In some instances, security beyond a default install is very important. Here is how you can start with a system that is already mostly compliant.
When installing a new RHEL, Rocky or AlmaLinux system, you will be provided with a screen to set the passwords and networking. In bottom right corner under System, you will see “Security Profile”.
Click on that link. You will then be presented with several profiles. Here I have selected the “CIS Level 2 - Server” profile. This a common compliance level that is quite good. Press Select Profile. Areas that need remediation will be shown. A specific partition layout will be required, which will protect your OS from filling up the drive and crashing the OS.
CIS Level 2 does not allow for a graphical UI. The Gnome UI can be installed later, but then it is not CIS Level 2 Server compliance. CIS Level 1 Server is less restrictive but allows for a UI.
How to install the Gnome UI: https://castinganet.net/posts/ALMALINUX-INSTALL-GUI/