_intermediate-ks.cfg @@ -0,0 +1,137 @@ +# SCAP Security Guide CCN profile (Intermediate) kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2023-07-18 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation. To use a different one comment out +# the 'url' one below, update the selected choice with proper options & un-comment it. +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in. +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] + + +# Set language to use during installation and default language on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the +# installer environment (optional): +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see +# how to create encrypted password form for different plaintext password. +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile may restrict root login. +# Add a user that can login and escalate privileges. +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing. +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password. +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger. +# Modify size of partitions appropriately to reflect actual machine's hardware. +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ccn_intermediate +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis-ks.cfg new file mode 100644 index 000000000..877821d88 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-cis-ks.cfg @@ -0,0 +1,141 @@ +# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-08-12 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 +logvol swap --name=swap --vgname=VolGroup --size=2016 + + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis_server_l1-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis_server_l1-ks.cfg new file mode 100644 index 000000000..17105cd14 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-cis_server_l1-ks.cfg @@ -0,0 +1,141 @@ +# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-08-12 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 +logvol swap --name=swap --vgname=VolGroup --size=2016 + + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis_server_l1 +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l1-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l1-ks.cfg new file mode 100644 index 000000000..b8ed410c8 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l1-ks.cfg @@ -0,0 +1,141 @@ +# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-08-12 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 +logvol swap --name=swap --vgname=VolGroup --size=2016 + + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1 +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l2-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l2-ks.cfg new file mode 100644 index 000000000..4268d2026 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l2-ks.cfg @@ -0,0 +1,141 @@ +# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-08-12 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 +logvol swap --name=swap --vgname=VolGroup --size=2016 + + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2 +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cui-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cui-ks.cfg new file mode 100644 index 000000000..a23ef892e --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-cui-ks.cfg @@ -0,0 +1,139 @@ +# SCAP Security Guide CUI profile kickstart for AlmaLinux 9 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Refer to e.g. +# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password +bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cui +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-e8-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-e8-ks.cfg new file mode 100644 index 000000000..87ebac5ea --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-e8-ks.cfg @@ -0,0 +1,120 @@ +# SCAP Security Guide Essential Eight profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-07-13 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +autopart + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_e8 +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-hipaa-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-hipaa-ks.cfg new file mode 100644 index 000000000..b197c7233 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-hipaa-ks.cfg @@ -0,0 +1,120 @@ +# SCAP Security Guide HIPAA profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-07-13 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +autopart + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_hipaa +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ism_o-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ism_o-ks.cfg new file mode 100644 index 000000000..508da4df3 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-ism_o-ks.cfg @@ -0,0 +1,119 @@ +# SCAP Security Guide ISM Official profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-08-16 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +bootloader + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +autopart + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ism_o +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ospp-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ospp-ks.cfg new file mode 100644 index 000000000..d96ca6fbc --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-ospp-ks.cfg @@ -0,0 +1,139 @@ +# SCAP Security Guide OSPP profile kickstart for AlmaLinux 9 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Refer to e.g. +# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password +bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ospp +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-pci-dss-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-pci-dss-ks.cfg new file mode 100644 index 000000000..562a184d6 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-pci-dss-ks.cfg @@ -0,0 +1,134 @@ +# SCAP Security Guide PCI-DSS profile kickstart for AlmaLinux 9 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. +# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password +bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow +# CCE-26557-9: Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# CCE-26435-8: Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# CCE-26639-5: Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# CCE-26215-4: Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev" +# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_pci-dss +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-stig-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-stig-ks.cfg new file mode 100644 index 000000000..c48252116 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-stig-ks.cfg @@ -0,0 +1,140 @@ +# SCAP Security Guide STIG profile kickstart for AlmaLinux 9 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. +# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password +bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_stig +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-stig_gui-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-stig_gui-ks.cfg new file mode 100644 index 000000000..caf659d9a --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-stig_gui-ks.cfg @@ -0,0 +1,144 @@ +# SCAP Security Guide STIG with GUI profile kickstart for AlmaLinux 9 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg +# For more information see the following documentation: +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. +# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password +bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_stig_gui +%end + +# Packages selection (%packages section is required) +%packages + +@Server with GUI + +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/overlays/srg_support.xml b/products/almalinux9/overlays/srg_support.xml new file mode 100644 index 000000000..bdfb1cbd8 --- /dev/null +++ b/products/almalinux9/overlays/srg_support.xml @@ -0,0 +1,173 @@ + diff --git a/products/almalinux9/product.yml b/products/almalinux9/product.yml new file mode 100644 index 000000000..1e5798e91 --- /dev/null +++ b/products/almalinux9/product.yml @@ -0,0 +1,55 @@ +product: almalinux9 +full_name: AlmaLinux 9 +type: platform + +families: + - rhel + - rhel-like + +major_version_ordinal: 9 + +benchmark_id: ALMALINUX-9 +benchmark_root: "../../linux_os/guide" +components_root: "../../components" + +profiles_root: "./profiles" + +pkg_manager: "dnf" + +init_system: "systemd" + +# EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig + +groups: + dedicated_ssh_keyowner: + name: ssh_keys + +sshd_distributed_config: "true" + +dconf_gdm_dir: "distro.d" + +faillock_path: "/var/log/faillock" + +# The fingerprints below are retrieved from https://almalinux.org/security/ +pkg_release: "61e69f29" +pkg_version: "b86b3716" + +release_key_fingerprint: "BF18AC2876178908D6E71267D36CB86CB86B3716" + +cpes_root: "../../shared/applicability" +cpes: + - almalinux9: + name: "cpe:/o:almalinux:almalinux:9" + title: "AlmaLinux 9" + check_id: installed_OS_is_almalinux9 + +# Mapping of CPE platform to package +platform_package_overrides: + login_defs: "shadow-utils" + +reference_uris: + cis: 'https://www.cisecurity.org/benchmark/almalinuxos_linux/' + ccn: 'https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html' + + +journald_conf_dir_path: /etc/systemd/journald.conf.d diff --git a/products/almalinux9/profiles/anssi_bp28_enhanced.profile b/products/almalinux9/profiles/anssi_bp28_enhanced.profile new file mode 100644 index 000000000..a85a84120 --- /dev/null +++ b/products/almalinux9/profiles/anssi_bp28_enhanced.profile @@ -0,0 +1,54 @@ +documentation_complete: true + +metadata: + SMEs: + - marcusburghardt + - yuumasato + +title: 'ANSSI-BP-028 (enhanced)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system + +selections: + - anssi:all:enhanced + # Following rules once had a prodtype incompatible with the rhel9 product + - '!partition_for_opt' + - '!accounts_passwords_pam_tally2_deny_root' + - '!install_PAE_kernel_on_x86-32' + - '!partition_for_boot' + - '!sudo_add_ignore_dot' + - '!audit_rules_privileged_commands_rmmod' + - '!audit_rules_privileged_commands_modprobe' + - '!package_dracut-fips-aesni_installed' + - '!cracklib_accounts_password_pam_lcredit' + - '!partition_for_usr' + - '!cracklib_accounts_password_pam_ocredit' + - '!enable_pam_namespace' + - '!audit_rules_privileged_commands_insmod' + - '!service_chronyd_or_ntpd_enabled' + - '!chronyd_configure_pool_and_server' + - '!accounts_passwords_pam_tally2' + - '!cracklib_accounts_password_pam_ucredit' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!sudo_add_umask' + - '!sudo_add_env_reset' + - '!cracklib_accounts_password_pam_minlen' + - '!cracklib_accounts_password_pam_dcredit' + - '!ensure_oracle_gpgkey_installed' + # RHEL9 unified the paths for grub2 files. These rules are selected in control file by R29. + - '!file_groupowner_efi_grub2_cfg' + - '!file_owner_efi_grub2_cfg' + - '!file_permissions_efi_grub2_cfg' + - '!file_groupowner_efi_user_cfg' + - '!file_owner_efi_user_cfg' + - '!file_permissions_efi_user_cfg' diff --git a/products/almalinux9/profiles/anssi_bp28_high.profile b/products/almalinux9/profiles/anssi_bp28_high.profile new file mode 100644 index 000000000..6a0d74b61 --- /dev/null +++ b/products/almalinux9/profiles/anssi_bp28_high.profile @@ -0,0 +1,50 @@ +documentation_complete: true + +metadata: + SMEs: + - marcusburghardt + - yuumasato + +title: 'ANSSI-BP-028 (high)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system + +selections: + - anssi:all:high + # the following rule renders UEFI systems unbootable + - '!sebool_secure_mode_insmod' + # Following rules once had a prodtype incompatible with the rhel9 product + - '!partition_for_opt' + - '!accounts_passwords_pam_tally2_deny_root' + - '!install_PAE_kernel_on_x86-32' + - '!partition_for_boot' + - '!aide_periodic_checking_systemd_timer' + - '!sudo_add_ignore_dot' + - '!audit_rules_privileged_commands_rmmod' + - '!audit_rules_privileged_commands_modprobe' + - '!package_dracut-fips-aesni_installed' + - '!cracklib_accounts_password_pam_lcredit' + - '!partition_for_usr' + - '!cracklib_accounts_password_pam_ocredit' + - '!enable_pam_namespace' + - '!audit_rules_privileged_commands_insmod' + - '!service_chronyd_or_ntpd_enabled' + - '!chronyd_configure_pool_and_server' + - '!accounts_passwords_pam_tally2' + - '!cracklib_accounts_password_pam_ucredit' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!sudo_add_umask' + - '!sudo_add_env_reset' + - '!cracklib_accounts_password_pam_minlen' + - '!cracklib_accounts_password_pam_dcredit' + - '!ensure_oracle_gpgkey_installed' diff --git a/products/almalinux9/profiles/anssi_bp28_intermediary.profile b/products/almalinux9/profiles/anssi_bp28_intermediary.profile new file mode 100644 index 000000000..6ea26cae6 --- /dev/null +++ b/products/almalinux9/profiles/anssi_bp28_intermediary.profile @@ -0,0 +1,40 @@ +documentation_complete: true + +metadata: + SMEs: + - marcusburghardt + - yuumasato + +title: 'ANSSI-BP-028 (intermediary)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system + +selections: + - anssi:all:intermediary + # Following rules once had a prodtype incompatible with the rhel9 product + - '!partition_for_opt' + - '!cracklib_accounts_password_pam_minlen' + - '!accounts_passwords_pam_tally2_deny_root' + - '!accounts_passwords_pam_tally2' + - '!cracklib_accounts_password_pam_ucredit' + - '!cracklib_accounts_password_pam_dcredit' + - '!cracklib_accounts_password_pam_lcredit' + - '!partition_for_usr' + - '!partition_for_boot' + - '!cracklib_accounts_password_pam_ocredit' + - '!enable_pam_namespace' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!sudo_add_umask' + - '!sudo_add_ignore_dot' + - '!sudo_add_env_reset' + - '!ensure_oracle_gpgkey_installed' diff --git a/products/almalinux9/profiles/anssi_bp28_minimal.profile b/products/almalinux9/profiles/anssi_bp28_minimal.profile new file mode 100644 index 000000000..b58ee5990 --- /dev/null +++ b/products/almalinux9/profiles/anssi_bp28_minimal.profile @@ -0,0 +1,33 @@ +documentation_complete: true + +metadata: + SMEs: + - marcusburghardt + - yuumasato + +title: 'ANSSI-BP-028 (minimal)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system + +selections: + - anssi:all:minimal + # Following rules once had a prodtype incompatible with the rhel9 product + - '!cracklib_accounts_password_pam_minlen' + - '!accounts_passwords_pam_tally2_deny_root' + - '!accounts_passwords_pam_tally2' + - '!cracklib_accounts_password_pam_ucredit' + - '!cracklib_accounts_password_pam_dcredit' + - '!cracklib_accounts_password_pam_lcredit' + - '!cracklib_accounts_password_pam_ocredit' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!ensure_oracle_gpgkey_installed' diff --git a/products/almalinux9/profiles/ccn_advanced.profile b/products/almalinux9/profiles/ccn_advanced.profile new file mode 100644 index 000000000..0563e5c0c --- /dev/null +++ b/products/almalinux9/profiles/ccn_advanced.profile @@ -0,0 +1,19 @@ +documentation_complete: true + +metadata: + SMEs: + - marcusburghardt + +reference: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html + +title: 'Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Advanced' + +description: |- + This profile defines a baseline that aligns with the "Advanced" configuration of the + CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10. + + The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, + intermediate, and advanced levels. + +selections: + - ccn_rhel9:all:advanced diff --git a/products/almalinux9/profiles/ccn_basic.profile b/products/almalinux9/profiles/ccn_basic.profile new file mode 100644 index 000000000..0ebc2912c --- /dev/null +++ b/products/almalinux9/profiles/ccn_basic.profile @@ -0,0 +1,19 @@ +documentation_complete: true + +metadata: + SMEs: + - marcusburghardt + +reference: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html + +title: 'Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Basic' + +description: |- + This profile defines a baseline that aligns with the "Basic" configuration of the + CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10. + + The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, + intermediate, and advanced levels. + +selections: + - ccn_rhel9:all:basic diff --git a/products/almalinux9/profiles/ccn_intermediate.profile b/products/almalinux9/profiles/ccn_intermediate.profile new file mode 100644 index 000000000..f5b86b0a3 --- /dev/null +++ b/products/almalinux9/profiles/ccn_intermediate.profile @@ -0,0 +1,19 @@ +documentation_complete: true + +metadata: + SMEs: + - marcusburghardt + +reference: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html + +title: 'Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Intermediate' + +description: |- + This profile defines a baseline that aligns with the "Intermediate" configuration of the + CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10. + + The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, + intermediate, and advanced levels. + +selections: + - ccn_rhel9:all:intermediate diff --git a/products/almalinux9/profiles/cis.profile b/products/almalinux9/profiles/cis.profile new file mode 100644 index 000000000..0fd466f03 --- /dev/null +++ b/products/almalinux9/profiles/cis.profile @@ -0,0 +1,27 @@ +documentation_complete: true + +metadata: + version: 1.0.0 + SMEs: + - marcusburghardt + - vojtapolasek + - yuumasato + +reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ + +title: 'CIS AlmaLinux OS 9 Benchmark for Level 2 - Server' + +description: |- + This profile defines a baseline that aligns to the "Level 2 - Server" + configuration from the Center for Internet Security® + AlmaLinux OS 9 Benchmark™, v1.0.0, released 2022-12-12. + + This profile includes Center for Internet Security® + AlmaLinux OS 9 CIS Benchmarks™ content. + +selections: + - cis_rhel9:all:l2_server + # Following rules once had a prodtype incompatible with the rhel9 product + - '!file_ownership_home_directories' + - '!group_unique_name' + - '!file_owner_at_allow' diff --git a/products/almalinux9/profiles/cis_server_l1.profile b/products/almalinux9/profiles/cis_server_l1.profile new file mode 100644 index 000000000..9a639fdae --- /dev/null +++ b/products/almalinux9/profiles/cis_server_l1.profile @@ -0,0 +1,27 @@ +documentation_complete: true + +metadata: + version: 1.0.0 + SMEs: + - marcusburghardt + - vojtapolasek + - yuumasato + +reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ + +title: 'CIS AlmaLinux OS 9 Benchmark for Level 1 - Server' + +description: |- + This profile defines a baseline that aligns to the "Level 1 - Server" + configuration from the Center for Internet Security® + AlmaLinux OS 9 Benchmark™, v1.0.0, released 2022-12-12. + + This profile includes Center for Internet Security® + AlmaLinux OS 9 CIS Benchmarks™ content. + +selections: + - cis_rhel9:all:l1_server + # Following rules once had a prodtype incompatible with the rhel9 product + - '!file_ownership_home_directories' + - '!group_unique_name' + - '!file_owner_at_allow' diff --git a/products/almalinux9/profiles/cis_workstation_l1.profile b/products/almalinux9/profiles/cis_workstation_l1.profile new file mode 100644 index 000000000..239e8dd83 --- /dev/null +++ b/products/almalinux9/profiles/cis_workstation_l1.profile @@ -0,0 +1,27 @@ +documentation_complete: true + +metadata: + version: 1.0.0 + SMEs: + - marcusburghardt + - vojtapolasek + - yuumasato + +reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ + +title: 'CIS AlmaLinux OS 9 Benchmark for Level 1 - Workstation' + +description: |- + This profile defines a baseline that aligns to the "Level 1 - Workstation" + configuration from the Center for Internet Security® + AlmaLinux OS 9 Benchmark™, v1.0.0, released 2022-12-12. + + This profile includes Center for Internet Security® + AlmaLinux OS 9 CIS Benchmarks™ content. + +selections: + - cis_rhel9:all:l1_workstation + # Following rules once had a prodtype incompatible with the rhel9 product + - '!file_ownership_home_directories' + - '!group_unique_name' + - '!file_owner_at_allow' diff --git a/products/almalinux9/profiles/cis_workstation_l2.profile b/products/almalinux9/profiles/cis_workstation_l2.profile new file mode 100644 index 000000000..6a05f77c7 --- /dev/null +++ b/products/almalinux9/profiles/cis_workstation_l2.profile @@ -0,0 +1,28 @@ +documentation_complete: true + +metadata: + version: 1.0.0 + SMEs: + - marcusburghardt + - vojtapolasek + - yuumasato + +reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ + +title: 'CIS AlmaLinux OS 9 Benchmark for Level 2 - Workstation' + +description: |- + This profile defines a baseline that aligns to the "Level 2 - Workstation" + configuration from the Center for Internet Security® + AlmaLinux OS 9 Benchmark™, v1.0.0, released 2022-12-12. + + This profile includes Center for Internet Security® + AlmaLinux OS 9 CIS Benchmarks™ content. + +selections: + - cis_rhel9:all:l2_workstation + - '!package_avahi_removed' + # Following rules once had a prodtype incompatible with the rhel9 product + - '!file_ownership_home_directories' + - '!group_unique_name' + - '!file_owner_at_allow' diff --git a/products/almalinux9/profiles/cui.profile b/products/almalinux9/profiles/cui.profile new file mode 100644 index 000000000..686ee2c43 --- /dev/null +++ b/products/almalinux9/profiles/cui.profile @@ -0,0 +1,33 @@ +documentation_complete: true + +metadata: + version: TBD + SMEs: + - ggbecker + +title: 'DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' + +description: |- + From NIST 800-171, Section 2.2: + Security requirements for protecting the confidentiality of CUI in nonfederal + information systems and organizations have a well-defined structure that + consists of: + + (i) a basic security requirements section; + (ii) a derived security requirements section. + + The basic security requirements are obtained from FIPS Publication 200, which + provides the high-level and fundamental security requirements for federal + information and information systems. The derived security requirements, which + supplement the basic security requirements, are taken from the security controls + in NIST Special Publication 800-53. + + This profile configures AlmaLinux 9 to the NIST Special + Publication 800-53 controls identified for securing Controlled Unclassified + Information (CUI)." + +extends: ospp + +selections: + - inactivity_timeout_value=10_minutes + - var_system_crypto_policy=fips diff --git a/products/almalinux9/profiles/default.profile b/products/almalinux9/profiles/default.profile new file mode 100644 index 000000000..d22005611 --- /dev/null +++ b/products/almalinux9/profiles/default.profile @@ -0,0 +1,555 @@ +documentation_complete: true + +hidden: true + +title: Default Profile for AlmaLinux 9 + +description: |- + This profile contains all the rules that once belonged to the + rhel9 product via 'prodtype'. This profile won't + be rendered into an XCCDF Profile entity, nor it will select any + of these rules by default. The only purpose of this profile + is to keep a rule in the product's XCCDF Benchmark. + +selections: + - sebool_nfsd_anon_write + - sebool_squid_connect_any + - sebool_polipo_connect_all_unreserved + - audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write + - auditd_data_disk_full_action + - mount_option_var_tmp_bind + - sebool_selinuxuser_use_ssh_chroot + - sebool_condor_tcp_network_connect + - sebool_xserver_object_manager + - mount_option_home_grpquota + - sebool_mpd_enable_homedirs + - sebool_logadm_exec_content + - auditd_audispd_encrypt_sent_records + - audit_rules_unsuccessful_file_modification_openat_rule_order + - sebool_logwatch_can_network_connect_mail + - sebool_mpd_use_nfs + - sebool_virt_use_sanlock + - kernel_module_vfat_disabled + - sebool_xguest_use_bluetooth + - sebool_puppetagent_manage_all_files + - sshd_use_strong_rng + - grub2_uefi_admin_username + - sebool_staff_use_svirt + - audit_rules_successful_file_modification_lsetxattr + - sebool_daemons_enable_cluster_mode + - package_krb5-workstation_removed + - package_samba-common_installed + - sebool_httpd_enable_cgi + - accounts_passwords_pam_faillock_silent + - xwindows_remove_packages + - sebool_httpd_can_network_memcache + - sebool_git_system_use_nfs + - sudoers_no_root_target + - sebool_httpd_can_connect_zabbix + - sebool_samba_portmapper + - audit_rules_etc_shadow_open + - sebool_httpd_graceful_shutdown + - sebool_ftpd_use_fusefs + - service_cups_disabled + - sebool_selinuxuser_ping + - sebool_unconfined_chrome_sandbox_transition + - dconf_gnome_screensaver_lock_locked + - package_ntpdate_removed + - package_avahi_removed + - file_groupowner_efi_user_cfg + - set_loopback_traffic + - ntpd_specify_multiple_servers + - sebool_gitosis_can_sendmail + - audit_rules_unsuccessful_file_modification_renameat + - sebool_pcp_read_generic_logs + - sebool_httpd_run_ipa + - sebool_selinuxuser_share_music + - file_groupowner_var_log_syslog + - service_netfs_disabled + - sebool_dbadm_manage_user_files + - sebool_smbd_anon_write + - auditd_audispd_configure_remote_server + - service_ypserv_disabled + - sebool_nagios_run_sudo + - sebool_dbadm_exec_content + - package_ntp_installed + - package_cron_installed + - dconf_gnome_screensaver_idle_activation_locked + - audit_rules_successful_file_modification_unlinkat + - package_audit-audispd-plugins_installed + - sebool_xserver_clients_write_xshm + - sebool_xdm_exec_bootloader + - sebool_httpd_serve_cobbler_files + - sebool_use_ecryptfs_home_dirs + - sebool_container_connect_any + - sebool_sge_domain_can_network_connect + - sebool_staff_exec_content + - file_permissions_home_dirs + - audit_rules_privileged_commands_newgidmap + - sebool_ssh_chroot_rw_homedirs + - sebool_virt_use_xserver + - sebool_mozilla_plugin_use_spice + - sebool_tmpreaper_use_nfs + - sebool_httpd_can_connect_ldap + - sudoers_default_includedir + - sebool_mmap_low_allowed + - sebool_glance_use_fusefs + - sebool_httpd_dontaudit_search_dirs + - sebool_named_tcp_bind_http_port + - auditd_audispd_network_failure_action + - sebool_wine_mmap_zero_ignore + - sebool_cluster_use_execmem + - audit_rules_privileged_commands_usernetctl + - dconf_gnome_disable_user_admin + - service_rlogin_disabled + - sebool_ftpd_use_nfs + - sebool_httpd_use_fusefs + - service_iptables_enabled + - sebool_tor_bind_all_unreserved_ports + - sebool_virt_sandbox_use_all_caps + - sebool_httpd_use_openstack + - sebool_icecast_use_any_tcp_ports + - audit_rules_unsuccessful_file_modification_rename + - sebool_openshift_use_nfs + - sebool_mailman_use_fusefs + - sebool_nfs_export_all_rw + - sebool_httpd_dbus_avahi + - mount_option_smb_client_signing + - audit_rules_successful_file_modification_open_o_trunc_write + - sebool_mplayer_execstack + - sebool_virt_sandbox_use_mknod + - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order + - package_pam_pwquality_installed + - sebool_fcron_crond + - sebool_httpd_read_user_content + - sebool_samba_domain_controller + - service_sshd_disabled + - zipl_page_poison_argument + - file_owner_efi_user_cfg + - sebool_cobbler_anon_write + - audit_rules_successful_file_modification_openat_o_trunc_write + - audit_rules_successful_file_modification_removexattr + - sebool_xdm_write_home + - sebool_httpd_mod_auth_pam + - audit_rules_successful_file_modification_fchownat + - service_httpd_disabled + - package_nfs-utils_removed + - sebool_pppd_for_user + - sebool_rsync_export_all_ro + - audit_rules_successful_file_modification_open_o_creat + - install_hids + - sebool_authlogin_radius + - sebool_swift_can_network + - audit_rules_file_deletion_events + - sshd_disable_pubkey_auth + - sebool_tor_can_network_relay + - sebool_virt_use_samba + - sebool_spamassassin_can_network + - package_syslogng_installed + - sebool_selinuxuser_postgresql_connect_enabled + - sebool_virt_sandbox_use_sys_admin + - sebool_irssi_use_full_network + - sebool_sysadm_exec_content + - sebool_polipo_use_cifs + - sebool_samba_load_libgfapi + - package_rpcbind_removed + - sebool_samba_run_unconfined + - sebool_webadm_manage_user_files + - sebool_zoneminder_run_sudo + - sebool_ftpd_anon_write + - sebool_rsync_anon_write + - mount_option_proc_hidepid + - sebool_nfs_export_all_ro + - audit_rules_unsuccessful_file_modification_chown + - sebool_selinuxuser_udp_server + - sebool_cups_execmem + - service_ntpdate_disabled + - sebool_httpd_execmem + - sebool_httpd_sys_script_anon_write + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write + - sebool_ftpd_use_cifs + - service_atd_disabled + - audit_rules_etc_shadow_open_by_handle_at + - sebool_mysql_connect_any + - audit_rules_privileged_commands_pt_chown + - sebool_httpd_can_sendmail + - sebool_prosody_bind_http_port + - sebool_httpd_use_sasl + - sebool_tftp_home_dir + - sebool_gssd_read_tmp + - kernel_module_uvcvideo_disabled + - sebool_squid_use_tproxy + - sebool_httpd_ssi_exec + - sebool_use_lpd_server + - audit_rules_successful_file_modification_open_by_handle_at_o_creat + - sebool_unconfined_login + - account_use_centralized_automated_auth + - file_groupowner_efi_grub2_cfg + - sebool_xdm_bind_vnc_tcp_port + - sebool_deny_ptrace + - sebool_postgresql_selinux_transmit_client_label + - sysctl_net_ipv6_conf_all_disable_ipv6 + - sebool_smartmon_3ware + - dconf_gnome_login_retries + - audit_rules_unsuccessful_file_modification_setxattr + - sudo_vdsm_nopasswd + - sebool_global_ssp + - service_smb_disabled + - sebool_virt_rw_qemu_ga_data + - sebool_selinuxuser_tcp_server + - package_inetutils-telnetd_removed + - audit_rules_successful_file_modification_openat + - audit_rules_unsuccessful_file_modification_fchmod + - service_ntpd_enabled + - file_permissions_httpd_server_conf_files + - sebool_httpd_use_gpg + - sebool_spamd_enable_home_dirs + - package_openldap-servers_removed + - avahi_disable_publishing + - audit_rules_successful_file_modification_fchmod + - sebool_fenced_can_network_connect + - sebool_virt_use_nfs + - sebool_lsmd_plugin_connect_any + - account_passwords_pam_faillock_dir + - sebool_authlogin_yubikey + - sebool_authlogin_nsswitch_use_ldap + - dconf_gnome_disable_geolocation + - sebool_httpd_run_preupgrade + - sebool_httpd_use_cifs + - sebool_telepathy_tcp_connect_generic_network_ports + - zipl_slub_debug_argument + - sebool_entropyd_use_audio + - grub2_kernel_trust_cpu_rng + - sebool_httpd_enable_ftp_server + - sebool_postgresql_selinux_users_ddl + - package_ypbind_removed + - xwindows_runlevel_target + - package_talk-server_removed + - kernel_module_ipv6_option_disabled + - sebool_cobbler_use_nfs + - sebool_mozilla_plugin_can_network_connect + - sebool_ftpd_full_access + - sebool_mcelog_foreground + - sebool_xguest_exec_content + - sebool_daemons_dump_core + - audit_rules_successful_file_modification_renameat + - service_rngd_enabled + - kernel_module_cfg80211_disabled + - sebool_git_cgi_use_cifs + - sebool_virt_sandbox_use_netlink + - enable_dconf_user_profile + - service_dhcpd_disabled + - kernel_module_jffs2_disabled + - sebool_openvpn_run_unconfined + - sebool_gluster_anon_write + - audit_rules_successful_file_modification_open + - sebool_secure_mode_insmod + - sebool_nscd_use_shm + - sebool_ksmtuned_use_cifs + - sebool_nagios_run_pnp4nagios + - sebool_selinuxuser_direct_dri_enabled + - sebool_haproxy_connect_any + - audit_rules_etc_shadow_openat + - sebool_pppd_can_insmod + - sebool_glance_api_can_network + - accounts_passwords_pam_faillock_enforce_local + - sebool_mozilla_plugin_use_bluejeans + - sebool_mozilla_read_content + - sebool_virt_use_usb + - sebool_virt_use_execmem + - sebool_virt_read_qemu_ga_data + - service_vsftpd_disabled + - ssh_private_keys_have_passcode + - sebool_user_exec_content + - sebool_gluster_export_all_ro + - sebool_mcelog_server + - sebool_mount_anyfile + - sebool_sge_use_nfs + - sebool_daemons_use_tty + - sebool_mcelog_client + - sebool_rsync_client + - sebool_privoxy_connect_any + - postfix_client_configure_relayhost + - sebool_httpd_builtin_scripting + - etc_system_fips_exists + - iptables_sshd_disabled + - grub2_ipv6_disable_argument + - dconf_gnome_disable_thumbnailers + - sebool_varnishd_connect_any + - kernel_module_hfsplus_disabled + - audit_rules_for_ospp + - package_rsh_removed + - dconf_gnome_enable_smartcard_auth + - service_oddjobd_disabled + - service_postfix_enabled + - package_openssh-server_removed + - sebool_httpd_can_connect_mythtv + - audit_rules_successful_file_modification_lchown + - sebool_tftp_anon_write + - sebool_cobbler_can_network_connect + - sebool_samba_export_all_ro + - service_cron_enabled + - file_permissions_efi_user_cfg + - service_rhnsd_disabled + - audit_rules_successful_file_modification_unlink + - no_all_squash_exports + - sebool_use_samba_home_dirs + - audit_rules_etc_gshadow_openat + - service_ufw_enabled + - harden_sshd_macs_openssh_conf_crypto_policy + - dir_permissions_binary_dirs + - sebool_xend_run_blktap + - dconf_gnome_disable_wifi_notification + - package_nis_removed + - service_xinetd_disabled + - audit_rules_etc_passwd_open + - dhcp_client_restrict_options + - sebool_openvpn_can_network_connect + - kernel_module_freevxfs_disabled + - account_emergency_expire_date + - sebool_unconfined_mozilla_plugin_transition + - audit_rules_unsuccessful_file_modification_lremovexattr + - file_permissions_var_log_syslog + - sebool_git_cgi_enable_homedirs + - audit_rules_etc_passwd_open_by_handle_at + - audit_rules_privileged_commands_at + - sebool_virt_use_fusefs + - kernel_module_iwlmvm_disabled + - service_ntp_enabled + - file_owner_var_log_syslog + - service_ip6tables_enabled + - sebool_logging_syslogd_run_nagios_plugins + - sebool_mozilla_plugin_use_gps + - service_slapd_disabled + - audit_rules_unsuccessful_file_modification_open_o_trunc_write + - sebool_ftpd_connect_all_unreserved + - configure_user_data_backups + - dir_ownership_binary_dirs + - sebool_mcelog_exec_scripts + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sebool_xserver_execmem + - sysctl_net_ipv6_conf_default_disable_ipv6 + - sebool_cron_userdomain_transition + - sebool_collectd_tcp_network_connect + - sebool_httpd_enable_homedirs + - sebool_httpd_unified + - audit_rules_privileged_commands_newuidmap + - sebool_zabbix_can_network + - audit_rules_unsuccessful_file_modification_chmod + - sebool_gpg_web_anon_write + - fapolicyd_prevent_home_folder_access + - no_legacy_plus_entries_etc_passwd + - sebool_sanlock_use_nfs + - sebool_racoon_read_shadow + - audit_rules_successful_file_modification_fsetxattr + - audit_rules_successful_file_modification_fremovexattr + - package_krb5-server_removed + - file_permissions_httpd_server_conf_d_files + - audit_rules_successful_file_modification_rename + - sebool_guest_exec_content + - kernel_module_rds_disabled + - sebool_selinuxuser_mysql_connect_enabled + - sebool_antivirus_use_jit + - sebool_ksmtuned_use_nfs + - service_qpidd_disabled + - audit_rules_successful_file_modification_setxattr + - sebool_polipo_session_bind_all_unreserved_ports + - sebool_secure_mode_policyload + - sebool_webadm_read_user_files + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat + - audit_rules_unsuccessful_file_modification_fsetxattr + - kernel_module_hfs_disabled + - sebool_git_session_users + - sebool_exim_manage_user_files + - configure_gnutls_tls_crypto_policy + - sshd_enable_gssapi_auth + - sebool_minidlna_read_generic_user_content + - audit_rules_etc_group_openat + - sebool_httpd_can_network_connect_cobbler + - auditd_data_disk_error_action + - audit_rules_unsuccessful_file_modification_fchownat + - sebool_openvpn_enable_homedirs + - zipl_enable_selinux + - audit_rules_unsuccessful_file_modification_open_o_creat + - kernel_config_ipv6 + - audit_rules_successful_file_modification_chown + - audit_rules_successful_file_modification_fchmodat + - sebool_dhcpc_exec_iptables + - file_permissions_efi_grub2_cfg + - audit_rules_unsuccessful_file_modification_removexattr + - sebool_telepathy_connect_all_ports + - sebool_postgresql_can_rsync + - audit_rules_unsuccessful_file_modification_openat_o_trunc_write + - rpm_verify_permissions + - package_telnetd_removed + - sebool_httpd_setrlimit + - harden_sshd_macs_opensshserver_conf_crypto_policy + - service_dovecot_disabled + - service_cockpit_disabled + - no_legacy_plus_entries_etc_group + - mount_option_boot_noauto + - sebool_git_cgi_use_nfs + - sebool_git_system_use_cifs + - sebool_httpd_use_nfs + - audit_rules_unsuccessful_file_modification_lchown + - dconf_gnome_disable_wifi_create + - audit_rules_successful_file_modification_fchown + - sebool_git_system_enable_homedirs + - sebool_httpd_can_check_spam + - sebool_mpd_use_cifs + - sebool_xen_use_nfs + - sebool_samba_enable_home_dirs + - service_named_disabled + - service_syslogng_enabled + - sebool_sanlock_use_fusefs + - account_passwords_pam_faillock_audit + - sebool_ssh_keysign + - sebool_zebra_write_config + - auditd_data_retention_num_logs + - sebool_kerberos_enabled + - sebool_irc_use_any_tcp_ports + - package_xinetd_removed + - audit_rules_etc_gshadow_open_by_handle_at + - sebool_samba_export_all_rw + - audit_rules_successful_file_modification_truncate + - dhcp_server_minimize_served_info + - file_permissions_httpd_server_modules_files + - audit_rules_successful_file_modification_open_by_handle_at + - sebool_tmpreaper_use_samba + - sebool_xdm_sysadm_login + - sebool_samba_create_home_dirs + - sebool_login_console_enabled + - sebool_secadm_exec_content + - audit_rules_successful_file_modification_chmod + - sebool_nis_enabled + - sebool_cvs_read_shadow + - audit_rules_unsuccessful_file_modification_lsetxattr + - sebool_xend_run_qemu + - sebool_virt_use_comm + - installed_OS_is_FIPS_certified + - sebool_httpd_can_network_connect + - sebool_virt_sandbox_use_audit + - sshd_disable_root_password_login + - package_telnetd-ssl_removed + - sebool_puppetmaster_use_db + - audit_rules_successful_file_modification_ftruncate + - fapolicy_default_deny + - dconf_gnome_disable_power_settings + - sebool_mozilla_plugin_bind_unreserved_ports + - package_MFEhiplsm_installed + - sebool_fenced_can_ssh + - sebool_glance_use_execmem + - audit_rules_etc_passwd_openat + - sebool_rsync_full_access + - snmpd_no_rwusers + - mount_option_home_usrquota + - sebool_logging_syslogd_can_sendmail + - sebool_ftpd_use_passive_mode + - sebool_cluster_can_network_connect + - sebool_cdrecord_read_content + - sebool_antivirus_can_scan_system + - rsyslog_logging_configured + - sebool_httpd_manage_ipa + - sebool_samba_share_nfs + - sebool_domain_kernel_load_modules + - package_389-ds-base_removed + - sebool_logging_syslogd_use_tty + - audit_rules_etc_group_open + - sebool_secure_mode + - set_iptables_default_rule_forward + - service_rdisc_disabled + - zipl_vsyscall_argument + - audit_rules_unsuccessful_file_modification_openat_o_creat + - sebool_awstats_purge_apache_log_files + - sebool_httpd_tmp_exec + - package_postfix_installed + - sebool_sanlock_use_samba + - force_opensc_card_drivers + - audit_rules_successful_file_modification_creat + - sebool_domain_fd_use + - package_avahi-autoipd_removed + - sebool_httpd_can_connect_ftp + - sebool_httpd_anon_write + - sebool_dhcpd_use_ldap + - coreos_enable_selinux_kernel_argument + - sebool_postgresql_selinux_unconfined_dbadm + - kernel_disable_entropy_contribution_for_solid_state_drives + - sebool_use_fusefs_home_dirs + - audit_rules_successful_file_modification_lremovexattr + - sebool_virt_transition_userdomain + - package_freeradius_removed + - file_owner_efi_grub2_cfg + - sebool_httpd_tty_comm + - sebool_dbadm_read_user_files + - audit_rules_unsuccessful_file_modification_unlink + - auditd_audispd_disk_full_action + - sebool_exim_read_user_files + - ftp_limit_users + - sebool_zarafa_setrlimit + - kernel_module_mac80211_disabled + - sebool_kdumpgui_run_bootloader + - rsyslog_accept_remote_messages_tcp + - sebool_httpd_verify_dns + - accounts_password_pam_enforce_local + - usbguard_allow_hub + - sebool_polipo_use_nfs + - sebool_exim_can_connect_db + - sebool_unprivuser_use_svirt + - sebool_httpd_run_stickshift + - set_ipv6_loopback_traffic + - ftp_configure_firewall + - sebool_cron_can_relabel + - audit_rules_unsuccessful_file_modification_fremovexattr + - sebool_httpd_dbus_sssd + - sebool_xguest_connect_network + - package_geolite2-country_removed + - audit_rules_etc_group_open_by_handle_at + - sebool_daemons_use_tcp_wrapper + - sebool_use_nfs_home_dirs + - sshd_set_keepalive_0 + - sebool_conman_can_network + - sebool_logrotate_use_nfs + - audit_rules_unsuccessful_file_modification_fchown + - sebool_httpd_can_network_connect_db + - sebool_gluster_export_all_rw + - sebool_named_write_master_zones + - sebool_postfix_local_write_mail_spool + - sebool_xguest_mount_media + - sebool_selinuxuser_rw_noexattrfile + - sebool_cron_system_cronjob_use_shares + - sebool_virt_use_rawip + - sebool_pcp_bind_all_unreserved_ports + - audit_rules_etc_gshadow_open + - sebool_saslauthd_read_shadow + - sebool_mock_enable_homedirs + - ntpd_specify_remote_server + - selinux_user_login_roles + - audit_rules_successful_file_modification_openat_o_creat + - kernel_module_iwlwifi_disabled + - sebool_zoneminder_anon_write + - sshd_enable_x11_forwarding + - dconf_gnome_screensaver_user_info + - sshd_disable_rhosts_rsa + - sebool_neutron_can_network + - sebool_ftpd_connect_db + - sebool_httpd_mod_auth_ntlm_winbind + - sebool_samba_share_fusefs + - harden_ssh_client_crypto_policy + - sebool_cobbler_use_cifs + - sebool_httpd_can_network_relay + - package_geolite2-city_removed + - set_iptables_default_rule + - sebool_piranha_lvs_can_network_connect + - usbguard_allow_hid + - package_talk_removed + - no_legacy_plus_entries_etc_shadow + - sebool_git_session_bind_all_unreserved_ports + - rsyslog_accept_remote_messages_udp + - sebool_boinc_execmem + - audit_rules_unsuccessful_file_modification_unlinkat + - sebool_fips_mode + - audit_rules_unsuccessful_file_modification_open_rule_order + - audit_rules_unsuccessful_file_modification_fchmodat + - sebool_polipo_session_users + - sebool_cluster_manage_all_files + - configure_firewalld_ports diff --git a/products/almalinux9/profiles/e8.profile b/products/almalinux9/profiles/e8.profile new file mode 100644 index 000000000..b8e703fcc --- /dev/null +++ b/products/almalinux9/profiles/e8.profile @@ -0,0 +1,150 @@ +documentation_complete: true + +metadata: + SMEs: + - shaneboulden + - tjbutt58 + +reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers + +title: 'Australian Cyber Security Centre (ACSC) Essential Eight' + +description: |- + This profile contains configuration checks for AlmaLinux 9 + that align to the Australian Cyber Security Centre (ACSC) Essential Eight. + + A copy of the Essential Eight in Linux Environments guide can be found at the + ACSC website: + + https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers + +selections: + + ### Remove obsolete packages + - package_talk_removed + - package_talk-server_removed + - package_ypbind_removed + - package_telnet_removed + - service_telnet_disabled + - package_telnet-server_removed + - package_rsh_removed + - package_rsh-server_removed + - package_quagga_removed + - service_avahi-daemon_disabled + - package_squid_removed + - service_squid_disabled + + ### Software update + - ensure_almalinux_gpgkey_installed + - ensure_gpgcheck_never_disabled + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_globally_activated + - security_patches_up_to_date + - dnf-automatic_security_updates_only + + ### System security settings + - sysctl_kernel_randomize_va_space + - sysctl_kernel_exec_shield + - sysctl_kernel_kptr_restrict + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_unprivileged_bpf_disabled + - sysctl_net_core_bpf_jit_harden + + ### SELinux + - var_selinux_state=enforcing + - selinux_state + - var_selinux_policy_name=targeted + - selinux_policytype + + ### Filesystem integrity + - rpm_verify_hashes + - rpm_verify_permissions + - rpm_verify_ownership + - file_permissions_unauthorized_sgid + - file_permissions_unauthorized_suid + - file_permissions_unauthorized_world_writable + - dir_perms_world_writable_sticky_bits + - file_permissions_library_dirs + - file_ownership_binary_dirs + - file_permissions_binary_dirs + - file_ownership_library_dirs + + ### Passwords + - var_authselect_profile=sssd + - enable_authselect + - no_empty_passwords + + ### Partitioning + - mount_option_dev_shm_nodev + - mount_option_dev_shm_nosuid + - mount_option_dev_shm_noexec + + ### Network + - package_firewalld_installed + - service_firewalld_enabled + - network_sniffer_disabled + + ### Admin privileges + - accounts_no_uid_except_zero + - sudo_remove_nopasswd + - sudo_remove_no_authenticate + - sudo_require_authentication + + ### Audit + - package_rsyslog_installed + - service_rsyslog_enabled + - service_auditd_enabled + - var_auditd_flush=incremental_async + - auditd_data_retention_flush + - auditd_local_events + - auditd_write_logs + - auditd_log_format + - auditd_freq + - auditd_name_format + - audit_rules_login_events_tallylog + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime + - audit_rules_time_watch_localtime + - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_execution_restorecon + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setsebool + - audit_rules_execution_setfiles + - audit_rules_execution_seunshare + - audit_rules_sysadmin_actions + - audit_rules_networkconfig_modification + - audit_rules_usergroup_modification + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_kernel_module_loading + + ### Secure access + - sshd_use_directory_configuration + - sshd_disable_root_login + - sshd_disable_gssapi_auth + - sshd_print_last_log + - sshd_do_not_permit_user_env + - sshd_disable_rhosts + - sshd_set_loglevel_info + - sshd_disable_empty_passwords + - sshd_disable_user_known_hosts + - sshd_enable_strictmodes + + # See also: https://www.cyber.gov.au/acsc/view-all-content/guidance/asd-approved-cryptographic-algorithms + - var_system_crypto_policy=default_nosha1 + - configure_crypto_policy + - configure_ssh_crypto_policy + + ### Application whitelisting + - package_fapolicyd_installed + - service_fapolicyd_enabled + + ### Backup + - package_rear_installed diff --git a/products/almalinux9/profiles/hipaa.profile b/products/almalinux9/profiles/hipaa.profile new file mode 100644 index 000000000..7fd934311 --- /dev/null +++ b/products/almalinux9/profiles/hipaa.profile @@ -0,0 +1,160 @@ +documentation_complete: True + +metadata: + SMEs: + - jjaswanson4 + +reference: https://www.hhs.gov/hipaa/for-professionals/index.html + +title: 'Health Insurance Portability and Accountability Act (HIPAA)' + +description: |- + The HIPAA Security Rule establishes U.S. national standards to protect individuals’ + electronic personal health information that is created, received, used, or + maintained by a covered entity. The Security Rule requires appropriate + administrative, physical and technical safeguards to ensure the + confidentiality, integrity, and security of electronic protected health + information. + + This profile configures AlmaLinux 9 to the HIPAA Security + Rule identified for securing of electronic protected health information. + Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). + +selections: + - grub2_password + - grub2_uefi_password + - file_groupowner_grub2_cfg + - file_owner_grub2_cfg + - grub2_disable_interactive_boot + - no_direct_root_logins + - no_empty_passwords + - require_singleuser_auth + - restrict_serial_port_logins + - securetty_root_login_console_only + - service_debug-shell_disabled + - disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction + - dconf_db_up_to_date + - dconf_gnome_remote_access_credential_prompt + - dconf_gnome_remote_access_encryption + - sshd_use_directory_configuration + - sshd_disable_empty_passwords + - sshd_disable_root_login + - libreswan_approved_tunnels + - no_rsh_trust_files + - package_talk_removed + - package_talk-server_removed + - package_telnet_removed + - package_telnet-server_removed + - service_crond_enabled + - service_telnet_disabled + - use_kerberos_security_all_exports + - var_authselect_profile=sssd + - enable_authselect + - disable_host_auth + - sshd_allow_only_protocol2 + - sshd_disable_compression + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth + - sshd_do_not_permit_user_env + - sshd_enable_strictmodes + - sshd_enable_warning_banner + - var_sshd_set_keepalive=1 + - encrypt_partitions + - var_system_crypto_policy=fips + - configure_crypto_policy + - configure_ssh_crypto_policy + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + - grub2_enable_selinux + - sebool_selinuxuser_execheap + - sebool_selinuxuser_execmod + - sebool_selinuxuser_execstack + - selinux_confinement_of_daemons + - selinux_policytype + - selinux_state + - service_kdump_disabled + - sysctl_fs_suid_dumpable + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_exec_shield + - sysctl_kernel_randomize_va_space + - rpm_verify_hashes + - rpm_verify_permissions + - ensure_almalinux_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled + - ensure_gpgcheck_local_packages + - grub2_audit_argument + - service_auditd_enabled + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_su + - audit_rules_immutable + - kernel_module_usb-storage_disabled + - service_autofs_disabled + - auditd_audispd_syslog_plugin_activated + - rsyslog_remote_loghost + - auditd_data_retention_flush + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_execution_chcon + - audit_rules_execution_restorecon + - audit_rules_execution_semanage + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlinkat + - audit_rules_file_deletion_events_unlink + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_mac_modification + - audit_rules_media_export + - audit_rules_networkconfig_modification + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_userhelper + - audit_rules_session_events + - audit_rules_sysadmin_actions + - audit_rules_system_shutdown + - var_audit_failure_mode=panic + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime + - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_time_watch_localtime + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow diff --git a/products/almalinux9/profiles/ism_o.profile b/products/almalinux9/profiles/ism_o.profile new file mode 100644 index 000000000..8c86a5552 --- /dev/null +++ b/products/almalinux9/profiles/ism_o.profile @@ -0,0 +1,138 @@ +documentation_complete: true + +metadata: + SMEs: + - shaneboulden + - wcushen + - eliseelk + - sashperso + - anjuskantha + +reference: https://www.cyber.gov.au/ism + +title: 'Australian Cyber Security Centre (ACSC) ISM Official' + +description: |- + This profile contains configuration checks for AlmaLinux 9 + that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) + with the applicability marking of OFFICIAL. + + The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning + AlmaLinux security controls with the ISM, which can be used to select controls + specific to an organisation's security posture and risk profile. + + A copy of the ISM can be found at the ACSC website: + + https://www.cyber.gov.au/ism + +extends: e8 + +selections: + + ## Operating system configuration + ## Identifiers 1491 + - no_shelllogin_for_systemaccounts + + ## Local administrator accounts + ## Identifiers 1382 / 1410 + - accounts_password_all_shadowed + - package_sudo_installed + + ## Content filtering & Anti virus + ## Identifiers 0576 / 1341 / 1034 / 1417 / 1288 + - package_aide_installed + + ## Software firewall + ## Identifiers 1416 + - configure_firewalld_ports + ## Removing due to build error + ## - configure_firewalld_rate_limiting + - firewalld_sshd_port_enabled + - set_firewalld_default_zone + + ## Endpoint device control software + ## Identifiers 1418 + - package_usbguard_installed + - service_usbguard_enabled + - usbguard_allow_hid_and_hub + + ## Authentication hardening + ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560 + ## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431 + - sshd_use_directory_configuration + - sshd_max_auth_tries_value=5 + - disable_host_auth + - require_emergency_target_auth + - require_singleuser_auth + - sshd_disable_kerb_auth + - sshd_set_max_auth_tries + + ## Password authentication & Protecting credentials + ## Identifiers 0421 / 0431 / 0418 / 1402 + - var_password_pam_minlen=14 + - var_accounts_password_warn_age_login_defs=7 + - var_accounts_minimum_age_login_defs=1 + - var_accounts_maximum_age_login_defs=60 + - var_authselect_profile=sssd + - enable_authselect + - accounts_password_warn_age_login_defs + - accounts_maximum_age_login_defs + - accounts_minimum_age_login_defs + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_password_pam_minlen + + ## Centralised logging facility + ## Identifiers 1405 / 0988 + - rsyslog_cron_logging + - rsyslog_files_groupownership + - rsyslog_files_ownership + - rsyslog_files_permissions + - rsyslog_nolisten + - rsyslog_remote_loghost + - rsyslog_remote_tls + - rsyslog_remote_tls_cacert + - package_chrony_installed + - service_chronyd_enabled + # - chronyd_specify_multiple_servers + - chronyd_specify_remote_server + + ## Events to be logged + ## Identifiers 0580 / 0584 / 0582 / 0585 / 0586 / 0846 / 0957 + - display_login_attempts + - sebool_auditadm_exec_content + - audit_rules_privileged_commands + - audit_rules_session_events + - audit_rules_unsuccessful_file_modification + - audit_access_failed + - audit_access_success + + ## Web application & Database servers + ## Identifiers 1552 / 1277 + + ## Network design and configuration + ## Identifiers 1055 / 1311 + - network_nmcli_permissions + - service_snmpd_disabled + - snmpd_use_newer_protocol + + ## Wireless networks + ## Identifiers 1315 + - wireless_disable_interfaces + + ## ASD Approved Cryptographic Algorithms + ## Identifiers 0471 / 0472 / 0473 / 0474 / 0475 / 0476 / 0477 / + ## 0479 / 0480 / 0481 / 0489 / 0497 / 0994 / 0998 / 1001 / 1139 / + ## 1372 / 1373 / 1374 / 1375 + - enable_fips_mode + - var_system_crypto_policy=fips + - configure_crypto_policy + + ## Secure Shell access + ## Identifiers 0484 / 1506 / 1449 / 0487 + - sshd_allow_only_protocol2 + - sshd_enable_warning_banner + - sshd_disable_x11_forwarding + - file_permissions_sshd_private_key diff --git a/products/almalinux9/profiles/ospp.profile b/products/almalinux9/profiles/ospp.profile new file mode 100644 index 000000000..744eec65d --- /dev/null +++ b/products/almalinux9/profiles/ospp.profile @@ -0,0 +1,347 @@ +documentation_complete: true + +metadata: + version: 4.3 + SMEs: + - ggbecker + - matusmarhefka + +reference: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=469&id=469 + +title: 'Protection Profile for General Purpose Operating Systems' + +description: |- + This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance + documentation for Target of Evaluation based on Protection Profile for + General Purpose Operating Systems (OSPP) version 4.3 and Functional + Package for SSH version 1.0. + + Where appropriate, CNSSI 1253 or DoD-specific values are used for + configuration, based on Configuration Annex to the OSPP. + +selections: + + ####################################################### + ### GENERAL REQUIREMENTS + ### Things needed to meet OSPP functional requirements. + ####################################################### + + ### Partitioning + - partition_for_var_log_audit + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_nosuid + - mount_option_var_log_audit_noexec + + ### Services + # sshd + - sshd_use_directory_configuration + - sshd_disable_root_login + - disable_host_auth + - sshd_disable_empty_passwords + - sshd_disable_kerb_auth + - sshd_disable_gssapi_auth + - sshd_rekey_limit + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + + # Time Server + - chronyd_client_only + + ### systemd + - disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction + - service_debug-shell_disabled + - grub2_systemd_debug-shell_argument_absent + + ### Software update + - ensure_almalinux_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_never_disabled + + ### Kernel Config + ## Boot prompt + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - grub2_vsyscall_argument + - grub2_init_on_alloc_argument + - grub2_page_alloc_shuffle_argument + + ## Security Settings + - sysctl_kernel_kptr_restrict + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces + - sysctl_kernel_unprivileged_bpf_disabled_accept_default + - sysctl_kernel_unprivileged_bpf_disabled_value=2 + - service_kdump_disabled + + ### Audit + - service_auditd_enabled + - var_auditd_flush=incremental_async + - auditd_data_retention_flush + - auditd_log_format + - auditd_freq + - auditd_name_format + + ### Module Disabled + - kernel_module_bluetooth_disabled + - kernel_module_sctp_disabled + - kernel_module_can_disabled + - kernel_module_tipc_disabled + + ### rpcbind + + ### Install Required Packages + - package_dnf-automatic_installed + - package_subscription-manager_installed + - package_firewalld_installed + - package_openscap-scanner_installed + - package_sudo_installed + - package_usbguard_installed + - package_scap-security-guide_installed + - package_audit_installed + - package_crypto-policies_installed + - package_openssh-server_installed + - package_openssh-clients_installed + - package_chrony_installed + - package_gnutls-utils_installed + + ### Login + - sysctl_kernel_core_pattern_empty_string + - sysctl_kernel_core_uses_pid + - service_systemd-coredump_disabled + - var_authselect_profile=minimal + - enable_authselect + - use_pam_wheel_for_su + + ### SELinux Configuration + - var_selinux_state=enforcing + - selinux_state + - var_selinux_policy_name=targeted + - selinux_policytype + + ### Application Whitelisting (RHEL 9) + - package_fapolicyd_installed + - service_fapolicyd_enabled + + ### Configure USBGuard + - service_usbguard_enabled + - configure_usbguard_auditbackend + - usbguard_allow_hid_and_hub + + + ### Enable / Configure FIPS + - enable_fips_mode + - var_system_crypto_policy=fips_ospp + - configure_crypto_policy + - configure_ssh_crypto_policy + - configure_openssl_crypto_policy + - enable_dracut_fips_module + + ####################################################### + ### CONFIGURATION ANNEX TO THE PROTECTION PROFILE + ### FOR GENERAL PURPOSE OPERATING SYSTEMS + ### ANNEX RELEASE 1 + ### FOR PROTECTION PROFILE VERSIONS 4.2 + ### + ### https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/ + ####################################################### + + ## Configure Minimum Password Length to 12 Characters + ## IA-5 (1)(a) / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + - var_password_pam_minlen=12 + - accounts_password_pam_minlen + + ## Require at Least 1 Special Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + - var_password_pam_ocredit=1 + - accounts_password_pam_ocredit + + ## Require at Least 1 Numeric Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + - var_password_pam_dcredit=1 + - accounts_password_pam_dcredit + + ## Require at Least 1 Uppercase Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + - var_password_pam_ucredit=1 + - accounts_password_pam_ucredit + + ## Require at Least 1 Lowercase Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + - var_password_pam_lcredit=1 + - accounts_password_pam_lcredit + + ## Enable Screen Lock + ## FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + - package_tmux_installed + - configure_bashrc_exec_tmux + - no_tmux_in_shells + - configure_tmux_lock_command + + ## Set Screen Lock Timeout Period to 30 Minutes or Less + ## AC-11(a) / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + - configure_tmux_lock_after_time + + ## Disable Unauthenticated Login (such as Guest Accounts) + ## FIA_UAU.1 + - require_singleuser_auth + - grub2_disable_recovery + - grub2_uefi_password + - no_empty_passwords + + ## Set Maximum Number of Authentication Failures to 3 Within 15 Minutes + ## AC-7 / FIA_AFL.1 + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_fail_interval=900 + - accounts_passwords_pam_faillock_interval + - var_accounts_passwords_pam_faillock_unlock_time=never + - accounts_passwords_pam_faillock_unlock_time + + ## Enable Host-Based Firewall + ## SC-7(12) / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + - service_firewalld_enabled + + ## Configure Name/Addres of Remote Management Server + ## From Which to Receive Config Settings + ## CM-3(3) / FMT_MOF_EXT.1 + # Management server not selected in FTP_ITC_EXT.1 + + ## Configure the System to Offload Audit Records to a Log + ## Server + ## AU-4(1) / FAU_GEN.1.1.c + # Audit server not selected in FTP_ITC_EXT.1 + + ## Set Logon Warning Banner + ## AC-8(a) / FMT_MOF_EXT.1 (FTA_TAB.1) + - sshd_enable_warning_banner + + ## Audit All Logons (Success/Failure) and Logoffs (Success) + ## CNSSI 1253 Value or DoD-Specific Values: + ## (1) Logons (Success/Failure) + ## (2) Logoffs (Success) + ## AU-2(a) / FAU_GEN.1.1.c + + ## Audit File and Object Events (Unsuccessful) + ## CNSSI 1253 Value or DoD-specific Values: + ## (1) Create (Success/Failure) + ## (2) Access (Success/Failure) + ## (3) Delete (Sucess/Failure) + ## (4) Modify (Success/Failure) + ## (5) Permission Modification (Sucess/Failure) + ## (6) Ownership Modification (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## + ## + ## (1) Create (Success/Failure) + ## (open with O_CREAT) + ## (2) Access (Success/Failure) + ## (3) Delete (Success/Failure) + ## (4) Modify (Success/Failure) + ## (5) Permission Modification (Success/Failure) + ## (6) Ownership Modification (Success/Failure) + + ## Audit User and Group Management Events (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## (1) User add, delete, modify, disable, enable (Success/Failure) + ## (2) Group/Role add, delete, modify (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## + ## Generic User and Group Management Events (Success/Failure) + ## Selection of setuid programs that relate to + ## user accounts. + ## + ## CNSSI 1253: (1) User add, delete, modify, disable, enable (Success/Failure) + ## + ## CNSSI 1252: (2) Group/Role add, delete, modify (Success/Failure) + ## + ## Audit Privilege or Role Escalation Events (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## - Privilege/Role escalation (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## Audit All Audit and Log Data Accesses (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## - Audit and log data access (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## Audit Cryptographic Verification of Software (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite, + ## etc) initialization (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## Audit Kernel Module Loading and Unloading Events (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + - audit_basic_configuration + - audit_immutable_login_uids + - audit_create_failed + - audit_create_failed_aarch64 + - audit_create_failed_ppc64le + - audit_create_success + - audit_create_success_aarch64 + - audit_create_success_ppc64le + - audit_modify_failed + - audit_modify_failed_aarch64 + - audit_modify_failed_ppc64le + - audit_modify_success + - audit_modify_success_aarch64 + - audit_modify_success_ppc64le + - audit_access_failed + - audit_access_failed_aarch64 + - audit_access_failed_ppc64le + - audit_access_success + - audit_access_success.severity=info + - audit_access_success.role=unscored + - audit_access_success_aarch64 + - audit_access_success_aarch64.severity=info + - audit_access_success_aarch64.role=unscored + - audit_access_success_ppc64le + - audit_access_success_ppc64le.severity=info + - audit_access_success_ppc64le.role=unscored + - audit_delete_failed + - audit_delete_failed_aarch64 + - audit_delete_failed_ppc64le + - audit_delete_success + - audit_delete_success_aarch64 + - audit_delete_success_ppc64le + - audit_perm_change_failed + - audit_perm_change_failed_aarch64 + - audit_perm_change_failed_ppc64le + - audit_perm_change_success + - audit_perm_change_success_aarch64 + - audit_perm_change_success_ppc64le + - audit_owner_change_failed + - audit_owner_change_failed_aarch64 + - audit_owner_change_failed_ppc64le + - audit_owner_change_success + - audit_owner_change_success_aarch64 + - audit_owner_change_success_ppc64le + - audit_ospp_general + - audit_ospp_general_aarch64 + - audit_ospp_general_ppc64le + - audit_module_load + - audit_module_load_ppc64le + + ## Enable Automatic Software Updates + ## SI-2 / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + # Configure dnf-automatic to Install Available Updates Automatically + - dnf-automatic_apply_updates + + # Enable dnf-automatic Timer + - timer_dnf-automatic_enabled + + # set ssh client rekey limit + - ssh_client_rekey_limit + - var_ssh_client_rekey_limit_size=1G + - var_ssh_client_rekey_limit_time=1hour + + # zIPl specific rules + - zipl_bls_entries_only + - zipl_bootmap_is_up_to_date + - zipl_audit_argument + - zipl_audit_backlog_limit_argument + - zipl_init_on_alloc_argument + - zipl_page_alloc_shuffle_argument + - zipl_systemd_debug-shell_argument_absent diff --git a/products/almalinux9/profiles/pci-dss.profile b/products/almalinux9/profiles/pci-dss.profile new file mode 100644 index 000000000..7b7940245 --- /dev/null +++ b/products/almalinux9/profiles/pci-dss.profile @@ -0,0 +1,70 @@ +documentation_complete: true + +metadata: + version: '4.0' + SMEs: + - marcusburghardt + - mab879 + - vojtapolasek + +reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf + +title: 'PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9' + +description: |- + Payment Card Industry - Data Security Standard (PCI-DSS) is a set of + security standards designed to ensure the secure handling of payment card + data, with the goal of preventing data breaches and protecting sensitive + financial information. + + This profile ensures Red Hat Enterprise Linux 9 is configured in alignment + with PCI-DSS v4.0 requirements. + +selections: + - pcidss_4:all + # audit-audispd-plugins package does not exist in RHEL 9 + # use only package_audispd-plugins_installed + - '!package_audit-audispd-plugins_installed' + # More tests are needed to identify which rule is conflicting with rpm_verify_permissions. + # https://github.com/ComplianceAsCode/content/issues/11285 + - '!rpm_verify_permissions' + # these rules do not apply to RHEL but they have to keep the prodtype for historical reasons + - '!package_audit-audispd-plugins_installed' + - '!service_ntp_enabled' + - '!ntpd_specify_remote_server' + - '!ntpd_specify_multiple_servers' + - '!set_ipv6_loopback_traffic' + - '!set_loopback_traffic' + - '!service_ntpd_enabled' + - '!package_ypserv_removed' + - '!package_ypbind_removed' + - '!package_talk_removed' + - '!package_talk-server_removed' + - '!package_xinetd_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + # Following rules once had a prodtype incompatible with the rhel9 product + - '!service_chronyd_or_ntpd_enabled' + - '!install_PAE_kernel_on_x86-32' + - '!mask_nonessential_services' + - '!aide_periodic_checking_systemd_timer' + - '!nftables_ensure_default_deny_policy' + - '!cracklib_accounts_password_pam_lcredit' + - '!file_owner_at_allow' + - '!ensure_firewall_rules_for_open_ports' + - '!cracklib_accounts_password_pam_retry' + - '!gnome_gdm_disable_guest_login' + - '!sshd_use_strong_kex' + - '!sshd_use_approved_macs' + - '!group_unique_name' + - '!permissions_local_var_log' + - '!sshd_use_approved_ciphers' + - '!accounts_passwords_pam_tally2' + - '!ensure_suse_gpgkey_installed' + - '!gnome_gdm_disable_unattended_automatic_login' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!cracklib_accounts_password_pam_minlen' + - '!set_password_hashing_algorithm_commonauth' + - '!cracklib_accounts_password_pam_dcredit' + - '!ensure_shadow_group_empty' + - '!service_timesyncd_enabled' diff --git a/products/almalinux9/profiles/stig.profile b/products/almalinux9/profiles/stig.profile new file mode 100644 index 000000000..252a98c5f --- /dev/null +++ b/products/almalinux9/profiles/stig.profile @@ -0,0 +1,30 @@ +documentation_complete: true + +metadata: + version: V1R3 + SMEs: + - mab879 + - ggbecker + +reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux + +title: 'DISA STIG for Red Hat Enterprise Linux 9' + +description: |- + This profile contains configuration checks that align to the + DISA STIG for Red Hat Enterprise Linux 9 V1R3. + + In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this + configuration baseline as applicable to the operating system tier of + Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: + + - Red Hat Enterprise Linux Server + - Red Hat Enterprise Linux Workstation and Desktop + - Red Hat Enterprise Linux for HPC + - Red Hat Storage + - Red Hat Containers with a Red Hat Enterprise Linux 9 image + +selections: + - stig_rhel9:all + # Following rules once had a prodtype incompatible with the rhel9 product + - '!audit_rules_immutable_login_uids' diff --git a/products/almalinux9/profiles/stig_gui.profile b/products/almalinux9/profiles/stig_gui.profile new file mode 100644 index 000000000..9d63ff7e5 --- /dev/null +++ b/products/almalinux9/profiles/stig_gui.profile @@ -0,0 +1,49 @@ +documentation_complete: true + +metadata: + version: V1R3 + SMEs: + - mab879 + - ggbecker + +reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux + +title: 'DISA STIG with GUI for Red Hat Enterprise Linux 9' + +description: |- + This profile contains configuration checks that align to the + DISA STIG for Red Hat Enterprise Linux 9 V1R3. + + + In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this + configuration baseline as applicable to the operating system tier of + Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: + + - Red Hat Enterprise Linux Server + - Red Hat Enterprise Linux Workstation and Desktop + - Red Hat Enterprise Linux for HPC + - Red Hat Storage + - Red Hat Containers with a Red Hat Enterprise Linux 9 image + + Warning: The installation and use of a Graphical User Interface (GUI) + increases your attack vector and decreases your overall security posture. If + your Information Systems Security Officer (ISSO) lacks a documented operational + requirement for a graphical user interface, please consider using the + standard DISA STIG for Red Hat Enterprise Linux 9 profile. + +extends: stig + +selections: + # RHEL-09-215070 + - '!xwindows_remove_packages' + + # RHEL-09-211030 + - '!xwindows_runlevel_target' + + # RHEL-09-215025 + - '!package_nfs-utils_removed' + + # RHEL-09-213105 + # Limiting user namespaces cause issues with user apps, such as Firefox and Cheese + # https://issues.redhat.com/browse/RHEL-10416 + - '!sysctl_user_max_user_namespaces' diff --git a/products/almalinux9/transforms/constants.xslt b/products/almalinux9/transforms/constants.xslt new file mode 100644 index 000000000..9e1090184 --- /dev/null +++ b/products/almalinux9/transforms/constants.xslt @@ -0,0 +1,13 @@ + + + + +AlmaLinux 9 +AL9 +AL_9_STIG +almalinux9 + +https://www.cisecurity.org/benchmark/almalinuxos_linux/ + + + diff --git a/products/almalinux9/transforms/table-style.xslt b/products/almalinux9/transforms/table-style.xslt new file mode 100644 index 000000000..8b6caeab8 --- /dev/null +++ b/products/almalinux9/transforms/table-style.xslt @@ -0,0 +1,5 @@ + + + + + diff --git a/products/almalinux9/transforms/xccdf-apply-overlay-stig.xslt b/products/almalinux9/transforms/xccdf-apply-overlay-stig.xslt new file mode 100644 index 000000000..4789419b8 --- /dev/null +++ b/products/almalinux9/transforms/xccdf-apply-overlay-stig.xslt @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/products/almalinux9/transforms/xccdf2table-cce.xslt b/products/almalinux9/transforms/xccdf2table-cce.xslt new file mode 100644 index 000000000..f156a6695 --- /dev/null +++ b/products/almalinux9/transforms/xccdf2table-cce.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/products/almalinux9/transforms/xccdf2table-profileccirefs.xslt b/products/almalinux9/transforms/xccdf2table-profileccirefs.xslt new file mode 100644 index 000000000..30419e92b --- /dev/null +++ b/products/almalinux9/transforms/xccdf2table-profileccirefs.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/shared/checks/oval/installed_OS_is_almalinux9.xml b/shared/checks/oval/installed_OS_is_almalinux9.xml new file mode 100644 index 000000000..168031ef5 --- /dev/null +++ b/shared/checks/oval/installed_OS_is_almalinux9.xml @@ -0,0 +1,36 @@ + + + + AlmaLinux 9 + + multi_platform_all + + + + The operating system installed on the system is + AlmaLinux 9 + + + + + + + + + + + + + + + ^9.*$ + + + almalinux-release + + + diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml index e5cf1ffba..29e76b97e 100644 --- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml @@ -14,6 +14,7 @@ multi_platform_ol multi_platform_rhcos multi_platform_rhel +multi_platform_almalinux multi_platform_rhv multi_platform_sle multi_platform_ubuntu diff --git a/shared/references/disa-stig-almalinux9-v1r1-xccdf-scap.xml b/shared/references/disa-stig-almalinux9-v1r1-xccdf-scap.xml new file mode 120000 index 000000000..6f97d155d --- /dev/null +++ b/shared/references/disa-stig-almalinux9-v1r1-xccdf-scap.xml @@ -0,0 +1 @@ +disa-stig-rhel9-v1r1-xccdf-scap.xml \ No newline at end of file diff --git a/shared/references/disa-stig-almalinux9-v1r3-xccdf-manual.xml b/shared/references/disa-stig-almalinux9-v1r3-xccdf-manual.xml new file mode 120000 index 000000000..bf80a7731 --- /dev/null +++ b/shared/references/disa-stig-almalinux9-v1r3-xccdf-manual.xml @@ -0,0 +1 @@ +disa-stig-rhel9-v1r3-xccdf-manual.xml \ No newline at end of file diff --git a/shared/references/disa-stig-ol7-v2r14-xccdf-manual.xml b/shared/references/disa-stig-ol7-v2r14-xccdf-manual.xml index 1d087be21..306818938 100644 --- a/shared/references/disa-stig-ol7-v2r14-xccdf-manual.xml +++ b/shared/references/disa-stig-ol7-v2r14-xccdf-manual.xml @@ -934,7 +934,7 @@ Check to see if an encrypted grub superusers password is set. On systems that us $ sudo grep -iw grub2_password /boot/grub2/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] -If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL07-00-010491Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99143SV-108247CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. +If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL07-00-010491Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99143SV-108247CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: @@ -946,7 +946,7 @@ For systems that are running a version of Oracle Linux prior to 7.2, this is Not Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command: -$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg +$ sudo grep -iw grub2_password /boot/efi/EFI/almalinux/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>OL07-00-010500The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. @@ -1838,7 +1838,7 @@ On BIOS-based machines, use the following command: On UEFI-based machines, use the following command: -# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg +# grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: @@ -1869,7 +1869,7 @@ dracut-fips-033-360.el7_2.x86_64.rpm If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: -Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. +Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/almalinux/grub.cfg" file on UEFI machines. # grep fips /boot/grub2/grub.cfg /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet @@ -1941,23 +1941,23 @@ An example rule that includes the "sha512" rule follows: If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>OL07-00-021700The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108367V-99263CCI-001813Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. -Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. +Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/almalinux/grub.cfg" file on UEFI machines. Check for the existence of alternate boot loader configuration files with the following command: # find / -name grub.cfg - /boot/efi/EFI/redhat/grub.cfg + /boot/efi/EFI/almalinux/grub.cfg -If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/redhat/", ask the system administrator (SA) if there is documentation signed by the information system security officer (ISSO) to approve the use of removable media as a boot loader. +If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/almalinux/", ask the system administrator (SA) if there is documentation signed by the information system security officer (ISSO) to approve the use of removable media as a boot loader. List the number of menu entries defined in the grub configuration file with the following command (the number will vary between systems): - # grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg + # grep -cw menuentry /boot/efi/EFI/almalinux/grub.cfg 4 Check that the grub configuration file has the "set root" command for each menu entry with the following command ("set root" defines the disk and partition or directory where the kernel and GRUB 2 modules are stored): - # grep 'set root' /boot/efi/EFI/redhat/grub.cfg + # grep 'set root' /boot/efi/EFI/almalinux/grub.cfg set root='hd0,gpt2' set root='hd0,gpt2' set root='hd0,gpt2' @@ -4481,12 +4481,12 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} Generate a new grub.cfg file with the following command: -$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfgFor systems that use BIOS, this is Not Applicable. +$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable. For systems that are running a version of Oracle Linux prior to 7.2, this is Not Applicable. Verify that a unique name is set as the "superusers" account: -$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg +$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg set superusers="[someuniquestringhere]" export superusers diff --git a/shared/references/disa-stig-ol8-v1r10-xccdf-manual.xml b/shared/references/disa-stig-ol8-v1r10-xccdf-manual.xml index 54f2012ff..ed7a02856 100644 --- a/shared/references/disa-stig-ol8-v1r10-xccdf-manual.xml +++ b/shared/references/disa-stig-ol8-v1r10-xccdf-manual.xml @@ -435,7 +435,7 @@ SHA_CRYPT_MIN_ROUNDS 5000SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010140OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file. +If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the value for either is below "5000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010140OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/almalinux/user.cfg" file. Generate an encrypted grub2 password for the grub superusers account with the following command: @@ -445,7 +445,7 @@ Confirm password:For systems that use BIOS, this is Not Applicable. +$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable. Verify that a unique name is set as the "superusers" account: -$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg +$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg set superusers="[someuniqueUserNamehere]" export superusers diff --git a/shared/references/disa-stig-rhel7-v3r14-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r14-xccdf-manual.xml index 77da6ecf9..ba6bdc8d9 100644 --- a/shared/references/disa-stig-rhel7-v3r14-xccdf-manual.xml +++ b/shared/references/disa-stig-rhel7-v3r14-xccdf-manual.xml @@ -907,7 +907,7 @@ Check to see if an encrypted grub superusers password is set. On systems that us $ sudo grep -iw grub2_password /boot/grub2/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] -If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010491Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95719V-81007CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. +If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010491Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95719V-81007CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: @@ -919,7 +919,7 @@ For systems that are running a version of RHEL prior to 7.2, this is Not Applica Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command: -$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg +$ sudo grep -iw grub2_password /boot/efi/EFI/almalinux/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-010500The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. @@ -1847,7 +1847,7 @@ On BIOS-based machines, use the following command: On UEFI-based machines, use the following command: -# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg +# grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: @@ -1878,7 +1878,7 @@ dracut-fips-033-360.el7_2.x86_64.rpm If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: -Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. +Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/almalinux/grub.cfg" file on UEFI machines. # grep fips /boot/grub2/grub.cfg /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet @@ -1951,23 +1951,23 @@ An example rule that includes the "sha512" rule follows: If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-021700The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86699V-72075CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. -Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. +Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/almalinux/grub.cfg" file on UEFI machines. Check for the existence of alternate boot loader configuration files with the following command: # find / -name grub.cfg - /boot/efi/EFI/redhat/grub.cfg + /boot/efi/EFI/almalinux/grub.cfg -If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/redhat/", ask the system administrator (SA) if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. +If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/almalinux/", ask the system administrator (SA) if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. List the number of menu entries defined in the grub configuration file with the following command (the number will vary between systems): - # grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg + # grep -cw menuentry /boot/efi/EFI/almalinux/grub.cfg 4 Check that the grub configuration file has the "set root" command for each menu entry with the following command ("set root" defines the disk and partition or directory where the kernel and GRUB 2 modules are stored): - # grep 'set root' /boot/efi/EFI/redhat/grub.cfg + # grep 'set root' /boot/efi/EFI/almalinux/grub.cfg set root='hd0,gpt2' set root='hd0,gpt2' set root='hd0,gpt2' @@ -4457,13 +4457,13 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} Generate a new grub.cfg file with the following command: -$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfgFor systems that use BIOS, this is Not Applicable. +$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable. For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. Verify that a unique name is set as the "superusers" account: -$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg +$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg set superusers="[someuniquestringhere]" export superusers diff --git a/shared/references/disa-stig-rhel7-v3r14-xccdf-scap.xml b/shared/references/disa-stig-rhel7-v3r14-xccdf-scap.xml index 2417b5813..cad9967ce 100644 --- a/shared/references/disa-stig-rhel7-v3r14-xccdf-scap.xml +++ b/shared/references/disa-stig-rhel7-v3r14-xccdf-scap.xml @@ -3133,7 +3133,7 @@ Confirm password: SV-95719 V-81007 CCI-000213 - Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. + Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: @@ -3942,7 +3942,7 @@ On BIOS-based machines, use the following command: On UEFI-based machines, use the following command: -# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg +# grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: @@ -7619,7 +7619,8 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ Package openssh-server Removed - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux multi_platform_fedora multi_platform_sle @@ -8231,7 +8232,8 @@ Operating systems need to track periods of inactivity and disable application id Limit Password Reuse - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux multi_platform_fedora The passwords to remember should be set correctly. @@ -8247,7 +8249,8 @@ Operating systems need to track periods of inactivity and disable application id RHEL-07-040160 - The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. @@ -8304,7 +8307,8 @@ Terminating network connections associated with communications sessions includes RHEL-07-030410 - The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod and fchmodat syscalls. - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -8360,7 +8364,8 @@ The system call rules are loaded into a matching engine that intercepts each sys RHEL-07-030370 - The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat and lchown syscalls. - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux @@ -8406,7 +8411,8 @@ When a user logs on, the auid is set to the uid of the account that is being aut RHEL-07-030440 - The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr and lremovexattr syscalls. - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux @@ -9503,7 +9509,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Disable Host-Based Authentication - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux SSH host-based authentication should be disabled. @@ -9614,7 +9621,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Mount Remote Filesystems with nosuid - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux @@ -9644,7 +9652,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Package net-snmp Removed - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux The RPM package net-snmp should be removed. @@ -9671,7 +9680,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Package telnet-server Removed - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux The RPM package telnet-server should be removed. @@ -9699,7 +9709,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Package vsftpd Removed - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux The RPM package vsftpd should be removed. @@ -9712,7 +9723,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Package xorg-x11-server-common Removed - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux multi_platform_fedora @@ -9741,7 +9753,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Ensure /home Located On Separate Partition - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux If user home directories will be stored locally, create a separate partition for /home. If /home will be mounted from another @@ -9759,7 +9772,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Ensure /var Located On Separate Partition - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux @@ -9777,7 +9791,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Ensure /var/log/audit Located On Separate Partition - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux @@ -9796,7 +9811,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Verify File Hashes with RPM multi_platform_fedora - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux Verify the RPM digests of system binaries using the RPM database. @@ -9853,7 +9869,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Ensure Only Protocol 2 Connections Allowed - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux multi_platform_debian multi_platform_ubuntu @@ -9889,7 +9906,8 @@ The system call rules are loaded into a matching engine that intercepts each sys Disable .rhosts Files - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux @@ -9954,7 +9972,8 @@ This should be disabled. Do Not Allow Users to Set Environment Options - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux PermitUserEnvironment should be disabled @@ -10286,7 +10305,8 @@ By specifying a cipher list with the order of ciphers being in a "strongest to w Package openssh-server is version 7.4 or higher - multi_platform_rhel + multi_platform_rhel +multi_platform_almalinux multi_platform_fedora multi_platform_sle @@ -10510,12 +10530,12 @@ The ability to enable/disable a session lock is given to the user by default. Di The UEFI grub2 boot loader should have password protection enabled. - + - + - - + + @@ -11729,7 +11749,7 @@ This requirement addresses concurrent sessions for information system accounts a - + @@ -12184,10 +12204,10 @@ This requirement addresses concurrent sessions for information system accounts a - + - + @@ -13837,7 +13857,7 @@ This requirement addresses concurrent sessions for information system accounts a /boot/grub2/grub.cfg - /boot/efi/EFI/redhat/grub.cfg + /boot/efi/EFI/almalinux/grub.cfg @@ -14554,12 +14574,12 @@ This requirement addresses concurrent sessions for information system accounts a 1 - /boot/efi/EFI/redhat/user.cfg + /boot/efi/EFI/almalinux/user.cfg ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.\S+$ 1 - /boot/efi/EFI/redhat/grub.cfg + /boot/efi/EFI/almalinux/grub.cfg ^[\s]*set[\s]+superusers=\"\S+\"$ 1 @@ -15096,7 +15116,7 @@ This requirement addresses concurrent sessions for information system accounts a /boot/grub2/grub.cfg - /boot/efi/EFI/redhat/grub.cfg + /boot/efi/EFI/almalinux/grub.cfg @@ -15129,7 +15149,7 @@ This requirement addresses concurrent sessions for information system accounts a /boot/grub2/grub.cfg - /boot/efi/EFI/redhat/grub.cfg + /boot/efi/EFI/almalinux/grub.cfg /etc/sysctl.d diff --git a/shared/references/disa-stig-rhel8-v1r12-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r12-xccdf-scap.xml index cf7ead7c0..c6400910a 100644 --- a/shared/references/disa-stig-rhel8-v1r12-xccdf-scap.xml +++ b/shared/references/disa-stig-rhel8-v1r12-xccdf-scap.xml @@ -2579,7 +2579,7 @@ SHA_CRYPT_MIN_ROUNDS 5000 2921 CCI-000213 - Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. + Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: @@ -10359,11 +10359,11 @@ Passwords need to be protected at all times, and encryption is the standard meth If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. - - + + - - + + @@ -10999,7 +10999,7 @@ Configuration settings are the set of parameters that can be changed in hardware The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - + @@ -14588,15 +14588,15 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + - + - + @@ -16399,18 +16399,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\b 1 - - /boot/efi/EFI/redhat/grub.cfg + + /boot/efi/EFI/almalinux/grub.cfg ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$ 1 - - /boot/efi/EFI/redhat/user.cfg + + /boot/efi/EFI/almalinux/user.cfg ^\s*GRUB2_PASSWORD=(\S+)\b 1 - - /boot/efi/EFI/redhat/grub.cfg + + /boot/efi/EFI/almalinux/grub.cfg /boot/grub2/grub.cfg diff --git a/shared/references/disa-stig-rhel8-v1r14-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r14-xccdf-manual.xml index 89b69d69d..cf9365113 100644 --- a/shared/references/disa-stig-rhel8-v1r14-xccdf-manual.xml +++ b/shared/references/disa-stig-rhel8-v1r14-xccdf-manual.xml @@ -374,7 +374,7 @@ SHA_CRYPT_MIN_ROUNDS 5000SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. +If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: @@ -384,7 +384,7 @@ Confirm password:For systems that use BIOS, this is Not Applicable. +$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable. Verify that a unique name is set as the "superusers" account: -$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg +$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg set superusers="[someuniquestringhere]" export superusers diff --git a/shared/references/disa-stig-rhel9-v1r1-xccdf-scap.xml b/shared/references/disa-stig-rhel9-v1r1-xccdf-scap.xml index c14013393..8b6269729 100644 --- a/shared/references/disa-stig-rhel9-v1r1-xccdf-scap.xml +++ b/shared/references/disa-stig-rhel9-v1r1-xccdf-scap.xml @@ -16849,7 +16849,8 @@ include "/etc/crypto-policies/back-ends/bind.config"; The operating system must use a Linux Security Module configured to enforce limits on system services. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 SELINUX is active, enforcing, and configured to enforce @@ -20991,7 +20992,7 @@ include "/etc/crypto-policies/back-ends/bind.config"; - + @@ -21114,7 +21115,8 @@ include "/etc/crypto-policies/back-ends/bind.config"; RHEL-09-211010 - RHEL 9 must be a vendor-supported release. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. @@ -21128,7 +21130,8 @@ Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise RHEL-09-211025 - RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. @@ -21142,7 +21145,8 @@ To support this requirement, the operating system may have an integrated solutio RHEL-09-211030 - The graphical display manager must not be the default target on RHEL 9 unless approved. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. @@ -21154,7 +21158,8 @@ To support this requirement, the operating system may have an integrated solutio RHEL-09-211035 - RHEL 9 must enable the hardware random number generator entropy gatherer service. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. @@ -21168,7 +21173,8 @@ The rngd service feeds random data from hardware device to kernel random device. RHEL-09-211040 - RHEL 9 systemd-journald service must be enabled. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes. @@ -21180,7 +21186,8 @@ The rngd service feeds random data from hardware device to kernel random device. RHEL-09-211045 - The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. @@ -21194,7 +21201,8 @@ Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 RHEL-09-211050 - The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. @@ -21208,7 +21216,8 @@ Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 RHEL-09-211055 - RHEL 9 debug-shell systemd service must be disabled. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. @@ -21222,7 +21231,8 @@ Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 RHEL-09-212010 - RHEL 9 must require a boot loader superuser password. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. @@ -21236,7 +21246,8 @@ Password protection on the boot loader configuration ensures users with physical RHEL-09-212015 - RHEL 9 must disable the ability of systemd to spawn an interactive boot process. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security. @@ -21248,7 +21259,8 @@ Password protection on the boot loader configuration ensures users with physical RHEL-09-212025 - RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "root" group is a highly privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. @@ -21260,7 +21272,8 @@ Password protection on the boot loader configuration ensures users with physical RHEL-09-212030 - RHEL 9 /boot/grub2/grub.cfg file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The " /boot/grub2/grub.cfg" file stores sensitive system configuration. Protection of this file is critical for system security. @@ -21272,7 +21285,8 @@ Password protection on the boot loader configuration ensures users with physical RHEL-09-212035 - RHEL 9 must disable virtual system calls. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual system calls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. @@ -21288,7 +21302,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 RHEL-09-212040 - RHEL 9 must clear the page allocator to prevent use-after-free attacks. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. @@ -21302,7 +21317,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 RHEL-09-212045 - RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. @@ -21320,7 +21336,8 @@ Satisfies: SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068 RHEL-09-212050 - RHEL 9 must enable mitigations against processor-based vulnerabilities. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). @@ -21334,7 +21351,8 @@ Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049 RHEL-09-212055 - RHEL 9 must enable auditing of processes that start prior to the audit daemon. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -21350,7 +21368,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-213010 - RHEL 9 must restrict access to the kernel message buffer. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. @@ -21370,7 +21389,8 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 RHEL-09-213015 - RHEL 9 must prevent kernel profiling by nonprivileged users. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. @@ -21390,7 +21410,8 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 RHEL-09-213020 - RHEL 9 must prevent the loading of a new kernel for later execution. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. @@ -21406,7 +21427,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153 RHEL-09-213025 - RHEL 9 must restrict exposed kernel pointer addresses access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with "0". @@ -21420,7 +21442,8 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPO RHEL-09-213030 - RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). @@ -21434,7 +21457,8 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 RHEL-09-213035 - RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). @@ -21448,7 +21472,8 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 RHEL-09-213040 - RHEL 9 must disable the kernel.core_pattern. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. @@ -21460,7 +21485,8 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 RHEL-09-213045 - RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Disabling Asynchronous Transfer Mode (ATM) protects the system against exploitation of any flaws in its implementation. @@ -21472,7 +21498,8 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 RHEL-09-213050 - RHEL 9 must be configured to disable the Controller Area Network kernel module. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation. @@ -21484,7 +21511,8 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 RHEL-09-213055 - RHEL 9 must be configured to disable the FireWire kernel module. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Disabling firewire protects the system against exploitation of any flaws in its implementation. @@ -21496,7 +21524,8 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 RHEL-09-213060 - RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -21512,7 +21541,8 @@ The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, d RHEL-09-213065 - RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -21528,7 +21558,8 @@ The Transparent Inter Process Communication (TIPC) is a protocol that is special RHEL-09-213070 - RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques. @@ -21542,7 +21573,8 @@ Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227 RHEL-09-213075 - RHEL 9 must disable access to network bpf system call from nonprivileged processes. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state. @@ -21556,7 +21588,8 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 RHEL-09-213080 - RHEL 9 must restrict usage of ptrace to descendant processes. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing). @@ -21570,7 +21603,8 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 RHEL-09-213085 - RHEL 9 must disable core dump backtraces. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. @@ -21584,7 +21618,8 @@ Enabling core dumps on production systems is not recommended; however, there may RHEL-09-213090 - RHEL 9 must disable storing core dumps. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy. @@ -21596,7 +21631,8 @@ Enabling core dumps on production systems is not recommended; however, there may RHEL-09-213095 - RHEL 9 must disable core dumps for all users. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. @@ -21608,7 +21644,8 @@ Enabling core dumps on production systems is not recommended; however, there may RHEL-09-213100 - RHEL 9 must disable acquiring, saving, and processing core dumps. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. @@ -21620,7 +21657,8 @@ Enabling core dumps on production systems is not recommended; however, there may RHEL-09-213105 - RHEL 9 must disable the use of user namespaces. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces. @@ -21632,7 +21670,8 @@ Enabling core dumps on production systems is not recommended; however, there may RHEL-09-213115 - The kdump service on RHEL 9 must be disabled. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. @@ -21644,7 +21683,8 @@ Enabling core dumps on production systems is not recommended; however, there may RHEL-09-214015 - RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. @@ -21660,7 +21700,8 @@ Verifying the authenticity of software prior to installation validates the integ RHEL-09-214020 - RHEL 9 must check the GPG signature of locally installed software packages before installation. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. @@ -21676,7 +21717,8 @@ Verifying the authenticity of software prior to installation validates the integ RHEL-09-214025 - RHEL 9 must have GPG signature verification enabled for all software repositories. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. @@ -21692,7 +21734,8 @@ Verifying the authenticity of software prior to installation validates the integ RHEL-09-214035 - RHEL 9 must remove all software components after updated versions have been installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. @@ -21704,7 +21747,8 @@ Verifying the authenticity of software prior to installation validates the integ RHEL-09-215010 - RHEL 9 subscription-manager package must be installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The Red Hat Subscription Manager application manages software subscriptions and software repositories for installed software products on the local system. It communicates with backend servers, such as the Red Hat Customer Portal or an on-premise instance of Subscription Asset Manager, to register the local system and grant access to software resources determined by the subscription entitlement. @@ -21716,7 +21760,8 @@ Verifying the authenticity of software prior to installation validates the integ RHEL-09-215015 - RHEL 9 must not have a File Transfer Protocol (FTP) server package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. @@ -21732,7 +21777,8 @@ Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPO RHEL-09-215020 - RHEL 9 must not have the sendmail package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be used instead. @@ -21746,7 +21792,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049 RHEL-09-215025 - RHEL 9 must not have the nfs-utils package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 "nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, "showmount" can display the clients that are mounted on that host. @@ -21758,7 +21805,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049 RHEL-09-215030 - RHEL 9 must not have the ypserv package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The NIS service provides an unencrypted authentication service, which does not provide for the confidentiality and integrity of user passwords or the remote session. @@ -21772,7 +21820,8 @@ Removing the "ypserv" package decreases the risk of the accidental (or intention RHEL-09-215035 - RHEL 9 must not have the rsh-server package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of accidental (or intentional) activation of those services. @@ -21784,7 +21833,8 @@ Removing the "ypserv" package decreases the risk of the accidental (or intention RHEL-09-215040 - RHEL 9 must not have the telnet-server package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore, may remain unsecure. They increase the risk to the platform by providing additional attack vectors. @@ -21800,7 +21850,8 @@ Removing the "telnet-server" package decreases the risk of accidental (or intent RHEL-09-215045 - RHEL 9 must not have the gssproxy package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -21818,7 +21869,8 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 RHEL-09-215050 - RHEL 9 must not have the iprutils package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -21836,7 +21888,8 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 RHEL-09-215055 - RHEL 9 must not have the tuned package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -21854,7 +21907,8 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 RHEL-09-215060 - RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. @@ -21868,7 +21922,8 @@ If TFTP is required for operational support (such as transmission of router conf RHEL-09-215065 - RHEL 9 must not have the quagga package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platforms. @@ -21882,7 +21937,8 @@ If there is no need to make the router software available, removing it provides RHEL-09-215070 - A graphical display manager must not be installed on RHEL 9 unless approved. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. @@ -21894,7 +21950,8 @@ If there is no need to make the router software available, removing it provides RHEL-09-215075 - RHEL 9 must have the openssl-pkcs11 package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD CAC with DOD-approved PKI is an example of multifactor authentication. @@ -21908,7 +21965,8 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO RHEL-09-215080 - RHEL 9 must have the gnutls-utils package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools. @@ -21920,7 +21978,8 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO RHEL-09-215085 - RHEL 9 must have the nss-tools package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Install the "nss-tools" package to install command-line tools to manipulate the NSS certificate and key database. @@ -21932,7 +21991,8 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO RHEL-09-215090 - RHEL 9 must have the rng-tools package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 "rng-tools" provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates. @@ -21944,7 +22004,8 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO RHEL-09-215095 - RHEL 9 must have the s-nail package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel. @@ -21956,7 +22017,8 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO RHEL-09-231010 - A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent). - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. @@ -21968,7 +22030,8 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO RHEL-09-231015 - RHEL 9 must use a separate file system for /tmp. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it. @@ -21980,7 +22043,8 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO RHEL-09-231020 - RHEL 9 must use a separate file system for /var. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories installed by other software packages. @@ -21992,7 +22056,8 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO RHEL-09-231025 - RHEL 9 must use a separate file system for /var/log. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/". @@ -22004,7 +22069,8 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO RHEL-09-231030 - RHEL 9 must use a separate file system for the system audit data path. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files, and helps ensure that auditing cannot be halted due to the partition running out of space. @@ -22018,7 +22084,8 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227 RHEL-09-231035 - RHEL 9 must use a separate file system for /var/tmp. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/var/tmp" partition is used as temporary storage by many programs. Placing "/var/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it. @@ -22030,7 +22097,8 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227 RHEL-09-231040 - RHEL 9 file system automount function must be disabled unless required. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. @@ -22044,7 +22112,8 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO RHEL-09-231045 - RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22058,7 +22127,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231050 - RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22072,7 +22142,8 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 RHEL-09-231055 - RHEL 9 must prevent code from being executed on file systems that contain user home directories. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22084,7 +22155,8 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 RHEL-09-231060 - RHEL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. @@ -22096,7 +22168,8 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 RHEL-09-231065 - RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS). - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22108,7 +22181,8 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 RHEL-09-231070 - RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22120,7 +22194,8 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 RHEL-09-231075 - RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22132,7 +22207,8 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 RHEL-09-231095 - RHEL 9 must mount /boot with the nodev option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails. @@ -22144,7 +22220,8 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 RHEL-09-231100 - RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22158,7 +22235,8 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 RHEL-09-231105 - RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22172,7 +22250,8 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 RHEL-09-231110 - RHEL 9 must mount /dev/shm with the nodev option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22186,7 +22265,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231115 - RHEL 9 must mount /dev/shm with the noexec option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22198,7 +22278,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231120 - RHEL 9 must mount /dev/shm with the nosuid option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22210,7 +22291,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231125 - RHEL 9 must mount /tmp with the nodev option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22224,7 +22306,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231130 - RHEL 9 must mount /tmp with the noexec option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22236,7 +22319,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231135 - RHEL 9 must mount /tmp with the nosuid option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22248,7 +22332,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231140 - RHEL 9 must mount /var with the nodev option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22262,7 +22347,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231145 - RHEL 9 must mount /var/log with the nodev option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22276,7 +22362,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231150 - RHEL 9 must mount /var/log with the noexec option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22288,7 +22375,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231155 - RHEL 9 must mount /var/log with the nosuid option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22300,7 +22388,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231160 - RHEL 9 must mount /var/log/audit with the nodev option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22314,7 +22403,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231165 - RHEL 9 must mount /var/log/audit with the noexec option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22326,7 +22416,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231170 - RHEL 9 must mount /var/log/audit with the nosuid option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22338,7 +22429,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231175 - RHEL 9 must mount /var/tmp with the nodev option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22352,7 +22444,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231180 - RHEL 9 must mount /var/tmp with the noexec option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22364,7 +22457,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231185 - RHEL 9 must mount /var/tmp with the nosuid option. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22376,7 +22470,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-231195 - RHEL 9 must disable mounting of cramfs. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -22392,7 +22487,8 @@ Compressed ROM/RAM file system (or cramfs) is a read-only file system designed f RHEL-09-231200 - RHEL 9 must prevent special devices on non-root local partitions. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -22406,7 +22502,8 @@ The only legitimate location for device files is the "/dev" directory located on RHEL-09-232010 - RHEL 9 system commands must have mode 755 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -22420,7 +22517,8 @@ This requirement applies to RHEL 9 with software libraries that are accessible a RHEL-09-232015 - RHEL 9 library directories must have mode 755 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -22434,7 +22532,8 @@ This requirement applies to RHEL 9 with software libraries that are accessible a RHEL-09-232020 - RHEL 9 library files must have mode 755 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -22448,7 +22547,8 @@ This requirement applies to RHEL 9 with software libraries that are accessible a RHEL-09-232025 - RHEL 9 /var/log directory must have mode 0755 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -22462,7 +22562,8 @@ The structure and content of error messages must be carefully considered by the RHEL-09-232030 - RHEL 9 /var/log/messages file must have mode 0640 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -22476,7 +22577,8 @@ The structure and content of error messages must be carefully considered by the RHEL-09-232035 - RHEL 9 audit tools must have a mode of 0755 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. @@ -22492,7 +22594,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232040 - RHEL 9 cron configuration directories must have a mode of 0700 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. @@ -22504,7 +22607,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232045 - All RHEL 9 local initialization files must have mode 0740 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. @@ -22516,7 +22620,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232050 - All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. @@ -22528,7 +22633,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232055 - RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. @@ -22540,7 +22646,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232060 - RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. @@ -22552,7 +22659,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232065 - RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. @@ -22564,7 +22672,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232070 - RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. @@ -22576,7 +22685,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232075 - RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. @@ -22588,7 +22698,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232080 - RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. @@ -22600,7 +22711,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232085 - RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. @@ -22612,7 +22724,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232090 - RHEL 9 /etc/group file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. @@ -22624,7 +22737,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232095 - RHEL 9 /etc/group file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. @@ -22636,7 +22750,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232100 - RHEL 9 /etc/group- file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. @@ -22648,7 +22763,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232105 - RHEL 9 /etc/group- file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. @@ -22660,7 +22776,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232110 - RHEL 9 /etc/gshadow file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. @@ -22672,7 +22789,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232115 - RHEL 9 /etc/gshadow file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. @@ -22684,7 +22802,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232120 - RHEL 9 /etc/gshadow- file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. @@ -22696,7 +22815,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232125 - RHEL 9 /etc/gshadow- file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. @@ -22708,7 +22828,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232130 - RHEL 9 /etc/passwd file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security. @@ -22720,7 +22841,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232135 - RHEL 9 /etc/passwd file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security. @@ -22732,7 +22854,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232140 - RHEL 9 /etc/passwd- file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. @@ -22744,7 +22867,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232145 - RHEL 9 /etc/passwd- file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. @@ -22756,7 +22880,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232150 - RHEL 9 /etc/shadow file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture. @@ -22768,7 +22893,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232155 - RHEL 9 /etc/shadow file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security. @@ -22780,7 +22906,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232160 - RHEL 9 /etc/shadow- file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. @@ -22792,7 +22919,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232165 - RHEL 9 /etc/shadow- file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. @@ -22804,7 +22932,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232170 - RHEL 9 /var/log directory must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -22818,7 +22947,8 @@ The structure and content of error messages must be carefully considered by the RHEL-09-232175 - RHEL 9 /var/log directory must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -22832,7 +22962,8 @@ The structure and content of error messages must be carefully considered by the RHEL-09-232180 - RHEL 9 /var/log/messages file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -22846,7 +22977,8 @@ The structure and content of error messages must be carefully considered by the RHEL-09-232185 - RHEL 9 /var/log/messages file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -22860,7 +22992,8 @@ The structure and content of error messages must be carefully considered by the RHEL-09-232190 - RHEL 9 system commands must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -22874,7 +23007,8 @@ This requirement applies to RHEL 9 with software libraries that are accessible a RHEL-09-232195 - RHEL 9 system commands must be group-owned by root or a system account. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -22888,7 +23022,8 @@ This requirement applies to RHEL 9 with software libraries that are accessible a RHEL-09-232200 - RHEL 9 library files must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -22902,7 +23037,8 @@ This requirement applies to RHEL 9 with software libraries that are accessible a RHEL-09-232205 - RHEL 9 library files must be group-owned by root or a system account. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -22916,7 +23052,8 @@ This requirement applies to RHEL 9 with software libraries that are accessible a RHEL-09-232210 - RHEL 9 library directories must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -22930,7 +23067,8 @@ This requirement applies to RHEL 9 with software libraries that are accessible a RHEL-09-232215 - RHEL 9 library directories must be group-owned by root or a system account. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -22944,7 +23082,8 @@ This requirement applies to RHEL 9 with software libraries that are accessible a RHEL-09-232220 - RHEL 9 audit tools must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. @@ -22960,7 +23099,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232225 - RHEL 9 audit tools must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. @@ -22976,7 +23116,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232230 - RHEL 9 cron configuration files directory must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. @@ -22988,7 +23129,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232235 - RHEL 9 cron configuration files directory must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. @@ -23000,7 +23142,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232265 - RHEL 9 /etc/crontab file must have mode 0600. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must have the correct access rights to prevent unauthorized changes. @@ -23012,7 +23155,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-232270 - RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture. @@ -23024,7 +23168,8 @@ Audit tools include, but are not limited to, vendor-provided and open source aud RHEL-09-251010 - RHEL 9 must have the firewalld package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. @@ -23052,7 +23197,8 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPO RHEL-09-251015 - The firewalld service on RHEL 9 must be active. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. @@ -23072,7 +23218,8 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPO RHEL-09-251030 - RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. @@ -23086,7 +23233,8 @@ This requirement addresses the configuration of RHEL 9 to mitigate the impact of RHEL-09-251040 - RHEL 9 network interfaces must not be in promiscuous mode. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. @@ -23100,7 +23248,8 @@ If the system is being used to perform a network troubleshooting function, the u RHEL-09-251045 - RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 When hardened, the extended Berkeley Packet Filter (BPF) just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms". @@ -23112,7 +23261,8 @@ If the system is being used to perform a network troubleshooting function, the u RHEL-09-252010 - RHEL 9 must have the chrony package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. @@ -23124,7 +23274,8 @@ If the system is being used to perform a network troubleshooting function, the u RHEL-09-252015 - RHEL 9 chronyd service must be enabled. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. @@ -23138,7 +23289,8 @@ Synchronizing internal information system clocks provides uniformity of time sta RHEL-09-252025 - RHEL 9 must disable the chrony daemon from acting as a server. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. @@ -23152,7 +23304,8 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 RHEL-09-252030 - RHEL 9 must disable network management of the chrony daemon. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Not exposing the management interface of the chrony daemon on the network diminishes the attack space. @@ -23166,7 +23319,8 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 RHEL-09-252035 - RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. @@ -23178,7 +23332,8 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 RHEL-09-252040 - RHEL 9 must configure a DNS processing mode set be Network Manager. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 In order to ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured. @@ -23190,7 +23345,8 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 RHEL-09-252050 - RHEL 9 must be configured to prevent unrestricted mail relaying. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. @@ -23202,7 +23358,8 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 RHEL-09-252060 - RHEL 9 must forward mail from postmaster to the root account using a postfix alias. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. @@ -23216,7 +23373,8 @@ Audit processing failures include software/hardware errors, failures in the audi RHEL-09-252065 - RHEL 9 libreswan package must be installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. @@ -23230,7 +23388,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 RHEL-09-252070 - There must be no shosts.equiv files on RHEL 9. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. @@ -23242,7 +23401,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 RHEL-09-252075 - There must be no .shosts files on RHEL 9. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. @@ -23254,7 +23414,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 RHEL-09-253010 - RHEL 9 must be configured to use TCP syncookies. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. @@ -23270,7 +23431,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPO RHEL-09-253015 - RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. @@ -23284,7 +23446,8 @@ This feature of the IPv4 protocol has few legitimate uses. It should be disabled RHEL-09-253020 - RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. @@ -23298,7 +23461,8 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It RHEL-09-253025 - RHEL 9 must log IPv4 packets with impossible addresses. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. @@ -23310,7 +23474,8 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It RHEL-09-253030 - RHEL 9 must log IPv4 packets with impossible addresses by default. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. @@ -23322,7 +23487,8 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It RHEL-09-253035 - RHEL 9 must use reverse path filtering on all IPv4 interfaces. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. @@ -23334,7 +23500,8 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It RHEL-09-253040 - RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. @@ -23348,7 +23515,8 @@ This feature of the IPv4 protocol has few legitimate uses. It must be disabled u RHEL-09-253045 - RHEL 9 must not forward IPv4 source-routed packets by default. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. @@ -23362,7 +23530,8 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It RHEL-09-253050 - RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. @@ -23374,7 +23543,8 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It RHEL-09-253055 - RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. @@ -23388,7 +23558,8 @@ Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses mak RHEL-09-253060 - RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. @@ -23400,7 +23571,8 @@ Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses mak RHEL-09-253065 - RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. @@ -23414,7 +23586,8 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou RHEL-09-253070 - RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. @@ -23428,7 +23601,8 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou RHEL-09-253075 - RHEL 9 must not enable IPv4 packet forwarding unless the system is a router. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. @@ -23440,7 +23614,8 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou RHEL-09-254010 - RHEL 9 must not accept router advertisements on all IPv6 interfaces. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 An illicit router advertisement message could result in a man-in-the-middle attack. @@ -23452,7 +23627,8 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou RHEL-09-254015 - RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 An illicit ICMP redirect message could result in a man-in-the-middle attack. @@ -23464,7 +23640,8 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou RHEL-09-254020 - RHEL 9 must not forward IPv6 source-routed packets. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. @@ -23476,7 +23653,8 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou RHEL-09-254025 - RHEL 9 must not enable IPv6 packet forwarding unless the system is a router. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. @@ -23488,7 +23666,8 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou RHEL-09-254030 - RHEL 9 must not accept router advertisements on all IPv6 interfaces by default. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 An illicit router advertisement message could result in a man-in-the-middle attack. @@ -23500,7 +23679,8 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou RHEL-09-254035 - RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. @@ -23512,7 +23692,8 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou RHEL-09-254040 - RHEL 9 must not forward IPv6 source-routed packets by default. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. @@ -23526,7 +23707,8 @@ Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It RHEL-09-255010 - All RHEL 9 networked systems must have SSH installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. @@ -23544,7 +23726,8 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO RHEL-09-255015 - All RHEL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. @@ -23562,7 +23745,8 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO RHEL-09-255020 - RHEL 9 must have the openssh-clients package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 This package includes utilities to make encrypted connections and transfer files securely to SSH servers. @@ -23574,7 +23758,8 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO RHEL-09-255025 - RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. @@ -23588,7 +23773,8 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 RHEL-09-255030 - RHEL 9 must log SSH connection attempts and failures to the server. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. "INFO" or "VERBOSE" level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. @@ -23600,7 +23786,8 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 RHEL-09-255035 - RHEL 9 SSHD must accept public key authentication. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD CAC with DOD-approved PKI is an example of multifactor authentication. @@ -23614,7 +23801,8 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPO RHEL-09-255040 - RHEL 9 SSHD must not allow blank passwords. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. @@ -23628,7 +23816,8 @@ Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPO RHEL-09-255045 - RHEL 9 must not permit direct logons to the root account using remote access via SSH. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. @@ -23644,7 +23833,8 @@ Satisfies: SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227 RHEL-09-255050 - RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 When UsePAM is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based off of IP, time, or other factors of the account is needed. Additionally, this ensures users can inherit certain environment variables on login or disallow access to the server. @@ -23656,7 +23846,8 @@ Satisfies: SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227 RHEL-09-255055 - RHEL 9 SSH daemon must be configured to use system-wide crypto policies. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -23672,7 +23863,8 @@ Cryptographic mechanisms used for protecting the integrity of information includ RHEL-09-255060 - RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -23690,7 +23882,8 @@ RHEL 9 incorporates system-wide crypto policies by default. The SSH configuratio RHEL-09-255065 - RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -23708,7 +23901,8 @@ RHEL 9 incorporates system-wide crypto policies by default. The SSH configuratio RHEL-09-255070 - RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -23726,7 +23920,8 @@ RHEL 9 incorporates system-wide crypto policies by default. The SSH configuratio RHEL-09-255075 - RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -23744,7 +23939,8 @@ RHEL 9 incorporates system-wide crypto policies by default. The SSH configuratio RHEL-09-255080 - RHEL 9 must not allow a noncertificate trusted host SSH logon to the system. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. @@ -23756,7 +23952,8 @@ RHEL 9 incorporates system-wide crypto policies by default. The SSH configuratio RHEL-09-255085 - RHEL 9 must not allow users to override SSH environment variables. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 SSH environment options potentially allow users to bypass access restriction in some configurations. @@ -23768,7 +23965,8 @@ RHEL 9 incorporates system-wide crypto policies by default. The SSH configuratio RHEL-09-255090 - RHEL 9 must force a frequent session key renegotiation for SSH connections to the server. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. @@ -23788,7 +23986,8 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000033-GPOS-00014, SRG-OS-000424-GPO RHEL-09-255095 - RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. @@ -23806,7 +24005,8 @@ Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109 RHEL-09-255100 - RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. @@ -23824,7 +24024,8 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO RHEL-09-255105 - RHEL 9 SSH server configuration file must be group-owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. @@ -23836,7 +24037,8 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO RHEL-09-255110 - RHEL 9 SSH server configuration file must be owned by root. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. @@ -23848,7 +24050,8 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO RHEL-09-255115 - RHEL 9 SSH server configuration file must have mode 0600 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. @@ -23860,7 +24063,8 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO RHEL-09-255120 - RHEL 9 SSH private host key files must have mode 0640 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If an unauthorized user obtains the private SSH host key file, the host could be impersonated. @@ -23872,7 +24076,8 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO RHEL-09-255125 - RHEL 9 SSH public host key files must have mode 0644 or less permissive. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If a public host key file is modified by an unauthorized user, the SSH service may be compromised. @@ -23884,7 +24089,8 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO RHEL-09-255130 - RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. @@ -23896,7 +24102,8 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO RHEL-09-255135 - RHEL 9 SSH daemon must not allow GSSAPI authentication. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Generic Security Service Application Program Interface (GSSAPI) authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. @@ -23910,7 +24117,8 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 RHEL-09-255140 - RHEL 9 SSH daemon must not allow Kerberos authentication. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. @@ -23924,7 +24132,8 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 RHEL-09-255145 - RHEL 9 SSH daemon must not allow rhosts authentication. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. @@ -23936,7 +24145,8 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 RHEL-09-255150 - RHEL 9 SSH daemon must not allow known hosts authentication. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. @@ -23948,7 +24158,8 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 RHEL-09-255155 - RHEL 9 SSH daemon must disable remote X connections for interactive users. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. @@ -23960,7 +24171,8 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 RHEL-09-255160 - RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. @@ -23972,7 +24184,8 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 RHEL-09-255165 - RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. @@ -23984,7 +24197,8 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 RHEL-09-255170 - RHEL 9 SSH daemon must be configured to use privilege separation. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the nonprivileged section. @@ -23996,7 +24210,8 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 RHEL-09-255175 - RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the "DISPLAY" environment variable to localhost. This prevents remote hosts from connecting to the proxy display. @@ -24008,7 +24223,8 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 RHEL-09-271015 - RHEL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. @@ -24024,7 +24240,8 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 RHEL-09-271020 - RHEL 9 must disable the graphical user interface automount function unless required. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. @@ -24038,7 +24255,8 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO RHEL-09-271025 - RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A nonprivileged account is any operating system account with authorizations of a nonprivileged user. @@ -24052,7 +24270,8 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO RHEL-09-271035 - RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. @@ -24066,7 +24285,8 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO RHEL-09-271040 - RHEL 9 must not allow unattended or automatic logon via the graphical user interface. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Failure to restrict system access to authenticated users negatively impacts operating system security. @@ -24078,7 +24298,8 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO RHEL-09-271045 - RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -24094,7 +24315,8 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 RHEL-09-271050 - RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -24110,7 +24332,8 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 RHEL-09-271055 - RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -24128,7 +24351,8 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 RHEL-09-271060 - RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. @@ -24146,7 +24370,8 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 RHEL-09-271065 - RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate a session lock. @@ -24160,7 +24385,8 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 RHEL-09-271070 - RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. @@ -24174,7 +24400,8 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 RHEL-09-271080 - RHEL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. @@ -24186,7 +24413,8 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 RHEL-09-271085 - RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Setting the screensaver mode to blank-only conceals the contents of the display from passersby. @@ -24198,7 +24426,8 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 RHEL-09-271095 - RHEL 9 must disable the ability of a user to restart the system from the login screen. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. @@ -24210,7 +24439,8 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 RHEL-09-271100 - RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. @@ -24222,7 +24452,8 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 RHEL-09-271110 - RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. @@ -24234,7 +24465,8 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 RHEL-09-271115 - RHEL 9 must disable the user list at logon for graphical user interfaces. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. @@ -24246,7 +24478,8 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 RHEL-09-291010 - RHEL 9 must be configured to disable USB mass storage. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. @@ -24260,7 +24493,8 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO RHEL-09-291015 - RHEL 9 must have the USBGuard package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. @@ -24274,7 +24508,8 @@ The system administrator (SA) must work with the site information system securit RHEL-09-291020 - RHEL 9 must have the USBGuard package enabled. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. @@ -24288,7 +24523,8 @@ The system administrator (SA) must work with the site information system securit RHEL-09-291025 - RHEL 9 must enable Linux audit logging for the USBGuard daemon. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -24316,7 +24552,8 @@ DOD has defined the list of events for which RHEL 9 will provide an audit record RHEL-09-291035 - RHEL 9 Bluetooth must be disabled. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 9 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice and pointing devices, and near field communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 9 operating system. @@ -24330,7 +24567,8 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118 RHEL-09-411010 - RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. @@ -24344,7 +24582,8 @@ Setting the password maximum age ensures users are required to periodically chan RHEL-09-411015 - RHEL 9 user account passwords must have a 60-day maximum password lifetime restriction. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If RHEL 9 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 9 passwords could be compromised. @@ -24356,7 +24595,8 @@ Setting the password maximum age ensures users are required to periodically chan RHEL-09-411020 - All RHEL 9 local interactive user accounts must be assigned a home directory upon creation. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. @@ -24368,7 +24608,8 @@ Setting the password maximum age ensures users are required to periodically chan RHEL-09-411030 - RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. @@ -24382,7 +24623,8 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPO RHEL-09-411035 - RHEL 9 system accounts must not have an interactive login shell. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. @@ -24394,7 +24636,8 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPO RHEL-09-411045 - All RHEL 9 interactive users must have a primary group that exists. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If a user is assigned the Group Identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group. @@ -24406,7 +24649,8 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPO RHEL-09-411050 - RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. @@ -24422,7 +24666,8 @@ Owners of inactive accounts will not notice if unauthorized access to their user RHEL-09-411060 - All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. @@ -24434,7 +24679,8 @@ Owners of inactive accounts will not notice if unauthorized access to their user RHEL-09-411075 - RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -24448,7 +24694,8 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 RHEL-09-411080 - RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. @@ -24462,7 +24709,8 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 RHEL-09-411085 - RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. @@ -24476,7 +24724,8 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 RHEL-09-411090 - RHEL 9 must maintain an account lock until the locked account is released by an administrator. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. @@ -24490,7 +24739,8 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 RHEL-09-411100 - The root account must be the only account having unrestricted access to RHEL 9 system. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. @@ -24502,7 +24752,8 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 RHEL-09-411105 - RHEL 9 must ensure account lockouts persist. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Having lockouts persist across reboots ensures that account is only unlocked by an administrator. If the lockouts did not persist across reboots, an attacker could simply reboot the system to continue brute force attacks against the accounts on the system. @@ -24514,7 +24765,8 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 RHEL-09-411110 - RHEL 9 groups must have unique Group ID (GID). - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 To ensure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. @@ -24526,7 +24778,8 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 RHEL-09-412010 - RHEL 9 must have the tmux package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. @@ -24540,7 +24793,8 @@ Satisfies: SRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009 RHEL-09-412020 - RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -24554,7 +24808,8 @@ The session lock is implemented at the point where session activity can be deter RHEL-09-412025 - RHEL 9 must automatically lock command line user sessions after 15 minutes of inactivity. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, tmux can be configured to identify when a user's session has idled and take action to initiate a session lock. @@ -24568,7 +24823,8 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 RHEL-09-412030 - RHEL 9 must prevent users from disabling session control mechanisms. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 9 must provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. @@ -24582,7 +24838,8 @@ Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000028-GPOS-00009 RHEL-09-412035 - RHEL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. @@ -24596,7 +24853,8 @@ Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010 RHEL-09-412040 - RHEL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. @@ -24610,7 +24868,8 @@ This requirement addresses concurrent sessions for information system accounts a RHEL-09-412045 - RHEL 9 must log username information when unsuccessful logon attempts occur. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack. @@ -24622,7 +24881,8 @@ This requirement addresses concurrent sessions for information system accounts a RHEL-09-412050 - RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Increasing the time between a failed authentication attempt and reprompting to enter credentials helps to slow a single-threaded brute force attack. @@ -24634,7 +24894,8 @@ This requirement addresses concurrent sessions for information system accounts a RHEL-09-412055 - RHEL 9 must define default permissions for the bash shell. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. @@ -24648,7 +24909,8 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 RHEL-09-412060 - RHEL 9 must define default permissions for the c shell. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. @@ -24662,7 +24924,8 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 RHEL-09-412065 - RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. @@ -24674,7 +24937,8 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 RHEL-09-412070 - RHEL 9 must define default permissions for the system default profile. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. @@ -24688,7 +24952,8 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 RHEL-09-412075 - RHEL 9 must display the date and time of the last successful account logon upon logon. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. @@ -24700,7 +24965,8 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 RHEL-09-412080 - RHEL 9 must terminate idle user sessions. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. @@ -24712,7 +24978,8 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 RHEL-09-431010 - RHEL 9 must use a Linux Security Module configured to enforce limits on system services. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. @@ -24728,7 +24995,8 @@ Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068 RHEL-09-431015 - RHEL 9 must enable the SELinux targeted policy. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. @@ -24742,7 +25010,8 @@ Note: During the development or debugging of SELinux modules, it is common to te RHEL-09-431025 - RHEL 9 must have policycoreutils package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. @@ -24758,7 +25027,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 RHEL-09-431030 - RHEL 9 policycoreutils-python-utils package must be installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The policycoreutils-python-utils package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat, and sandbox. @@ -24770,7 +25040,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 RHEL-09-432010 - RHEL 9 must have the sudo package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 "sudo" is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done. @@ -24782,7 +25053,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 RHEL-09-432015 - RHEL 9 must require reauthentication when using the "sudo" command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without reauthentication, users may access resources or perform tasks for which they do not have authorization. @@ -24798,7 +25070,8 @@ If the value is set to an integer less than "0", the user's time stamp will not RHEL-09-432020 - RHEL 9 must use the invoking user's password for privilege escalation when using "sudo". - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. @@ -24810,7 +25083,8 @@ If the value is set to an integer less than "0", the user's time stamp will not RHEL-09-432025 - RHEL 9 must require users to reauthenticate for privilege escalation. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without reauthentication, users may access resources or perform tasks for which they do not have authorization. @@ -24826,7 +25100,8 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO RHEL-09-432030 - RHEL 9 must restrict privilege elevation to authorized personnel. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. @@ -24838,7 +25113,8 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO RHEL-09-432035 - RHEL 9 must restrict the use of the "su" command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "su" program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice. @@ -24852,7 +25128,8 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123 RHEL-09-433010 - RHEL 9 fapolicy module must be installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. @@ -24874,7 +25151,8 @@ Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 RHEL-09-433015 - RHEL 9 fapolicy module must be enabled. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. @@ -24896,7 +25174,8 @@ Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 RHEL-09-611010 - RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. @@ -24914,7 +25193,8 @@ By limiting the number of attempts to meet the pwquality module complexity requi RHEL-09-611015 - RHEL 9 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. @@ -24932,7 +25212,8 @@ Note that manual changes to the listed files may be overwritten by the "authsele RHEL-09-611020 - RHEL 9 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. @@ -24950,7 +25231,8 @@ Note that manual changes to the listed files may be overwritten by the "authsele RHEL-09-611025 - RHEL 9 must not allow blank or null passwords. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. @@ -24963,7 +25245,8 @@ Note that manual changes to the listed files may be overwritten by the "authsele RHEL-09-611040 - RHEL 9 must ensure the password complexity module is enabled in the password-auth file. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. @@ -24977,7 +25260,8 @@ Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPO RHEL-09-611045 - RHEL 9 must ensure the password complexity module is enabled in the system-auth file. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. @@ -24989,7 +25273,8 @@ Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPO RHEL-09-611050 - RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. @@ -25005,7 +25290,8 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 RHEL-09-611055 - RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. @@ -25021,7 +25307,8 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 RHEL-09-611060 - RHEL 9 must enforce password complexity rules for the root account. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -25037,7 +25324,8 @@ Satisfies: SRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPO RHEL-09-611065 - RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -25051,7 +25339,8 @@ Password complexity is one factor of several that determines how long it takes t RHEL-09-611070 - RHEL 9 must enforce password complexity by requiring that at least one numeric character be used. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -25065,7 +25354,8 @@ Password complexity is one factor of several that determines how long it takes t RHEL-09-611075 - RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. @@ -25079,7 +25369,8 @@ Setting the minimum password age protects against users cycling back to a favori RHEL-09-611080 - RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. @@ -25091,7 +25382,8 @@ Setting the minimum password age protects against users cycling back to a favori RHEL-09-611085 - RHEL 9 must require users to provide a password for privilege escalation. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without reauthentication, users may access resources or perform tasks for which they do not have authorization. @@ -25107,7 +25399,8 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO RHEL-09-611090 - RHEL 9 passwords must be created with a minimum of 15 characters. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. @@ -25127,7 +25420,8 @@ The DOD minimum password requirement is 15 characters. RHEL-09-611095 - RHEL 9 passwords for new users must have a minimum of 15 characters. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. @@ -25143,7 +25437,8 @@ The DOD minimum password requirement is 15 characters. RHEL-09-611100 - RHEL 9 must enforce password complexity by requiring that at least one special character be used. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. RHEL 9 utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". @@ -25155,7 +25450,8 @@ The DOD minimum password requirement is 15 characters. RHEL-09-611105 - RHEL 9 must prevent the use of dictionary words for passwords. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If RHEL 9 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. @@ -25167,7 +25463,8 @@ The DOD minimum password requirement is 15 characters. RHEL-09-611110 - RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. @@ -25179,7 +25476,8 @@ The DOD minimum password requirement is 15 characters. RHEL-09-611115 - RHEL 9 must require the change of at least eight characters when passwords are changed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks. @@ -25193,7 +25491,8 @@ Password complexity is one factor of several that determines how long it takes t RHEL-09-611120 - RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -25207,7 +25506,8 @@ Password complexity is one factor of several that determines how long it takes t RHEL-09-611125 - RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -25221,7 +25521,8 @@ Password complexity is one factor of several that determines how long it takes t RHEL-09-611130 - RHEL 9 must require the change of at least four character classes when passwords are changed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -25235,7 +25536,8 @@ Password complexity is one factor of several that determines how long it takes t RHEL-09-611135 - RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. @@ -25249,7 +25551,8 @@ This setting ensures user and group account administration utilities are configu RHEL-09-611140 - RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. @@ -25263,7 +25566,8 @@ This setting ensures user and group account administration utilities are configu RHEL-09-611145 - RHEL 9 must not be configured to bypass password requirements for privilege escalation. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. @@ -25277,7 +25581,8 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO RHEL-09-611150 - RHEL 9 shadow password suite must be configured to use a sufficient number of hashing rounds. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. @@ -25293,7 +25598,8 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 RHEL-09-611155 - RHEL 9 must not have accounts configured with blank or null passwords. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. @@ -25305,7 +25611,8 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 RHEL-09-611160 - RHEL 9 must use the CAC smart card driver. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. @@ -25319,7 +25626,8 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPO RHEL-09-611165 - RHEL 9 must enable certificate based smart card authentication. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. @@ -25333,7 +25641,8 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052 RHEL-09-611170 - RHEL 9 must implement certificate status checking for multifactor authentication. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. @@ -25351,7 +25660,8 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162 RHEL-09-611175 - RHEL 9 must have the pcsc-lite package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The pcsc-lite package must be installed if it is to be available for multifactor authentication using smart cards. @@ -25363,7 +25673,8 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162 RHEL-09-611180 - The pcscd service on RHEL 9 must be active. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The information system ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. @@ -25377,7 +25688,8 @@ The daemon program for pcsc-lite and the MuscleCard framework is pcscd. It is a RHEL-09-611185 - RHEL 9 must have the opensc package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. @@ -25393,7 +25705,8 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161 RHEL-09-611195 - RHEL 9 must require authentication to access emergency mode. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. @@ -25407,7 +25720,8 @@ This requirement prevents attackers with physical access from trivially bypassin RHEL-09-611200 - RHEL 9 must require authentication to access single-user mode. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. @@ -25421,7 +25735,8 @@ This requirement prevents attackers with physical access from trivially bypassin RHEL-09-611205 - RHEL 9 must prevent system daemons from using Kerberos for authentication. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Unapproved mechanisms used for authentication to the cryptographic module are not verified; therefore, cannot be relied upon to provide confidentiality or integrity and DOD data may be compromised. @@ -25439,7 +25754,8 @@ FIPS 140-3 is the current standard for validating that mechanisms used to access RHEL-09-631020 - RHEL 9 must prohibit the use of cached authenticators after one day. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If cached authentication information is out-of-date, the validity of the authentication information may be questionable. @@ -25451,7 +25767,8 @@ FIPS 140-3 is the current standard for validating that mechanisms used to access RHEL-09-651010 - RHEL 9 must have the AIDE package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. @@ -25465,7 +25782,8 @@ Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 RHEL-09-651025 - RHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. @@ -25485,7 +25803,8 @@ Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPO RHEL-09-652010 - RHEL 9 must have the rsyslog package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 rsyslogd is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS, and DTLS protocols), to create a method to securely encrypt and offload auditing. @@ -25499,7 +25818,8 @@ Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPO RHEL-09-652015 - RHEL 9 must have the packages required for encrypting offloaded audit logs installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging. @@ -25513,7 +25833,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 RHEL-09-652020 - The rsyslog service on RHEL 9 must be active. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The "rsyslog" service must be running to provide logging services, which are essential to system administration. @@ -25525,7 +25846,8 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 RHEL-09-652025 - RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. @@ -25539,7 +25861,8 @@ If the system is intended to be a log aggregation server, its use must be docume RHEL-09-652030 - All RHEL 9 remote access methods must be monitored. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods. @@ -25551,7 +25874,8 @@ If the system is intended to be a log aggregation server, its use must be docume RHEL-09-652035 - RHEL 9 must be configured to offload audit records onto a different system from the system being audited via syslog. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. @@ -25565,7 +25889,8 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 RHEL-09-652040 - RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -25589,7 +25914,8 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 RHEL-09-652045 - RHEL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -25613,7 +25939,8 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 RHEL-09-652050 - RHEL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -25631,7 +25958,8 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 RHEL-09-652055 - RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -25657,7 +25985,8 @@ Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPO RHEL-09-653010 - RHEL 9 audit package must be installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -25675,7 +26004,8 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO RHEL-09-653015 - RHEL 9 audit service must be enabled. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the "auditd" service is active ensures audit records generated by the kernel are appropriately recorded. @@ -25691,7 +26021,8 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO RHEL-09-653020 - RHEL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. @@ -25703,7 +26034,8 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO RHEL-09-653025 - RHEL 9 audit system must take appropriate action when the audit storage volume is full. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. @@ -25715,7 +26047,8 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO RHEL-09-653030 - RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 To ensure RHEL 9 systems have a sufficient storage capacity in which to write the audit logs, RHEL 9 needs to be able to allocate audit record storage capacity. @@ -25731,7 +26064,8 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 RHEL-09-653035 - RHEL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. @@ -25743,7 +26077,8 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 RHEL-09-653040 - RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. @@ -25755,7 +26090,8 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 RHEL-09-653045 - RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity. @@ -25767,7 +26103,8 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 RHEL-09-653050 - RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity. @@ -25779,7 +26116,8 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 RHEL-09-653055 - RHEL 9 audit system must take appropriate action when the audit files have reached maximum size. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. @@ -25791,7 +26129,8 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 RHEL-09-653060 - RHEL 9 must label all offloaded audit logs before sending them to the central log server. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. @@ -25807,7 +26146,8 @@ Satisfies: SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPO RHEL-09-653065 - RHEL 9 must take appropriate action when the internal event queue is full. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -25823,7 +26163,8 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 RHEL-09-653070 - RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. @@ -25841,7 +26182,8 @@ Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134 RHEL-09-653075 - RHEL 9 audit system must audit local events. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -25857,7 +26199,8 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227 RHEL-09-653080 - RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -25871,7 +26214,8 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO RHEL-09-653085 - RHEL 9 audit log directory must be owned by root to prevent unauthorized read access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -25885,7 +26229,8 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO RHEL-09-653090 - RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -25901,7 +26246,8 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO RHEL-09-653095 - RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost. @@ -25913,7 +26259,8 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO RHEL-09-653100 - RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -25931,7 +26278,8 @@ Satisfies: SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227 RHEL-09-653105 - RHEL 9 must write audit records to disk. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Audit data should be synchronously written to disk to ensure log integrity. This setting assures that all audit event data is written disk. @@ -25943,7 +26291,8 @@ Satisfies: SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227 RHEL-09-653110 - RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -25955,7 +26304,8 @@ Satisfies: SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227 RHEL-09-653115 - RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -25967,7 +26317,8 @@ Satisfies: SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227 RHEL-09-653120 - RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -25987,7 +26338,8 @@ Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132 RHEL-09-653130 - RHEL 9 audispd-plugins package must be installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 "audispd-plugins" provides plugins for the real-time interface to the audit subsystem, "audispd". These plugins can do things like relay events to remote machines or analyze events for suspicious behavior. @@ -25999,7 +26351,8 @@ Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132 RHEL-09-654010 - RHEL 9 must audit uses of the "execve" system call. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. @@ -26013,7 +26366,8 @@ Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127 RHEL-09-654015 - RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26033,7 +26387,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654020 - RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26053,7 +26408,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654025 - RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26073,7 +26429,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654030 - RHEL 9 must audit all uses of umount system calls. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26093,7 +26450,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPO RHEL-09-654035 - RHEL 9 must audit all uses of the chacl command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26113,7 +26471,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654040 - RHEL 9 must audit all uses of the setfacl command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26133,7 +26492,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654045 - RHEL 9 must audit all uses of the chcon command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26153,7 +26513,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654050 - RHEL 9 must audit all uses of the semanage command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26173,7 +26534,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654055 - RHEL 9 must audit all uses of the setfiles command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26193,7 +26555,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654060 - RHEL 9 must audit all uses of the setsebool command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26213,7 +26576,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654065 - RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26233,7 +26597,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654070 - RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26253,7 +26618,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654075 - RHEL 9 must audit all uses of the delete_module system call. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26273,7 +26639,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654080 - RHEL 9 must audit all uses of the init_module and finit_module system calls. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26293,7 +26660,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654085 - RHEL 9 must audit all uses of the chage command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26313,7 +26681,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654090 - RHEL 9 must audit all uses of the chsh command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26333,7 +26702,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654095 - RHEL 9 must audit all uses of the crontab command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26353,7 +26723,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654100 - RHEL 9 must audit all uses of the gpasswd command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26373,7 +26744,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654105 - RHEL 9 must audit all uses of the kmod command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26393,7 +26765,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654110 - RHEL 9 must audit all uses of the newgrp command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26413,7 +26786,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654115 - RHEL 9 must audit all uses of the pam_timestamp_check command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26433,7 +26807,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654120 - RHEL 9 must audit all uses of the passwd command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26453,7 +26828,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654125 - RHEL 9 must audit all uses of the postdrop command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26473,7 +26849,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654130 - RHEL 9 must audit all uses of the postqueue command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26493,7 +26870,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654135 - RHEL 9 must audit all uses of the ssh-agent command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26513,7 +26891,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654140 - RHEL 9 must audit all uses of the ssh-keysign command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26533,7 +26912,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654145 - RHEL 9 must audit all uses of the su command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26553,7 +26933,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654150 - RHEL 9 must audit all uses of the sudo command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26573,7 +26954,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654155 - RHEL 9 must audit all uses of the sudoedit command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26593,7 +26975,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654160 - RHEL 9 must audit all uses of the unix_chkpwd command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26613,7 +26996,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654165 - RHEL 9 must audit all uses of the unix_update command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26633,7 +27017,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654170 - RHEL 9 must audit all uses of the userhelper command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26653,7 +27038,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654175 - RHEL 9 must audit all uses of the usermod command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26673,7 +27059,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654180 - RHEL 9 must audit all uses of the mount command. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26693,7 +27080,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654185 - Successful/unsuccessful uses of the init command in RHEL 9 must generate an audit record. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Misuse of the init command may cause availability issues for the system. @@ -26705,7 +27093,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654190 - Successful/unsuccessful uses of the poweroff command in RHEL 9 must generate an audit record. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Misuse of the poweroff command may cause availability issues for the system. @@ -26717,7 +27106,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654195 - Successful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Misuse of the reboot command may cause availability issues for the system. @@ -26729,7 +27119,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654200 - Successful/unsuccessful uses of the shutdown command in RHEL 9 must generate an audit record. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Misuse of the shutdown command may cause availability issues for the system. @@ -26741,7 +27132,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654205 - Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. @@ -26755,7 +27147,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPO RHEL-09-654210 - Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. @@ -26769,7 +27162,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPO RHEL-09-654215 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. @@ -26783,7 +27177,8 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO RHEL-09-654220 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. @@ -26797,7 +27192,8 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO RHEL-09-654225 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. @@ -26811,7 +27207,8 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO RHEL-09-654230 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. @@ -26825,7 +27222,8 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO RHEL-09-654235 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. @@ -26839,7 +27237,8 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO RHEL-09-654240 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. @@ -26853,7 +27252,8 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO RHEL-09-654245 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. @@ -26867,7 +27267,8 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO RHEL-09-654250 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26881,7 +27282,8 @@ Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPO RHEL-09-654255 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26895,7 +27297,8 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO RHEL-09-654260 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -26909,7 +27312,8 @@ Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPO RHEL-09-654265 - RHEL 9 must take appropriate action when a critical audit processing failure occurs. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. @@ -26925,7 +27329,8 @@ Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023 RHEL-09-654270 - RHEL 9 audit system must protect logon UIDs from unauthorized change. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. @@ -26939,7 +27344,8 @@ Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPO RHEL-09-654275 - RHEL 9 audit system must protect auditing rules from unauthorized change. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -26957,7 +27363,8 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO RHEL-09-672582300 - RHEL 9 must enable FIPS mode. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. @@ -26971,7 +27378,8 @@ Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPO RHEL-09-671015 - RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 The system must use a strong hashing algorithm to store the password. @@ -26987,7 +27395,8 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 RHEL-09-671020 - RHEL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented. @@ -26999,7 +27408,8 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 RHEL-09-671025 - RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and; therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. @@ -27015,7 +27425,8 @@ FIPS 140-3 is the current standard for validating that mechanisms used to access RHEL-09-672010 - RHEL 9 must have the crypto-policies package installed. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. @@ -27029,7 +27440,8 @@ Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPO RHEL-09-672020 - RHEL 9 crypto policy must not be overridden. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. @@ -27043,7 +27455,8 @@ Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPO RHEL-09-672025 - RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented. @@ -27055,7 +27468,8 @@ Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPO RHEL-09-672030 - RHEL 9 must implement DOD-approved TLS encryption in the GnuTLS package. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -27073,7 +27487,8 @@ Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187 RHEL-09-672035 - RHEL 9 must implement DOD-approved encryption in the OpenSSL package. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -27091,7 +27506,8 @@ The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/open RHEL-09-672040 - RHEL 9 must implement DOD-approved TLS encryption in the OpenSSL package. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -27109,7 +27525,8 @@ The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/open RHEL-09-672050 - RHEL 9 must implement DOD-approved encryption in the bind package. - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -29178,7 +29595,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 - + @@ -33049,7 +33466,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 1 - /boot/efi/EFI/redhat/grub.cfg + /boot/efi/EFI/almalinux/grub.cfg /etc/grub2-efi.cfg @@ -34740,7 +35157,8 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 RHEL 9 is installed - Red Hat Enterprise Linux 9 + Red Hat Enterprise Linux 9 +AlmaLinux 9 RHEL 9 is installed diff --git a/shared/templates/accounts_password/ansible.template b/shared/templates/accounts_password/ansible.template index b324dc01a..6bcaeee57 100644 --- a/shared/templates/accounts_password/ansible.template +++ b/shared/templates/accounts_password/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template index 46e98c147..d1e49f5a0 100644 --- a/shared/templates/accounts_password/bash.template +++ b/shared/templates/accounts_password/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template index 5a686b0b2..74a7d8c30 100644 --- a/shared/templates/audit_rules_dac_modification/ansible.template +++ b/shared/templates/audit_rules_dac_modification/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template index daee70210..ae6608360 100644 --- a/shared/templates/audit_rules_dac_modification/bash.template +++ b/shared/templates/audit_rules_dac_modification/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template index 33b29b977..cbee8fdf7 100644 --- a/shared/templates/audit_rules_file_deletion_events/ansible.template +++ b/shared/templates/audit_rules_file_deletion_events/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template index b3eab4edb..da237aa3d 100644 --- a/shared/templates/audit_rules_file_deletion_events/bash.template +++ b/shared/templates/audit_rules_file_deletion_events/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/shared/templates/audit_rules_login_events/ansible.template b/shared/templates/audit_rules_login_events/ansible.template index e62981561..4f8c1b6e5 100644 --- a/shared/templates/audit_rules_login_events/ansible.template +++ b/shared/templates/audit_rules_login_events/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_login_events/bash.template b/shared/templates/audit_rules_login_events/bash.template index e3c55b43a..0a13eabe8 100644 --- a/shared/templates/audit_rules_login_events/bash.template +++ b/shared/templates/audit_rules_login_events/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template index 68b43b439..9d9ce2fad 100644 --- a/shared/templates/audit_rules_path_syscall/ansible.template +++ b/shared/templates/audit_rules_path_syscall/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template index 332c87def..cdcf6352c 100644 --- a/shared/templates/audit_rules_path_syscall/bash.template +++ b/shared/templates/audit_rules_path_syscall/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template index 0edc5c732..c8d61bd1f 100644 --- a/shared/templates/audit_rules_privileged_commands/ansible.template +++ b/shared/templates/audit_rules_privileged_commands/ansible.template @@ -1,7 +1,7 @@ {{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x=" -F perm=x" %}} {{%- endif %}} -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # reboot = false # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template index 63dfcb06c..110b94caf 100644 --- a/shared/templates/audit_rules_privileged_commands/bash.template +++ b/shared/templates/audit_rules_privileged_commands/bash.template @@ -1,7 +1,7 @@ {{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x=" -F perm=x" %}} {{%- endif %}} -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu ACTION_ARCH_FILTERS="-a always,exit" OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}" diff --git a/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_perm_x.fail.sh b/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_perm_x.fail.sh index 26ed4807d..29b415410 100644 --- a/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_perm_x.fail.sh +++ b/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_perm_x.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu # packages = audit source common.sh diff --git a/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_perm_x.fail.sh b/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_perm_x.fail.sh index 2cfd69a19..f3c352227 100644 --- a/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_perm_x.fail.sh +++ b/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_perm_x.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu source common.sh diff --git a/shared/templates/audit_rules_syscall_events/ansible.template b/shared/templates/audit_rules_syscall_events/ansible.template index 16dec9827..5e953196e 100644 --- a/shared/templates/audit_rules_syscall_events/ansible.template +++ b/shared/templates/audit_rules_syscall_events/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_syscall_events/bash.template b/shared/templates/audit_rules_syscall_events/bash.template index bd5bb94cb..d1f68626a 100644 --- a/shared/templates/audit_rules_syscall_events/bash.template +++ b/shared/templates/audit_rules_syscall_events/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template index 9beb65537..e6da688f0 100644 --- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template index b18223c98..e82de6427 100644 --- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template +++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/shared/templates/audit_rules_usergroup_modification/ansible.template b/shared/templates/audit_rules_usergroup_modification/ansible.template index 43063a18f..f0440e169 100644 --- a/shared/templates/audit_rules_usergroup_modification/ansible.template +++ b/shared/templates/audit_rules_usergroup_modification/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_usergroup_modification/bash.template b/shared/templates/audit_rules_usergroup_modification/bash.template index 62faac341..3461e4e29 100644 --- a/shared/templates/audit_rules_usergroup_modification/bash.template +++ b/shared/templates/audit_rules_usergroup_modification/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template index a573b6a1b..7011157d8 100644 --- a/shared/templates/grub2_bootloader_argument/ansible.template +++ b/shared/templates/grub2_bootloader_argument/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot = true # strategy = restrict # complexity = medium diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template index 7a7ba6899..ac12c1878 100644 --- a/shared/templates/grub2_bootloader_argument/bash.template +++ b/shared/templates/grub2_bootloader_argument/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian {{# See the OVAL template for more comments. Product-specific categorization should be synced across all template content types diff --git a/shared/templates/grub2_bootloader_argument/blueprint.template b/shared/templates/grub2_bootloader_argument/blueprint.template index 7e9ea909e..152f27303 100644 --- a/shared/templates/grub2_bootloader_argument/blueprint.template +++ b/shared/templates/grub2_bootloader_argument/blueprint.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle {{%- if ARG_VARIABLE %}} {{%- set ARG_NAME_VALUE = ARG_NAME ~ "=(blueprint-populate " ~ ARG_VARIABLE ~ ")" -%}} {{%- endif %}} diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh index b594abe6d..bac3e9fc6 100644 --- a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh +++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu {{%- if 'ubuntu' in product %}} # packages = grub2 {{%- else %}} diff --git a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh index e84c6e619..3f0ec2ea8 100644 --- a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh +++ b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # packages = grub2,grubby {{%- if ARG_VARIABLE %}} # variables = {{{ ARG_VARIABLE }}}=correct_value diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh index c827721ef..597368b03 100644 --- a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh +++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9,multi_platform_fedora +# platform = Red Hat Enterprise Linux 9,AlmaLinux 9,multi_platform_fedora # packages = grub2,grubby source common.sh diff --git a/shared/templates/grub2_bootloader_argument_absent/ansible.template b/shared/templates/grub2_bootloader_argument_absent/ansible.template index 51fc98b7a..c6b147d87 100644 --- a/shared/templates/grub2_bootloader_argument_absent/ansible.template +++ b/shared/templates/grub2_bootloader_argument_absent/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = medium diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template index 8d7d6e9ea..18b900e51 100644 --- a/shared/templates/grub2_bootloader_argument_absent/bash.template +++ b/shared/templates/grub2_bootloader_argument_absent/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle {{# See the OVAL template for more comments. Product-specific categorization should be synced across all template content types diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh index 46ca33623..76c1ce48e 100644 --- a/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh +++ b/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # packages = grub2-tools,grubby # Adds argument from kernel command line in /etc/default/grub diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh index e5ce738c3..c124317b3 100644 --- a/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh +++ b/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # packages = grub2-tools,grubby # Adds argument with a value from kernel command line in /etc/default/grub diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh index 511a64335..5402480ab 100644 --- a/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh +++ b/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9,AlmaLinux 9 # packages = grub2,grubby # Ensure the kernel command line for each installed kernel in the bootloader diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template index 88e846697..a329cbe76 100644 --- a/shared/templates/kernel_module_disabled/ansible.template +++ b/shared/templates/kernel_module_disabled/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle # reboot = true # strategy = disable # complexity = low diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template index df7229bc4..d6dc65bff 100644 --- a/shared/templates/kernel_module_disabled/bash.template +++ b/shared/templates/kernel_module_disabled/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle # reboot = true # strategy = disable # complexity = low diff --git a/shared/templates/kernel_module_disabled/kubernetes.template b/shared/templates/kernel_module_disabled/kubernetes.template index c77cebfbb..2820e9745 100644 --- a/shared/templates/kernel_module_disabled/kubernetes.template +++ b/shared/templates/kernel_module_disabled/kubernetes.template @@ -1,5 +1,5 @@ --- -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos # reboot = true # strategy = disable # complexity = low diff --git a/shared/templates/kernel_module_disabled/tests/missing_blacklist.fail.sh b/shared/templates/kernel_module_disabled/tests/missing_blacklist.fail.sh index 8a1319eed..fb20c3b4a 100644 --- a/shared/templates/kernel_module_disabled/tests/missing_blacklist.fail.sh +++ b/shared/templates/kernel_module_disabled/tests/missing_blacklist.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_ubuntu echo > /etc/modprobe.d/{{{ KERNMODULE }}}.conf echo "install {{{ KERNMODULE }}} /bin/true" > /etc/modprobe.d/{{{ KERNMODULE }}}.conf diff --git a/shared/templates/mount/anaconda.template b/shared/templates/mount/anaconda.template index fdcb4ee3e..0d1d8dc24 100644 --- a/shared/templates/mount/anaconda.template +++ b/shared/templates/mount/anaconda.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/mount/blueprint.template b/shared/templates/mount/blueprint.template index 56617467d..3cdacd4db 100644 --- a/shared/templates/mount/blueprint.template +++ b/shared/templates/mount/blueprint.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora [[customizations.filesystem]] mountpoint = "{{{ MOUNTPOINT }}}" diff --git a/shared/templates/mount_option/anaconda.template b/shared/templates/mount_option/anaconda.template index 083b0ef00..14f7018a9 100644 --- a/shared/templates/mount_option/anaconda.template +++ b/shared/templates/mount_option/anaconda.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/mount_option_removable_partitions/anaconda.template b/shared/templates/mount_option_removable_partitions/anaconda.template index 8665fb913..07cd9e3ad 100644 --- a/shared/templates/mount_option_removable_partitions/anaconda.template +++ b/shared/templates/mount_option_removable_partitions/anaconda.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/package_installed/anaconda.template b/shared/templates/package_installed/anaconda.template index 0ac55f51f..dd0bcddea 100644 --- a/shared/templates/package_installed/anaconda.template +++ b/shared/templates/package_installed/anaconda.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/package_installed/bash.template b/shared/templates/package_installed/bash.template index 65c48d381..ee1e6386d 100644 --- a/shared/templates/package_installed/bash.template +++ b/shared/templates/package_installed/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/package_removed/anaconda.template b/shared/templates/package_removed/anaconda.template index 489f9bb0f..0120d927c 100644 --- a/shared/templates/package_removed/anaconda.template +++ b/shared/templates/package_removed/anaconda.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = disable # complexity = low diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh index 0fa452ba0..8e9abbe3a 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh index 54804685b..1c4b4f3e1 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr.fail.sh index 1ba8e0cda..02f0e77e9 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr.fail.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_include.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_include.fail.sh index 321df77d9..756bdb524 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_include.fail.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_include.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_stricter_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_stricter_attr.pass.sh index dc362ae00..36867bb2b 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_stricter_attr.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_stricter_attr.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh index 4aef9fb84..0b7cbcd5f 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr_include.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr_include.pass.sh index 203f640f5..a127500e8 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr_include.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr_include.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_cloudinit.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_cloudinit.fail.sh index f623b6be4..8d4399023 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_cloudinit.fail.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_cloudinit.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy.fail.sh index c825c0b08..746d6dfa4 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy.fail.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy_include.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy_include.fail.sh index a8e723bee..a1e6b245c 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy_include.fail.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy_include.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer.fail.sh index d3f639a2b..b5d757274 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer.fail.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer_include.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer_include.fail.sh index d3be7ffc3..5b4b11307 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer_include.fail.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer_include.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_stricter_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_stricter_attr.pass.sh index c1c5758d8..3e7441a4a 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_stricter_attr.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_stricter_attr.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh index 3d3bbbd8e..ae10153cd 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_exceptions.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_exceptions.pass.sh index 868318728..d744d549d 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_exceptions.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_exceptions.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_include.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_include.pass.sh index 96e9ddaf3..8c8a59a3a 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_include.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_include.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_multiline_include.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_multiline_include.pass.sh index ec9296694..6bd64894b 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_multiline_include.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_multiline_include.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr.fail.sh index 9dcbe0c2e..b7f6323c9 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr.fail.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr_include.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr_include.fail.sh index dc9ea0eef..9c6694804 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr_include.fail.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr_include.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_multiline_attr_include.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_multiline_attr_include.fail.sh index 6acb37ad7..d235e6249 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_multiline_attr_include.fail.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_multiline_attr_include.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_stricter_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_stricter_attr.pass.sh index abdb09c48..9cc24d061 100755 --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_stricter_attr.pass.sh +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_stricter_attr.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Declare variables used for the tests and define the create_rsyslog_test_logs function source $SHARED/rsyslog_log_utils.sh diff --git a/shared/templates/sebool/ansible.template b/shared/templates/sebool/ansible.template index 53a67710f..12e9f9b3b 100644 --- a/shared/templates/sebool/ansible.template +++ b/shared/templates/sebool/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,SUSE Linux Enterprise 15 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,SUSE Linux Enterprise 15 # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/sebool/bash.template b/shared/templates/sebool/bash.template index 8cf8e262d..9a8eddad1 100644 --- a/shared/templates/sebool/bash.template +++ b/shared/templates/sebool/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,SUSE Linux Enterprise 15 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,SUSE Linux Enterprise 15 # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template index c8b6826b2..6bbb8eb2a 100644 --- a/shared/templates/service_disabled/bash.template +++ b/shared/templates/service_disabled/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # reboot = false # strategy = disable # complexity = low diff --git a/shared/templates/service_disabled/kubernetes.template b/shared/templates/service_disabled/kubernetes.template index 1ab456524..724e7b779 100644 --- a/shared/templates/service_disabled/kubernetes.template +++ b/shared/templates/service_disabled/kubernetes.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos,multi_platform_ubuntu # reboot = true # strategy = disable # complexity = low diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template index 00fd1ee2f..2d99ec854 100644 --- a/shared/templates/service_enabled/bash.template +++ b/shared/templates/service_enabled/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh index 7db352eda..8746cc887 100644 --- a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh +++ b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu source common.sh diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh index e0cd64de1..30c6635e3 100644 --- a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh +++ b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh index fd2cfeb10..dc76764bf 100644 --- a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu SSHD_PARAM={{{ PARAMETER }}} SSHD_VAL={{{ VALUE }}} diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh index 2322e1d7c..2f4eebde8 100644 --- a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu SSHD_PARAM={{{ PARAMETER }}} SSHD_VAL={{{ VALUE }}} diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh index 1810d779a..bd4386724 100644 --- a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu SSHD_PARAM={{{ PARAMETER }}} SSHD_VAL="bad_val" diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index 166788260..fa79e7262 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian # reboot = true # strategy = disable # complexity = low diff --git a/shared/templates/systemd_mount_enabled/anaconda.template b/shared/templates/systemd_mount_enabled/anaconda.template index 42ec0778d..475010b6a 100644 --- a/shared/templates/systemd_mount_enabled/anaconda.template +++ b/shared/templates/systemd_mount_enabled/anaconda.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/zipl_bls_entries_option/ansible.template b/shared/templates/zipl_bls_entries_option/ansible.template index 336775e4f..854f90a24 100644 --- a/shared/templates/zipl_bls_entries_option/ansible.template +++ b/shared/templates/zipl_bls_entries_option/ansible.template @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # reboot = true # strategy = configure # complexity = medium diff --git a/shared/templates/zipl_bls_entries_option/bash.template b/shared/templates/zipl_bls_entries_option/bash.template index 25cd7432c..1ba5c29b7 100644 --- a/shared/templates/zipl_bls_entries_option/bash.template +++ b/shared/templates/zipl_bls_entries_option/bash.template @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # Correct BLS option using grubby, which is a thin wrapper around BLS operations grubby --update-kernel=ALL --args="{{{ ARG_NAME }}}={{{ ARG_VALUE }}}" diff --git a/ssg/constants.py b/ssg/constants.py index c02858096..4bf8ea1ea 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -40,6 +40,7 @@ SSG_REF_URIS = { product_directories = [ 'alinux2', 'alinux3', + 'almalinux9', 'anolis8', 'anolis23', 'chromium', @@ -198,6 +199,7 @@ PKG_MANAGER_TO_CONFIG_FILE = { FULL_NAME_TO_PRODUCT_MAPPING = { "Alibaba Cloud Linux 2": "alinux2", "Alibaba Cloud Linux 3": "alinux3", + "AlmaLinux 9": "almalinux9", "Anolis OS 8": "anolis8", "Anolis OS 23": "anolis23", "Chromium": "chromium", @@ -278,13 +280,14 @@ REFERENCES = dict( ) -MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu", +MULTI_PLATFORM_LIST = ["almalinux", "rhel", "fedora", "rhv", "debian", "ubuntu", "openeuler", "opensuse", "sle", "ol", "ocp", "rhcos", "example", "eks", "alinux", "uos", "anolis", "openembedded"] MULTI_PLATFORM_MAPPING = { "multi_platform_alinux": ["alinux2", "alinux3"], + "multi_platform_almalinux": ["almalinux9"], "multi_platform_anolis": ["anolis8", "anolis23"], "multi_platform_debian": ["debian10", "debian11", "debian12"], "multi_platform_example": ["example"], @@ -452,6 +455,7 @@ XCCDF_PLATFORM_TO_PACKAGE = { # _version_name_map = { MAKEFILE_ID_TO_PRODUCT_MAP = { 'alinux': 'Alibaba Cloud Linux', + 'almalinux': 'AlmaLinux', 'anolis': 'Anolis OS', 'chromium': 'Google Chromium Browser', 'fedora': 'Fedora', diff --git a/tests/unit/ssg-module/test_playbook_builder_data/fixes/selinux_state.yml b/tests/unit/ssg-module/test_playbook_builder_data/fixes/selinux_state.yml index ff0b30f03..0116294f1 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/fixes/selinux_state.yml +++ b/tests/unit/ssg-module/test_playbook_builder_data/fixes/selinux_state.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_and_current_same_time.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_and_current_same_time.pass.sh index b607202c5..175381afb 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_and_current_same_time.pass.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_and_current_same_time.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # packages = crypto-policies-scripts # IMPORTANT: This is a false negative scenario. diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_newer_than_current.fail.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_newer_than_current.fail.sh index e5b598342..5608d4124 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_newer_than_current.fail.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_newer_than_current.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # packages = crypto-policies-scripts update-crypto-policies --set "DEFAULT" diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_nss_config.fail.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_nss_config.fail.sh index 7be3c82f3..96c42acfe 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_nss_config.fail.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_nss_config.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy.fail.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy.fail.sh index 261dc3f96..2cde26d7d 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy.fail.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy_file.fail.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy_file.fail.sh index 356aa3ffe..caba47b8c 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy_file.fail.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy_file.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_file.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_file.pass.sh index 06bd713dd..5d4abd801 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_file.pass.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_file.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh index 56a081eca..aa25f4415 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh index 10cb25593..ff169499c 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis_server_l1,xccdf_org.ssgproject.content_profile_cis_workstation_l1 # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh index a2107d146..6964ade32 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_e8 # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_set.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_set.pass.sh index b06e035fa..a3c503b8d 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_set.pass.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_set.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_standard # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh index 6679f94bd..cc37b1c9d 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_future_cis_l2.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_future_cis_l2.pass.sh index 116f6b676..15611d80e 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_future_cis_l2.pass.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_future_cis_l2.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_cis_workstation_l2 # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/wrong_policy.fail.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/wrong_policy.fail.sh index 9461c3ddd..6b048f2f5 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/wrong_policy.fail.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/wrong_policy.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard # packages = crypto-policies-scripts diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml index 1c1560a86..fc86b614e 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh index 10ecee505..3d3098f4e 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = true # strategy = restrict # complexity = low diff --git a/tests/unit/ssg_test_suite/data/correct.pass.sh b/tests/unit/ssg_test_suite/data/correct.pass.sh index 8e5e284ee..ce1b79416 100644 --- a/tests/unit/ssg_test_suite/data/correct.pass.sh +++ b/tests/unit/ssg_test_suite/data/correct.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = sudo,authselect -# platform = multi_platform_rhel,Fedora +# platform = multi_platform_rhel,multi_platform_almalinux,Fedora # profiles = xccdf_org.ssgproject.content_profile_cis # remediation = none # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py index e9a7a9618..5b61e9f94 100755 --- a/utils/ansible_playbook_to_role.py +++ b/utils/ansible_playbook_to_role.py @@ -66,6 +66,7 @@ PRODUCT_ALLOWLIST = set([ "rhel7", "rhel8", "rhel9", + "almalinux9", ]) PROFILE_ALLOWLIST = set([