TickYouOff

AlmaLinux 9 STIG

Hard 25 items · 1 day
testuser Published 1 month ago

This checklist converts the DISA AlmaLinux OS 9 STIG into practical actions to bring AlmaLinux 9 systems into compliance. It’s aimed at system administrators and security engineers responsible for hardening AlmaLinux 9 servers in managed environments.

Source: https://ncp.nist.gov/checklist/1264

  1. Download the AlmaLinux OS 9 STIG XCCDF — Get the standalone XCCDF (e.g., 1.1.4) or latest STIG from DISA.
  2. Review STIG requirements and scope — Identify which controls apply to your environment and systems.
  3. Inventory target AlmaLinux 9 systems — Record hostnames, IPs, OS versions, and roles.
  4. Backup system configs and critical data — Create snapshots and config backups before making changes.
  5. Apply system updates and patches — Install vendor patches for kernel, libraries, and apps.
  6. Update package index — Run dnf makecache or equivalent before upgrades.
  7. Upgrade installed packages — Run dnf upgrade to apply available package updates.
  8. Reboot systems if the kernel or critical packages were updated — Reboot when required to apply kernel/security fixes.
  9. Enable and configure the system firewall — Use firewalld or nftables and apply default deny rules.
  10. Open only required ports and services — Limit ports to necessary services and required zones.
  11. Harden SSH configuration — Disable root login, disable password auth if using keys, restrict protocols.
  12. Enforce password and account policies — Set complexity, expiration, lockout thresholds, and minimum lengths.
  13. Enable SELinux in enforcing mode — Confirm SELinux is enforcing and remediate denials as needed.
  14. Configure auditing and log forwarding — Enable auditd rules and forward logs to a centralized collector.
  15. Apply sysctl kernel hardening settings — Harden network and kernel parameters in /etc/sysctl.conf.
  16. Remove or disable unused services and packages — Uninstall packages and stop services not required for the host role.
  17. Restrict sudoers and enforce least privilege — Limit who can sudo and require logging of privileged actions.
  18. Configure automatic updates or patch management — Set automated patching or integrate hosts with patch tooling.
  19. Verify time synchronization (chrony or ntp) — Ensure accurate system time for logs and authentication.
  20. Run vulnerability scans and remediate findings — Use scanners to find missing patches and config issues; remediate accordingly.
  21. Document changes and create a rollback plan — Record configuration changes and rollback steps for each action.
  22. Test changes in a staging environment — Validate stability and functionality before production rollout.
  23. Deploy validated changes to production — Apply tested hardening and patches to production hosts.
  24. Schedule periodic compliance audits and reviews — Plan recurring checks to ensure STIG controls remain enforced.
  25. Subscribe to STIG updates and track change history — Monitor DISA and NIST updates and update the checklist as needed.
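
Item 11 is easy to get wrong because sshd keeps the first value it reads for a keyword and ignores commented-out lines. The script below is an added example (not part of the checklist or the STIG content) that audits sshd_config text for that item. It assumes key-based authentication is in use, so PasswordAuthentication is expected to be "no"; the function names and sample files are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit sshd_config text for checklist item 11.

# Print the effective global value of a keyword. sshd keeps the first
# value it obtains, keywords are case-insensitive, and lines after a
# Match line apply only conditionally, so parsing stops there.
sshd_value() {  # usage: sshd_value FILE KEYWORD
  awk -v key="$2" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# An unset keyword fails: OpenSSH defaults are not "no" for either check.
check_kw() {  # usage: check_kw FILE KEYWORD EXPECTED
  local got
  got=$(sshd_value "$1" "$2")
  if [ "$got" = "$3" ]; then
    echo "PASS $2 $got"
  else
    echo "FAIL $2 ${got:-unset} (want $3)"
    return 1
  fi
}

audit_sshd() {  # prints one line per check; exit status = failure count
  local fails=0
  check_kw "$1" PermitRootLogin no || fails=$((fails + 1))
  check_kw "$1" PasswordAuthentication no || fails=$((fails + 1))
  return "$fails"
}

# Constructed sample configs (not taken from a real host).
TMP=$(mktemp -d)
WEAK="$TMP/weak.conf"; HARDENED="$TMP/hardened.conf"
cat > "$WEAK" <<'EOF'
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$HARDENED"

audit_sshd "$WEAK" || echo "weak.conf: $? failing settings"
audit_sshd "$HARDENED" && echo "hardened.conf: compliant"
```

On a live host, run the functions against saved output of `sshd -T`, which resolves Include directives, instead of a single config file.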