AlmaLinux OS 9 must be configured so that the cryptographic hashes of system files match vendor values.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-269292	SRG-OS-000480-GPOS-00227	ALMA-09-024000	SV-269292r1050174_rule	2025-02-20	1

Description
The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

ℹ️ Check
The following command will list which files on the system have file hashes different from what is expected by the RPM database: $ rpm -Va --noconfig \| awk '$1 ~ /..5/ && $2 != "c"' If there is an output, this is a finding.

✔️ Fix
Given the output from the check command, identify the package that provides the output and reinstall it. The following trimmed example output shows a package that has failed verification, been identified, reinstalled, and then passed re-verification: $ rpm -Va --noconfig \| awk '$1 ~ /..5/ && $2 != "c"' S.5....T. /usr/bin/tar $ dnf whatprovides /usr/bin/tar tar-2:1.34-6.el9_1.x86_64 : GNU file archiving program $ dnf reinstall tar $ rpm -Va --noconfig \| awk '$1 ~ /..5/ && $2 != "c"' [no output]

✔️ Fix

Given the output from the check command, identify the package that provides the output and reinstall it. The following trimmed example output shows a package that has failed verification, been identified, reinstalled, and then passed re-verification: $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' S.5....T. /usr/bin/tar $ dnf whatprovides /usr/bin/tar tar-2:1.34-6.el9_1.x86_64 : GNU file archiving program $ dnf reinstall tar $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' [no output]