From 73368abdb2cf1200ffed328d60b5ea2f485c4f3c Mon Sep 17 00:00:00 2001
From: Jesse Borden
Date: Sat, 6 Sep 2025 11:41:12 -0400
Subject: [PATCH 1/7] generatefromRHEL9similarities

---
 controls/stig_al2023.yml | 1755 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 1755 insertions(+)
 create mode 100644 controls/stig_al2023.yml

diff --git a/controls/stig_al2023.yml b/controls/stig_al2023.yml
new file mode 100644
index 000000000000..8351b3697672
--- /dev/null
+++ b/controls/stig_al2023.yml
@@ -0,0 +1,1755 @@
+policy: 'Amazon Linux 2023 Security Technical Implementation Guide'
+title: 'Amazon Linux 2023 Security Technical Implementation Guide'
+id: stig_al2023
+source: https://www.cyber.mil/stigs/downloads/
+version: V2R4
+reference_type: stigid
+product: rhel9
+
+levels:
+- id: high
+- id: medium
+- id: low
+
+controls:
+- id:
+ levels:
+ - id:
+ title:
+ rules: []
+ status: pending
+- id: AZLX-23-000100_sim0.886090
+ levels:
+ - high
+ title: Amazon Linux 2023 local disk partitions must implement cryptographic
+ mechanisms to prevent unauthorized disclosure or modification of all
+ information that requires at rest protection.
+ rules:
+ - encrypt_partitions
+ status: automated
+
+- id: AZLX-23-000110
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must ensure cryptographic verification of vendor
+ software packages.
+ rules: []
+ status: pending
+- id: AZLX-23-000115_sim0.984378
+ levels:
+ - high
+ title: Amazon Linux 2023 must check the GPG signature of locally installed
+ software packages before installation.
+ rules:
+ - ensure_gpgcheck_local_packages
+ status: automated
+
+- id: AZLX-23-000120_sim0.988262
+ levels:
+ - high
+ title: Amazon Linux 2023 must check the GPG signature of software packages
+ originating from external software repositories before installation.
+ rules:
+ - ensure_gpgcheck_globally_activated
+ status: automated
+
+- id: AZLX-23-000125_sim0.444188
+ levels:
+ - high
+ title: Amazon Linux 2023 must have GPG signature verification enabled for all
+ software repositories.
+ rules:
+ - ensure_gpgcheck_never_disabled
+ status: automated
+
+- id: AZLX-23-000130_sim0.806855
+ levels:
+ - high
+ title: Amazon Linux 2023 must be a vendor-supported release.
+ rules:
+ - installed_OS_is_vendor_supported
+ status: automated
+
+- id: AZLX-23-000135_sim0.975174
+ levels:
+ - medium
+ title: Amazon Linux 2023 systemd-journald service must be enabled.
+ rules:
+ - service_systemd-journald_enabled
+ status: automated
+
+- id: AZLX-23-000200_sim0.995375
+ levels:
+ - medium
+ title: Amazon Linux 2023 must restrict access to the kernel message buffer.
+ rules:
+ - sysctl_kernel_dmesg_restrict
+ status: automated
+
+- id: AZLX-23-000205_sim0.995352
+ levels:
+ - medium
+ title: Amazon Linux 2023 must prevent kernel profiling by nonprivileged users.
+ rules:
+ - sysctl_kernel_perf_event_paranoid
+ status: automated
+
+- id: AZLX-23-000210_sim0.795042
+ levels:
+ - medium
+ title: Amazon Linux 2023 must restrict exposed kernel pointer addresses
+ access.
+ rules:
+ - sysctl_kernel_kptr_restrict
+ status: automated
+
+- id: AZLX-23-000215_sim0.969431
+ levels:
+ - medium
+ title: Amazon Linux 2023 must disable access to network bpf system call from
+ nonprivileged processes.
+ rules:
+ - sysctl_kernel_unprivileged_bpf_disabled
+ status: automated
+
+- id: AZLX-23-000220_sim0.996915
+ levels:
+ - medium
+ title: Amazon Linux 2023 must restrict usage of ptrace to descendant
+ processes.
+ rules:
+ - sysctl_kernel_yama_ptrace_scope
+ status: automated
+
+- id: AZLX-23-000225_sim0.646632
+ levels:
+ - medium
+ title: Amazon Linux 2023 must implement address space layout randomization
+ (ASLR) to protect its memory from unauthorized code execution.
+ rules:
+ - sysctl_kernel_randomize_va_space
+ status: automated
+
+- id: AZLX-23-000300_sim0.810811
+ levels:
+ - high
+ title: Amazon Linux 2023 must not have the vsftpd package installed.
+ rules:
+ - package_vsftpd_removed
+ status: automated
+
+- id: AZLX-23-000305_sim0.932394
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not have the sendmail package installed.
+ rules:
+ - package_sendmail_removed
+ status: automated
+
+- id: AZLX-23-000310_sim0.959071
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not have the nfs-utils package installed.
+ rules:
+ - package_nfs-utils_removed
+ status: automated
+
+- id: AZLX-23-000315_sim0.947496
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not have the telnet-server package installed.
+ rules:
+ - package_telnet-server_removed
+ status: automated
+
+- id: AZLX-23-000320_sim0.882558
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not have the gssproxy package installed.
+ rules:
+ - package_gssproxy_removed
+ status: automated
+
+- id: AZLX-23-001000_sim0.968209
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the sudo package installed.
+ rules:
+ - package_sudo_installed
+ status: automated
+
+- id: AZLX-23-001005_sim0.993487
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not be configured to bypass password
+ requirements for privilege escalation.
+ rules:
+ - disallow_bypass_password_sudo
+ status: automated
+
+- id: AZLX-23-001010_sim0.954751
+ levels:
+ - medium
+ title: Amazon Linux 2023 must require reauthentication when using the "sudo"
+ command.
+ rules:
+ - sudo_require_reauthentication
+ - var_sudo_timestamp_timeout=always_prompt
+ status: automated
+
+- id: AZLX-23-001015_sim0.997673
+ levels:
+ - medium
+ title: Amazon Linux 2023 must require users to reauthenticate for privilege
+ escalation.
+ rules:
+ - sudo_remove_no_authenticate
+ status: automated
+
+- id: AZLX-23-001020_sim0.997772
+ levels:
+ - medium
+ title: Amazon Linux 2023 must require users to provide a password for
+ privilege escalation.
+ rules:
+ - sudo_remove_nopasswd
+ status: automated
+
+- id: AZLX-23-001025_sim0.690237
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the audit package installed.
+ rules:
+ - package_audit_installed
+ status: automated
+
+- id: AZLX-23-001030_sim0.513370
+ levels:
+ - medium
+ title: Amazon Linux 2023 must produce audit records containing information to
+ establish what type of events occurred.
+ rules:
+ - service_auditd_enabled
+ status: automated
+
+- id: AZLX-23-001035_sim0.987871
+ levels:
+ - medium
+ title: Amazon Linux 2023 audispd-plugins package must be installed.
+ rules:
+ - package_audispd-plugins_installed
+ status: automated
+
+- id: AZLX-23-001040_sim0.752883
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the rsyslog package installed.
+ rules:
+ - service_rsyslog_enabled
+ status: automated
+
+- id: AZLX-23-001045_sim0.882448
+ levels:
+ - medium
+ title: Amazon Linux 2023 must monitor remote access methods.
+ rules:
+ - rsyslog_remote_access_monitoring
+ status: automated
+
+- id: AZLX-23-001050_sim0.976132
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the chrony package installed.
+ rules:
+ - package_chrony_installed
+ status: automated
+
+- id: AZLX-23-001055_sim0.851317
+ levels:
+ - medium
+ title: Amazon Linux 2023 chronyd service must be enabled.
+ rules:
+ - service_chronyd_enabled
+ status: automated
+
+- id: AZLX-23-001060_sim0.957395
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the Advanced Intrusion Detection
+ Environment (AIDE) package installed.
+ rules:
+ - package_aide_installed
+ - aide_build_database
+ status: automated
+
+- id: AZLX-23-001065
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must routinely check the baseline configuration for
+ unauthorized changes and notify the system administrator when anomalies in
+ the operation of any security functions are discovered.
+ rules: []
+ status: pending
+- id: AZLX-23-001070_sim0.989618
+ levels:
+ - medium
+ title: Amazon Linux 2023 must use cryptographic mechanisms to protect the
+ integrity of audit tools.
+ rules:
+ - aide_check_audit_tools
+ status: automated
+
+- id: AZLX-23-001075_sim0.883185
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the firewalld package installed.
+ rules:
+ - package_firewalld_installed
+ status: automated
+
+- id: AZLX-23-001080_sim0.954808
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the firewalld servicew active.
+ rules:
+ - service_firewalld_enabled
+ status: automated
+
+- id: AZLX-23-001085_sim0.666906
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be configured to disable nonessential
+ capabilities.
+ rules:
+ - firewalld_sshd_port_enabled
+ status: automated
+
+- id: AZLX-23-001090_sim0.871564
+ levels:
+ - medium
+ title: Amazon Linux 2023 must manage excess capacity, bandwidth, or other
+ redundancy to limit the effects of information flooding types of
+ denial-of-service (DoS) attacks.
+ rules:
+ - firewalld-backend
+ status: automated
+
+- id: AZLX-23-001095_sim0.988265
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the s-nail package installed.
+ rules:
+ - package_s-nail_installed
+ status: automated
+
+- id: AZLX-23-001105_sim0.914648
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the libreswan package installed.
+ rules:
+ - package_libreswan_installed
+ status: automated
+
+- id: AZLX-23-001110_sim0.988265
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the policycoreutils package installed.
+ rules:
+ - package_policycoreutils_installed
+ status: automated
+
+- id: AZLX-23-001115_sim0.993185
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the pcsc-lite package installed.
+ rules:
+ - package_pcsc-lite_installed
+ status: automated
+
+- id: AZLX-23-001120
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must have the packages required for encrypting
+ off-loaded audit logs installed.
+ rules: []
+ status: pending
+- id: AZLX-23-001125_sim0.988265
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the opensc package installed.
+ rules:
+ - package_opensc_installed
+ status: automated
+
+- id: AZLX-23-001130_sim0.991992
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the openssl-pkcs11 package installed.
+ rules:
+ - install_smartcard_packages
+ status: automated
+
+- id: AZLX-23-001180_sim0.989339
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have SSH installed.
+ rules:
+ - package_openssh-server_installed
+ status: automated
+
+- id: AZLX-23-001185_sim0.979225
+ levels:
+ - medium
+ title: Amazon Linux 2023 must implement SSH to protect the confidentiality and
+ integrity of transmitted and received information, as well as information
+ during preparation for transmission.
+ rules:
+ - service_sshd_enabled
+ status: automated
+
+- id: AZLX-23-001195
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must have the crypto-policies package installed.
+ rules: []
+ status: pending
+- id: AZLX-23-001200_sim0.810432
+ levels:
+ - medium
+ title: Amazon Linux 2023 SSH server must be configured to use systemwide
+ crypto policies.
+ rules:
+ - file_sshd_50_redhat_exists
+ - sshd_include_crypto_policy
+ status: automated
+
+- id: AZLX-23-001205_sim0.643222
+ levels:
+ - medium
+ title: Amazon Linux 2023 server must be configured to use only DOD-approved
+ encryption ciphers employing FIPS 140-2/140-3 validated cryptographic hash
+ algorithms to protect the confidentiality of SSH server connections.
+ status: pending
+
+- id: AZLX-23-001210
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 SSH server must be configured to use only Message
+ Authentication Codes (MACs) employing FIPS 140-2/140-3 validated
+ cryptographic hash algorithms to protect the confidentiality of SSH server
+ connections.
+ rules: []
+ status: pending
+- id: AZLX-23-001215_sim0.945668
+ levels:
+ - medium
+ title: Amazon Linux 2023 SSH daemon must not allow Generic Security Service
+ Application Program Interface (GSSAPI) authentication.
+ rules:
+ - sshd_disable_gssapi_auth
+ status: automated
+
+- id: AZLX-23-001220_sim0.953733
+ levels:
+ - medium
+ title: Amazon Linux 2023 SSH daemon must not allow Kerberos authentication.
+ rules:
+ - sshd_disable_kerb_auth
+ status: automated
+
+- id: AZLX-23-001225_sim0.979620
+ levels:
+ - medium
+ title: Amazon Linux 2023 must force a frequent session key renegotiation for
+ SSH connections to the server.
+ rules:
+ - sshd_rekey_limit
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ status: automated
+
+- id: AZLX-23-001230_sim0.825376
+ levels:
+ - medium
+ title: Amazon Linux 2023 SSHD must accept public key authentication.
+ rules:
+ - sshd_enable_pubkey_auth
+ status: automated
+
+- id: AZLX-23-001235_sim0.974264
+ levels:
+ - high
+ title: Amazon Linux 2023 SSHD must not allow blank passwords.
+ rules:
+ - sshd_disable_empty_passwords
+ status: automated
+
+- id: AZLX-23-001240_sim0.974105
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not permit direct logons to the root account
+ using remote access via SSH.
+ rules:
+ - sshd_disable_root_login
+ status: automated
+
+- id: AZLX-23-001245_sim0.956781
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be configured so that all network connections
+ associated with SSH traffic are terminated after 10 minutes of becoming
+ unresponsive.
+ rules:
+ - sshd_set_idle_timeout
+ - sshd_idle_timeout_value=10_minutes
+ status: automated
+
+- id: AZLX-23-001250_sim0.895645
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be configured so that all network connections
+ associated with SSH traffic terminate after becoming unresponsive.
+ rules:
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=1
+ status: automated
+
+- id: AZLX-23-001255_sim0.996412
+ levels:
+ - high
+ title: Amazon Linux 2023 must enable the Pluggable Authentication Module (PAM)
+ interface for SSHD.
+ rules:
+ - sshd_enable_pam
+ status: automated
+
+- id: AZLX-23-001260
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must implement DOD-approved encryption in the OpenSSL
+ package.
+ rules: []
+ status: pending
+- id: AZLX-23-001265
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must implement DOD-approved TLS encryption in the
+ OpenSSL package.
+ rules: []
+ status: pending
+- id: AZLX-23-001270
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant
+ systemwide cryptographic policy.
+ rules: []
+ status: pending
+- id: AZLX-23-001275_sim0.907372
+ levels:
+ - medium
+ title: Amazon Linux 2023 must implement DOD-approved encryption to protect the
+ confidentiality of remote access sessions.
+ rules:
+ - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+ - sshd_approved_ciphers=stig_rhel9
+ status: automated
+- id: AZLX-23-001280_sim0.959110
+ levels:
+ - high
+ title: Amazon Linux 2023 must enable FIPS mode.
+ rules:
+ - enable_fips_mode
+ - sysctl_crypto_fips_enabled
+ - var_system_crypto_policy=fips
+ - enable_dracut_fips_module
+ status: automated
+
+- id: AZLX-23-001285
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 crypto policy must not be overridden.
+ rules: []
+ status: pending
+- id: AZLX-23-001290_sim0.853753
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enable certificate-based smart card
+ authentication.
+ rules:
+ - sssd_enable_smartcards
+ status: automated
+
+- id: AZLX-23-001295_sim0.988786
+ levels:
+ - medium
+ title: Amazon Linux 2023 must map the authenticated identity to the user or
+ group account for PKI-based authentication.
+ rules:
+ - sssd_enable_certmap
+ status: automated
+
+- id: AZLX-23-001300_sim0.999596
+ levels:
+ - medium
+ title: Amazon Linux 2023 must implement certificate status checking for
+ multifactor authentication.
+ rules:
+ - sssd_certificate_verification
+ - var_sssd_certificate_verification_digest_function=sha512
+ status: automated
+
+- id: AZLX-23-001305_sim0.987544
+ levels:
+ - medium
+ title: Amazon Linux 2023 must prohibit the use of cached authenticators after
+ one day.
+ rules:
+ - sssd_offline_cred_expiration
+ status: automated
+
+- id: AZLX-23-001310
+ levels:
+ - id: medium
+ title: Amazon Linux 2023, for PKI-based authentication, must validate
+ certificates by constructing a certification path (which includes status
+ information) to an accepted trust anchor.
+ rules: []
+ status: pending
+- id: AZLX-23-001315_sim0.930405
+ levels:
+ - medium
+ title: Amazon Linux 2023, for PKI-based authentication, must enforce
+ authorized access to the corresponding private key.
+ rules:
+ - ssh_keys_passphrase_protected
+ status: automated
+
+- id: AZLX-23-002000_sim0.996877
+ levels:
+ - medium
+ title: Amazon Linux 2023 must display the Standard Mandatory DOD Notice and
+ Consent Banner before granting local or remote access to the system.
+ rules:
+ - banner_etc_issue
+ - login_banner_text=dod_banners
+ status: automated
+
+- id: AZLX-23-002005_sim0.988940
+ levels:
+ - medium
+ title: Amazon Linux 2023 must display the Standard Mandatory DOD Notice and
+ Consent Banner before granting local or remote access to the system via a
+ SSH logon.
+ rules:
+ - sshd_enable_warning_banner
+ status: automated
+
+- id: AZLX-23-002015_sim0.643038
+ levels:
+ - medium
+ title: Amazon Linux 2023 must allocate audit record storage capacity to store
+ at least one week's worth of audit records, when audit records are not
+ immediately sent to a central audit record storage facility.
+ rules:
+ - auditd_audispd_configure_sufficiently_large_partition
+ status: automated
+
+- id: AZLX-23-002020_sim0.850095
+ levels:
+ - low
+ title: Amazon Linux 2023 must use a separate file system for the system audit
+ data path.
+ rules:
+ - partition_for_var_log_audit
+ status: automated
+
+- id: AZLX-23-002025_sim0.852833
+ levels:
+ - medium
+ title: Amazon Linux 2023 must label all off-loaded audit logs before sending
+ them to the central log server.
+ rules:
+ - auditd_name_format
+ - var_auditd_name_format=stig
+ status: automated
+
+- id: AZLX-23-002030_sim0.811496
+ levels:
+ - medium
+ title: Amazon Linux 2023 must take appropriate action when the internal event
+ queue is full.
+ rules:
+ - auditd_overflow_action
+ status: automated
+
+- id: AZLX-23-002035_sim0.663485
+ levels:
+ - medium
+ title: Amazon Linux 2023 must take action when allocated audit record storage
+ volume reaches 75 percent of the repository maximum audit record storage
+ capacity.
+ rules:
+ - auditd_data_retention_space_left_percentage
+ - var_auditd_space_left_percentage=25pc
+ status: automated
+
+- id: AZLX-23-002040_sim0.997628
+ levels:
+ - medium
+ title: Amazon Linux 2023 must notify the system administrator (SA) and
+ information system security officer (ISSO) (at a minimum) when allocated
+ audit record storage volume 75 percent utilization.
+ rules:
+ - auditd_data_retention_space_left_action
+ - var_auditd_space_left_action=email
+ status: automated
+
+- id: AZLX-23-002045_sim0.997064
+ levels:
+ - medium
+ title: Amazon Linux 2023 must take action when allocated audit record storage
+ volume reaches 95 percent of the audit record storage capacity.
+ rules:
+ - auditd_data_retention_admin_space_left_percentage
+ - var_auditd_admin_space_left_percentage=5pc
+ status: automated
+
+- id: AZLX-23-002050_sim0.966963
+ levels:
+ - medium
+ title: Amazon Linux 2023 must take action when allocated audit record storage
+ volume reaches 95 percent of the repository maximum audit record storage
+ capacity.
+ rules:
+ - auditd_data_retention_admin_space_left_action
+ - var_auditd_admin_space_left_action=single
+ status: automated
+
+- id: AZLX-23-002055_sim0.937671
+ levels:
+ - medium
+ title: Amazon Linux 2023 must immediately notify the system administrator (SA)
+ and information system security officer (ISSO), at a minimum, of an audit
+ processing failure event.
+ rules:
+ - auditd_data_retention_action_mail_acct
+ - var_auditd_action_mail_acct=root
+ status: automated
+
+- id: AZLX-23-002060
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must be configured to off-load audit records onto a
+ different system from the system being audited via syslog.
+ rules: []
+ status: pending
+- id: AZLX-23-002065_sim0.955743
+ levels:
+ - medium
+ title: Amazon Linux 2023 must authenticate the remote logging server for
+ off-loading audit logs via rsyslog.
+ rules:
+ - rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+ status: automated
+
+- id: AZLX-23-002070_sim0.913767
+ levels:
+ - medium
+ title: Amazon Linux 2023 must encrypt the transfer of audit records off-loaded
+ onto a different system or media from the system being audited via rsyslog.
+ rules:
+ - rsyslog_encrypt_offload_actionsendstreamdrivermode
+ status: automated
+
+- id: AZLX-23-002075_sim0.836473
+ levels:
+ - medium
+ title: Amazon Linux 2023 must encrypt via the gtls driver the transfer of
+ audit records off-loaded onto a different system or media from the system
+ being audited via rsyslog.
+ rules:
+ - rsyslog_encrypt_offload_defaultnetstreamdriver
+ status: automated
+
+- id: AZLX-23-002080_sim0.290845
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be configured to off-load audit records onto a
+ different system from the system being audited via syslog.
+ rules:
+ - rsyslog_remote_loghost
+ status: automated
+
+- id: AZLX-23-002085_sim0.829481
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/sudoers.
+ rules:
+ - audit_rules_sudoers
+ status: automated
+
+- id: AZLX-23-002090
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/sudoers.d/ directory.
+ rules: []
+ status: pending
+- id: AZLX-23-002095_sim0.845575
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/group.
+ rules:
+ - audit_rules_usergroup_modification_group
+ status: automated
+
+- id: AZLX-23-002100_sim0.869651
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/gshadow.
+ rules:
+ - audit_rules_usergroup_modification_gshadow
+ status: automated
+
+- id: AZLX-23-002105_sim0.881490
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/opasswd.
+ rules:
+ - audit_rules_usergroup_modification_opasswd
+ status: automated
+
+- id: AZLX-23-002110_sim0.925449
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit uses of the "execve" system call.
+ rules:
+ - audit_rules_suid_privilege_function
+ status: automated
+
+- id: AZLX-23-002115_sim0.882113
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the chmod, fchmod, and
+ fchmodat system calls.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ status: automated
+
+- id: AZLX-23-002120_sim0.898967
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the chown, fchown, fchownat,
+ and lchown system calls.
+ rules:
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_lchown
+ status: automated
+
+- id: AZLX-23-002125_sim0.965485
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the setxattr, fsetxattr,
+ lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
+ rules:
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_lremovexattr
+ status: automated
+
+- id: AZLX-23-002130_sim0.965205
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the truncate, ftruncate,
+ creat, open, openat, and open_by_handle_at system calls.
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ status: automated
+
+- id: AZLX-23-002135_sim0.872869
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the init_module and
+ finit_module system calls.
+ rules:
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ status: automated
+
+- id: AZLX-23-002140_sim0.536035
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the create_module system call.
+ rules:
+ - audit_rules_execution_semanage
+ status: automated
+
+- id: AZLX-23-002145_sim0.873758
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the kmod command.
+ rules:
+ - audit_rules_privileged_commands_kmod
+ status: automated
+
+- id: AZLX-23-002150_sim0.918115
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the rename, unlink, rmdir,
+ renameat, and unlinkat system calls.
+ rules:
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_unlinkat
+ status: automated
+
+- id: AZLX-23-002155_sim0.872686
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the chcon command.
+ rules:
+ - audit_rules_execution_chcon
+ status: automated
+
+- id: AZLX-23-002160_sim0.859427
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /var/log/faillock.
+ rules:
+ - audit_rules_login_events_faillock
+ status: automated
+
+- id: AZLX-23-002165_sim0.871344
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /var/log/lastlog.
+ rules:
+ - audit_rules_login_events_lastlog
+ status: automated
+
+- id: AZLX-23-002175_sim0.877607
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the init command.
+ rules:
+ - audit_privileged_commands_init
+ status: automated
+
+- id: AZLX-23-002180_sim0.862273
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the reboot command.
+ rules:
+ - audit_privileged_commands_reboot
+ status: automated
+
+- id: AZLX-23-002185_sim0.883750
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the shutdown command.
+ rules:
+ - audit_privileged_commands_shutdown
+ status: automated
+
+- id: AZLX-23-002190_sim0.997163
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit tools must have a mode of "0755" or less
+ permissive.
+ rules:
+ - file_audit_tools_permissions
+ status: automated
+
+- id: AZLX-23-002195_sim0.995583
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit tools must be owned by root.
+ rules:
+ - file_audit_tools_ownership
+ status: automated
+
+- id: AZLX-23-002200_sim0.996173
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit tools must be group-owned by root.
+ rules:
+ - file_audit_tools_group_ownership
+ status: automated
+
+- id: AZLX-23-002205
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/passwd.
+ rules: []
+ status: pending
+- id: AZLX-23-002210_sim0.837555
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all successful/unsuccessful uses of the
+ chage command.
+ rules:
+ - audit_rules_privileged_commands_chage
+ status: automated
+
+- id: AZLX-23-002215
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must alert the information system security officer
+ (ISSO) and system administrator (SA), at a minimum, in the event of an audit
+ processing failure.
+ rules: []
+ status: pending
+- id: AZLX-23-002220_sim0.752220
+ levels:
+ - medium
+ title: Amazon Linux 2023 must off-load audit records onto a different system
+ in the event the audit storage volume is full.
+ rules:
+ - auditd_data_disk_full_action_stig
+ - var_auditd_disk_full_action=halt
+ status: automated
+
+- id: AZLX-23-002225
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 audit logs must be group-owned by root or by a
+ restricted logging group to prevent unauthorized read access.
+ rules: []
+ status: pending
+- id: AZLX-23-002230
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 audit log directory must be owned by root to prevent
+ unauthorized read access.
+ rules: []
+ status: pending
+- id: AZLX-23-002235
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 audit logs file must have mode "0600" or less
+ permissive to prevent unauthorized access to the audit log.
+ rules: []
+ status: pending
+- id: AZLX-23-002240_sim0.983933
+ levels:
+ - medium
+ title: Amazon Linux 2023 must allow only the information system security
+ manager (ISSM) (or individuals or roles appointed by the ISSM) to select
+ which auditable events are to be audited.
+ rules:
+ - file_permissions_audit_configuration
+ status: automated
+
+- id: AZLX-23-002245_sim0.787313
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the sudo command.
+ rules:
+ - audit_rules_privileged_commands_sudo
+ status: automated
+
+- id: AZLX-23-002250_sim0.858405
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/passwd.
+ rules:
+ - audit_rules_usergroup_modification_passwd
+ status: automated
+
+- id: AZLX-23-002255_sim0.869651
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/shadow.
+ rules:
+ - audit_rules_usergroup_modification_shadow
+ status: automated
+
+- id: AZLX-23-002260_sim0.837474
+ levels:
+ - medium
+ title: Amazon Linux 2023 must produce audit records containing information to
+ establish the identity of any individual or process associated with the
+ event.
+ rules:
+ - auditd_log_format
+ status: automated
+
+- id: AZLX-23-002265_sim0.997440
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit logs must be group-owned by root or by a
+ restricted logging group to prevent unauthorized read access.
+ rules:
+ - directory_group_ownership_var_log_audit
+ status: automated
+
+- id: AZLX-23-002270_sim0.938413
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the audit log directory be owned by root
+ to prevent unauthorized read access.
+ rules:
+ - directory_ownership_var_log_audit
+ status: automated
+
+- id: AZLX-23-002275_sim0.954897
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit logs file must have mode "0600" or less
+ permissive to prevent unauthorized access to the audit log.
+ rules:
+ - file_permissions_var_log_audit
+ status: automated
+
+- id: AZLX-23-002280_sim0.955920
+ levels:
+ - medium
+ title: Amazon Linux 2023 library directories must be group-owned by root or a
+ system account.
+ rules:
+ - dir_group_ownership_library_dirs
+ status: automated
+
+- id: AZLX-23-002285_sim0.961484
+ levels:
+ - medium
+ title: Amazon Linux 2023 library directories must have mode "755" or less
+ permissive.
+ rules:
+ - dir_permissions_library_dirs
+ status: automated
+
+- id: AZLX-23-002290_sim0.995472
+ levels:
+ - medium
+ title: Amazon Linux 2023 library files must have mode "755" or less
+ permissive.
+ rules:
+ - file_permissions_library_dirs
+ status: automated
+
+- id: AZLX-23-002295_sim0.949083
+ levels:
+ - medium
+ title: Amazon Linux 2023 library files must be owned by root.
+ rules:
+ - file_ownership_library_dirs
+ status: automated
+
+- id: AZLX-23-002300_sim0.950613
+ levels:
+ - medium
+ title: Amazon Linux 2023 library files must be group-owned by root or a system
+ account.
+ rules:
+ - root_permissions_syslibrary_files
+ status: automated
+
+- id: AZLX-23-002305_sim0.954705
+ levels:
+ - medium
+ title: Amazon Linux 2023 library directories must be owned by root.
+ rules:
+ - dir_ownership_library_dirs
+ status: automated
+
+- id: AZLX-23-002315_sim0.994130
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the /var/log directory have mode "0755"
+ or less permissive.
+ rules:
+ - file_permissions_var_log
+ status: automated
+
+- id: AZLX-23-002320_sim0.848580
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the /var/log directory be owned by root.
+ rules:
+ - file_owner_var_log
+ status: automated
+
+- id: AZLX-23-002325_sim0.836401
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the /var/log directory be group-owned by
+ root.
+ rules:
+ - file_groupowner_var_log
+ status: automated
+
+- id: AZLX-23-002330_sim0.969470
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the /var/log/messages file have mode
+ "0640" or less permissive.
+ rules:
+ - file_permissions_var_log_messages
+ status: automated
+
+- id: AZLX-23-002335_sim0.878625
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the /var/log/messages file be group-owned
+ by root.
+ rules:
+ - file_groupowner_var_log_messages
+ status: automated
+
+- id: AZLX-23-002340_sim0.872212
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the /var/log/messages file be owned by
+ root.
+ rules:
+ - file_owner_var_log_messages
+ status: automated
+
+- id: AZLX-23-002345_sim0.991798
+ levels:
+ - medium
+ title: Amazon Linux 2023 system commands must be owned by root.
+ rules:
+ - file_ownership_binary_dirs
+ status: automated
+
+- id: AZLX-23-002350_sim0.993214
+ levels:
+ - medium
+ title: Amazon Linux 2023 system commands must be group-owned by root or a
+ system account.
+ rules:
+ - file_groupownership_system_commands_dirs
+ status: automated
+
+- id: AZLX-23-002355_sim0.848555
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce password complexity by requiring that at
+ least one uppercase character be used.
+ rules:
+ - accounts_password_pam_ucredit
+ - var_password_pam_ucredit=1
+ status: automated
+
+- id: AZLX-23-002360_sim0.848555
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce password complexity by requiring that at
+ least one lowercase character be used.
+ rules:
+ - accounts_password_pam_lcredit
+ - var_password_pam_lcredit=1
+ status: automated
+
+- id: AZLX-23-002365_sim0.848555
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce password complexity by requiring that at
+ least one numeric character be used.
+ rules:
+ - accounts_password_pam_dcredit
+ - var_password_pam_dcredit=1
+ status: automated
+
+- id: AZLX-23-002370_sim0.763604
+ levels:
+ - medium
+ title: Amazon Linux 2023 must require the change of at least 50 percent of the
+ total number of characters when passwords are changed.
+ rules:
+ - accounts_password_pam_difok
+ - var_password_pam_difok=8
+ status: automated
+
+- id: AZLX-23-002375_sim0.805823
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce a minimum 15-character password length.
+ rules:
+ - accounts_password_pam_minlen
+ - var_password_pam_minlen=15
+ status: automated
+
+- id: AZLX-23-002380_sim0.859753
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce password complexity by requiring that at
+ least one special character be used.
+ rules:
+ - accounts_password_pam_ocredit
+ - var_password_pam_ocredit=1
+ status: automated
+
+- id: AZLX-23-002385_sim0.871215
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce password complexity rules for the root
+ account.
+ rules:
+ - accounts_password_pam_enforce_root
+ status: automated
+
+- id: AZLX-23-002390_sim0.996244
+ levels:
+ - medium
+ title: Amazon Linux 2023 must prevent the use of dictionary words for
+ passwords.
+ rules:
+ - accounts_password_pam_dictcheck
+ - var_password_pam_dictcheck=1
+ status: automated
+
+- id: AZLX-23-002395_sim0.997108
+ levels:
+ - low
+ title: Amazon Linux 2023 must limit the number of concurrent sessions to ten
+ for all accounts and/or account types.
+ rules:
+ - accounts_max_concurrent_login_sessions
+ - var_accounts_max_concurrent_login_sessions=10
+ status: automated
+
+- id: AZLX-23-002396_sim0.997038
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically exit interactive command shell
+ user sessions after 15 minutes of inactivity.
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=10_min
+ status: automated
+
+- id: AZLX-23-002400_sim0.904758
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce 24 hours/1 day as the minimum password
+ lifetime.
+ rules:
+ - accounts_minimum_age_login_defs
+ status: automated
+
+- id: AZLX-23-002405_sim0.997022
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce a delay of at least four seconds between
+ logon prompts following a failed logon attempt.
+ rules:
+ - accounts_logon_fail_delay
+ - var_accounts_fail_delay=4
+ status: automated
+
+- id: AZLX-23-002410_sim0.997188
+ levels:
+ - medium
+ title: Amazon Linux 2023 must define default permissions for all authenticated
+ users in such a way that the user can only read and modify their own files.
+ rules:
+ - accounts_umask_etc_login_defs
+ status: automated
+
+- id: AZLX-23-002415
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must automatically remove or disable temporary user
+ accounts after 72 hours.
+ rules: []
+ status: pending
+- id: AZLX-23-002420
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must automatically lock an account when three
+ unsuccessful logon attempts occur.
+ rules: []
+ status: pending
+- id: AZLX-23-002425_sim0.917402
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be able to enforce a 60-day maximum password
+ lifetime restriction.
+ rules:
+ - accounts_password_set_max_life_existing
+ - var_accounts_maximum_age_login_defs=60
+ status: automated
+
+- id: AZLX-23-002430_sim0.998121
+ levels:
+ - medium
+ title: Amazon Linux 2023 must disable account identifiers (individuals,
+ groups, roles, and devices) after 35 days of inactivity.
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=35
+ status: automated
+
+- id: AZLX-23-002435_sim0.993610
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically expire temporary accounts within
+ 72 hours.
+ rules:
+ - account_temp_expire_date
+ status: automated
+
+- id: AZLX-23-002440_sim0.998923
+ levels:
+ - medium
+ title: Amazon Linux 2023 must restrict the use of the "su" command.
+ rules:
+ - use_pam_wheel_for_su
+ status: automated
+
+- id: AZLX-23-002445_sim0.959827
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enable the SELinux targeted policy.
+ rules:
+ - selinux_policytype
+ - var_selinux_policy_name=targeted
+ status: automated
+
+- id: AZLX-23-002450_sim0.995733
+ levels:
+ - high
+ title: Amazon Linux 2023 must use a Linux Security Module configured to
+ enforce limits on system services.
+ rules:
+ - selinux_state
+ - var_selinux_state=enforcing
+ status: automated
+
+- id: AZLX-23-002455_sim0.992839
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically lock an account when three
+ unsuccessful logon attempts occur.
+ rules:
+ - accounts_passwords_pam_faillock_deny
+ - var_accounts_passwords_pam_faillock_deny=3
+ status: automated
+
+- id: AZLX-23-002460_sim0.997304
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically lock the root account until the
+ root account is released by an administrator when three unsuccessful logon
+ attempts occur during a 15-minute time period.
+ rules:
+ - accounts_passwords_pam_faillock_deny_root
+ status: automated
+
+- id: AZLX-23-002465_sim0.706033
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically lock an account until the locked
+ account is released by an administrator when three unsuccessful logon
+ attempts in 15 minutes occur.
+ rules:
+ - accounts_passwords_pam_faillock_interval
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ status: automated
+
+- id: AZLX-23-002470_sim0.995651
+ levels:
+ - medium
+ title: Amazon Linux 2023 must maintain an account lock until the locked
+ account is released by an administrator.
+ rules:
+ - accounts_passwords_pam_faillock_unlock_time
+ - var_accounts_passwords_pam_faillock_unlock_time=never
+ status: automated
+
+- id: AZLX-23-002475_sim0.504679
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be configured to prohibit or restrict the use of
+ functions, ports, protocols, and/or services, as defined in the Ports,
+ Protocols, and Services Management Category Assurance List (PPSM CAL) and
+ vulnerability assessments.
+ rules:
+ - configured_firewalld_default_deny
+ status: automated
+
+- id: AZLX-23-002480_sim0.995759
+ levels:
+ - medium
+ title: Amazon Linux 2023 must insure all interactive users have a primary
+ group that exists.
+ rules:
+ - gid_passwd_group_same
+ status: automated
+
+- id: AZLX-23-002485_sim0.887052
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure all interactive users have unique User
+ IDs (UIDs).
+ rules:
+ - account_unique_id
+ status: automated
+
+- id: AZLX-23-002489_sim0.995643
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the password complexity module is enabled
+ in the password-auth file.
+ rules:
+ - accounts_password_pam_pwquality_password_auth
+ status: automated
+
+- id: AZLX-23-002490_sim0.834417
+ levels:
+ - medium
+ title: Amazon Linux 2023 password-auth must be configured to use a sufficient
+ number of hashing rounds.
+ rules:
+ - accounts_password_pam_unix_rounds_password_auth
+ - var_password_pam_unix_rounds=100000
+ status: automated
+
+- id: AZLX-23-002495_sim0.825932
+ levels:
+ - medium
+ title: Amazon Linux 2023 system-auth must be configured to use a sufficient
+ number of hashing rounds.
+ rules:
+ - accounts_password_pam_unix_rounds_system_auth
+ status: automated
+
+- id: AZLX-23-002500_sim0.852338
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure a sticky bit be set on all public
+ directories.
+ rules:
+ - dir_perms_world_writable_sticky_bits
+ status: automated
+
+- id: AZLX-23-002505_sim0.775069
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure all world-writable directories be owned
+ by root, sys, bin, or an application user.
+ rules:
+ - dir_perms_world_writable_root_owned
+ status: automated
+
+- id: AZLX-23-002510_sim0.998269
+ levels:
+ - medium
+ title: Amazon Linux 2023 must terminate idle user sessions.
+ rules:
+ - logind_session_timeout
+ - var_logind_session_timeout=15_minutes
+ status: automated
+
+- id: AZLX-23-002515_sim0.928578
+ levels:
+ - low
+ title: Amazon Linux 2023 must enable auditing of processes that start prior to
+ the audit daemon.
+ rules:
+ - grub2_audit_argument
+ status: automated
+
+- id: AZLX-23-002520_sim0.996238
+ levels:
+ - low
+ title: Amazon Linux 2023 must allocate an audit_backlog_limit of sufficient
+ size to capture processes that start prior to the audit daemon.
+ rules:
+ - grub2_audit_backlog_limit_argument
+ status: automated
+
+- id: AZLX-23-002535_sim0.995059
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enable discretionary access control on
+ hardlinks.
+ rules:
+ - sysctl_fs_protected_hardlinks
+ status: automated
+
+- id: AZLX-23-002540_sim0.995059
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enable kernel parameters to enforce
+ discretionary access control on symlinks.
+ rules:
+ - sysctl_fs_protected_symlinks
+ status: automated
+
+- id: AZLX-23-002555_sim0.998079
+ levels:
+ - medium
+ title: Amazon Linux 2023 debug-shell systemd service must be disabled.
+ status: automated
+ rules:
+ - service_debug-shell_disabled
+
+- id: AZLX-23-002560
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 chrony must be configured with a maximum interval of
+ 24 hours between requests sent to a USNO server or a time server designated
+ for the appropriate DOD network.
+ rules: []
+ status: pending
+- id: AZLX-23-002565_sim0.972974
+ levels:
+ - medium
+ title: Amazon Linux 2023 must synchronize internal information system clocks
+ to the authoritative time source at least every 24 hours.
+ rules:
+ - chronyd_or_ntpd_set_maxpoll
+ - chronyd_server_directive
+ - chronyd_specify_remote_server
+ - var_multiple_time_servers=stig
+ - var_time_service_set_maxpoll=18_hours
+ status: automated
+
+- id: AZLX-23-002570_sim0.979111
+ levels:
+ - medium
+ title: Amazon Linux 2023 must routinely check the baseline configuration for
+ unauthorized changes and notify the system administrator when anomalies in
+ the operation of any security functions are discovered.
+ rules:
+ - aide_periodic_cron_checking
+ - aide_scan_notification
+ status: automated
+
+- id: AZLX-23-002575_sim0.844952
+ levels:
+ - medium
+ title: Amazon Linux 2023 must prevent the loading of a new kernel for later
+ execution.
+ rules:
+ - sysctl_kernel_kexec_load_disabled
+ status: automated
+
+- id: AZLX-23-002580_sim0.940204
+ levels:
+ - medium
+ title: Amazon Linux 2023 must prevent files with the setuid and setgid bit set
+ from being executed on the /boot/efi directory.
+ rules:
+ - mount_option_boot_efi_nosuid
+ status: automated
+
+- id: AZLX-23-002585_sim0.935211
+ levels:
+ - medium
+ title: Amazon Linux 2023 must mount /dev/shm with the nodev option.
+ rules:
+ - mount_option_dev_shm_nodev
+ status: automated
+
+- id: AZLX-23-002590_sim0.933059
+ levels:
+ - medium
+ title: Amazon Linux 2023 must mount /dev/shm with the nosuid option.
+ rules:
+ - mount_option_dev_shm_nosuid
+ status: automated
+
+- id: AZLX-23-002595_sim0.872759
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the pcscd service is active.
+ rules:
+ - service_pcscd_enabled
+ status: automated
+
+- id: AZLX-23-002600_sim0.995594
+ levels:
+ - medium
+ title: Amazon Linux 2023 file system automount function must be disabled
+ unless required.
+ rules:
+ - service_autofs_disabled
+ status: automated
+
+- id: AZLX-23-002605
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must protect against or limit the effects of
+ denial-of-service (DoS) attacks by ensuring rate-limiting measures are
+ configured on impacted network interfaces.
+ rules: []
+ status: pending
+- id: AZLX-23-002610
+ levels:
+ - id: medium
+ title: Amazon Linux 2023 must implement nonexecutable data to protect its
+ memory from unauthorized code execution.
+ rules: []
+ status: pending
+- id: AZLX-23-002615_sim0.829819
+ levels:
+ - low
+ title: Amazon Linux 2023 must remove all software components after updated
+ versions have been installed.
+ rules:
+ - clean_components_post_updating
+ status: automated
+
+- id: AZLX-23-002620_sim0.991594
+ levels:
+ - medium
+ title: Amazon Linux 2023 must configure the use of the pam_faillock.so module
+ in the /etc/pam.d/system-auth file.
+ rules:
+ - account_password_pam_faillock_system_auth
+ status: automated
+
+- id: AZLX-23-005000_sim0.825983
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit system must protect logon user identifiers
+ (UIDs) from unauthorized change.
+ rules:
+ - audit_rules_immutable_login_uids
+ status: automated
+
+- id: needed_rules
+ levels:
+ - medium
+ rules:
+ - enable_authselect
+ - var_authselect_profile=sssd
+
From bbb2c69e3f5a53890e3ce8cbd4b106a1d0b483f8 Mon Sep 17 00:00:00 2001
From: BordenCastle Admin <49888529+bordencastle@users.noreply.github.com> Date: Sat, 6 Sep 2025 11:45:23 -0400 Subject: [PATCH 2/7] Update stig_al2023.yml --- controls/stig_al2023.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/stig_al2023.yml b/controls/stig_al2023.yml index 8351b3697672..2e419730c61e 100644 --- a/controls/stig_al2023.yml +++ b/controls/stig_al2023.yml @@ -2,9 +2,9 @@ policy: 'Amazon Linux 2023 Security Technical Implementation Guide' title: 'Amazon Linux 2023 Security Technical Implementation Guide' id: stig_al2023 source: https://www.cyber.mil/stigs/downloads/ -version: V2R4 +version: V1R1 reference_type: stigid -product: rhel9 +product: al2023 levels: - id: high From a28d11c0dd987f7986fc38c3a528fd2e612d75e0 Mon Sep 17 00:00:00 2001 From: Jesse Borden Date: Sun, 7 Sep 2025 18:25:03 -0400 Subject: [PATCH 3/7] added working shell that works with build_product. Still pending review and validation of each control. --- controls/stig_al2023.yml | 50 ++++++++++++--------------- products/al2023/profiles/stig.profile | 21 +++++++++++ 2 files changed, 43 insertions(+), 28 deletions(-) create mode 100644 products/al2023/profiles/stig.profile diff --git a/controls/stig_al2023.yml b/controls/stig_al2023.yml index 2e419730c61e..e1e68413c7db 100644 --- a/controls/stig_al2023.yml +++ b/controls/stig_al2023.yml @@ -12,12 +12,6 @@ levels: - id: low controls: -- id: - levels: - - id: - title: - rules: [] - status: pending - id: AZLX-23-000100_sim0.886090 levels: - high @@ -30,7 +24,7 @@ controls: - id: AZLX-23-000110 levels: - - id: medium + - medium title: Amazon Linux 2023 must ensure cryptographic verification of vendor software packages. rules: [] 
@@ -284,7 +278,7 @@ controls: - id: AZLX-23-001065 levels: - - id: medium + - medium title: Amazon Linux 2023 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered. @@ -368,7 +362,7 @@ controls: - id: AZLX-23-001120 levels: - - id: medium + - medium title: Amazon Linux 2023 must have the packages required for encrypting off-loaded audit logs installed. rules: [] @@ -409,7 +403,7 @@ controls: - id: AZLX-23-001195 levels: - - id: medium + - medium title: Amazon Linux 2023 must have the crypto-policies package installed. rules: [] status: pending @@ -433,7 +427,7 @@ controls: - id: AZLX-23-001210 levels: - - id: medium + - medium title: Amazon Linux 2023 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server @@ -525,21 +519,21 @@ controls: - id: AZLX-23-001260 levels: - - id: medium + - medium title: Amazon Linux 2023 must implement DOD-approved encryption in the OpenSSL package. rules: [] status: pending - id: AZLX-23-001265 levels: - - id: medium + - medium title: Amazon Linux 2023 must implement DOD-approved TLS encryption in the OpenSSL package. rules: [] status: pending - id: AZLX-23-001270 levels: - - id: medium + - medium title: Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant systemwide cryptographic policy. rules: [] @@ -566,7 +560,7 @@ controls: - id: AZLX-23-001285 levels: - - id: medium + - medium title: Amazon Linux 2023 crypto policy must not be overridden. rules: [] status: pending @@ -609,7 +603,7 @@ controls: - id: AZLX-23-001310 levels: - - id: medium + - medium title: Amazon Linux 2023, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. 
@@ -738,7 +732,7 @@ controls: - id: AZLX-23-002060 levels: - - id: medium + - medium title: Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog. rules: [] @@ -792,7 +786,7 @@ controls: - id: AZLX-23-002090 levels: - - id: medium + - medium title: Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. @@ -1005,7 +999,7 @@ controls: - id: AZLX-23-002205 levels: - - id: medium + - medium title: Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. @@ -1022,7 +1016,7 @@ controls: - id: AZLX-23-002215 levels: - - id: medium + - medium title: Amazon Linux 2023 must alert the information system security officer (ISSO) and system administrator (SA), at a minimum, in the event of an audit processing failure. @@ -1040,21 +1034,21 @@ controls: - id: AZLX-23-002225 levels: - - id: medium + - medium title: Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. rules: [] status: pending - id: AZLX-23-002230 levels: - - id: medium + - medium title: Amazon Linux 2023 audit log directory must be owned by root to prevent unauthorized read access. rules: [] status: pending - id: AZLX-23-002235 levels: - - id: medium + - medium title: Amazon Linux 2023 audit logs file must have mode "0600" or less permissive to prevent unauthorized access to the audit log. rules: [] 
@@ -1384,14 +1378,14 @@ controls: - id: AZLX-23-002415 levels: - - id: medium + - medium title: Amazon Linux 2023 must automatically remove or disable temporary user accounts after 72 hours. rules: [] status: pending - id: AZLX-23-002420 levels: - - id: medium + - medium title: Amazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur. rules: [] @@ -1623,7 +1617,7 @@ controls: - id: AZLX-23-002560 levels: - - id: medium + - medium title: Amazon Linux 2023 chrony must be configured with a maximum interval of 24 hours between requests sent to a USNO server or a time server designated for the appropriate DOD network. @@ -1706,7 +1700,7 @@ controls: - id: AZLX-23-002605 levels: - - id: medium + - medium title: Amazon Linux 2023 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures are configured on impacted network interfaces. @@ -1714,7 +1708,7 @@ controls: status: pending - id: AZLX-23-002610 levels: - - id: medium + - medium title: Amazon Linux 2023 must implement nonexecutable data to protect its memory from unauthorized code execution. rules: [] diff --git a/products/al2023/profiles/stig.profile b/products/al2023/profiles/stig.profile new file mode 100644 index 000000000000..51db1225ff07 --- /dev/null +++ b/products/al2023/profiles/stig.profile @@ -0,0 +1,21 @@ +documentation_complete: true + +metadata: + version: 1.0.0 + SMEs: + - jesse.j.borden@gmail.com + +reference: https://public.cyber.mil/stigs/downloads/ + +title: 'DISA STIG for Amazon Linux 2023' + +description: |- + This profile contains configuration checks that align to the + DISA STIG (Security Technical Implementation Guide) for Amazon Linux 2023. + + DISA STIGs are the configuration standards for DOD IA and IA-enabled + devices/systems. The requirements are derived from the NIST 800-53 + and related documents. + +selections: + - stig_al2023:all \ No newline at end of file 
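Review bot: The new products/al2023/profiles/stig.profile ends without a trailing newline (`\ No newline at end of file`), and its `reference:` points at `https://public.cyber.mil/stigs/downloads/` while the controls file's `source:` in the earlier hunk uses `https://www.cyber.mil/stigs/downloads/`; one location should be adopted for both so the generated guide cites a single source. Adding a newline after `- stig_al2023:all` fixes the first point. The `SMEs:` entry is a personal mailbox rather than a project or upstream contact, which is worth confirming is intended before this profile ships.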
From a4c6bd027808ee5ff849402fe3ee04ea52a6e348 Mon Sep 17 00:00:00 2001 From: Eric-Domeier Date: Sun, 14 Dec 2025 11:28:36 -0500 Subject: [PATCH 4/7] Add the required cmake build, stig overlays, xccdf refence, transforms, first attempt --- Dockerfiles/test_suite-al2023 | 25 + controls/stig_al2023.yml | 340 +- products/al2023/CMakeLists.txt | 9 + products/al2023/overlays/srg_support.xml | 173 + products/al2023/profiles/stig.profile | 2 +- .../transforms/xccdf-apply-overlay-stig.xslt | 8 + .../xccdf2table-profileccirefs.xslt | 9 + .../disa-stig-al2023-v1r1-xccdf-manual.xml | 2972 +++++++++++++++++ 8 files changed, 3367 insertions(+), 171 deletions(-) create mode 100644 Dockerfiles/test_suite-al2023 create mode 100644 products/al2023/overlays/srg_support.xml create mode 100644 products/al2023/transforms/xccdf-apply-overlay-stig.xslt create mode 100644 products/al2023/transforms/xccdf2table-profileccirefs.xslt create mode 100755 shared/references/disa-stig-al2023-v1r1-xccdf-manual.xml diff --git a/Dockerfiles/test_suite-al2023 b/Dockerfiles/test_suite-al2023 new file mode 100644 index 000000000000..0f64554ec529 --- /dev/null +++ b/Dockerfiles/test_suite-al2023 
@@ -0,0 +1,25 @@ +# This Dockerfile is a minimal example for a RHEL-based SSG test suite target container. +FROM amazonlinux:2023 + +ENV AUTH_KEYS=/root/.ssh/authorized_keys + +ARG CLIENT_PUBLIC_KEY +ARG ADDITIONAL_PACKAGES + +# Install Python so Ansible remediations can work +# Don't clean all, as the test scenario may require package install. +RUN true \ + && dnf install -y openssh-clients openssh-server openscap-scanner \ + python \ + $ADDITIONAL_PACKAGES \ + && true + +RUN true \ + && for key_type in rsa ecdsa; do ssh-keygen -N '' -t $key_type -f /etc/ssh/ssh_host_${key_type}_key; done \ + && mkdir -p /root/.ssh \ + && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \ + && chmod og-rw /root/.ssh "$AUTH_KEYS" \ + && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \ +&& true + +RUN echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config diff --git a/controls/stig_al2023.yml b/controls/stig_al2023.yml index e1e68413c7db..f728d37363e8 100644 --- a/controls/stig_al2023.yml +++ b/controls/stig_al2023.yml @@ -12,7 +12,7 @@ levels: - id: low controls: -- id: AZLX-23-000100_sim0.886090 +- id: AZLX-23-000100 levels: - high title: Amazon Linux 2023 local disk partitions must implement cryptographic @@ -29,7 +29,7 @@ controls: software packages. rules: [] status: pending -- id: AZLX-23-000115_sim0.984378 +- id: AZLX-23-000115 levels: - high title: Amazon Linux 2023 must check the GPG signature of locally installed @@ -38,7 +38,7 @@ controls: - ensure_gpgcheck_local_packages status: automated -- id: AZLX-23-000120_sim0.988262 +- id: AZLX-23-000120 levels: - high title: Amazon Linux 2023 must check the GPG signature of software packages @@ -47,7 +47,7 @@ controls: - ensure_gpgcheck_globally_activated status: automated -- id: AZLX-23-000125_sim0.444188 +- id: AZLX-23-000125 levels: - high title: Amazon Linux 2023 must have GPG signature verification enabled for all 
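Review bot: The header comment in Dockerfiles/test_suite-al2023 still describes a RHEL-based container although the base image is `amazonlinux:2023`; change it to `# This Dockerfile is a minimal example for an Amazon Linux 2023 SSG test suite target container.` The `dnf install` line asks for a package literally named `python`; I would expect the AL2023 repositories to provide `python3` instead, and if `python` does not resolve the build stops at that layer, so please confirm the package name against the AL2023 repositories. Because the image also appends `PermitRootLogin yes` to sshd_config and deletes the pam_loginuid line from /etc/pam.d/sshd, a comment such as `# Test-suite target only: root SSH login is enabled so the harness can connect; do not reuse this image outside the test suite.` above the last RUN would make the intended scope explicit.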
@@ -56,7 +56,7 @@ controls: - ensure_gpgcheck_never_disabled status: automated -- id: AZLX-23-000130_sim0.806855 +- id: AZLX-23-000130 levels: - high title: Amazon Linux 2023 must be a vendor-supported release. @@ -64,7 +64,7 @@ controls: - installed_OS_is_vendor_supported status: automated -- id: AZLX-23-000135_sim0.975174 +- id: AZLX-23-000135 levels: - medium title: Amazon Linux 2023 systemd-journald service must be enabled. @@ -72,7 +72,7 @@ controls: - service_systemd-journald_enabled status: automated -- id: AZLX-23-000200_sim0.995375 +- id: AZLX-23-000200 levels: - medium title: Amazon Linux 2023 must restrict access to the kernel message buffer. @@ -80,7 +80,7 @@ controls: - sysctl_kernel_dmesg_restrict status: automated -- id: AZLX-23-000205_sim0.995352 +- id: AZLX-23-000205 levels: - medium title: Amazon Linux 2023 must prevent kernel profiling by nonprivileged users. @@ -88,7 +88,7 @@ controls: - sysctl_kernel_perf_event_paranoid status: automated -- id: AZLX-23-000210_sim0.795042 +- id: AZLX-23-000210 levels: - medium title: Amazon Linux 2023 must restrict exposed kernel pointer addresses @@ -97,7 +97,7 @@ controls: - sysctl_kernel_kptr_restrict status: automated -- id: AZLX-23-000215_sim0.969431 +- id: AZLX-23-000215 levels: - medium title: Amazon Linux 2023 must disable access to network bpf system call from @@ -106,7 +106,7 @@ controls: - sysctl_kernel_unprivileged_bpf_disabled status: automated -- id: AZLX-23-000220_sim0.996915 +- id: AZLX-23-000220 levels: - medium title: Amazon Linux 2023 must restrict usage of ptrace to descendant @@ -115,7 +115,7 @@ controls: - sysctl_kernel_yama_ptrace_scope status: automated -- id: AZLX-23-000225_sim0.646632 +- id: AZLX-23-000225 levels: - medium title: Amazon Linux 2023 must implement address space layout randomization 
@@ -124,7 +124,7 @@ controls: - sysctl_kernel_randomize_va_space status: automated -- id: AZLX-23-000300_sim0.810811 +- id: AZLX-23-000300 levels: - high title: Amazon Linux 2023 must not have the vsftpd package installed. @@ -132,7 +132,7 @@ controls: - package_vsftpd_removed status: automated -- id: AZLX-23-000305_sim0.932394 +- id: AZLX-23-000305 levels: - medium title: Amazon Linux 2023 must not have the sendmail package installed. @@ -140,7 +140,7 @@ controls: - package_sendmail_removed status: automated -- id: AZLX-23-000310_sim0.959071 +- id: AZLX-23-000310 levels: - medium title: Amazon Linux 2023 must not have the nfs-utils package installed. @@ -148,7 +148,7 @@ controls: - package_nfs-utils_removed status: automated -- id: AZLX-23-000315_sim0.947496 +- id: AZLX-23-000315 levels: - medium title: Amazon Linux 2023 must not have the telnet-server package installed. @@ -156,7 +156,7 @@ controls: - package_telnet-server_removed status: automated -- id: AZLX-23-000320_sim0.882558 +- id: AZLX-23-000320 levels: - medium title: Amazon Linux 2023 must not have the gssproxy package installed. @@ -164,7 +164,7 @@ controls: - package_gssproxy_removed status: automated -- id: AZLX-23-001000_sim0.968209 +- id: AZLX-23-001000 levels: - medium title: Amazon Linux 2023 must have the sudo package installed. @@ -172,7 +172,7 @@ controls: - package_sudo_installed status: automated -- id: AZLX-23-001005_sim0.993487 +- id: AZLX-23-001005 levels: - medium title: Amazon Linux 2023 must not be configured to bypass password @@ -181,7 +181,7 @@ controls: - disallow_bypass_password_sudo status: automated -- id: AZLX-23-001010_sim0.954751 +- id: AZLX-23-001010 levels: - medium title: Amazon Linux 2023 must require reauthentication when using the "sudo" 
@@ -191,7 +191,7 @@ controls: - var_sudo_timestamp_timeout=always_prompt status: automated -- id: AZLX-23-001015_sim0.997673 +- id: AZLX-23-001015 levels: - medium title: Amazon Linux 2023 must require users to reauthenticate for privilege @@ -200,7 +200,7 @@ controls: - sudo_remove_no_authenticate status: automated -- id: AZLX-23-001020_sim0.997772 +- id: AZLX-23-001020 levels: - medium title: Amazon Linux 2023 must require users to provide a password for @@ -209,7 +209,7 @@ controls: - sudo_remove_nopasswd status: automated -- id: AZLX-23-001025_sim0.690237 +- id: AZLX-23-001025 levels: - medium title: Amazon Linux 2023 must have the audit package installed. @@ -217,7 +217,7 @@ controls: - package_audit_installed status: automated -- id: AZLX-23-001030_sim0.513370 +- id: AZLX-23-001030 levels: - medium title: Amazon Linux 2023 must produce audit records containing information to @@ -226,7 +226,7 @@ controls: - service_auditd_enabled status: automated -- id: AZLX-23-001035_sim0.987871 +- id: AZLX-23-001035 levels: - medium title: Amazon Linux 2023 audispd-plugins package must be installed. @@ -234,7 +234,7 @@ controls: - package_audispd-plugins_installed status: automated -- id: AZLX-23-001040_sim0.752883 +- id: AZLX-23-001040 levels: - medium title: Amazon Linux 2023 must have the rsyslog package installed. @@ -242,7 +242,7 @@ controls: - service_rsyslog_enabled status: automated -- id: AZLX-23-001045_sim0.882448 +- id: AZLX-23-001045 levels: - medium title: Amazon Linux 2023 must monitor remote access methods. @@ -250,7 +250,7 @@ controls: - rsyslog_remote_access_monitoring status: automated -- id: AZLX-23-001050_sim0.976132 +- id: AZLX-23-001050 levels: - medium title: Amazon Linux 2023 must have the chrony package installed. @@ -258,7 +258,7 @@ controls: - package_chrony_installed status: automated -- id: AZLX-23-001055_sim0.851317 +- id: AZLX-23-001055 levels: - medium title: Amazon Linux 2023 chronyd service must be enabled. 
@@ -266,7 +266,7 @@ controls: - service_chronyd_enabled status: automated -- id: AZLX-23-001060_sim0.957395 +- id: AZLX-23-001060 levels: - medium title: Amazon Linux 2023 must have the Advanced Intrusion Detection @@ -284,7 +284,7 @@ controls: the operation of any security functions are discovered. rules: [] status: pending -- id: AZLX-23-001070_sim0.989618 +- id: AZLX-23-001070 levels: - medium title: Amazon Linux 2023 must use cryptographic mechanisms to protect the @@ -293,7 +293,7 @@ controls: - aide_check_audit_tools status: automated -- id: AZLX-23-001075_sim0.883185 +- id: AZLX-23-001075 levels: - medium title: Amazon Linux 2023 must have the firewalld package installed. @@ -301,7 +301,7 @@ controls: - package_firewalld_installed status: automated -- id: AZLX-23-001080_sim0.954808 +- id: AZLX-23-001080 levels: - medium title: Amazon Linux 2023 must have the firewalld servicew active. @@ -309,7 +309,7 @@ controls: - service_firewalld_enabled status: automated -- id: AZLX-23-001085_sim0.666906 +- id: AZLX-23-001085 levels: - medium title: Amazon Linux 2023 must be configured to disable nonessential @@ -318,7 +318,7 @@ controls: - firewalld_sshd_port_enabled status: automated -- id: AZLX-23-001090_sim0.871564 +- id: AZLX-23-001090 levels: - medium title: Amazon Linux 2023 must manage excess capacity, bandwidth, or other @@ -328,7 +328,7 @@ controls: - firewalld-backend status: automated -- id: AZLX-23-001095_sim0.988265 +- id: AZLX-23-001095 levels: - medium title: Amazon Linux 2023 must have the s-nail package installed. @@ -336,7 +336,7 @@ controls: - package_s-nail_installed status: automated -- id: AZLX-23-001105_sim0.914648 +- id: AZLX-23-001105 levels: - medium title: Amazon Linux 2023 must have the libreswan package installed. @@ -344,7 +344,7 @@ controls: - package_libreswan_installed status: automated -- id: AZLX-23-001110_sim0.988265 +- id: AZLX-23-001110 levels: - medium title: Amazon Linux 2023 must have the policycoreutils package installed. 
@@ -352,7 +352,7 @@ controls:
   - package_policycoreutils_installed
   status: automated
 
-- id: AZLX-23-001115_sim0.993185
+- id: AZLX-23-001115
   levels:
   - medium
   title: Amazon Linux 2023 must have the pcsc-lite package installed.
@@ -367,7 +367,7 @@ controls:
     off-loaded audit logs installed.
   rules: []
   status: pending
-- id: AZLX-23-001125_sim0.988265
+- id: AZLX-23-001125
   levels:
   - medium
   title: Amazon Linux 2023 must have the opensc package installed.
@@ -375,7 +375,7 @@ controls:
   - package_opensc_installed
   status: automated
 
-- id: AZLX-23-001130_sim0.991992
+- id: AZLX-23-001130
   levels:
   - medium
   title: Amazon Linux 2023 must have the openssl-pkcs11 package installed.
@@ -383,7 +383,7 @@ controls:
   - install_smartcard_packages
   status: automated
 
-- id: AZLX-23-001180_sim0.989339
+- id: AZLX-23-001180
   levels:
   - medium
   title: Amazon Linux 2023 must have SSH installed.
@@ -391,7 +391,7 @@ controls:
   - package_openssh-server_installed
   status: automated
 
-- id: AZLX-23-001185_sim0.979225
+- id: AZLX-23-001185
   levels:
   - medium
   title: Amazon Linux 2023 must implement SSH to protect the confidentiality and
@@ -407,7 +407,7 @@ controls:
   title: Amazon Linux 2023 must have the crypto-policies package installed.
   rules: []
   status: pending
-- id: AZLX-23-001200_sim0.810432
+- id: AZLX-23-001200
   levels:
   - medium
   title: Amazon Linux 2023 SSH server must be configured to use systemwide
@@ -417,7 +417,7 @@ controls:
   - sshd_include_crypto_policy
   status: automated
 
-- id: AZLX-23-001205_sim0.643222
+- id: AZLX-23-001205
   levels:
   - medium
   title: Amazon Linux 2023 server must be configured to use only DOD-approved
@@ -434,7 +434,7 @@ controls:
     connections.
   rules: []
   status: pending
-- id: AZLX-23-001215_sim0.945668
+- id: AZLX-23-001215
   levels:
   - medium
   title: Amazon Linux 2023 SSH daemon must not allow Generic Security Service
@@ -443,7 +443,7 @@ controls:
   - sshd_disable_gssapi_auth
   status: automated
 
-- id: AZLX-23-001220_sim0.953733
+- id: AZLX-23-001220
   levels:
   - medium
   title: Amazon Linux 2023 SSH daemon must not allow Kerberos authentication.
@@ -451,7 +451,7 @@ controls:
   - sshd_disable_kerb_auth
   status: automated
 
-- id: AZLX-23-001225_sim0.979620
+- id: AZLX-23-001225
   levels:
   - medium
   title: Amazon Linux 2023 must force a frequent session key renegotiation for
@@ -462,7 +462,7 @@ controls:
   - var_rekey_limit_time=1hour
   status: automated
 
-- id: AZLX-23-001230_sim0.825376
+- id: AZLX-23-001230
   levels:
   - medium
   title: Amazon Linux 2023 SSHD must accept public key authentication.
@@ -470,7 +470,7 @@ controls:
   - sshd_enable_pubkey_auth
   status: automated
 
-- id: AZLX-23-001235_sim0.974264
+- id: AZLX-23-001235
   levels:
   - high
   title: Amazon Linux 2023 SSHD must not allow blank passwords.
@@ -478,7 +478,7 @@ controls:
   - sshd_disable_empty_passwords
   status: automated
 
-- id: AZLX-23-001240_sim0.974105
+- id: AZLX-23-001240
   levels:
   - medium
   title: Amazon Linux 2023 must not permit direct logons to the root account
@@ -487,7 +487,7 @@ controls:
   - sshd_disable_root_login
   status: automated
 
-- id: AZLX-23-001245_sim0.956781
+- id: AZLX-23-001245
   levels:
   - medium
   title: Amazon Linux 2023 must be configured so that all network connections
@@ -498,7 +498,7 @@ controls:
   - sshd_idle_timeout_value=10_minutes
   status: automated
 
-- id: AZLX-23-001250_sim0.895645
+- id: AZLX-23-001250
   levels:
   - medium
   title: Amazon Linux 2023 must be configured so that all network connections
@@ -508,7 +508,7 @@ controls:
   - var_sshd_set_keepalive=1
   status: automated
 
-- id: AZLX-23-001255_sim0.996412
+- id: AZLX-23-001255
   levels:
   - high
   title: Amazon Linux 2023 must enable the Pluggable Authentication Module (PAM)
@@ -538,7 +538,7 @@ controls:
     systemwide cryptographic policy.
   rules: []
   status: pending
-- id: AZLX-23-001275_sim0.907372
+- id: AZLX-23-001275
   levels:
   - medium
   title: Amazon Linux 2023 must implement DOD-approved encryption to protect the
@@ -547,7 +547,7 @@ controls:
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - sshd_approved_ciphers=stig_rhel9
   status: automated
-- id: AZLX-23-001280_sim0.959110
+- id: AZLX-23-001280
   levels:
   - high
   title: Amazon Linux 2023 must enable FIPS mode.
@@ -564,7 +564,7 @@ controls:
   title: Amazon Linux 2023 crypto policy must not be overridden.
   rules: []
   status: pending
-- id: AZLX-23-001290_sim0.853753
+- id: AZLX-23-001290
   levels:
   - medium
   title: Amazon Linux 2023 must enable certificate-based smart card
@@ -573,7 +573,7 @@ controls:
   - sssd_enable_smartcards
   status: automated
 
-- id: AZLX-23-001295_sim0.988786
+- id: AZLX-23-001295
   levels:
   - medium
   title: Amazon Linux 2023 must map the authenticated identity to the user or
@@ -582,7 +582,7 @@ controls:
   - sssd_enable_certmap
   status: automated
 
-- id: AZLX-23-001300_sim0.999596
+- id: AZLX-23-001300
   levels:
   - medium
   title: Amazon Linux 2023 must implement certificate status checking for
@@ -592,7 +592,7 @@ controls:
   - var_sssd_certificate_verification_digest_function=sha512
   status: automated
 
-- id: AZLX-23-001305_sim0.987544
+- id: AZLX-23-001305
   levels:
   - medium
   title: Amazon Linux 2023 must prohibit the use of cached authenticators after
@@ -609,7 +609,7 @@ controls:
     information) to an accepted trust anchor.
   rules: []
   status: pending
-- id: AZLX-23-001315_sim0.930405
+- id: AZLX-23-001315
   levels:
   - medium
   title: Amazon Linux 2023, for PKI-based authentication, must enforce
@@ -618,7 +618,7 @@ controls:
   - ssh_keys_passphrase_protected
   status: automated
 
-- id: AZLX-23-002000_sim0.996877
+- id: AZLX-23-002000
   levels:
   - medium
   title: Amazon Linux 2023 must display the Standard Mandatory DOD Notice and
@@ -628,7 +628,7 @@ controls:
   - login_banner_text=dod_banners
   status: automated
 
-- id: AZLX-23-002005_sim0.988940
+- id: AZLX-23-002005
   levels:
   - medium
   title: Amazon Linux 2023 must display the Standard Mandatory DOD Notice and
@@ -638,7 +638,7 @@ controls:
   - sshd_enable_warning_banner
   status: automated
 
-- id: AZLX-23-002015_sim0.643038
+- id: AZLX-23-002015
   levels:
   - medium
   title: Amazon Linux 2023 must allocate audit record storage capacity to store
@@ -648,7 +648,7 @@ controls:
   - auditd_audispd_configure_sufficiently_large_partition
   status: automated
 
-- id: AZLX-23-002020_sim0.850095
+- id: AZLX-23-002020
   levels:
   - low
   title: Amazon Linux 2023 must use a separate file system for the system audit
@@ -657,7 +657,7 @@ controls:
   - partition_for_var_log_audit
   status: automated
 
-- id: AZLX-23-002025_sim0.852833
+- id: AZLX-23-002025
   levels:
   - medium
   title: Amazon Linux 2023 must label all off-loaded audit logs before sending
@@ -667,7 +667,7 @@ controls:
   - var_auditd_name_format=stig
   status: automated
 
-- id: AZLX-23-002030_sim0.811496
+- id: AZLX-23-002030
   levels:
   - medium
   title: Amazon Linux 2023 must take appropriate action when the internal event
@@ -676,7 +676,7 @@ controls:
   - auditd_overflow_action
   status: automated
 
-- id: AZLX-23-002035_sim0.663485
+- id: AZLX-23-002035
   levels:
   - medium
   title: Amazon Linux 2023 must take action when allocated audit record storage
@@ -687,7 +687,7 @@ controls:
   - var_auditd_space_left_percentage=25pc
   status: automated
 
-- id: AZLX-23-002040_sim0.997628
+- id: AZLX-23-002040
   levels:
   - medium
   title: Amazon Linux 2023 must notify the system administrator (SA) and
@@ -698,7 +698,7 @@ controls:
   - var_auditd_space_left_action=email
   status: automated
 
-- id: AZLX-23-002045_sim0.997064
+- id: AZLX-23-002045
   levels:
   - medium
   title: Amazon Linux 2023 must take action when allocated audit record storage
@@ -708,7 +708,7 @@ controls:
   - var_auditd_admin_space_left_percentage=5pc
   status: automated
 
-- id: AZLX-23-002050_sim0.966963
+- id: AZLX-23-002050
   levels:
   - medium
   title: Amazon Linux 2023 must take action when allocated audit record storage
@@ -719,7 +719,7 @@ controls:
   - var_auditd_admin_space_left_action=single
   status: automated
 
-- id: AZLX-23-002055_sim0.937671
+- id: AZLX-23-002055
   levels:
   - medium
   title: Amazon Linux 2023 must immediately notify the system administrator (SA)
@@ -737,7 +737,7 @@ controls:
     different system from the system being audited via syslog.
   rules: []
   status: pending
-- id: AZLX-23-002065_sim0.955743
+- id: AZLX-23-002065
   levels:
   - medium
   title: Amazon Linux 2023 must authenticate the remote logging server for
@@ -746,7 +746,7 @@ controls:
   - rsyslog_encrypt_offload_actionsendstreamdriverauthmode
   status: automated
 
-- id: AZLX-23-002070_sim0.913767
+- id: AZLX-23-002070
   levels:
   - medium
   title: Amazon Linux 2023 must encrypt the transfer of audit records off-loaded
@@ -755,7 +755,7 @@ controls:
   - rsyslog_encrypt_offload_actionsendstreamdrivermode
   status: automated
 
-- id: AZLX-23-002075_sim0.836473
+- id: AZLX-23-002075
   levels:
   - medium
   title: Amazon Linux 2023 must encrypt via the gtls driver the transfer of
@@ -765,7 +765,7 @@ controls:
   - rsyslog_encrypt_offload_defaultnetstreamdriver
   status: automated
 
-- id: AZLX-23-002080_sim0.290845
+- id: AZLX-23-002080
   levels:
   - medium
   title: Amazon Linux 2023 must be configured to off-load audit records onto a
@@ -774,7 +774,7 @@ controls:
   - rsyslog_remote_loghost
   status: automated
 
-- id: AZLX-23-002085_sim0.829481
+- id: AZLX-23-002085
   levels:
   - medium
   title: Amazon Linux 2023 must generate audit records for all account
@@ -792,7 +792,7 @@ controls:
     /etc/sudoers.d/ directory.
   rules: []
   status: pending
-- id: AZLX-23-002095_sim0.845575
+- id: AZLX-23-002095
   levels:
   - medium
   title: Amazon Linux 2023 must generate audit records for all account
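Review bot: Stripping the `_sim` suffix also erases the only record of how confident the automatic RHEL 9 mapping was, and some of the scores being discarded are low: `AZLX-23-002080_sim0.290845` in the `@@ -765` hunk here, and `AZLX-23-002140_sim0.536035` and `AZLX-23-002475_sim0.504679` in later hunks of this file. Each of those controls keeps `status: automated`, so a mis-mapped rule would be reported as compliance evidence. It would help reviewers if the commit message listed which low-scoring mappings were checked by hand against the STIG check text before the scores were removed.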
@@ -802,7 +802,7 @@ controls:
   - audit_rules_usergroup_modification_group
   status: automated
 
-- id: AZLX-23-002100_sim0.869651
+- id: AZLX-23-002100
   levels:
   - medium
   title: Amazon Linux 2023 must generate audit records for all account
@@ -812,7 +812,7 @@ controls:
   - audit_rules_usergroup_modification_gshadow
   status: automated
 
-- id: AZLX-23-002105_sim0.881490
+- id: AZLX-23-002105
   levels:
   - medium
   title: Amazon Linux 2023 must generate audit records for all account
@@ -822,7 +822,7 @@ controls:
   - audit_rules_usergroup_modification_opasswd
   status: automated
 
-- id: AZLX-23-002110_sim0.925449
+- id: AZLX-23-002110
   levels:
   - medium
   title: Amazon Linux 2023 must audit uses of the "execve" system call.
@@ -830,7 +830,7 @@ controls:
   - audit_rules_suid_privilege_function
   status: automated
 
-- id: AZLX-23-002115_sim0.882113
+- id: AZLX-23-002115
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the chmod, fchmod, and
@@ -841,7 +841,7 @@ controls:
   - audit_rules_dac_modification_fchmodat
   status: automated
 
-- id: AZLX-23-002120_sim0.898967
+- id: AZLX-23-002120
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the chown, fchown, fchownat,
@@ -853,7 +853,7 @@ controls:
   - audit_rules_dac_modification_lchown
   status: automated
 
-- id: AZLX-23-002125_sim0.965485
+- id: AZLX-23-002125
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the setxattr, fsetxattr,
@@ -867,7 +867,7 @@ controls:
   - audit_rules_dac_modification_lremovexattr
   status: automated
 
-- id: AZLX-23-002130_sim0.965205
+- id: AZLX-23-002130
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the truncate, ftruncate,
@@ -881,7 +881,7 @@ controls:
   - audit_rules_unsuccessful_file_modification_open_by_handle_at
   status: automated
 
-- id: AZLX-23-002135_sim0.872869
+- id: AZLX-23-002135
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the init_module and
@@ -891,7 +891,7 @@ controls:
   - audit_rules_kernel_module_loading_init
   status: automated
 
-- id: AZLX-23-002140_sim0.536035
+- id: AZLX-23-002140
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the create_module system call.
@@ -899,7 +899,7 @@ controls:
   - audit_rules_execution_semanage
   status: automated
 
-- id: AZLX-23-002145_sim0.873758
+- id: AZLX-23-002145
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the kmod command.
@@ -907,7 +907,7 @@ controls:
   - audit_rules_privileged_commands_kmod
   status: automated
 
-- id: AZLX-23-002150_sim0.918115
+- id: AZLX-23-002150
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the rename, unlink, rmdir,
@@ -920,7 +920,7 @@ controls:
   - audit_rules_file_deletion_events_unlinkat
   status: automated
 
-- id: AZLX-23-002155_sim0.872686
+- id: AZLX-23-002155
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the chcon command.
@@ -928,7 +928,7 @@ controls:
   - audit_rules_execution_chcon
   status: automated
 
-- id: AZLX-23-002160_sim0.859427
+- id: AZLX-23-002160
   levels:
   - medium
   title: Amazon Linux 2023 must generate audit records for all account
@@ -938,7 +938,7 @@ controls:
   - audit_rules_login_events_faillock
   status: automated
 
-- id: AZLX-23-002165_sim0.871344
+- id: AZLX-23-002165
   levels:
   - medium
   title: Amazon Linux 2023 must generate audit records for all account
@@ -948,7 +948,7 @@ controls:
   - audit_rules_login_events_lastlog
   status: automated
 
-- id: AZLX-23-002175_sim0.877607
+- id: AZLX-23-002175
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the init command.
@@ -956,7 +956,7 @@ controls:
   - audit_privileged_commands_init
   status: automated
 
-- id: AZLX-23-002180_sim0.862273
+- id: AZLX-23-002180
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the reboot command.
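Review bot: AZLX-23-002140 is titled as auditing the create_module system call, but the only rule carried as context for it in the `@@ -899` hunk is `audit_rules_execution_semanage`, which watches the semanage command, and the control keeps `status: automated`, so it will be reported as covered while nothing checks module creation. The removed id carried `_sim0.536035`, which suggests the similarity step picked a weak match here. Either point the control at a kernel-module-loading audit rule (the family of `audit_rules_kernel_module_loading_init` used by AZLX-23-002135 in the preceding hunk) or set `rules: []` and `status: pending` until a matching rule exists. The control's `rules:` line sits outside the hunk.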
@@ -964,7 +964,7 @@ controls:
   - audit_privileged_commands_reboot
   status: automated
 
-- id: AZLX-23-002185_sim0.883750
+- id: AZLX-23-002185
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the shutdown command.
@@ -972,7 +972,7 @@ controls:
   - audit_privileged_commands_shutdown
   status: automated
 
-- id: AZLX-23-002190_sim0.997163
+- id: AZLX-23-002190
   levels:
   - medium
   title: Amazon Linux 2023 audit tools must have a mode of "0755" or less
@@ -981,7 +981,7 @@ controls:
   - file_audit_tools_permissions
   status: automated
 
-- id: AZLX-23-002195_sim0.995583
+- id: AZLX-23-002195
   levels:
   - medium
   title: Amazon Linux 2023 audit tools must be owned by root.
@@ -989,7 +989,7 @@ controls:
   - file_audit_tools_ownership
   status: automated
 
-- id: AZLX-23-002200_sim0.996173
+- id: AZLX-23-002200
   levels:
   - medium
   title: Amazon Linux 2023 audit tools must be group-owned by root.
@@ -1005,7 +1005,7 @@ controls:
     /etc/passwd.
   rules: []
   status: pending
-- id: AZLX-23-002210_sim0.837555
+- id: AZLX-23-002210
   levels:
   - medium
   title: Amazon Linux 2023 must audit all successful/unsuccessful uses of the
@@ -1022,7 +1022,7 @@ controls:
     processing failure.
   rules: []
   status: pending
-- id: AZLX-23-002220_sim0.752220
+- id: AZLX-23-002220
   levels:
   - medium
   title: Amazon Linux 2023 must off-load audit records onto a different system
@@ -1053,7 +1053,7 @@ controls:
     permissive to prevent unauthorized access to the audit log.
   rules: []
   status: pending
-- id: AZLX-23-002240_sim0.983933
+- id: AZLX-23-002240
   levels:
   - medium
   title: Amazon Linux 2023 must allow only the information system security
@@ -1063,7 +1063,7 @@ controls:
   - file_permissions_audit_configuration
   status: automated
 
-- id: AZLX-23-002245_sim0.787313
+- id: AZLX-23-002245
   levels:
   - medium
   title: Amazon Linux 2023 must audit all uses of the sudo command.
@@ -1071,7 +1071,7 @@ controls:
   - audit_rules_privileged_commands_sudo
   status: automated
 
-- id: AZLX-23-002250_sim0.858405
+- id: AZLX-23-002250
   levels:
   - medium
   title: Amazon Linux 2023 must generate audit records for all account
@@ -1081,7 +1081,7 @@ controls:
   - audit_rules_usergroup_modification_passwd
   status: automated
 
-- id: AZLX-23-002255_sim0.869651
+- id: AZLX-23-002255
   levels:
   - medium
   title: Amazon Linux 2023 must generate audit records for all account
@@ -1091,7 +1091,7 @@ controls:
   - audit_rules_usergroup_modification_shadow
   status: automated
 
-- id: AZLX-23-002260_sim0.837474
+- id: AZLX-23-002260
   levels:
   - medium
   title: Amazon Linux 2023 must produce audit records containing information to
@@ -1101,7 +1101,7 @@ controls:
   - auditd_log_format
   status: automated
 
-- id: AZLX-23-002265_sim0.997440
+- id: AZLX-23-002265
   levels:
   - medium
   title: Amazon Linux 2023 audit logs must be group-owned by root or by a
@@ -1110,7 +1110,7 @@ controls:
   - directory_group_ownership_var_log_audit
   status: automated
 
-- id: AZLX-23-002270_sim0.938413
+- id: AZLX-23-002270
   levels:
   - medium
   title: Amazon Linux 2023 must ensure the audit log directory be owned by root
@@ -1119,7 +1119,7 @@ controls:
   - directory_ownership_var_log_audit
   status: automated
 
-- id: AZLX-23-002275_sim0.954897
+- id: AZLX-23-002275
   levels:
   - medium
   title: Amazon Linux 2023 audit logs file must have mode "0600" or less
@@ -1128,7 +1128,7 @@ controls:
   - file_permissions_var_log_audit
   status: automated
 
-- id: AZLX-23-002280_sim0.955920
+- id: AZLX-23-002280
   levels:
   - medium
   title: Amazon Linux 2023 library directories must be group-owned by root or a
@@ -1137,7 +1137,7 @@ controls:
   - dir_group_ownership_library_dirs
   status: automated
 
-- id: AZLX-23-002285_sim0.961484
+- id: AZLX-23-002285
   levels:
   - medium
   title: Amazon Linux 2023 library directories must have mode "755" or less
@@ -1146,7 +1146,7 @@ controls:
   - dir_permissions_library_dirs
   status: automated
 
-- id: AZLX-23-002290_sim0.995472
+- id: AZLX-23-002290
   levels:
   - medium
   title: Amazon Linux 2023 library files must have mode "755" or less
@@ -1155,7 +1155,7 @@ controls:
   - file_permissions_library_dirs
   status: automated
 
-- id: AZLX-23-002295_sim0.949083
+- id: AZLX-23-002295
   levels:
   - medium
   title: Amazon Linux 2023 library files must be owned by root.
@@ -1163,7 +1163,7 @@ controls:
   - file_ownership_library_dirs
   status: automated
 
-- id: AZLX-23-002300_sim0.950613
+- id: AZLX-23-002300
   levels:
   - medium
   title: Amazon Linux 2023 library files must be group-owned by root or a system
@@ -1172,7 +1172,7 @@ controls:
   - root_permissions_syslibrary_files
   status: automated
 
-- id: AZLX-23-002305_sim0.954705
+- id: AZLX-23-002305
   levels:
   - medium
   title: Amazon Linux 2023 library directories must be owned by root.
@@ -1180,7 +1180,7 @@ controls:
   - dir_ownership_library_dirs
   status: automated
 
-- id: AZLX-23-002315_sim0.994130
+- id: AZLX-23-002315
   levels:
   - medium
   title: Amazon Linux 2023 must ensure the /var/log directory have mode "0755"
@@ -1189,7 +1189,7 @@ controls:
   - file_permissions_var_log
   status: automated
 
-- id: AZLX-23-002320_sim0.848580
+- id: AZLX-23-002320
   levels:
   - medium
   title: Amazon Linux 2023 must ensure the /var/log directory be owned by root.
@@ -1197,7 +1197,7 @@ controls:
   - file_owner_var_log
   status: automated
 
-- id: AZLX-23-002325_sim0.836401
+- id: AZLX-23-002325
   levels:
   - medium
   title: Amazon Linux 2023 must ensure the /var/log directory be group-owned by
@@ -1206,7 +1206,7 @@ controls:
   - file_groupowner_var_log
   status: automated
 
-- id: AZLX-23-002330_sim0.969470
+- id: AZLX-23-002330
   levels:
   - medium
   title: Amazon Linux 2023 must ensure the /var/log/messages file have mode
@@ -1215,7 +1215,7 @@ controls:
   - file_permissions_var_log_messages
   status: automated
 
-- id: AZLX-23-002335_sim0.878625
+- id: AZLX-23-002335
   levels:
   - medium
   title: Amazon Linux 2023 must ensure the /var/log/messages file be group-owned
@@ -1224,7 +1224,7 @@ controls:
   - file_groupowner_var_log_messages
   status: automated
 
-- id: AZLX-23-002340_sim0.872212
+- id: AZLX-23-002340
   levels:
   - medium
   title: Amazon Linux 2023 must ensure the /var/log/messages file be owned by
@@ -1233,7 +1233,7 @@ controls:
   - file_owner_var_log_messages
   status: automated
 
-- id: AZLX-23-002345_sim0.991798
+- id: AZLX-23-002345
   levels:
   - medium
   title: Amazon Linux 2023 system commands must be owned by root.
@@ -1241,7 +1241,7 @@ controls:
   - file_ownership_binary_dirs
   status: automated
 
-- id: AZLX-23-002350_sim0.993214
+- id: AZLX-23-002350
   levels:
   - medium
   title: Amazon Linux 2023 system commands must be group-owned by root or a
@@ -1250,7 +1250,7 @@ controls:
   - file_groupownership_system_commands_dirs
   status: automated
 
-- id: AZLX-23-002355_sim0.848555
+- id: AZLX-23-002355
   levels:
   - medium
   title: Amazon Linux 2023 must enforce password complexity by requiring that at
@@ -1260,7 +1260,7 @@ controls:
   - var_password_pam_ucredit=1
   status: automated
 
-- id: AZLX-23-002360_sim0.848555
+- id: AZLX-23-002360
   levels:
   - medium
   title: Amazon Linux 2023 must enforce password complexity by requiring that at
@@ -1270,7 +1270,7 @@ controls:
   - var_password_pam_lcredit=1
   status: automated
 
-- id: AZLX-23-002365_sim0.848555
+- id: AZLX-23-002365
   levels:
   - medium
   title: Amazon Linux 2023 must enforce password complexity by requiring that at
@@ -1280,7 +1280,7 @@ controls:
   - var_password_pam_dcredit=1
   status: automated
 
-- id: AZLX-23-002370_sim0.763604
+- id: AZLX-23-002370
   levels:
   - medium
   title: Amazon Linux 2023 must require the change of at least 50 percent of the
@@ -1290,7 +1290,7 @@ controls:
   - var_password_pam_difok=8
   status: automated
 
-- id: AZLX-23-002375_sim0.805823
+- id: AZLX-23-002375
   levels:
   - medium
   title: Amazon Linux 2023 must enforce a minimum 15-character password length.
@@ -1299,7 +1299,7 @@ controls:
   - var_password_pam_minlen=15
   status: automated
 
-- id: AZLX-23-002380_sim0.859753
+- id: AZLX-23-002380
   levels:
   - medium
   title: Amazon Linux 2023 must enforce password complexity by requiring that at
@@ -1309,7 +1309,7 @@ controls:
   - var_password_pam_ocredit=1
   status: automated
 
-- id: AZLX-23-002385_sim0.871215
+- id: AZLX-23-002385
   levels:
   - medium
   title: Amazon Linux 2023 must enforce password complexity rules for the root
@@ -1318,7 +1318,7 @@ controls:
   - accounts_password_pam_enforce_root
   status: automated
 
-- id: AZLX-23-002390_sim0.996244
+- id: AZLX-23-002390
   levels:
   - medium
   title: Amazon Linux 2023 must prevent the use of dictionary words for
@@ -1328,7 +1328,7 @@ controls:
   - var_password_pam_dictcheck=1
   status: automated
 
-- id: AZLX-23-002395_sim0.997108
+- id: AZLX-23-002395
   levels:
   - low
   title: Amazon Linux 2023 must limit the number of concurrent sessions to ten
@@ -1338,7 +1338,7 @@ controls:
   - var_accounts_max_concurrent_login_sessions=10
   status: automated
 
-- id: AZLX-23-002396_sim0.997038
+- id: AZLX-23-002396
   levels:
   - medium
   title: Amazon Linux 2023 must automatically exit interactive command shell
@@ -1348,7 +1348,7 @@ controls:
   - var_accounts_tmout=10_min
   status: automated
 
-- id: AZLX-23-002400_sim0.904758
+- id: AZLX-23-002400
   levels:
   - medium
   title: Amazon Linux 2023 must enforce 24 hours/1 day as the minimum password
@@ -1357,7 +1357,7 @@ controls:
   - accounts_minimum_age_login_defs
   status: automated
 
-- id: AZLX-23-002405_sim0.997022
+- id: AZLX-23-002405
   levels:
   - medium
   title: Amazon Linux 2023 must enforce a delay of at least four seconds between
@@ -1367,7 +1367,7 @@ controls:
   - var_accounts_fail_delay=4
   status: automated
 
-- id: AZLX-23-002410_sim0.997188
+- id: AZLX-23-002410
   levels:
   - medium
   title: Amazon Linux 2023 must define default permissions for all authenticated
@@ -1390,7 +1390,7 @@ controls:
     unsuccessful logon attempts occur.
   rules: []
   status: pending
-- id: AZLX-23-002425_sim0.917402
+- id: AZLX-23-002425
   levels:
   - medium
   title: Amazon Linux 2023 must be able to enforce a 60-day maximum password
@@ -1400,7 +1400,7 @@ controls:
   - var_accounts_maximum_age_login_defs=60
   status: automated
 
-- id: AZLX-23-002430_sim0.998121
+- id: AZLX-23-002430
   levels:
   - medium
   title: Amazon Linux 2023 must disable account identifiers (individuals,
@@ -1410,7 +1410,7 @@ controls:
   - var_account_disable_post_pw_expiration=35
   status: automated
 
-- id: AZLX-23-002435_sim0.993610
+- id: AZLX-23-002435
   levels:
   - medium
   title: Amazon Linux 2023 must automatically expire temporary accounts within
@@ -1419,7 +1419,7 @@ controls:
   - account_temp_expire_date
   status: automated
 
-- id: AZLX-23-002440_sim0.998923
+- id: AZLX-23-002440
   levels:
   - medium
   title: Amazon Linux 2023 must restrict the use of the "su" command.
@@ -1427,7 +1427,7 @@ controls:
   - use_pam_wheel_for_su
   status: automated
 
-- id: AZLX-23-002445_sim0.959827
+- id: AZLX-23-002445
   levels:
   - medium
   title: Amazon Linux 2023 must enable the SELinux targeted policy.
@@ -1436,7 +1436,7 @@ controls:
   - var_selinux_policy_name=targeted
   status: automated
 
-- id: AZLX-23-002450_sim0.995733
+- id: AZLX-23-002450
   levels:
   - high
   title: Amazon Linux 2023 must use a Linux Security Module configured to
@@ -1446,7 +1446,7 @@ controls:
   - var_selinux_state=enforcing
   status: automated
 
-- id: AZLX-23-002455_sim0.992839
+- id: AZLX-23-002455
   levels:
   - medium
   title: Amazon Linux 2023 must automatically lock an account when three
@@ -1456,7 +1456,7 @@ controls:
   - var_accounts_passwords_pam_faillock_deny=3
   status: automated
 
-- id: AZLX-23-002460_sim0.997304
+- id: AZLX-23-002460
   levels:
   - medium
   title: Amazon Linux 2023 must automatically lock the root account until the
@@ -1466,7 +1466,7 @@ controls:
   - accounts_passwords_pam_faillock_deny_root
   status: automated
 
-- id: AZLX-23-002465_sim0.706033
+- id: AZLX-23-002465
   levels:
   - medium
   title: Amazon Linux 2023 must automatically lock an account until the locked
@@ -1477,7 +1477,7 @@ controls:
   - var_accounts_passwords_pam_faillock_fail_interval=900
   status: automated
 
-- id: AZLX-23-002470_sim0.995651
+- id: AZLX-23-002470
   levels:
   - medium
   title: Amazon Linux 2023 must maintain an account lock until the locked
@@ -1487,7 +1487,7 @@ controls:
   - var_accounts_passwords_pam_faillock_unlock_time=never
   status: automated
 
-- id: AZLX-23-002475_sim0.504679
+- id: AZLX-23-002475
   levels:
   - medium
   title: Amazon Linux 2023 must be configured to prohibit or restrict the use of
@@ -1498,7 +1498,7 @@ controls:
   - configured_firewalld_default_deny
   status: automated
 
-- id: AZLX-23-002480_sim0.995759
+- id: AZLX-23-002480
   levels:
   - medium
   title: Amazon Linux 2023 must insure all interactive users have a primary
@@ -1507,7 +1507,7 @@ controls:
   - gid_passwd_group_same
   status: automated
 
-- id: AZLX-23-002485_sim0.887052
+- id: AZLX-23-002485
   levels:
   - medium
   title: Amazon Linux 2023 must ensure all interactive users have unique User
@@ -1516,7 +1516,7 @@ controls:
   - account_unique_id
   status: automated
 
-- id: AZLX-23-002489_sim0.995643
+- id: AZLX-23-002489
   levels:
   - medium
   title: Amazon Linux 2023 must ensure the password complexity module is enabled
@@ -1525,7 +1525,7 @@ controls:
   - accounts_password_pam_pwquality_password_auth
   status: automated
 
-- id: AZLX-23-002490_sim0.834417
+- id: AZLX-23-002490
   levels:
   - medium
   title: Amazon Linux 2023 password-auth must be configured to use a sufficient
@@ -1535,7 +1535,7 @@ controls:
   - var_password_pam_unix_rounds=100000
   status: automated
 
-- id: AZLX-23-002495_sim0.825932
+- id: AZLX-23-002495
   levels:
   - medium
   title: Amazon Linux 2023 system-auth must be configured to use a sufficient
@@ -1544,7 +1544,7 @@ controls:
   - accounts_password_pam_unix_rounds_system_auth
   status: automated
 
-- id: AZLX-23-002500_sim0.852338
+- id: AZLX-23-002500
   levels:
   - medium
   title: Amazon Linux 2023 must ensure a sticky bit be set on all public
@@ -1553,7 +1553,7 @@ controls:
   - dir_perms_world_writable_sticky_bits
   status: automated
 
-- id: AZLX-23-002505_sim0.775069
+- id: AZLX-23-002505
   levels:
   - medium
   title: Amazon Linux 2023 must ensure all world-writable directories be owned
@@ -1562,7 +1562,7 @@ controls:
   - dir_perms_world_writable_root_owned
   status: automated
 
-- id: AZLX-23-002510_sim0.998269
+- id: AZLX-23-002510
   levels:
   - medium
   title: Amazon Linux 2023 must terminate idle user sessions.
@@ -1571,7 +1571,7 @@ controls:
   - var_logind_session_timeout=15_minutes
   status: automated
 
-- id: AZLX-23-002515_sim0.928578
+- id: AZLX-23-002515
   levels:
   - low
   title: Amazon Linux 2023 must enable auditing of processes that start prior to
@@ -1580,7 +1580,7 @@ controls:
   - grub2_audit_argument
   status: automated
 
-- id: AZLX-23-002520_sim0.996238
+- id: AZLX-23-002520
   levels:
   - low
   title: Amazon Linux 2023 must allocate an audit_backlog_limit of sufficient
@@ -1589,7 +1589,7 @@ controls:
   - grub2_audit_backlog_limit_argument
   status: automated
 
-- id: AZLX-23-002535_sim0.995059
+- id: AZLX-23-002535
   levels:
   - medium
   title: Amazon Linux 2023 must enable discretionary access control on
@@ -1598,7 +1598,7 @@ controls:
   - sysctl_fs_protected_hardlinks
   status: automated
 
-- id: AZLX-23-002540_sim0.995059
+- id: AZLX-23-002540
   levels:
   - medium
   title: Amazon Linux 2023 must enable kernel parameters to enforce
@@ -1607,7 +1607,7 @@ controls:
   - sysctl_fs_protected_symlinks
   status: automated
 
-- id: AZLX-23-002555_sim0.998079
+- id: AZLX-23-002555
   levels:
   - medium
   title: Amazon Linux 2023 debug-shell systemd service must be disabled.
@@ -1623,7 +1623,7 @@ controls:
     for the appropriate DOD network.
   rules: []
   status: pending
-- id: AZLX-23-002565_sim0.972974
+- id: AZLX-23-002565
   levels:
   - medium
   title: Amazon Linux 2023 must synchronize internal information system clocks
@@ -1636,7 +1636,7 @@ controls:
   - var_time_service_set_maxpoll=18_hours
   status: automated
 
-- id: AZLX-23-002570_sim0.979111
+- id: AZLX-23-002570
   levels:
   - medium
   title: Amazon Linux 2023 must routinely check the baseline configuration for
@@ -1647,7 +1647,7 @@ controls:
   - aide_scan_notification
   status: automated
 
-- id: AZLX-23-002575_sim0.844952
+- id: AZLX-23-002575
   levels:
   - medium
   title: Amazon Linux 2023 must prevent the loading of a new kernel for later
@@ -1656,7 +1656,7 @@ controls:
   - sysctl_kernel_kexec_load_disabled
   status: automated
 
-- id: AZLX-23-002580_sim0.940204
+- id: AZLX-23-002580
   levels:
   - medium
   title: Amazon Linux 2023 must prevent files with the setuid and setgid bit set
@@ -1665,7 +1665,7 @@ controls:
   - mount_option_boot_efi_nosuid
   status: automated
 
-- id: AZLX-23-002585_sim0.935211
+- id: AZLX-23-002585
   levels:
   - medium
   title: Amazon Linux 2023 must mount /dev/shm with the nodev option.
@@ -1673,7 +1673,7 @@ controls:
   - mount_option_dev_shm_nodev
   status: automated
 
-- id: AZLX-23-002590_sim0.933059
+- id: AZLX-23-002590
   levels:
   - medium
   title: Amazon Linux 2023 must mount /dev/shm with the nosuid option.
@@ -1681,7 +1681,7 @@ controls:
   - mount_option_dev_shm_nosuid
   status: automated
 
-- id: AZLX-23-002595_sim0.872759
+- id: AZLX-23-002595
   levels:
   - medium
   title: Amazon Linux 2023 must ensure the pcscd service is active.
@@ -1689,7 +1689,7 @@ controls:
   - service_pcscd_enabled
   status: automated
 
-- id: AZLX-23-002600_sim0.995594
+- id: AZLX-23-002600
   levels:
   - medium
   title: Amazon Linux 2023 file system automount function must be disabled
@@ -1713,7 +1713,7 @@ controls:
     memory from unauthorized code execution.
   rules: []
   status: pending
-- id: AZLX-23-002615_sim0.829819
+- id: AZLX-23-002615
   levels:
   - low
   title: Amazon Linux 2023 must remove all software components after updated
@@ -1722,7 +1722,7 @@ controls:
   - clean_components_post_updating
   status: automated
 
-- id: AZLX-23-002620_sim0.991594
+- id: AZLX-23-002620
   levels:
   - medium
   title: Amazon Linux 2023 must configure the use of the pam_faillock.so module
@@ -1731,7 +1731,7 @@ controls:
   - account_password_pam_faillock_system_auth
   status: automated
 
-- id: AZLX-23-005000_sim0.825983
+- id: AZLX-23-005000
   levels:
   - medium
   title: Amazon Linux 2023 audit system must protect logon user identifiers
diff --git a/products/al2023/CMakeLists.txt b/products/al2023/CMakeLists.txt
index 63f7db32c8c0..498ab6193ef0 100644
--- a/products/al2023/CMakeLists.txt
+++ b/products/al2023/CMakeLists.txt
@@ -8,3 +8,12 @@ set(PRODUCT "al2023")
 
 ssg_build_product(${PRODUCT})
 ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
+
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
+
+ssg_build_html_srgmap_tables(${PRODUCT})
+
+ssg_build_html_stig_tables(${PRODUCT})
+ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
\ No newline at end of file
diff --git a/products/al2023/overlays/srg_support.xml b/products/al2023/overlays/srg_support.xml
new file mode 100644
index 000000000000..35a58161f0aa
--- /dev/null
+++ b/products/al2023/overlays/srg_support.xml
@@ -0,0 +1,173 @@
+
diff --git a/products/al2023/profiles/stig.profile b/products/al2023/profiles/stig.profile
index 51db1225ff07..d1960eba7bb2 100644
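Review bot: The new last line of products/al2023/CMakeLists.txt, `ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")`, is committed without a trailing newline (the `\ No newline at end of file` marker), which the old file had; add the newline so the next append to this file diffs cleanly. The added calls also mix `"${PRODUCT}"` and bare `${PRODUCT}` for the same argument; pick one form, e.g. quote it everywhere as the `ssg_build_html_ref_tables` line already does. The `ssg_build_html_profile_table` and `_per_profile` calls assume a profile named `stig` exists for this product; that holds for the stig.profile touched later in this patch, but the dependency is worth a one-line comment above the calls.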
--- a/products/al2023/profiles/stig.profile +++ b/products/al2023/profiles/stig.profile @@ -5,7 +5,7 @@ metadata: SMEs: - jesse.j.borden@gmail.com -reference: https://public.cyber.mil/stigs/downloads/ +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG for Amazon Linux 2023' diff --git a/products/al2023/transforms/xccdf-apply-overlay-stig.xslt b/products/al2023/transforms/xccdf-apply-overlay-stig.xslt new file mode 100644 index 000000000000..4789419b80a5 --- /dev/null +++ b/products/al2023/transforms/xccdf-apply-overlay-stig.xslt @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/products/al2023/transforms/xccdf2table-profileccirefs.xslt b/products/al2023/transforms/xccdf2table-profileccirefs.xslt new file mode 100644 index 000000000000..9d8d3e5faf1f --- /dev/null +++ b/products/al2023/transforms/xccdf2table-profileccirefs.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/shared/references/disa-stig-al2023-v1r1-xccdf-manual.xml b/shared/references/disa-stig-al2023-v1r1-xccdf-manual.xml new file mode 100755 index 000000000000..d27b118c8335 --- /dev/null +++ b/shared/references/disa-stig-al2023-v1r1-xccdf-manual.xml 
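Review bot: The new `reference:` value in stig.profile carries a search facet, `?_dl_facet_stigs=operating-systems%2Cunix-linux`, rather than a document locator; that query string follows the site's UI and is likely to rot, so the profile reference should stay at the stable page, `reference: https://www.cyber.mil/stigs/downloads/`. Separately, the file header further down this line adds shared/references/disa-stig-al2023-v1r1-xccdf-manual.xml with `new file mode 100755`; a reference XML has no reason to be executable and should be committed as 100644. The stig.profile hunk's remaining context is cut at the line end, so I cannot tell whether other metadata was touched.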
@@ -0,0 +1,2972 @@ +acceptedAmazon Linux 2023 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 14 Jul 20253.5.11.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>AZLX-23-000100Amazon Linux 2023 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. + +This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. 
+ +Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001199CCI-002475CCI-002476Configure Amazon Linux 2023 to protect the confidentiality and integrity of all information at rest. + +Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. + +To encrypt an entire partition, dedicate a partition for encryption in the partition layout.Verify Amazon Linux 2023 is configured so that all partitions are encrypted with the following command: + +$ sudo blkid +/dev/xvda1: UUID="ed0acbe9-bd05-495e-a9ac-cb615b29327d" TYPE="crypto_LUKS" + +Every persistent disk partition present must be of "Type" "crypto_LUKS". + +If any partitions other than the boot partition, bios partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>AZLX-23-000110Amazon Linux 2023 must ensure cryptographic verification of vendor software packages.<VulnDiscussion>Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. 
Amazon Linux cryptographically signs all software packages, which includes updates, with a GPG key to Verify they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-003992Configure Amazon Linux 2023 to have the public key for verifying RPM packages to be installed with the "system-release" package. + +Install the system-release installation with the following command: +$ sudo dnf install -y system-release + +Ensure cryptographic verification of software packages is enabled by editing /etc/dnf/dnf.conf and under '[main]' in the configuration file add: + +gpgcheck=1Verify Amazon Linux 2023 package-signing keys are installed on the system and verify their fingerprints match vendor values. + +Note: For Amazon Linux 2023 software packages, AWS uses GPG keys defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" by default. + +List Amazon Linux GPG keys installed on the system: + +$ sudo rpm -q gpg-pubkey --qf "%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n" +gpg-pubkey-d832c631-6515c85e Amazon Linux <amazon-linux@amazon.com> public key + +If there is no Amazon Linux GPG key installed, this is a finding. 
+ +Extract the fingerprint from the key with this command: + +$ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023 +pub rsa4096/D832C631 2022-12-08 [SC] + Key fingerprint = B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631 +uid Amazon Linux <amazon-linux@amazon.com> + +Compare the Key fingerprint with the key fingerprint from Amazon Documentation and instructions at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-keys.html + +If key fingerprints do not match, or the key file is missing, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>AZLX-23-000115Amazon Linux 2023 must check the GPG signature of locally installed software packages before installation.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +All software packages must be signed with a cryptographic key recognized and approved by the organization. + +Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-003992Configure Amazon Linux 2023 to always check the GPG signature of local software packages before installation. 
+ +Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file: + +localpkg_gpgcheck=1Verify Amazon Linux 2023 is configured so that dnf always checks the GPG signature of locally installed software packages before installation: + +$ grep localpkg_gpgcheck /etc/dnf/dnf.conf +localpkg_gpgcheck=1 + +If "localpkg_gpgcheck" is not set to "1" or "True", or if the option is missing or commented out, ask the system administrator how the GPG signatures of local software packages are being verified. + +If there is no process to verify GPG signatures approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>AZLX-23-000120Amazon Linux 2023 must check the GPG signature of software packages originating from external software repositories before installation.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +All software packages must be signed with a cryptographic key recognized and approved by the organization. + +Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. 
This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-003992Configure Amazon Linux 2023 to always check the GPG signature of software packages originating from external software repositories before installation. + +Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file: + +gpgcheck=1Verify Amazon Linux 2023 is configured so that dnf always checks the GPG signature of software packages originating from external software repositories before installation: + +$ grep -w gpgcheck /etc/dnf/dnf.conf +gpgcheck=1 + +If "gpgcheck" is not set to "1" or "True", or if the option is missing or commented out, ask the system administrator how the GPG signatures of software packages are being verified. + +If there is no process to verify GPG signatures approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>AZLX-23-000125Amazon Linux 2023 must have GPG signature verification enabled for all software repositories.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +All software packages must be signed with a cryptographic key recognized and approved by the organization. + +Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. 
This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-003992Configure Amazon Linux 2023 to verify the signature of packages from a repository prior to installation by setting the following option in the "/etc/yum.repos.d/[your_repo_name].repo" file: + +gpgcheck=1Verify Amazon Linux 2023 software repositories enforce a signature check on the packages prior to allowing installation with the following command: + +$ grep -w gpgcheck /etc/yum.repos.d/*.repo | more +/etc/yum.repos.d/amazonlinux.repo:gpgcheck=1 +/etc/yum.repos.d/amazonlinux.repo:gpgcheck=1 +/etc/yum.repos.d/amazonlinux.repo:gpgcheck=1 +/etc/yum.repos.d/kernel-livepatch.repo:gpgcheck=1 +/etc/yum.repos.d/kernel-livepatch.repo:gpgcheck=1 + +If any repository has "gpgcheck=0" or "False", or if the option is commented out, this is a finding.SRG-OS-000439-GPOS-00195<GroupDescription></GroupDescription>AZLX-23-000130Amazon Linux 2023 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002605Configure Amazon Linux 2023 to be a vendor supported release. + +Upgrade to a supported version of Amazon Linux 2023.Verify Amazon Linux 2023 is a vendor-supported version with the following command: + +$ cat /etc/amazon-linux-release +Amazon Linux release 2023.6.20250203 (Amazon Linux) + +If the installed version of Amazon Linux 2023 is not supported, this is a finding.SRG-OS-000269-GPOS-00103<GroupDescription></GroupDescription>AZLX-23-000135Amazon Linux 2023 systemd-journald service must be enabled.<VulnDiscussion>Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. 
+ +Preserving operating system state information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001665Configure Amazon Linux 2023 to enable the systemd-journald service with the following command: + +$ sudo systemctl enable --now systemd-journaldVerify Amazon Linux 2023 is configured so that "systemd-journald" is active with the following command: + +$ systemctl is-active systemd-journald +active + +If the systemd-journald service is not active, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>AZLX-23-000200Amazon Linux 2023 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. 
This can be verified by acceptance/validation processes in DOD or other government agencies. + +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. + +Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. + +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001082CCI-001090Configure Amazon Linux 2023 to restrict access to the kernel message buffer. + +Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + +kernel.dmesg_restrict = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --systemVerify Amazon Linux 2023 is configured to restrict access to the kernel message buffer with the following commands: + +Check the status of the kernel.dmesg_restrict kernel parameter. 
+ +$ sudo sysctl kernel.dmesg_restrict +kernel.dmesg_restrict = 1 + +If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>AZLX-23-000205Amazon Linux 2023 must prevent kernel profiling by nonprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. + +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. + +Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. 
+ +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001082CCI-001090Configure Amazon Linux 2023 to prevent kernel profiling by nonprivileged users. + +Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + +kernel.perf_event_paranoid = 2 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --systemVerify Amazon Linux 2023 is configured to prevent kernel profiling by nonprivileged users with the following commands: + +Check the status of the kernel.perf_event_paranoid kernel parameter. + +$ sudo sysctl kernel.perf_event_paranoid +kernel.perf_event_paranoid = 2 + +If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>AZLX-23-000210Amazon Linux 2023 must restrict exposed kernel pointer addresses access.<VulnDiscussion>Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with "0". 
+ +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001082CCI-002824Configure Amazon Linux 2023 to restrict exposed kernel pointer addresses access. + +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + +kernel.kptr_restrict = 1 + +Reload settings from all system configuration files with the following command: + +$ sudo sysctl --systemVerify Amazon Linux 2023 restricts exposed kernel pointer addresses access by validating the runtime status of the Amazon Linux 2023 kernel.kptr_restrict kernel parameter with the following command: + +$ sudo sysctl kernel.kptr_restrict +kernel.kptr_restrict = 1 + +If "kernel.kptr_restrict" is not set to "1" or is missing, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>AZLX-23-000215Amazon Linux 2023 must disable access to network bpf system call from nonprivileged processes.<VulnDiscussion>Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001082Configure Amazon Linux 2023 to 
prevent privilege escalation through the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory: + +kernel.unprivileged_bpf_disabled = 1 + +The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --systemVerify Amazon Linux 2023 prevents privilege escalation through the kernel by disabling access to the bpf system call with the following commands: + +$ sudo sysctl kernel.unprivileged_bpf_disabled +kernel.unprivileged_bpf_disabled = 1 + +If the returned line does not have a value of "1", or a line is not returned, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>AZLX-23-000220Amazon Linux 2023 must restrict usage of ptrace to descendant processes.<VulnDiscussion>Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001082Configure Amazon Linux 2023 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory: + +kernel.yama.ptrace_scope = 1 + +The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +$ sudo sysctl --systemVerify Amazon Linux 2023 restricts usage of ptrace to descendant processes with the following commands: + +$ sudo sysctl kernel.yama.ptrace_scope +kernel.yama.ptrace_scope = 1 + +If the returned line does not have a value of "1", or a line is not returned, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>AZLX-23-000225Amazon Linux 2023 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code to repurpose it using return oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002824Configure Amazon Linux 2023 to enable ASLR to enhance memory protection. 
+ +Enable ASLR by setting the kernel parameter with the following command: +echo 2 | sudo tee /proc/sys/kernel/randomize_va_space + +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + +kernel.randomize_va_space = 2 + +Reload settings from all system configuration files with the following command: + +$ sudo sysctl --systemVerify Amazon Linux 2023 is implementing ASLR with the following command: + +$ sysctl kernel.randomize_va_space +kernel.randomize_va_space = 2 + +Check that the configuration files are present to enable this kernel parameter. +Verify the configuration of the kernel.kptr_restrict kernel parameter with the following command: + +$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.randomize_va_space | tail -1 + +kernel.randomize_va_space = 2 + +If "kernel.randomize_va_space" is not set to "2" or is missing, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>AZLX-23-000300Amazon Linux 2023 must not have the vsftpd package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. 
+ +Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000197CCI-000381Configure Amazon Linux 2023 to not have the vsftpd package installed with the following command: + +$ sudo dnf -y remove vsftpdVerify Amazon Linux 2023 does not have the vsftpd package installed with the following command: + +$ dnf list --installed vsftpd +Error: No matching Packages to list + +If the "vsftpd" package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>AZLX-23-000305Amazon Linux 2023 must not have the sendmail package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
+ +Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000381Configure Amazon Linux 2023 to not have the sendmail package installed with the following command: + +$ sudo dnf -y remove sendmailVerify Amazon Linux 2023 does not have the sendmail package installed with the following command: + +$ dnf list --installed sendmail +Error: No matching Packages to list + +If the "sendmail" package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>AZLX-23-000310Amazon Linux 2023 must not have the nfs-utils package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
+ +Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000381Configure Amazon Linux 2023 to not have the nfs-utils package installed with the following command: + +$ sudo dnf -y remove nfs-utilsVerify Amazon Linux 2023 does not have the nfs-utils package installed with the following command: + +$ dnf list --installed nfs-utils +Error: No matching Packages to list + +If the "nfs-utils" package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>AZLX-23-000315Amazon Linux 2023 must not have the telnet-server package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
+ +Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000381Configure Amazon Linux 2023 to not have the telnet-server package installed with the following command: + +$ sudo dnf -y remove telnet-serverVerify Amazon Linux 2023 does not have the telnet-server package installed with the following command: + +$ dnf list --installed telnet-server +Error: No matching Packages to list + +If the "telnet-server" package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>AZLX-23-000320Amazon Linux 2023 must not have the gssproxy package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
+ +Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000381Configure Amazon Linux 2023 to not have the gssproxy package installed. + +The gssproxy package can be removed with the following command: + +$ sudo dnf -y remove gssproxyVerify Amazon Linux 2023 does not have the gssproxy package installed with the following command: + +$ dnf list --installed gssproxy +Error: No matching Packages to list + +If the "gssproxy" package is installed, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>AZLX-23-001000Amazon Linux 2023 must have the sudo package installed.<VulnDiscussion>The "sudo" program is designed to allow a system administrator to give limited root privileges to users and log root activity. 
The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002235Configure Amazon Linux 2023 to have the sudo package installed with the following command: + +$ sudo dnf install -y sudoVerify Amazon Linux 2023 has the sudo package installed with the following command: + +$ dnf list --installed sudo +Installed Packages +sudo.x86_64 1.9.15-1.p5.amzn2023.0.1 @System + +If the "sudo" package is not installed, this is a finding.SRG-OS-000312-GPOS-00123<GroupDescription></GroupDescription>AZLX-23-001005Amazon Linux 2023 must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002165Configure Amazon Linux 2023 to require users to supply a password for privilege escalation. 
+ +Remove any occurrences of "pam_succeed_if " in the "/etc/pam.d/sudo" file.Verify Amazon Linux 2023 is not configured to bypass password requirements for privilege escalation with the following command: + +$ sudo grep pam_succeed_if /etc/pam.d/sudo + +If any occurrences of "pam_succeed_if" are returned, this is a finding.SRG-OS-000373-GPOS-00157<GroupDescription></GroupDescription>AZLX-23-001010Amazon Linux 2023 must require reauthentication when using the "sudo" command.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002038Configure Amazon Linux 2023 to reauthenticate "sudo" commands after the specified timeout: + +Add the following line to "/etc/sudoers" or a file in "/etc/sudoers.d": + +Defaults timestamp_timeout=0Verify Amazon Linux 2023 requires reauthentication when using the "sudo" command to elevate privileges with the following command: + +$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/ +/etc/sudoers:Defaults timestamp_timeout=0 + +If results are returned from more than one file location, this is a finding. 
+ +If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>AZLX-23-001015Amazon Linux 2023 must require users to reauthenticate for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002038Configure Amazon Linux 2023 to not allow users to execute privileged actions without authenticating. + +Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. + +$ sudo sed -i '/\!authenticate/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*Verify Amazon Linux 2023 requires users to reauthenticate for privilege escalation. 
+ +Ensure that "/etc/sudoers" has no occurrences of "!authenticate" with the following command: + +$ sudo grep -ir '!authenticate' /etc/sudoers /etc/sudoers.d/ + +If any occurrences of "!authenticate" are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>AZLX-23-001020Amazon Linux 2023 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000366Configure Amazon Linux 2023 to not allow users to execute privileged actions without authenticating with a password. + +Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. + +$ sudo sed -i '/NOPASSWD/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*Verify Amazon Linux 2023 requires users to provide a password for privilege escalation. + +Ensure that "/etc/sudoers" has no occurrences of "NOPASSWD" with the following command: + +$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/ + +If any occurrences of "NOPASSWD" are returned, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>AZLX-23-001025Amazon Linux 2023 must have the audit package installed.<VulnDiscussion>Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond to potential incidents in a proficient manner. 
If Amazon Linux 2023 does not provide the ability to centrally review Amazon Linux 2023 logs, forensic analysis is negatively impacted. + +Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system has multiple logging components writing to different locations or systems. + +To support the centralized capability, Amazon Linux 2023 must be able to provide the information in a format that can be extracted and used, allowing the application performing the centralization of the log records to meet this requirement. + +Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000042-GPOS-00021, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000055-GPOS-00026</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 
20235700CCI-000169CCI-000135CCI-000130CCI-000131CCI-000132CCI-000133CCI-000134CCI-000154CCI-000158CCI-001876CCI-001464CCI-001487CCI-001914CCI-001875CCI-001877CCI-001878CCI-001879CCI-001880CCI-001881CCI-001882CCI-001889CCI-003938CCI-002884CCI-000172CCI-000159Configure Amazon Linux 2023 so that the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. + +Install the audit service (if the audit service is not already installed) with the following command: + +$ sudo dnf install -y auditVerify Amazon Linux 2023 has the audit package installed with the following command: + +$ dnf list --installed audit +Installed Packages +audit.x86_64 3.0.6-1.amzn2023.0.2 @System + +If the "audit" package is not installed, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-001030Amazon Linux 2023 must produce audit records containing information to establish what type of events occurred.<VulnDiscussion>Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in Amazon Linux 2023 audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000062-GPOS-00031, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000755-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000131CCI-000132CCI-000133CCI-000134CCI-000169CCI-000135CCI-000154CCI-000158CCI-001876CCI-001464CCI-001487CCI-001914CCI-001875CCI-001877CCI-001878CCI-001879CCI-001880CCI-001881CCI-001882CCI-001889CCI-003938CCI-002884CCI-000172CCI-004188Configure Amazon Linux 2023 so that the audit service to produce audit records containing the information needed to establish when an event occurred with the following commands: + +$ sudo systemctl enable auditd.service + +$ sudo systemctl start auditd.serviceVerify Amazon Linux 2023 is configured to produce audit records with the following command: + +$ sudo systemctl status auditd.service +auditd.service - Security Auditing Service + Loaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled) + Active: active (running) since Wed 2024-01-131 12:56:56 EST; 1 weeks 0 days ago + +If the audit service is not "active" and 
"running", this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>AZLX-23-001035Amazon Linux 2023 audispd-plugins package must be installed.<VulnDiscussion>The "audispd-plugins" package provides plugins for the real-time interface to the audit subsystem, "audispd". These plugins can, for example, relay events to remote machines or analyze events for suspicious behavior.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001851Configure Amazon Linux 2023 to have the audispd-plugins package installed. + +Install the audispd-plugins package with the following command: + +$ sudo dnf install -y audispd-pluginsVerify Amazon Linux 2023 has the audispd-plugins package installed with the following command: + +$ sudo dnf list --installed audispd-plugins +Installed Packages +audispd-plugins.x86_64 3.0.6-1.amzn2023.0.2 @amazonlinux + +If the "audispd-plugins" package is not installed, this is a finding.SRG-OS-000051-GPOS-00024<GroupDescription></GroupDescription>AZLX-23-001040Amazon Linux 2023 must have the rsyslog package installed.<VulnDiscussion>Successful incident response and auditing relies on timely, accurate system information and analysis allow the organization to identify and respond to potential incidents in a proficient manner. If Amazon Linux 2023 does not provide the ability to centrally review Amazon Linux 2023 logs, forensic analysis is negatively impacted. 
+ +Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system has multiple logging components writing to different locations or systems. + +To support the centralized capability, Amazon Linux 2023 must be able to provide the information in a format that can be extracted and used, allowing the application performing the centralization of the log records to meet this requirement. + +Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000154CCI-001851Configure Amazon Linux 2023 to monitor all remote access methods by installing rsyslog with the following command: + +$ sudo dnf install -y rsyslog + +Enable the log service with the following command: + +$ sudo systemctl enable --now rsyslogVerify Amazon Linux 2023 is configured to collect system failure events with the following command: + +$ dnf list --installed rsyslog +Installed Packages +rsyslog.x86_64 8.2204.0-3.amzn2023.0.4 @amazonlinux + +If the "rsyslog" package is not installed, this is a finding. 
+ +Check that the log service is enabled with the following command: + +$ dnf list --installed vsftpd +Error: No matching Packages to list + +If the command above returns "disabled", this is a finding.SRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>AZLX-23-001045Amazon Linux 2023 must monitor remote access methods.<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000067Configure Amazon Linux 2023 to monitor all remote access methods by installing rsyslog with the following command: + +$ sudo yum install rsyslog + +Then add or update the following lines to the "/etc/rsyslog.conf" file: + +auth.*;authpriv.*;daemon.* /var/log/secure + +The "rsyslog" service must be restarted for the changes to take effect. To restart the "rsyslog" service, run the following command: + +$ sudo systemctl restart rsyslog.serviceVerify Amazon Linux 2023 monitors all remote access methods. 
+ +Check that remote access methods are being logged by running the following command: + +$ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf +auth.*;authpriv.*;daemon.* /var/log/secure + +If "auth.*", "authpriv.*", or "daemon.*" are not configured to be logged, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>AZLX-23-001050Amazon Linux 2023 must have the chrony package installed.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004923Configure Amazon Linux 2023 to have the chrony package installed. + +The chrony package can be installed with the following command: + +$ sudo dnf install -y chronyVerify Amazon Linux 2023 has the chrony package installed with the following command: + +$ sudo dnf list --installed chrony +Installed Packages +chrony.x86_64 4.3-1.amzn2023.0.5 @System + +If the "chrony" package is not installed, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>AZLX-23-001055Amazon Linux 2023 chronyd service must be enabled.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. 
Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004923Configure Amazon Linux 2023 to have the chronyd service set to active with the following command: + +$ sudo systemctl enable --now chronydVerify Amazon Linux 2023 has the chronyd service set to active with the following command: + +$ systemctl is-active chronyd +active + +If the chronyd service is not active, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>AZLX-23-001060Amazon Linux 2023 must have the Advanced Intrusion Detection Environment (AIDE) package installed.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
+ +Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SRG-OS-000358-GPOS-00145</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001744CCI-002696CCI-001889Configure Amazon Linux 2023 to have the AIDE package installed. + +Install AIDE with the following commands: + +Install AIDE: + +$ sudo dnf install -y aide + +Initialize AIDE: + +$ sudo /usr/sbin/aide --init + +sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + +Perform a manual check: + +$ sudo /usr/sbin/aide --check +Example output: + +2023-06-05 10:16:08 -0600 (AIDE 0.16) +AIDE found NO differences between database and filesystem. Looks okay!!Verify Amazon Linux 2023 has the AIDE package installed with the following command: + +$ dnf list --installed aide +Installed Packages +aide.x86_64 0.18.6-1.amzn2023.0.1 @amazonlinux + +If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system. + +If there is no application installed to perform integrity checks, this is a finding. 
+ +If AIDE is installed, check if it has been initialized with the following command: + +$ sudo /usr/sbin/aide --check + +If the output is "Couldn't open file /var/lib/aide/aide.db.gz for reading", this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>AZLX-23-001065Amazon Linux 2023 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to Amazon Linux 2023. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of Amazon Linux 2023. Amazon Linux 2023's information management officer (IMO)/information system security officer (ISSO) and system administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. 
+ +Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001744CCI-002699CCI-002702Configure Amazon Linux 2023 so that the file integrity tool runs automatically on the system at least weekly and notifies designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. + +The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. + +$ sudo more /etc/cron.daily/aide + +#!/bin/bash +/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify Amazon Linux 2023 routinely executes a file integrity scan for changes to the system baseline. The commands used in the example will use a daily occurrence. + +Check the cron directories for scripts controlling the execution and notification of results of the file integrity application. 
For example, if Advanced Intrusion Detection Environment (AIDE) is installed on the system, use the following commands: + +$ ls -al /etc/cron.daily | grep aide +-rwxr-xr-x 1 root root 29 Nov 22 2015 aide + +$ sudo grep aide /etc/crontab /var/spool/cron/root + +/etc/crontab: 30 04 * * * root usr/sbin/aide +/var/spool/cron/root: 30 04 * * * root usr/sbin/aide + +$ sudo more /etc/cron.daily/aide + +#!/bin/bash +/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil + +If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>AZLX-23-001070Amazon Linux 2023 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. + +Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + +It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. + +To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. 
+ +Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001493CCI-001494CCI-001495CCI-001496Configure Amazon Linux 2023 to protect the integrity of the AIDE audit tools. + +Add or update the following lines to "/etc/aide.conf", to protect the integrity of the audit tools. + +/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify Amazon Linux 2023 is properly configured to protect the integrity of the Advanced Intrusion Detection Environment (AIDE) audit tools with the following command: + +$ sudo grep /usr/sbin/au /etc/aide.conf +/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + +If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system. + +If any of the audit tools listed above do not have a corresponding line, ask the SA to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. 
+ +If there is no evidence of integrity protection, this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>AZLX-23-001075Amazon Linux 2023 must have the firewalld package installed.<VulnDiscussion>To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. + +To support the requirements and principles of least functionality, Amazon Linux 2023 must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. 
+
+Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00232, SRG-OS-000304-GPOS-00121</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000382CCI-002314CCI-002322CCI-000366CCI-000015Configure Amazon Linux 2023 to have the firewalld package installed with the following command:
+
+$ sudo dnf install -y firewalldVerify Amazon Linux 2023 has the firewalld package installed with the following command:
+
+$ dnf list --installed firewalld
+Installed Packages
+firewalld.noarch 1.2.3-1.amzn2023 @amazonlinux
+
+If the "firewalld" package is not installed, this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>AZLX-23-001080Amazon Linux 2023 must have the firewalld servicew active.<VulnDiscussion>To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
+
+Operating systems are capable of providing a variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
+
+To support the requirements and principles of least functionality, Amazon Linux 2023 must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
+
+Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00232, SRG-OS-000304-GPOS-00121</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000382CCI-002314CCI-002322CCI-000366CCI-000015Configure Amazon Linux 2023 to enable the firewalld service with the following command:
+
+$ sudo systemctl enable --now firewalldVerify Amazon Linux 2023 firewalld service is active with the following command:
+
+$ systemctl is-active firewalld
+active
+
+If the "firewalld" service is not active, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>AZLX-23-001085Amazon Linux 2023 must be configured to disable nonessential capabilities.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a variety of functions and services.
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000381Configure Amazon Linux 2023 to allow approved settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.
+
+To open a port for a service, configure firewalld using the following command:
+
+$ sudo firewall-cmd --permanent --add-port=port_number/tcp
+or
+$ sudo firewall-cmd --permanent --add-service=service_nameVerify Amazon Linux 2023 is configured to disable nonessential capabilities.
+
+Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command:
+
+$ sudo firewall-cmd --list-all
+
+Ask the system administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA.
+
+If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured, this is a finding.SRG-OS-000142-GPOS-00071<GroupDescription></GroupDescription>AZLX-23-001090Amazon Linux 2023 must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
+
+Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001095Configure Amazon Linux 2023 to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks.
+
+Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "etc/firewalld/firewalld.conf":
+
+FirewallBackend=nftables
+
+Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.Verify Amazon Linux 2023 manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks.
+
+Verify nftables is configured to allow rate limits on any connection to the system with the following command:
+
+$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf
+FirewallBackend=nftablesSRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>AZLX-23-001095Amazon Linux 2023 must have the s-nail package installed.<VulnDiscussion>The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001744Configure Amazon Linux 2023 to have the s-nail package installed with the following command:
+
+$ sudo dnf install -y s-nailVerify Amazon Linux 2023 has the "s-nail" package is installed on the system with the following command:
+
+$ dnf list --installed s-nail
+Installed Packages
+s-nail.x86_64 14.9.24-6.amzn2023 @amazonlinux
+
+If the "s-nail" package is not installed, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>AZLX-23-001105Amazon Linux 2023 must have the libreswan package installed.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the
cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.
+
+Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000803Configure Amazon Linux 2023 to have the libreswan package installed with the following command:
+
+$ sudo dnf install -y libreswanVerify Amazon Linux 2023 has the libreswan package installed with the following command:
+
+$ dnf list --installed libreswan
+Installed Packages
+libreswan.x86_64 4.12-3.amzn2023.0.2 @amazonlinux
+
+If the "libreswan" package is not installed, this is a finding.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>AZLX-23-001110Amazon Linux 2023 must have the policycoreutils package installed.<VulnDiscussion>An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions.
+
+Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For nonkernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code.
+
+Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Operating systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001084Configure Amazon Linux 2023 to have the policycoreutils package installed with the following command:
+
+$ sudo dnf install -y policycoreutilsVerify Amazon Linux 2023 has the policycoreutils package installed with the following command:
+
+$ dnf list --installed policycoreutils
+Installed Packages
+policycoreutils.x86_64 3.4-6.amzn2023.0.2 @System
+
+If the "policycoreutils" package is not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>AZLX-23-001115Amazon Linux 2023 must have the pcsc-lite package installed.<VulnDiscussion>The pcsc-lite package must be installed if it is to be available for multifactor
authentication using smart cards.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004046Configure Amazon Linux 2023 to have the pcsc-lite package installed with the following command:
+
+$ sudo dnf install -y pcsc-liteVerify Amazon Linux 2023 has the pcsc-lite package installed with the following command:
+
+$ dnf list --installed pcsc-lite
+Installed Packages
+pcsc-lite.x86_64 1.9.1-1.amzn2023.0.4 @amazonlinux
+
+If the "pcsc-lite" package is not installed, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>AZLX-23-001120Amazon Linux 2023 must have the packages required for encrypting off-loaded audit logs installed.<VulnDiscussion>Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.
+
+Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements.
This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000803Configure Amazon Linux 2023 to have the rsyslog-openssl package installed with the following command:
+
+$ sudo dnf install -y rsyslog-opensslVerify Amazon Linux 2023 has the rsyslog-openssl package installed with the following command:
+
+$ dnf list --installed rsyslog-openssl
+Installed Packages
+rsyslog-openssl.x86_64 8.2204.0-3.amzn2023.0.4 @amazonlinux
+
+If the "rsyslog-openssl" package is not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>AZLX-23-001125Amazon Linux 2023 must have the opensc package installed.<VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
+
+The DOD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.
+
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004046CCI-001953Configure Amazon Linux 2023 to have the opensc package installed with the following command:
+
+$ sudo dnf install -y openscVerify Amazon Linux 2023 has the opensc package installed with the following command:
+
+$ sudo dnf list --installed opensc
+Installed Packages
+opensc.x86_64 0.24.0-1.amzn2023.0.4 @amazonlinux
+
+If the "opensc" package is not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>AZLX-23-001130Amazon Linux 2023 must have the openssl-pkcs11 package installed.<VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication.
+
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004046CCI-001953CCI-001954Configure Amazon Linux 2023 to have the openssl-pkcs11 package installed with the following command:
+
+$ sudo dnf install -y openssl-pkcs11Verify Amazon Linux 2023 has the openssl-pkcs11 package installed with the following command:
+
+$ dnf list --installed openssl-pkcs11
+Installed Packages
+openssl-pkcs11.x86_64 0.4.12-3.amzn2023.0.1 @System
+
+If the "openssl-pkcs11" package is not installed, this is a finding.SRG-OS-000112-GPOS-00057<GroupDescription></GroupDescription>AZLX-23-001180Amazon Linux 2023 must have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
+
+Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001941CCI-002418CCI-002421CCI-002420CCI-002422Configure Amazon Linux 2023 to have the openssh-server package installed with the following command:
+
+$ sudo dnf install -y openssh-serverVerify Amazon Linux 2023 has the openssh-server package installed with the following command:
+
+$ dnf list --installed openssh-server
+Installed Packages
+openssh-server.x86_64 8.7p1-8.amzn2023.0.13 @amazonlinux
+
+If the "openssh-server" package is not installed, this is a finding.SRG-OS-000112-GPOS-00057<GroupDescription></GroupDescription>AZLX-23-001185Amazon Linux 2023 must implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.<VulnDiscussion>Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes.
+
+Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
When transmitting data, operating systems need to leverage transmission protection mechanisms such as TLS, SSL VPNs, or IPSec.
+
+Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001941CCI-002418CCI-002421CCI-002420CCI-002422Configure Amazon Linux 2023 to enable the sshd service run the following command:
+
+$ sudo systemctl enable --now sshdVerify Amazon Linux 2023 has "sshd" set to active with the following command:
+
+$ systemctl is-active sshd
+active
+
+If the "sshd" service is not active, this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>AZLX-23-001195Amazon Linux 2023 must have the crypto-policies package installed.<VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
+
+Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002450CCI-002890CCI-003123CCI-002421Configure Amazon Linux 2023 to have the crypto-policies package installed with the following command:
+
+$ sudo dnf install -y crypto-policiesVerify Amazon Linux 2023 crypto-policies package is installed with the following command:
+
+$ dnf list --installed crypto-policies
+Installed Packages
+crypto-policies.noarch 20240828-2.git626aa59.amzn2023.0.1 @System
+
+If the "crypto-policies" package is not installed, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>AZLX-23-001200Amazon Linux 2023 SSH server must be configured to use systemwide crypto policies.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001453Configure Amazon Linux 2023 so that the SSH daemon uses systemwide crypto policies by running the following commands:
+
+$ sudo dnf reinstall -y openssh-serverVerify Amazon Linux 2023 employs systemwide crypto policies for SSH with the following command:
+
+$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*include'
+/etc/ssh/sshd_config:Include /etc/ssh/sshd_config.d/*.conf
+/etc/ssh/sshd_config.d/50-redhat.conf:Include /etc/crypto-policies/back-ends/opensshserver.config
+
+If "Include /etc/ssh/sshd_config.d/*.conf" or "Include /etc/crypto-policies/back-ends/opensshserver.config" are not included in the system sshd config or the file /etc/ssh/sshd_config.d/50-redhat.conf is missing, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>AZLX-23-001205Amazon Linux 2023 server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+Amazon Server 2023 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001453Configure Amazon Linux 2023 so that the SSH server uses only ciphers employing FIPS 140-2/140-3 approved algorithms.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup.
It is recommended to restart the system for the change of policies to fully take place.Verify Amazon Linux 2023 SSH server is configured to use only ciphers employing FIPS 140-2/140-3 approved algorithms with the following command:
+
+$ sudo grep -i Ciphers /etc/crypto-policies/back-ends/opensshserver.config
+Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+
+If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", or they are missing or commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>AZLX-23-001210Amazon Linux 2023 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+Amazon Linux 2023 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file.
The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001453Configure Amazon Linux 2023 so that the SSH server uses only MACs employing FIPS 140-2/140-3 approved algorithms.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify Amazon Linux 2023 SSH server is configured to use only MACs employing FIPS 140-2/140-3 approved algorithms.
+
+To verify the MACs in the systemwide SSH configuration file, use the following command:
+
+$ sudo grep -i MACs /etc/crypto-policies/back-ends/opensshserver.config
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+
+If the MACs entries in the "opensshserver.config" file have any hashes other than "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512", or they are missing or commented out, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>AZLX-23-001215Amazon Linux 2023 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications.
Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001813Configure Amazon Linux 2023 so that the SSH daemon does not allow GSSAPI authentication.
+
+Add or uncomment the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" and set the value to "no":
+
+GSSAPIAuthentication no
+
+The SSH service must be restarted for changes to take effect:
+
+$ sudo systemctl restart sshd.serviceVerify Amazon Linux 2023 is configured so that the SSH daemon does not allow GSSAPI authentication with the following command:
+
+$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*gssapiauthentication'
+/etc/ssh/sshd_config.d/50-redhat.conf:GSSAPIAuthentication no
+
+If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer (ISSO), this is a finding.
+
+If the required value is not set, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>AZLX-23-001220Amazon Linux 2023 SSH daemon must not allow Kerberos authentication.<VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation.
Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001813Configure Amazon Linux 2023 so that the SSH daemon does not allow Kerberos authentication. + +Add the following line in "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "no": + +KerberosAuthentication no + +The SSH service must be restarted for changes to take effect: + +$ sudo systemctl restart sshd.serviceVerify Amazon Linux 2023 is configured so that the SSH daemon does not allow Kerberos authentication with the following command: + +$ [ec2-user@ip-172-31-12-63 ~]$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kerberosauthentication' +/etc/ssh/sshd_config.d/93-KerberosAuthentication.conf:KerberosAuthentication no + +If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of Kerberos authentication has not been documented with the information system security officer (ISSO), this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>AZLX-23-001225Amazon Linux 2023 must force a frequent session key renegotiation for SSH connections to the server.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
+ +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + +Session key regeneration limits the chances of a session key becoming compromised. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000033-GPOS-00014, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002418CCI-000068CCI-002421Configure Amazon Linux 2023 to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config" file or in a file in "/etc/ssh/sshd_config.d": + +RekeyLimit 1G 1h + +Restart the SSH daemon for the settings to take effect. 
+ +$ sudo systemctl restart sshd.serviceVerify Amazon Linux 2023 is configured so that the SSH forces frequent session key renegotiation with the following command: + +$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*rekeylimit' +RekeyLimit 1G 1h + +If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing, or is commented out, this is a finding.SRG-OS-000105-GPOS-00052<GroupDescription></GroupDescription>AZLX-23-001230Amazon Linux 2023 SSHD must accept public key authentication.<VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. + +Multifactor authentication requires using two or more factors to achieve authentication. + +Factors include: +1. Something a user knows (e.g., password/PIN); +2. Something a user has (e.g., cryptographic identification device, token); and +3. Something a user is (e.g., biometric). + +A privileged account is defined as an information system account with authorizations of a privileged user. + +Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). + +The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. 
+ +Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000765CCI-000766Configure Amazon Linux 2023 to use public key authentication for SSHD by adding or modifying the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". + +PubkeyAuthentication yes + +Restart the SSH daemon for the settings to take effect: + +$ sudo systemctl restart sshd.serviceVerify Amazon Linux 2023 is configured so that the SSH daemon accepts public key encryption with the following command: + +$ sudo grep -ir PubkeyAuthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/ +/etc/ssh/sshd_config:#PubkeyAuthentication yes +/etc/ssh/sshd_config.d/90-PubkeyAuth:PubkeyAuthentication yes + +If "PubkeyAuthentication" is set to no, the line is commented out, or the line is missing, this is a finding.SRG-OS-000106-GPOS-00053<GroupDescription></GroupDescription>AZLX-23-001235Amazon Linux 2023 SSHD must not allow blank passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords must never be used in operational environments. 
+ +Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000766CCI-000366Configure Amazon Linux 2023 to prevent SSH users from logging on with blank passwords. + +Edit the following line in "etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d": + +PermitEmptyPasswords no + +Restart the SSH daemon for the settings to take effect: + +$ sudo systemctl restart sshd.serviceVerify Amazon Linux 2023 remote access using SSH prevents logging on with a blank password with the following command: + +$ sudo grep -ir PermitEmptyPasswords /etc/ssh/sshd_config /etc/ssh/sshd_config.d/ +/etc/ssh/sshd_config:PermitEmptyPasswords no + +If the "PermitEmptyPassword" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000109-GPOS-00056<GroupDescription></GroupDescription>AZLX-23-001240Amazon Linux 2023 must not permit direct logons to the root account using remote access via SSH.<VulnDiscussion>To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. Additionally, an additional layer of security is gained by extending the policy of not logging directly on as root, even though the communications channel may be encrypted. + +A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the Unix OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. 
+ +For example, the Unix and Windows operating systems offer a "switch user" capability allowing users to authenticate with their individual credentials and, when needed, switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. + +Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on Amazon Linux 2023 without identification or authentication. + +Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004045Configure Amazon Linux 2023 to prevent SSH users from logging on directly as root add or modify the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d". 
+ +PermitRootLogin no + +Restart the SSH daemon for the settings to take effect: + +$ sudo systemctl restart sshd.serviceVerify Amazon Linux 2023 remote access using SSH prevents users from logging on directly as "root" with the following command: + +$ sudo grep -ir PermitRootLogin /etc/ssh/sshd_config /etc/ssh/sshd_config.d/ +/etc/ssh/sshd_config:PermitRootLogin no + +If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>AZLX-23-001245Amazon Linux 2023 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at Amazon Linux 2023 level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that Amazon Linux 2023 terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. 
+ +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001133CCI-002361CCI-002891Configure Amazon Linux 2023 SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. + +Note: This setting must be applied in conjunction with "ClientAliveCountMax 1" to function correctly. + +Modify or append the following lines in the "/etc/ssh/sshd_config" or a dropfile in "/etc/ssh/sshd_config.d" file: + +ClientAliveInterval 600 + +For the changes to take effect, the SSH daemon must be restarted. 
+ +$ sudo systemctl restart sshd.serviceVerify Amazon Linux 2023 has the "ClientAliveInterval" variable set to a value of "600" or less by performing the following command: + +$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval' +/etc/ssh/sshd_config.d/91-ClientAliveInterval.conf:ClientAliveInterval 600 + +If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config" or a dropfile in "/etc/ssh/sshd_config.d", or is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>AZLX-23-001250Amazon Linux 2023 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at Amazon Linux 2023 level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that Amazon Linux 2023 terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. 
+ +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001133CCI-002361Configure Amazon Linux 2023 SSHD to terminate a user session automatically after the SSH client has become unresponsive. + +Note: This setting must be applied in conjunction with AZLX-23-000820 to function correctly. + +Modify or append the following lines in the "/etc/ssh/sshd_config" file or a dropfile in "/etc/ssh/sshd_config.d": + +ClientAliveCountMax 1 + +For the changes to take effect, the SSH daemon must be restarted. + +$ sudo systemctl restart sshd.serviceVerify Amazon Linux 2023 SSHD has the "ClientAliveCountMax" set to "1" by performing the following command: + +$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientalivecountmax' +/etc/ssh/sshd_config.d/92-ClientAliveCountMax.conf:ClientAliveCountMax 1 + +If "ClientAliveCountMax" do not exist, is not set to a value of "1" in "/etc/ssh/sshd_config" or a dropfile in "/etc/ssh/sshd_config.d" , or is commented out, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>AZLX-23-001255Amazon Linux 2023 must enable the Pluggable Authentication Module (PAM) interface for SSHD.<VulnDiscussion>If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. 
The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. + +Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. + +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000877Configure Amazon Linux 2023 SSHD to use the UsePAM interface. 
+ +Add or modify the following line in "/etc/ssh/sshd_config": + +UsePAM yes + +Restart the SSH daemon for the settings to take effect: + +$ sudo systemctl restart sshd.serviceVerify Amazon Linux 2023 SSHD is configured to allow for the UsePAM interface with the following command: + +$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*usepam' +/etc/ssh/sshd_config.d/50-redhat.conf:UsePAM yes + +If the "UsePAM" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>AZLX-23-001260Amazon Linux 2023 must implement DOD-approved encryption in the OpenSSL package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001453Configure Amazon Linux 2023 OpenSSL library to use the system wide cryptographic policy. 
+ +Edit the "/etc/pki/tls/openssl.cnf" and add or modify the following line: + +.include = /etc/crypto-policies/back-ends/opensslcnf.configVerify Amazon Linux 2023 is configured so that the OpenSSL library uses only ciphers employing FIPS 140-2/140-3 approved algorithms with the following command: + +$ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf +.include = /etc/crypto-policies/back-ends/opensslcnf.config + +If the "opensslcnf.config" is not defined in the "/etc/pki/tls/openssl.cnf" file, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>AZLX-23-001265Amazon Linux 2023 must implement DOD-approved TLS encryption in the OpenSSL package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
+ +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001453Configure Amazon Linux 2023 OpenSSL library to use only DOD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file: + +TLS.MinProtocol = TLSv1.2 +DTLS.MinProtocol = DTLSv1.2 + +A reboot is required for the changes to take effect.Verify Amazon Linux 2023 is configured so that the OpenSSL library uses TLS 1.2 encryption or stronger with following command: + +$ grep -i minprotocol /etc/crypto-policies/back-ends/opensslcnf.config +TLS.MinProtocol = TLSv1.2 +DTLS.MinProtocol = DTLSv1.2 + +If the "TLS.MinProtocol" is set to anything older than "TLSv1.2" or the "DTLS.MinProtocol" is set to anything older than "DTLSv1.2", this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>AZLX-23-001270Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant systemwide cryptographic policy.<VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. 
+ +Satisfies: SRG-OS-000120-GPOS-00061, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000803CCI-002450CCI-002890CCI-003123CCI-002421Configure Amazon Linux 2023 to use a FIPS 140-2/140-3 compliant systemwide cryptographic policy. + +Create subpolicies for enhancements to the systemwide crypto-policy with the following commands: + +Create or edit the SCOPES-AND-WILDCARDS policy module in a text editor and insert options that modify the systemwide cryptographic policy as follows: +$ sudo vi /etc/crypto-policies/policies/modules/SCOPES-AND-WILDCARDS.pmod + +Add the following lines to the policy: +# Disable CHACHA20-POLY1305 for the TLS protocol (OpenSSL, GnuTLS, NSS, and OpenJDK) +cipher@TLS = -CHACHA20-POLY1305 + +# Disable all CBC mode ciphers for the SSH protocol (libssh and OpenSSH) +cipher@SSH = -*-CBC + +Create or edit the OPENSSH-SUBPOLICY module in a text editor and insert options that modify the systemwide crypto-policy as follows: +$ sudo vi /etc/crypto-policies/policies/modules/OPENSSH-SUBPOLICY.pmod + +Add the following lines to the policy: +# Define ciphers for OpenSSH +cipher@SSH=AES-256-GCM AES-128-GCM AES-256-CTR AES-128-CTR + +# Define MACs for OpenSSH +mac@SSH=HMAC-SHA2-512 HMAC-SHA2-256 + +Create or edit the REQUIRE.pmod file and add the following lines to include the subpolicies in the FIPS configuration with the following command: + +$ sudo vi /etc/crypto-policies/policies/modules/REQUIRE.pmod + +Add the following lines to REQUIRE.pmod: +@OPENSSH-SUBPOLICY 
+@SCOPES-AND-WILDCARDS + +Apply the policy enhancements to the FIPS systemwide cryptographic policy level with the following command: + +$ sudo update-crypto-policies --set FIPS + +Note: If additional subpolicies are being employed, they should be added to the REQUIRE.pmod as well. REQUIRE.pmod is included in the systemwide crypto-policy when it is set. + +To make the cryptographic settings effective for already running services and applications, restart the system: +$ sudo rebootVerify Amazon Linux 2023 is set to use a FIPS 140-2/140-3 compliant systemwide cryptographic policy. + +$ update-crypto-policies --show +FIPS + +If the systemwide crypto policy is not set to "FIPS", this is a finding. + +Inspect the contents of the REQUIRE.pmod file (if it exists) to verify only authorized modifications to the current policy are included with the following command: + +$ cat /etc/crypto-policies/policies/modules/REQUIRE.pmod + +Note: If subpolicies have been configured, they could be listed in a colon-separated list starting with FIPS as follows FIPS:<SUBPOLICY-NAME>:<SUBPOLICY-NAME>. This is not a finding. + +If the AD-SUPPORT subpolicy module is included (e.g., "FIPS:AD-SUPPORT"), and Active Directory support is not documented as an operational requirement with the information system security officer (ISSO), this is a finding. + +If the NO-ENFORCE-EMS subpolicy module is included (e.g., "FIPS:NO-ENFORCE-EMS"), and not enforcing EMS is not documented as an operational requirement with the ISSO, this is a finding. + +Verify the current minimum crypto-policy configuration with the following commands: + +$ grep -E 'rsa_size|hash' /etc/crypto-policies/state/CURRENT.pol +hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256 +min_rsa_size = 2048 + +If the "hash" values do not include at least the following FIPS 140-2/140-3 compliant algorithms "SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256", this is a finding. 
+ +If there are algorithms that include "SHA1" or a hash value less than "256" this is a finding. + +If the "min_rsa_size" is not set to a value of at least 2048, this is a finding. + +If these commands do not return any output, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>AZLX-23-001275Amazon Linux 2023 must implement DOD-approved encryption to protect the confidentiality of remote access sessions.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. + +Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. 
The encryption strength of a mechanism is selected based on the security categorization of the information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000068Configure Amazon Linux 2023 SSH server to use only ciphers employing FIPS 140-2/140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: + +Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr + +A reboot is required for the changes to take effect.Verify Amazon Linux 2023 is configured so that the SSH server uses only ciphers employing FIPS 140-2/140-3 approved algorithms with the following command: + +$ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config +Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr + +If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", they are missing, or commented out, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>AZLX-23-001280Amazon Linux 2023 must enable FIPS mode.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Amazon Linux 2023 must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. 
+ +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000068CCI-000877CCI-002450CCI-002418Configure Amazon Linux 2023 to implement FIPS mode with the following commands: + +$ sudo fips-mode-setup --enable + +Reboot the system for the changes to take effect.Verify Amazon Linux 2023 is in FIPS mode with the following command: + +$ sudo fips-mode-setup --check +FIPS mode is enabled. + +If FIPS mode is not enabled, this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>AZLX-23-001285Amazon Linux 2023 crypto policy must not be overridden.<VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. 
+ +Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000424-GPOS-00188, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002450CCI-002890CCI-003123CCI-002421CCI-004062CCI-000803Configure Amazon Linux 2023 to correctly implement the systemwide cryptographic policies by reinstalling the crypto-policies package contents. + +Reinstall crypto-policies with the following command: + +$ sudo dnf -y reinstall crypto-policies + +Set the crypto-policy to FIPS with the following command: + +$ sudo update-crypto-policies --set FIPS +Setting system policy to FIPS + +Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify Amazon Linux 2023 custom crypto policies are loaded correctly with the following command: + +$ ls -l /etc/crypto-policies/back-ends/ +lrwxrwxrwx. 1 root root 40 Mar 7 19:22 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt +lrwxrwxrwx. 1 root root 42 Mar 7 19:22 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt +lrwxrwxrwx. 1 root root 40 Mar 7 19:22 java.config -> /usr/share/crypto-policies/FIPS/java.txt +lrwxrwxrwx. 1 root root 46 Mar 7 19:22 javasystem.config -> /usr/share/crypto-policies/FIPS/javasystem.txt +lrwxrwxrwx. 1 root root 40 Mar 7 19:22 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt +lrwxrwxrwx. 1 root root 45 Mar 7 19:22 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt +lrwxrwxrwx. 
1 root root 42 Mar 7 19:22 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt +-rw-r--r--. 1 root root 398 Mar 7 19:22 nss.config +lrwxrwxrwx. 1 root root 43 Mar 7 19:22 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt +lrwxrwxrwx. 1 root root 49 Mar 7 19:22 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt +lrwxrwxrwx. 1 root root 43 Mar 7 19:22 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt +lrwxrwxrwx. 1 root root 48 Mar 7 19:22 openssl_fips.config -> /usr/share/crypto-policies/FIPS/openssl_fips.txt +lrwxrwxrwx. 1 root root 46 Mar 7 19:22 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt + +If the paths do not point to the respective files under /usr/share/crypto-policies/FIPS path, this is a finding. +Note: nss.config must not be hyperlinked.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>AZLX-23-001290Amazon Linux 2023 must enable certificate-based smart card authentication.<VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. + +Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000705-GPOS-00150</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004046CCI-004047Configure Amazon Linux 2023 to have smart cards enabled in SSSD. 
+ +Edit the file "/etc/sssd/sssd.conf" or a configuration file in "/etc/sssd/conf.d" and add or edit the following line: + +pam_cert_auth = TrueNote: If the system administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. + +Verify Amazon Linux 2023 has smart cards enabled in System Security Services Daemon (SSSD), run the following command: + +$ sudo grep -ir pam_cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/ +/etc/sssd/sssd.conf:pam_cert_auth = True + +If "pam_cert_auth" is not set to "True", the line is commented out, or the line is missing, this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>AZLX-23-001295Amazon Linux 2023 must map the authenticated identity to the user or group account for PKI-based authentication.<VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000187Configure Amazon Linux 2023 to map the authenticated identity to the user or group account by adding or modifying the certmap section of the "/etc/sssd/sssd.conf file based on the following example: + +[certmap/testing.test/rule_name] +matchrule =<SAN>.*EDIPI@mil +maprule = (userCertificate;binary={cert!bin}) +domains = testing.test + +The "sssd" service must be restarted for the changes to take effect. 
To restart the "sssd" service, run the following command: + +$ sudo systemctl restart sssd.serviceNote: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. + +Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command: + +$ sudo find /etc/sssd/sssd.conf /etc/sssd/conf.d/ -type f -exec cat {} \; +[sssd] +config_file_version = 2 +services = pam, sudo, ssh +domains = testing.test + +[pam] +pam_cert_auth = True +offline_credentials_expiration = 1 + +[domain/testing.test] +id_provider = ldap + +[certmap/testing.test/rule_name] +matchrule =<SAN>.*EDIPI@mil +maprule = (userCertificate;binary={cert!bin}) +domains = testing.test + +If the certmap section does not exist, ask the SA to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>AZLX-23-001300Amazon Linux 2023 must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. + +Amazon Linux 2023 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). 
By default, SSSD performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. + +Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004046CCI-001954Configure Amazon Linux 2023 to implement certificate status checking for multifactor authentication. + +Review the "/etc/sssd/conf.d/certificate_verification.conf" file to determine if the system is configured to prevent OCSP or certificate verification. + +Add the following line to the "/etc/sssd/conf.d/certificate_verification.conf" file: + +certificate_verification = ocsp_dgst=sha512 + +Set the correct ownership and permissions on the "/etc/sssd/conf.d/certificate_verification.conf" file by running these commands: + +$ sudo chown root:root "/etc/sssd/conf.d/certificate_verification.conf" +$ sudo chmod 600 "/etc/sssd/conf.d/certificate_verification.conf" + +The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: + +$ sudo systemctl restart sssd.serviceNote: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. 
+ +Verify Amazon Linux 2023 implements Online Certificate Status Protocol (OCSP) and is using the proper digest value on the system with the following command: + +$ sudo grep -ir certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/ | grep -v "^#" +certificate_verification = ocsp_dgst=sha512 + +If the certificate_verification line is missing from the [sssd] section, or is missing "ocsp_dgst=sha512", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. + +If there is no evidence of certificate status checking being used, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>AZLX-23-001305Amazon Linux 2023 must prohibit the use of cached authenticators after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002007Configure Amazon Linux 2023 SSSD service to prohibit the use of cached authentications after one day. + +Add or change the following line in "/etc/sssd/sssd.conf" just below the line [pam]: + +offline_credentials_expiration = 1Verify Amazon Linux 2023 is configured so that the System Security Services Daemon (SSSD) prohibits the use of cached authentications after one day. + +Note: Cached authentication settings should be configured even if smart card authentication is not used on the system. 
+ +Check that SSSD allows cached authentications with the following command: + +$ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/ +/etc/sssd/sssd.conf:cache_credentials = true + +If "cache_credentials" is set to "false" or missing from the configuration file, this is not a finding and no further checks are required. + +If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day with the following command: + +$ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/ +/etc/sssd/sssd.conf:offline_credentials_expiration = 1 + +If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>AZLX-23-001310Amazon Linux 2023, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. + +A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. + +This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. 
Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. + +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000775-GPOS-00230, SRG-OS-000384-GPOS-00167, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000185CCI-004909CCI-004068CCI-002470Configure Amazon Linux 2023 to have valid certificates by using AWS Certificate Manager (ACM) or another certificate manager to manage SSL/TLS certificates. + +In the AWS Management Console, request or import the necessary SSL/TLS certificates into ACM. + +ACM will handle the certificate lifecycle management, including validation and trust chain establishment.Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. + +Verify Amazon Linux 2023 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor. + +Check that the system has a valid DOD root CA installed with the following command: + +$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3 + Validity + Not Before: Mar 20 18:46:41 2012 GMT + Not After : Dec 30 18:46:41 2029 GMT + Subject: C = US, O = U.S. 
Government, OU = DOD, OU = PKI, CN = DOD Root CA 3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + +If the root ca file is not a DOD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.SRG-OS-000067-GPOS-00035<GroupDescription></GroupDescription>AZLX-23-001315Amazon Linux 2023, for PKI-based authentication, must enforce authorized access to the corresponding private key.<VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. + +The cornerstone of the PKI is the private key used to encrypt or digitally sign information. + +If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. + +Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000186Configure Amazon Linux 2023 SSH private key files to have a passcode. + +Create a new private and public key pair that utilizes a passcode with the following command: + +$ sudo ssh-keygen -n [passphrase]Verify Amazon Linux 2023 SSH private key files have a passcode. 
+ +For each private key stored on the system, use the following command: + +$ sudo ssh-keygen -y -f /path/to/file + +If the contents of the key are displayed, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>AZLX-23-002000Amazon Linux 2023 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.<VulnDiscussion>Display of a standardized and approved use notification before granting access to Amazon Linux 2023 ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000048Configure Amazon Linux 2023 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the ssh. + +Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."Verify Amazon Linux 2023 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system over any publicly accessible connection. + +View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DOD Notice and Consent Banner with the following command: + +$ more /etc/issue + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
+ +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +If the system does not display a logon banner or the banner text does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.SRG-OS-000228-GPOS-00088<GroupDescription></GroupDescription>AZLX-23-002005Amazon Linux 2023 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 
+ +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure Amazon Linux 2023 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via ssh. + +Edit the "etc/ssh/sshd_config" file or a file in "/etc/ssh/sshd_config.d" to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). + +An example configuration line is: + +Banner /etc/issueVerify Amazon Linux 2023 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system from any SSH connection. + +Check for the location of the banner file being used with the following command: + +$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*banner' +/etc/ssh/sshd_config.d/80-bannerPointer.conf:Banner /etc/issue + +This command will return the banner keyword and the name of the file that contains the SSH banner (in this case "/etc/issue"). 
+ +If the line is commented out, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>AZLX-23-002015Amazon Linux 2023 must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems must be able to allocate audit record storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001849Configure Amazon Linux 2023 to provide adequate storage for at least one-week of audit logs when audit records are not immediately sent to a central audit record storage facility. + +If the storage partition is not large enough for at least one week of audit logs, then either: + +1. Resize the partition to ensure there is enough storage capacity. +2. Create a new partition for the audit logs.Verify Amazon Linux 2023 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. + +Note: The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. Typically 10.0 GB of storage space for audit records should be sufficient. 
+ +Determine which partition the audit records are being written to with the following command: + +$ sudo grep log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Check the size of the partition that audit records are written to with the following command and verify whether it is sufficiently large: + + # df -h /var/log/audit/ +/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit + +If the audit record partition is not allocated for sufficient storage capacity, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>AZLX-23-002020Amazon Linux 2023 must use a separate file system for the system audit data path.<VulnDiscussion>Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files and helps ensure that auditing cannot be halted due to the partition running out of space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001849Configure Amazon Linux 2023 to have a separate file system/partition for the system audit data path. + +Migrate the system audit data path onto a separate partition.Verify Amazon Linux 2023 has a separate file system/partition created for the system audit data path with the following command: + +Note: /var/log/audit is used as the example as it is a common location. 
+ +$ mount | grep /var/log/audit +UUID=2efb2979-45ac-82d7-0ae632d11f51 on /var/log/home type xfs (rw,realtime,seclabel,attr2,inode64)SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>AZLX-23-002025Amazon Linux 2023 must label all off-loaded audit logs before sending them to the central log server.<VulnDiscussion>Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001851Configure Amazon Linux 2023 to be configured so that the Audit Daemon labels all off-loaded audit logs. + +Edit the /etc/audit/auditd.conf file and add or update the "name_format" option: + +name_format = hostname + +The audit daemon must be restarted for changes to take effect.Verify Amazon Linux 2023 is configured so that the Audit Daemon labels all off-loaded audit logs with the following command: + +$ sudo grep name_format /etc/audit/auditd.conf +name_format = hostname + +If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>AZLX-23-002030Amazon Linux 2023 must take appropriate action when the internal event queue is full.<VulnDiscussion>The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. 
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001851Configure Amazon Linux 2023 so that the audit system takes an appropriate action when the internal event queue is full. + +Edit the /etc/audit/auditd.conf file and add or update the "overflow_action" option: + +overflow_action = syslog + +The audit daemon must be restarted for changes to take effect.Verify Amazon Linux 2023 audit system is configured to take an appropriate action when the internal event queue is full: + +$ sudo grep -i overflow_action /etc/audit/auditd.conf +overflow_action = syslog + +If the value of the "overflow_action" option is not set to "syslog", "single", "halt" or the line is commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. 
+ +If there is no evidence that the transfer of the audit logs being off-loaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>AZLX-23-002035Amazon Linux 2023 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001855Configure Amazon Linux 2023 to take action when the audit log storage volume reaches 75 percent of the maximum storage capacity. + +Edit /etc/audit/auditd.conf and ensure the parameter "space_left = 25" is configured.Verify Amazon Linux 2023 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: + +$ sudo grep -w space_left /etc/audit/auditd.conf +space_left = 25% + +If the value of the "space_left" keyword is not set to 25 percent of the storage volume allocated to audit logs, or if the line is commented out, ask the system administrator (SA) to indicate how the system is providing real-time alerts to the SA and information system security officer (ISSO). 
If the "space_left" value is not configured to the correct value, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>AZLX-23-002040Amazon Linux 2023 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001855Configure Amazon Linux 2023 to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file. + +space_left_action = emailVerify Amazon Linux 2023 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: + +$ sudo grep -w space_left_action /etc/audit/auditd.conf +space_left_action = email + +If the value of the "space_left_action" is not set to "email", or if the line is commented out, ask the SA to indicate how the system is providing real-time alerts to the SA and ISSO. 
+ +If there is no evidence that real-time alerts are configured on the system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>AZLX-23-002045Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.<VulnDiscussion>If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001855Configure Amazon Linux 2023 to initiate an action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file. + +admin_space_left = 5%Verify Amazon Linux 2023 takes action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: + +$ sudo grep -w admin_space_left /etc/audit/auditd.conf +admin_space_left = 5% + +If the value of the "admin_space_left" keyword is not set to 5 percent of the storage volume allocated to audit logs, or if the line is commented out, ask the system administrator (SA) to indicate how the system is taking action if the allocated storage is about to reach capacity. 
If the "space_left" value is not configured to the correct value, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>AZLX-23-002050Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.<VulnDiscussion>If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001855Configure Amazon Linux 2023 so that the auditd service takes action in the event of allocated audit record storage volume reaching 95 percent of the repository maximum audit record storage capacity. + +Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity: + +admin_space_left_action = single + +The audit daemon must be restarted for changes to take effect.Verify Amazon Linux 2023 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: + +$ sudo grep admin_space_left_action /etc/audit/auditd.conf +admin_space_left_action = single + +If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the system administrator (SA) to indicate how the system is providing real-time alerts to the SA and information system security officer (ISSO). 
+ +If there is no evidence that real-time alerts are configured on the system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>AZLX-23-002055Amazon Linux 2023 must immediately notify the system administrator (SA) and information system security officer (ISSO), at a minimum, of an audit processing failure event.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001855Configure Amazon Linux 2023 to that the auditd service notifies the SA and ISSO in the event of an audit processing failure. 
+ +Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: + +action_mail_acct = root + +The audit daemon must be restarted for changes to take effect.Verify Amazon Linux 2023 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command: + +$ sudo grep action_mail_acct /etc/audit/auditd.conf +action_mail_acct = root + +If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the SA to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>AZLX-23-002060Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog.<VulnDiscussion>The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001851Configure Amazon Linux 2023 to use the audisp-remote syslog service. 
+ +Edit the /etc/audit/plugins.d/syslog.conf file and add or update the "active" option: + +active = yes + +The audit daemon must be restarted for changes to take effect.Verify Amazon Linux 2023 is configured use the audisp-remote syslog service with the following command: + +$ sudo grep active /etc/audit/plugins.d/syslog.conf +active = yes + +If the "active" keyword does not have a value of "yes", the line is commented out, or the line is missing, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>AZLX-23-002065Amazon Linux 2023 must authenticate the remote logging server for off-loading audit logs via rsyslog.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001851Configure Amazon Linux 2023 to authenticate the remote logging server for off-loading audit logs by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": + +$ActionSendStreamDriverAuthMode x509/nameVerify Amazon Linux 2023 authenticates the remote logging server for off-loading audit logs with the following command: + +$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf +/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name + +If the value of the "$ActionSendStreamDriverAuthMode" option is not set to "x509/name" or the line is commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. 
+ +If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>AZLX-23-002070Amazon Linux 2023 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001851Configure Amazon Linux 2023 to encrypt off-loaded audit records via rsyslog by setting the following options in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": + +$ActionSendStreamDriverMode 1Verify Amazon Linux 2023 encrypts audit records off-loaded onto a different system or media from the system being audited via rsyslog with the following command: + +$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf +/etc/rsyslog.conf:$ActionSendStreamDriverMode 1 + +If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>AZLX-23-002075Amazon Linux 2023 must encrypt via the gtls driver the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. 
+ +Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and off-load auditing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001851Configure Amazon Linux 2023 to use the ossl driver to encrypt offloaded audit records by setting the following options in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": + +$DefaultNetstreamDriver osslVerify Amazon Linux 2023 uses the gtls driver to encrypt audit records off-loaded onto a different system or media from the system being audited with the following command: + +$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf +/etc/rsyslog.conf:$DefaultNetstreamDriver ossl + +If the value of the "$DefaultNetstreamDriver" option is not set to "ossl" or the line is commented out, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>AZLX-23-002080Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog.<VulnDiscussion>The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. 
+ +Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001851Configure Amazon Linux 2023 to off-load audit records onto a different system or media from the system being audited. + +If using systemd-journal-upload: +Edit "/etc/systemd/journal-upload.conf" with the appropriate configuration: + +[Upload] +URL=https://[server.domain]:[port]Verify Amazon Linux 2023 off-loads audit records onto a different system with the following command: + +$ more /etc/systemd/journal-upload.conf +[Upload] +URL=192.168.21.2 +ServerKeyFile=/etc/ssl/private/journal-upload.pem +ServerCertificateFile=/etc/ssl/certs/journal-upload.pem +TrustedCertificateFile=/etc/ssl/ca/trusted.pem + +If all of the entries do not have values, are commented out, or are missing, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>AZLX-23-002085Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.<VulnDiscussion>The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000018CCI-000130CCI-000135CCI-000169CCI-000015CCI-002884CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". 
+ +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/sudoers -p wa -k identity + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: + +$ sudo auditctl -l | grep '/etc/sudoers[^.]' +-w /etc/sudoers -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>AZLX-23-002090Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.<VulnDiscussion>The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000018CCI-000130CCI-000135CCI-000169CCI-000015CCI-002884CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". 
+ +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/sudoers.d/ -p wa -k identity + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + +$ sudo auditctl -l | grep /etc/sudoers.d +-w /etc/sudoers.d/ -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>AZLX-23-002095Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000018CCI-000130CCI-000135CCI-000169CCI-000015CCI-002884CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". 
+ +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/group -p wa -k identity + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + +$ sudo auditctl -l | egrep '(/etc/group)' +-w /etc/group -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>AZLX-23-002100Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000018CCI-000130CCI-000135CCI-000169CCI-000015CCI-002884CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". 
+ +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/gshadow -p wa -k identity + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: + +$ sudo auditctl -l | egrep '(/etc/gshadow)' +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>AZLX-23-002105Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.<VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000018CCI-000130CCI-000135CCI-000169CCI-000015CCI-002884CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". 
+ +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/security/opasswd -p wa -k identity + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + +$ sudo auditctl -l | egrep '(/etc/security/opasswd)' +-w /etc/security/opasswd -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000326-GPOS-00126<GroupDescription></GroupDescription>AZLX-23-002110Amazon Linux 2023 must audit uses of the "execve" system call.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. + +Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002233CCI-002234Configure Amazon Linux 2023 to audit the execution of the "execve" system call. 
+ +Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit the execution of the "execve" system call with the following command: + +$ sudo auditctl -l | grep execve +-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv + +If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002115Amazon Linux 2023 must audit all uses of the chmod, fchmod, and fchmodat system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls. + +Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod + +To load the rule to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit the execution of the "chmod", "fchmod", and "fchmodat" system calls with the following command: + +$ sudo auditctl -l | grep chmod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod + +If the command does not return the expected line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002120Amazon Linux 2023 must audit all uses of the chown, fchown, fchownat, and lchown system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. 
+ +Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod + +To load the rule to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit the execution of the "chown", "fchown", "fchownat", and "lchown" system calls with the following command: + +$ sudo auditctl -l | grep chown +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod + +If the command does not return the expected line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002125Amazon Linux 2023 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00216, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod + +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls with the following command: + +$ sudo auditctl -l | grep xattr +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod + +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod + +If the audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and 
"lremovexattr" system calls, or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002130Amazon Linux 2023 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 to generate an audit event for any successful/unsuccessful use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access + +-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit successful/unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls with the following command: + +$ sudo auditctl -l | grep 'open\|truncate\|creat' +-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access + +-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access + +If the output does not produce rules 
containing "-F exit=-EPERM", this is a finding. + +If the output does not produce rules containing "-F exit=-EACCES", this is a finding. + +If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002135Amazon Linux 2023 must audit all uses of the init_module and finit_module system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" system calls by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng + +To load the rule to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit the execution of the "init_module" and "finit_module" system calls with the following command: + +$ sudo auditctl -l | grep init_module +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng + +If audit rule is not defined for the "delete_module" system call, or the line returned is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002140Amazon Linux 2023 must audit all uses of the create_module system call.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. 
+ +Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change + +To load the rule to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur with the following command: + +$ sudo auditctl -l | grep "create_module" +-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=-1 -F key=module-change + +If audit rule is not defined for the "create_module" syscall, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002145Amazon Linux 2023 must audit all uses of the kmod command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "kmod" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. + +Check the auditing rules in "/etc/audit/audit.rules" with the following command: + +$ sudo auditctl -l | grep kmod +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002150Amazon Linux 2023 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 to generate an audit event for any successful/unsuccessful use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete + +To load the rule to the kernel immediately, use the following command: + +$ sudo 
augenrules --loadVerify Amazon Linux 2023 is configured to audit successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls with the following command: + +$ sudo auditctl -l | grep 'rename\|unlink\|rmdir' +-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete + +If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat" or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002155Amazon Linux 2023 must audit all uses of the chcon command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "chcon" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit the execution of the "chcon" command with the following command: + +$ sudo auditctl -l | grep chcon +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>AZLX-23-002160Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002884CCI-000172Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock". + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /var/log/faillock -p wa -k logins + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock" with the following command: + +$ sudo auditctl -l | grep /var/log/faillock +-w /var/log/faillock -p wa -k logins + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002165Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog". + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /var/log/lastlog -p wa -k logins + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: + +$ sudo auditctl -l | grep /var/log/lastlog +-w /var/log/lastlog -p wa -k logins + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>AZLX-23-002175Amazon Linux 2023 must audit all uses of the init command.<VulnDiscussion>Misuse of the init command may cause availability issues for the 
system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000172Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful uses of the "init" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit the execution of the "init" command with the following command: + +$ sudo auditctl -l | grep init +-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>AZLX-23-002180Amazon Linux 2023 must audit all uses of the reboot command.<VulnDiscussion>Misuse of the reboot command may cause availability issues for the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000172Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful uses of the 
"reboot" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit the execution of the "reboot" command with the following command: + +$ sudo auditctl -l | grep reboot +-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>AZLX-23-002185Amazon Linux 2023 must audit all uses of the shutdown command.<VulnDiscussion>Misuse of the shutdown command may cause availability issues for the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000172Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful uses of the "shutdown" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit the execution of the "shutdown" command with the following command: + +$ sudo auditctl -l | grep shutdown +-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k 
privileged-shutdown + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>AZLX-23-002190Amazon Linux 2023 audit tools must have a mode of "0755" or less permissive.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001493Configure Amazon Linux 2023 audit tools to have a mode of "0755" by running the following command: + +$ sudo chmod 0755 [audit_tool] + +Replace "[audit_tool]" with each audit tool that has a more permissive mode than "0755".Verify Amazon Linux 2023 audit tools have a mode of "0755" or less with the following command: + +$ stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules +755 /sbin/auditctl +755 /sbin/aureport +755 /sbin/ausearch +750 /sbin/autrace +755 /sbin/auditd +755 
/sbin/rsyslogd +755 /sbin/augenrules + +If any of the audit tool files have a mode more permissive than "0755", this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>AZLX-23-002195Amazon Linux 2023 audit tools must be owned by root.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001493Configure Amazon Linux 2023 audit tools to be owned by "root" by running the following command: + +$ sudo chown root [audit_tool] + +Replace "[audit_tool]" with each audit tool not owned by "root".Verify Amazon Linux 2023 audit tools are owned by "root" with the following command: + +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules +root /sbin/auditctl +root /sbin/aureport +root /sbin/ausearch +root /sbin/autrace +root /sbin/auditd +root /sbin/rsyslogd +root /sbin/augenrules + +If 
any audit tools do not have an owner of "root", this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>AZLX-23-002200Amazon Linux 2023 audit tools must be group-owned by root.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001493Configure Amazon Linux 2023 audit tools to be group-owned by "root" by running the following command: + +$ sudo chgrp root [audit_tool] + +Replace "[audit_tool]" with each audit tool not group-owned by "root".Verify Amazon Linux 2023 audit tools are group owned by "root" with the following command: + +$ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules +root /sbin/auditctl +root /sbin/aureport +root /sbin/ausearch +root /sbin/autrace +root /sbin/auditd +root /sbin/rsyslogd +root /sbin/augenrules + +If any audit tools do not have a group 
owner of "root", this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>AZLX-23-002205Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. + +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000018CCI-000130CCI-000135CCI-000169CCI-000015CCI-002884CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". 
+ +Enable the auditd daemon so that it can start at boot time: + +$ sudo systemctl enable auditd + +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": +-w /etc/passwd -p wa -k identity + +Then, restart the auditd service for the changes to take effect: + +$ sudo service auditd restartVerify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + +$ sudo auditctl -l | egrep '(/etc/passwd)' +-w /etc/passwd -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002210Amazon Linux 2023 must audit all successful/unsuccessful uses of the chage command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172Configure Amazon Linux 2023 so that the audit service generates an audit event for any successful/unsuccessful uses of the "chage" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured so that an audit event is generated for any successful/unsuccessful use of the "chage" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": + +$ sudo grep -w chage /etc/audit/audit.rules +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>AZLX-23-002215Amazon Linux 2023 must alert the information system security officer (ISSO) and system administrator (SA), at a minimum, in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as 
required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000139Configure Amazon Linux 2023 so that the "auditd" service notifies the SA and ISSO in the event of an audit processing failure. + +Edit the following line in "/etc/audit/auditd.conf" to ensure administrators are notified via email for those situations: + +action_mail_acct = rootVerify Amazon Linux 2023 is configured to notify the SA and ISSO, at a minimum, in the event of an audit processing failure with the following command: + +$ sudo grep action_mail_acct /etc/audit/auditd.conf +action_mail_acct = root + +If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the SA to indicate how they and the ISSO are notified of an audit process failure. 
If there is no evidence of the proper personnel being notified of an audit processing failure, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>AZLX-23-002220Amazon Linux 2023 must off-load audit records onto a different system in the event the audit storage volume is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001851Configure Amazon Linux 2023 to off-load audit logs in the event the audit storage volume becomes full. + +Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in "/etc/audit/auditd.conf" file: + +disk_full_action = SYSLOGVerify Amazon Linux 2023 takes the appropriate action when the audit storage volume is full using the following command: + +$ sudo grep disk_full_action /etc/audit/auditd.conf +disk_full_action = SYSLOG + +If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. 
If there is no evidence of appropriate action, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>AZLX-23-002225Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.<VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. + +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000162CCI-000163CCI-000164CCI-001314Configure Amazon Linux 2023 so that audit logs are group-owned by "root" or a restricted logging group. + +Change the group of the directory of "/var/log/audit" to be owned by a correct group. + +Identify the group that is configured to own audit log: + +$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf + +Change the ownership to that group: + +$ sudo chgrp ${GROUP} /var/log/auditVerify Amazon Linux 2023 audit logs are group-owned by "root" or a restricted logging group. 
+ +First determine if a group other than "root" has been assigned to the audit logs with the following command: + +$ sudo grep log_group /etc/audit/auditd.conf +log_group = root + +Then determine where the audit logs are stored with the following command: + +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Then using the location of the audit log file, determine if the audit log is group-owned by "root" using the following command: + +$ sudo stat -c "%G %n" /var/log/audit/audit.log +root /var/log/audit/audit.log + +If the audit log is not group-owned by "root" or the configured alternative logging group, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>AZLX-23-002230Amazon Linux 2023 audit log directory must be owned by root to prevent unauthorized read access.<VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. 
+ +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000162CCI-000163CCI-000164CCI-001314Configure Amazon Linux 2023 so that the audit logs directory is protected from unauthorized read access by setting the correct owner as "root" with the following command: + +$ sudo chown root /var/log/auditVerify Amazon Linux 2023 audit logs directory is owned by "root". + +First determine where the audit logs are stored with the following command: + +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Then using the location of the audit log file, determine if the audit log directory is owned by "root" using the following command: + +$ sudo ls -ld /var/log/audit +drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit + +If the audit log directory is not owned by "root", this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>AZLX-23-002235Amazon Linux 2023 audit logs file must have mode "0600" or less permissive to prevent unauthorized access to the audit log.<VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. 
+ +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000162CCI-000163CCI-000164CCI-001314Configure Amazon Linux 2023 so that the audit logs have a mode of "0600". + +Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". + +$ sudo chmod 0600 /var/log/audit/[audit_log_file] + +Check the group that owns the system audit logs: + +$ sudo grep -iw log_group /etc/audit/auditd.conf + +If the log_group is not defined or it is set to root, configure the permissions as follows: + +$ sudo chmod 0640 $log_file +$ sudo chmod 0440 $log_file.* + +Otherwise, configure the permissions as follows: + +$ sudo chmod 0600 $log_file +$ sudo chmod 0400 $log_file.*Verify Amazon Linux 2023 audit logs have a mode of "0600". 
+ +First determine where the audit logs are stored with the following command: + +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Then using the location of the audit log file, determine if the audit log files as a mode of "0640" with the following command: + +$ sudo find /var/log/audit/ -type f -exec stat -c '%a %n' {} \; +600 /var/log/audit/audit.log + +If the audit logs have a mode more permissive than "0600", this is a finding.SRG-OS-000063-GPOS-00032<GroupDescription></GroupDescription>AZLX-23-002240Amazon Linux 2023 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000171Configure Amazon Linux 2023 so that files in "/etc/audit/rules.d/" and the "/etc/audit/auditd.conf" file have a mode of "0640" or less permissive with the following commands: + +$ sudo chmod 0640 /etc/audit/rules.d/audit.rules +$ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules +$ sudo chmod 0640 /etc/audit/auditd.confVerify Amazon Linux 2023 is configured so that files in "/etc/audit/rules.d/" and the "/etc/audit/auditd.conf" file have a mode of "0640" or less permissive by using the following commands: + +$ sudo find /etc/audit/rules.d/ /etc/audit/audit.rules /etc/audit/auditd.conf -type f -exec stat -c "%a %n" {} \; +600 /etc/audit/rules.d/audit.rules +640 /etc/audit/audit.rules +640 /etc/audit/auditd.conf + +If the files in the "/etc/audit/rules.d/" directory or the "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002245Amazon Linux 2023 must audit all uses of the sudo command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+ +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-000172CCI-002884Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful use of the "sudo" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured to audit the execution of the "sudo" command with the following command: + +$ sudo auditctl -l | grep '/usr/bin/sudo\b' +-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>AZLX-23-002250Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) (SAs) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000018CCI-000130CCI-000135CCI-000169CCI-000015CCI-002884CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". 
+ +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/passwd -p wa -k identity + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + +$ sudo auditctl -l | egrep '(/etc/passwd)' +-w /etc/passwd -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>AZLX-23-002255Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) (SAs) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000275-GPOS-00105</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000018CCI-000130CCI-000135CCI-000169CCI-000015CCI-002884CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". 
+ +Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": + +-w /etc/shadow -p wa -k identity + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow with the following command: + +$ sudo auditctl -l | egrep '(/etc/shadow)' +-w /etc/shadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000255-GPOS-00096<GroupDescription></GroupDescription>AZLX-23-002260Amazon Linux 2023 must produce audit records containing information to establish the identity of any individual or process associated with the event.<VulnDiscussion>Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001487Configure Amazon Linux 2023 so that the audit system resolves audit information before writing to disk. 
+ +Edit the /etc/audit/auditd.conf file and add or update the "log_format" option: + +log_format = ENRICHED + +The audit daemon must be restarted for changes to take effect.Verify Amazon Linux 2023 is configured so that the audit system resolves audit information before writing to disk, with the following command: + +$ sudo grep log_format /etc/audit/auditd.conf +log_format = ENRICHED + +If the "log_format" option is not "ENRICHED", or the line is commented out, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>AZLX-23-002265Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001314Configure Amazon Linux 2023 to change the group of the directory of "/var/log/audit" to be owned by a correct group. 
+ +Identify the group that is configured to own audit log: + +$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf + +Change the ownership to that group: + +$ sudo chgrp ${GROUP} /var/log/auditVerify Amazon Linux 2023 is configured so that the audit logs are group-owned by "root" or a restricted logging group. + +First determine if a group other than "root" has been assigned to the audit logs with the following command: + +$ sudo grep log_group /etc/audit/auditd.conf + +Then determine where the audit logs are stored with the following command: + +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Then using the location of the audit log file, determine if the audit log is group-owned by "root" using the following command: + +$ sudo stat -c "%G %n" /var/log/audit/audit.log +root /var/log/audit/audit.log + +If the audit log is not group-owned by "root" or the configured alternative logging group, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>AZLX-23-002270Amazon Linux 2023 must ensure the audit log directory be owned by root to prevent unauthorized read access.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001314Configure Amazon Linux 2023 audit logs to be protected from unauthorized read access by setting the correct owner as "root" with the following command: + +$ sudo chown root /var/log/auditVerify Amazon Linux 2023 is configured so that the audit logs directory is owned by "root". + +First determine where the audit logs are stored with the following command: + +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Then using the location of the audit log file, determine if the audit log directory is owned by "root" using the following command: + +sudo stat -c '%U %n' /var/log/audit +root /var/log/audit + +If the audit log directory is not owned by "root", this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>AZLX-23-002275Amazon Linux 2023 audit logs file must have mode "0600" or less permissive to prevent unauthorized access to the audit log.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. 
+ +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001314Configure Amazon Linux 2023 audit logs to have a mode of "0600" with the following command: + +Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". + +$ sudo chmod 0600 /var/log/audit/[audit_log_file] + +Check the group that owns the system audit logs: + +$ sudo grep -m 1 -q ^log_group /etc/audit/auditd.conf + +If the log_group is not defined or it is set to root, configure the permissions as follows: + +$ sudo chmod 0640 $log_file +$ sudo chmod 0440 $log_file.* + +Otherwise, configure the permissions as follows: + +$ sudo chmod 0600 $log_file +$ sudo chmod 0400 $log_file.*Verify Amazon Linux 2023 is configured so that the audit logs have a mode of "0600". 
+ +First determine where the audit logs are stored with the following command: + +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Then using the location of the audit log file, determine if the audit log files as a mode of "0640" with the following command: + +$ sudo find /var/log/audit/ -type f -exec stat -c '%a %n' {} \; +600 /var/log/audit/audit.log + +If the audit logs have a mode more permissive than "0600", this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>AZLX-23-002280Amazon Linux 2023 library directories must be group-owned by root or a system account.<VulnDiscussion>If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001499Configure Amazon Linux 2023 systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. 
+ +Run the following command, replacing "[DIRECTORY]" with any library directory not group-owned by "root". + +$ sudo chgrp root [DIRECTORY]Verify Amazon Linux 2023 systemwide shared library directories are group-owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; + +If any systemwide shared library directory is returned and is not group-owned by a required system account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>AZLX-23-002285Amazon Linux 2023 library directories must have mode "755" or less permissive.<VulnDiscussion>If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001499Configure Amazon Linux 2023 systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. 
+ +Run the following command, replacing "[DIRECTORY]" with any library directory with a mode more permissive than "755". + +$ sudo chmod 755 [DIRECTORY]Verify Amazon Linux 2023 systemwide shared library directories have mode "755" or less permissive with the following command: + +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec ls -l {} \; + +If any systemwide shared library file is found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>AZLX-23-002290Amazon Linux 2023 library files must have mode "755" or less permissive.<VulnDiscussion>If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001499Configure Amazon Linux 2023 library files to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file with a mode more permissive than "755". 
+ +$ sudo chmod 755 [FILE]Verify Amazon Linux 2023 systemwide shared library files contained in the following directories have mode "755" or less permissive with the following command: + +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; + +If any systemwide shared library file is found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>AZLX-23-002295Amazon Linux 2023 library files must be owned by root.<VulnDiscussion>If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001499Configure Amazon Linux 2023 systemwide shared library files (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. + +Run the following command, replacing "[FILE]" with any library file not owned by "root". 
+ +$ sudo chown root [FILE]Verify Amazon Linux 2023 systemwide shared library files are owned by "root" with the following command: + +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \; + +If any systemwide shared library file is not owned by root, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>AZLX-23-002300Amazon Linux 2023 library files must be group-owned by root or a system account.<VulnDiscussion>If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001499Configure Amazon Linux 2023 systemwide shared library files (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. + +Run the following command, replacing "[FILE]" with any library file not group-owned by "root". + +$ sudo chgrp root [FILE]Verify Amazon Linux 2023 systemwide shared library files are group-owned by "root" with the following command: + +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! 
-group root -exec ls -l {} \; + +If any systemwide shared library file is returned and is not group-owned by a required system account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>AZLX-23-002305Amazon Linux 2023 library directories must be owned by root.<VulnDiscussion>If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001499Configure Amazon Linux 2023 systemwide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. + +Run the following command, replacing "[DIRECTORY]" with any library directory not owned by "root". + +$ sudo chown root [DIRECTORY]Verify Amazon Linux 2023 systemwide shared library directories are owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! 
-user root -type d -exec stat -c "%n %U" '{}' \; + +If any systemwide shared library directory is not owned by root, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>AZLX-23-002315Amazon Linux 2023 must ensure the /var/log directory have mode "0755" or less permissive.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001314Configure Amazon Linux 2023 so that the "/var/log" directory has a mode of "0755" by running the following command: + +$ sudo chmod 0755 /var/logVerify Amazon Linux 2023 is configured so that the "/var/log" directory has a mode of "0755" or less permissive with the following command: + +$ stat -c '%a %n' /var/log +755 /var/log + +If "/var/log" does not have a mode of "0755" or less permissive, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>AZLX-23-002320Amazon Linux 2023 must ensure the /var/log directory be owned by 
root.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001314Configure Amazon Linux 2023 so that the directory "/var/log" is owned by "root" with the following command: + +$ sudo chown root /var/logVerify Amazon Linux 2023 is configured so that the "/var/log" directory is owned by root with the following command: + +$ stat -c "%U %n" /var/log +root /var/log + +If "/var/log" does not have an owner of "root", this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>AZLX-23-002325Amazon Linux 2023 must ensure the /var/log directory be group-owned by root.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. 
Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001314Configure Amazon Linux 2023 so that the "/var/log" is group-owned "root" with the following command: + +$ sudo chgrp root /var/logVerify Amazon Linux 2023 is configured so the "/var/log" directory is group-owned by root with the following command: + +$ stat -c "%G %n" /var/log +root /var/log + +If "/var/log" does not have a group owner of "root", this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>AZLX-23-002330Amazon Linux 2023 must ensure the /var/log/messages file have mode "0640" or less permissive.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001314Configure Amazon Linux 2023 so that the "/var/log/messages" file has a mode of "0640" with the following command: + +$ sudo chmod 0640 /var/log/messagesVerify Amazon Linux 2023 is configured so that the "/var/log/messages" file has a mode of "0640" or less permissive with the following command: + +$ stat -c '%a %n' /var/log/messages +600 /var/log/messages + +If "/var/log/messages" does not have a mode of "0640" or less permissive, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>AZLX-23-002335Amazon Linux 2023 must ensure the /var/log/messages file be group-owned by root.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001314Configure Amazon Linux 2023 so that the "/var/log/messages" file is group-owned "root" with the following command: + +$ sudo chgrp root /var/log/messagesVerify Amazon Linux 2023 is configured so that the "/var/log/messages" file is group-owned by root with the following command: + +$ stat -c "%G %n" /var/log/messages +root /var/log/messages + +If "/var/log/messages" does not have a group owner of "root", this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>AZLX-23-002340Amazon Linux 2023 must ensure the /var/log/messages file be owned by root.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001314Configure Amazon Linux 2023 so that the "/var/log/messages" file is owned by "root" with the following command: + +$ sudo chown root /var/log/messagesVerify Amazon Linux 2023 is configured so that the "/var/log/messages" file is owned by root with the following command: + +$ stat -c "%U %n" /var/log/messages +root /var/log/messages + +If "/var/log/messages" does not have an owner of "root", this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>AZLX-23-002345Amazon Linux 2023 system commands must be owned by root.<VulnDiscussion>If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001499Configure Amazon Linux 2023 so that system commands are protected from unauthorized access. + +Run the following command, replacing "[FILE]" with any system command file not owned by "root". + +$ sudo chown root [FILE]Verify Amazon Linux 2023 system commands contained in the following directories are owned by "root" with the following command: + +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; + +If any system commands are found to not be owned by root, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>AZLX-23-002350Amazon Linux 2023 system commands must be group-owned by root or a system account.<VulnDiscussion>If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001499Configure Amazon Linux 2023 so that system commands are protected from unauthorized access. + +Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. + +$ sudo chgrp root [FILE]Verify Amazon Linux 2023 system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: + +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; + +If any system commands are returned and is not group-owned by a required system account, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>AZLX-23-002355Amazon Linux 2023 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
+ +Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000725-GPOS-00180</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004066CCI-004064Configure Amazon Linux 2023 to enforce password complexity by requiring that at least one uppercase character be used by setting the "ucredit" option. + +Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "ucredit" parameter: + +ucredit = -1 + +Remove any configurations that conflict with the above value.Verify Amazon Linux 2023 enforces password complexity by requiring that at least one uppercase character with the following command: + +$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf +ucredit = -1 + +If the value of "ucredit" is a positive number or is commented out, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>AZLX-23-002360Amazon Linux 2023 must enforce password complexity by requiring that at least one lowercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
+ +Satisfies: SRG-OS-000070-GPOS-00038, SRG-OS-000725-GPOS-00180</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004066CCI-004064Configure Amazon Linux 2023 to enforce password complexity by requiring that at least one lowercase character be used by setting the "lcredit" option. + +Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "lcredit" parameter: + +lcredit = -1 + +Remove any configurations that conflict with the above value.Verify Amazon Linux 2023 enforces password complexity by requiring that at least one lowercase character with the following command: + +$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf +lcredit = -1 + +If the value of "lcredit" is a positive number or is commented out, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>AZLX-23-002365Amazon Linux 2023 must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
+ +Satisfies: SRG-OS-000071-GPOS-00039, SRG-OS-000725-GPOS-00180</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004066CCI-004064Configure Amazon Linux 2023 to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. + +Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "dcredit" parameter: + +dcredit = -1 + +Remove any configurations that conflict with the above value.Verify Amazon Linux 2023 enforces password complexity by requiring that at least one numeric character with the following command: + +$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf +dcredit = -1 + +If the value of "dcredit" is a positive number or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>AZLX-23-002370Amazon Linux 2023 must require the change of at least 50 percent of the total number of characters when passwords are changed.<VulnDiscussion>If Amazon Linux 2023 allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. + +The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. 
+ +If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters. + +Satisfies: SRG-OS-000072-GPOS-00040, SRG-OS-000725-GPOS-00180</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004066CCI-004064Configure Amazon Linux 2023 to require the change of at least eight (with a 15 character password) of the total number of characters when passwords are changed by setting the "difok" option. + +Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "difok" parameter: + +difok = 8 + +Remove any configurations that conflict with the above value. This value can be customized based on desired password length.Verify Amazon Linux 2023 enforces password complexity by requiring that at least a change of at least eight characters when passwords are changed with the following command: + +$ sudo grep difok /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf +difok = 8 + +If the value of "difok" is set to less than "8", or is commented out, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>AZLX-23-002375Amazon Linux 2023 must enforce a minimum 15-character password length.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
+
+Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
+
+Satisfies: SRG-OS-000078-GPOS-00046, SRG-OS-000725-GPOS-00180</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004066CCI-004064Configure Amazon Linux 2023 to enforce a minimum 15-character password length.
+
+Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "minlen" parameter:
+
+minlen = 15
+
+Remove any configurations that conflict with the above value.Verify Amazon Linux 2023 enforces a minimum 15-character password length with the following command:
+
+$ sudo grep -rs minlen /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+/etc/security/pwquality.conf: minlen = 15
+
+If the command does not return a "minlen" value of 15 or greater, or the line is commented out, this is a finding.
+
+If conflicting results are returned, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>AZLX-23-002380Amazon Linux 2023 must enforce password complexity by requiring that at least one special character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
+
+Satisfies: SRG-OS-000266-GPOS-00101, SRG-OS-000725-GPOS-00180</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004066CCI-004064Configure Amazon Linux 2023 to enforce password complexity by requiring at least one special character be used by setting the "ocredit" option.
+
+Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "ocredit" parameter:
+
+ocredit = -1Verify Amazon Linux 2023 enforces password complexity by requiring at least one special character with the following command:
+
+$ sudo grep -rs ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+/etc/security/pwquality.conf: ocredit = -1
+
+If the value of "ocredit" is a positive number or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>AZLX-23-002385Amazon Linux 2023 must enforce password complexity rules for the root account.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+Satisfies: SRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPOS-00038, SRG-OS-000266-GPOS-00101, SRG-OS-000078-GPOS-00046, SRG-OS-000069-GPOS-00037</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004066Configure Amazon Linux 2023 to enforce password complexity on the root account.
+
+Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "enforce_for_root" parameter:
+
+enforce_for_rootVerify Amazon Linux 2023 enforces password complexity rules for the root account with the following command:
+
+$ sudo grep -rs enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+/etc/security/pwquality.conf:enforce_for_root
+
+If "enforce_for_root" is commented or missing, this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>AZLX-23-002390Amazon Linux 2023 must prevent the use of dictionary words for passwords.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If Amazon Linux 2023 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.
+
+Satisfies: SRG-OS-000480-GPOS-00225, SRG-OS-000710-GPOS-00160</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000366CCI-004061Configure Amazon Linux 2023 to prevent the use of dictionary words for passwords.
+
+Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter:
+
+dictcheck=1Verify Amazon Linux 2023 prevents the use of dictionary words for passwords with the following command:
+
+$ sudo grep -rs dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf
+/etc/security/pwquality.conf:dictcheck=1
+
+If the "dictcheck" parameter is not set to "1", is commented out, or is missing, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>AZLX-23-002395Amazon Linux 2023 must limit the number of concurrent sessions to ten for all accounts and/or account types.<VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks.
+
+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000054Configure Amazon Linux 2023 to limit the number of concurrent sessions to "10" for all accounts and/or account types.
+
+Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/:
+
+* hard maxlogins 10Verify Amazon Linux 2023 limits the number of concurrent sessions to "10" for all accounts and/or account types with the following command:
+
+$ sudo grep -r -s '^[^#].*maxlogins' /etc/security/limits.conf /etc/security/limits.d/*.conf
+* hard maxlogins 10
+
+This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
+
+If the "maxlogins" item is missing, commented out, or the value is set greater than "10" and is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "maxlogins" item assigned, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>AZLX-23-002396Amazon Linux 2023 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.<VulnDiscussion>Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000057CCI-001133Configure Amazon Linux 2023 to exit interactive command shell user sessions after 10 minutes of inactivity.
+
+Add or edit the following line in "/etc/profile.d/tmout.sh":
+
+#!/bin/bash
+
+declare -xr TMOUT=600Verify Amazon Linux 2023 is configured to exit interactive command shell user sessions after 10 minutes of inactivity or less with the following command:
+
+$ sudo grep -i tmout /etc/profile /etc/profile.d/*.sh
+/etc/profile.d/tmout.sh:declare -xr TMOUT=600
+
+If "TMOUT" is not set to "600" or less in a script located in the "/etc/'profile.d/ directory, is missing or is commented out, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>AZLX-23-002400Amazon Linux 2023 must enforce 24 hours/1 day as the minimum password lifetime.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004066Configure Amazon Linux 2023 to enforce 24 hours as the minimum password lifetime for new user accounts.
+
+Add the following line in "/etc/login.defs" (or modify the line to have the required value):
+
+PASS_MIN_DAYS 1Verify Amazon Linux 2023 enforces 24 hours as the minimum password lifetime for new user accounts with the following command:
+
+$ sudo grep -i pass_min_days /etc/login.defs
+PASS_MIN_DAYS 1
+
+If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>AZLX-23-002405Amazon Linux 2023 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000366Configure Amazon Linux 2023 to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.
+
+Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater:
+
+FAIL_DELAY 4Verify Amazon Linux 2023 enforces a delay of at least four seconds between console logon prompts following a failed logon attempt with the following command:
+
+$ sudo grep -i fail_delay /etc/login.defs
+FAIL_DELAY 4
+
+If the value of "FAIL_DELAY" is not set to "4" or greater, the line is commented out, or the line is missing, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>AZLX-23-002410Amazon Linux 2023 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.<VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
+
+Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00230</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000366Configure Amazon Linux 2023 to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
+
+Add or edit the lines for the "UMASK" parameter in the "/etc/login.defs" file to "077":
+
+UMASK 077Verify Amazon Linux 2023 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command:
+
+Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I.
+
+# grep -i umask /etc/login.defs
+UMASK 077
+
+If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000002-GPOS-00002<GroupDescription></GroupDescription>AZLX-23-002415Amazon Linux 2023 must automatically remove or disable temporary user accounts after 72 hours.<VulnDiscussion>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000016Configure Amazon Linux 2023 temporary accounts to have an expiration date of 72 hours.
+
+If a temporary account must be created configure the system to terminate the account after a 72 hour time period with the following command to set an expiration date on it. Substitute "system_account_name" with the account to be created.
+
+$ sudo chage -E $(date -d +3days +%Y-%m-%d) system_account_nameVerify Amazon Linux 2023 temporary accounts have been provisioned with an expiration date of 72 hours.
+
+For every existing temporary account, run the following command to obtain its account expiration information.
+
+$ sudo chage -l system_account_name
+
+Verify each of these accounts has an expiration date set within 72 hours.
+
+If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>AZLX-23-002420Amazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+Amazon Linux 2023 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000044Configure Amazon Linux 2023 to lock an account when three unsuccessful logon attempts occur.
+
+Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
+
+auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0
+auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
+account required pam_faillock.so
+
+The "sssd" service must be restarted for the changes to take effect.
To restart the "sssd" service, run the following command:
+
+$ sudo systemctl restart sssd.serviceVerify Amazon Linux 2023 locks an account after three unsuccessful logon attempts with the following commands:
+
+Note: If the system administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is met by that method.
+
+$ sudo grep pam_faillock.so /etc/pam.d/password-auth
+auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0
+auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
+account required pam_faillock.so
+
+If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module, or is missing from this line, if any of the lines are commented out, or are missing, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>AZLX-23-002425Amazon Linux 2023 must be able to enforce a 60-day maximum password lifetime restriction.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically.
If Amazon Linux 2023 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that Amazon Linux 2023 passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004066Configure Amazon Linux 2023 to set noncompliant accounts to enforce a 60-day maximum password lifetime restriction.
+
+$ sudo chage -M 60 [user]Verify Amazon Linux 2023 enforces the maximum time period for existing passwords is restricted to 60 days with the following commands:
+
+$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow
+
+$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow
+
+If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>AZLX-23-002430Amazon Linux 2023 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
+
+Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.
+
+Satisfies: SRG-OS-000118-GPOS-00060, SRG-OS-000590-GPOS-00110</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-003627CCI-003628Configure Amazon Linux 2023 to disable account identifiers after 35 days of inactivity after the password expiration.
+
+Run the following command to change the configuration for useradd:
+
+$ sudo useradd -D -f 35
+
+The recommendation is 35 days, but a lower value is acceptable.Verify Amazon Linux 2023 account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command:
+
+Check the account inactivity value by performing the following command:
+
+$ sudo grep -i inactive /etc/default/useradd
+INACTIVE=35
+
+If "INACTIVE" is set to "-1", a value greater than "35", or is commented out, this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>AZLX-23-002435Amazon Linux 2023 must automatically expire temporary accounts within 72 hours.<VulnDiscussion>Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors.
+
+Temporary accounts are different from emergency accounts.
Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.
+
+The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account must be established for privileged users who need long-term maintenance accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001682Configure Amazon Linux 2023 to expire temporary accounts after 72 hours with the following command:
+
+$ sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>
+Verify Amazon Linux 2023 temporary accounts have been provisioned with an expiration date of 72 hours.
+
+For every existing temporary account, run the following command to obtain its account expiration information:
+
+$ sudo chage -l <temporary_account_name> | grep -i "account expires"
+
+Verify each of these accounts has an expiration date set within 72 hours.
+
+If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000312-GPOS-00123<GroupDescription></GroupDescription>AZLX-23-002440Amazon Linux 2023 must restrict the use of the "su" command.<VulnDiscussion>The "su" program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user.
Limiting access to such commands is considered a good security practice.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002165Configure Amazon Linux 2023 to require users to be in the "wheel" group to run "su" command.
+
+In file "/etc/pam.d/su", uncomment the following line:
+
+"#auth required pam_wheel.so use_uid"
+
+$ sudo sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
+
+If necessary, create a "wheel" group and add administrative users to the group.Verify Amazon Linux 2023 requires uses to be members of the "wheel" group with the following command:
+
+$ grep pam_wheel /etc/pam.d/su
+auth required pam_wheel.so use_uid
+
+If a line for "pam_wheel.so" does not exist, or is commented out, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>AZLX-23-002445Amazon Linux 2023 must enable the SELinux targeted policy.<VulnDiscussion>Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
+
+Note: During the development or debugging of SELinux modules, it is common to temporarily place nonproduction systems in "permissive" mode.
In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to "targeted".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002696Configure Amazon Linux 2023 to use the targeted SELINUX policy.
+
+Edit the file "/etc/selinux/config" and add or modify the following line:
+
+ SELINUXTYPE=targeted
+
+A reboot is required for the changes to take effect.Verify Amazon Linux 2023 SELINUX is using the targeted policy with the following command:
+
+$ sestatus | grep policy
+Loaded policy name: targeted
+
+If the loaded policy name is not "targeted", this is a finding.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>AZLX-23-002450Amazon Linux 2023 must use a Linux Security Module configured to enforce limits on system services.<VulnDiscussion>An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions.
+
+Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For nonkernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code.
+
+Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Operating systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities.
+
+Satisfies: SRG-OS-000134-GPOS-00068, SRG-OS-000445-GPOS-00199</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001084CCI-002696Configure Amazon Linux 2023 to verify correct operation of security functions.
+
+Edit the file "/etc/selinux/config" and add or modify the following line:
+
+SELINUX=enforcing
+
+A reboot is required for the changes to take effect.Verify Amazon Linux 2023 verifies the correct operation of security functions through the use of SELinux with the following command:
+
+$ getenforce
+Enforcing
+
+If SELINUX is not set to "Enforcing", this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>AZLX-23-002455Amazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002238Configure Amazon Linux 2023 to lock an account when three unsuccessful logon attempts occur.
+
+Add/modify the "/etc/security/faillock.conf" file to match the following line:
+
+deny = 3Verify Amazon Linux 2023 is configured to lock an account after three unsuccessful logon attempts with the command:
+
+$ grep 'deny =' /etc/security/faillock.conf
+deny = 3
+
+If the "deny" option is not set to "3" or less (but not "0"), is missing or commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>AZLX-23-002460Amazon Linux 2023 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002238Configure Amazon Linux 2023 to lock out the "root" account after a number of incorrect login attempts using "pam_faillock.so", first enable the feature using the following command: + +$ sudo authselect enable-feature with-faillock + +Then edit the "/etc/security/faillock.conf" file as follows: + +add or uncomment the following line: +even_deny_rootVerify Amazon Linux 2023 is configured to lock the root account after three unsuccessful logon attempts with the command: + +$ grep even_deny_root /etc/security/faillock.conf +even_deny_root + +If the "even_deny_root" option is not set, is missing or commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>AZLX-23-002465Amazon Linux 2023 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by locking the account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002238Configure Amazon Linux 2023 to automatically lock an account after three unsuccessful logon attempts in 15-minutes. + +First, ensure that the system is configured with authselect, i.e., using sssd profiles: + +$ sudo authselect select sssd [--force] + +Then, enable the faillock feature: + +$ sudo authselect enable-feature with-faillock + +Then edit the "/etc/security/faillock.conf" file as follows: + +fail_interval = 900Note: If the system administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable. + +Verify Amazon Linux 2023 locks an account after three unsuccessful logon attempts within a period of 15 minutes with the following command: + +$ grep fail_interval /etc/security/faillock.conf +fail_interval = 900 + +If the "fail_interval" option is not set to "900" or less (but not "0"), the line is commented out, or the line is missing, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>AZLX-23-002470Amazon Linux 2023 must maintain an account lock until the locked account is released by an administrator.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by locking the account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002238Configure Amazon Linux 2023 to lock an account until released by an administrator after three unsuccessful logon attempts with the command: + +$ authselect enable-feature with-faillock + +Then edit the "/etc/security/faillock.conf" file as follows: + +unlock_time = 0Verify Amazon Linux 2023 is configured to lock an account until released by an administrator after three unsuccessful logon attempts with the command: + +$ grep 'unlock_time =' /etc/security/faillock.conf +unlock_time = 0 + +If the "unlock_time" option is not set to "0", the line is missing, or commented out, this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>AZLX-23-002475Amazon Linux 2023 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.<VulnDiscussion>To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. + +Operating systems are capable of providing a variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. 
Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. + +To support the requirements and principles of least functionality, Amazon Linux 2023 must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. + +Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000382CCI-002314Configure Amazon Linux 2023 to Prohibit/Restrict Functions, Ports, Protocols, Services. Use firewall-cmd to manage firewalld. + +For example, to block a specific port (8080), use: +sudo firewall-cmd --permanent --remove-port=8080/tcpVerify Amazon Linux 2023 firewall is configured to block unregistered ports, protocols, and services. + +Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command: + +$ sudo firewall-cmd --list-all + +Ask the system administrator for the site or program PPSM Component Local Service Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. 
+ +If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM CAL, or there are no firewall rules configured, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>AZLX-23-002480Amazon Linux 2023 must insure all interactive users have a primary group that exists.<VulnDiscussion>If a user is assigned the group identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group. + +Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000764CCI-000804CCI-000135Configure Amazon Linux 2023 so that all GIDs are referenced in "/etc/passwd" are defined in "/etc/group". + +Edit the file "/etc/passwd" and ensure that every user's GID is a valid GID.Verify Amazon Linux 2023 interactive users have a valid GID with the following command: + +$ sudo pwck -qr + +If the system has any interactive users with duplicate GIDs, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>AZLX-23-002485Amazon Linux 2023 must ensure all interactive users have unique User IDs (UIDs).<VulnDiscussion>To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. 
+ +Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000764CCI-000804CCI-000135Configure Amazon Linux 2023 to contain no duplicate UIDs for interactive users. + +Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.Verify Amazon Linux 2023 contains no duplicate UIDs for interactive users with the following command: + +$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd + +If output is produced and the accounts listed are interactive user accounts, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>AZLX-23-002489Amazon Linux 2023 must ensure the password complexity module is enabled in the password-auth file.<VulnDiscussion>Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004066CCI-000192CCI-000193Configure Amazon Linux 2023 to use "pwquality" to enforce password complexity rules. 
+ +Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): + +password required pam_pwquality.soVerify Amazon Linux 2023 uses "pwquality" to enforce the password complexity rules in the password-auth file with the following command: + +$ grep pam_pwquality /etc/pam.d/password-auth +password required pam_pwquality.so + +If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding. + +If the system administrator can demonstrate that the required configuration is contained in a PAM configuration file included or substacked from the system-auth file, this is not a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>AZLX-23-002490Amazon Linux 2023 password-auth must be configured to use a sufficient number of hashing rounds.<VulnDiscussion>Unapproved mechanisms, used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. + +Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. 
+ +Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004062CCI-000803Configure Amazon Linux 2023 to use 100000 hashing rounds for hashing passwords. + +Add or modify the following line in "/etc/pam.d/password-auth" and set "rounds" to "100000". + +password sufficient pam_unix.so sha512 rounds=100000Verify Amazon Linux 2023 has the required number of rounds for the password hashing algorithm is configured in password-auth with the following command: + +$ sudo grep rounds /etc/pam.d/password-auth +password sufficient pam_unix.so sha512 rounds=100000 + +If a matching line is not returned or "rounds" is less than "100000", this a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>AZLX-23-002495Amazon Linux 2023 system-auth must be configured to use a sufficient number of hashing rounds.<VulnDiscussion>Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. + +Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. 
+ +Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004062CCI-000803Configure Amazon Linux 2023 to use 100000 hashing rounds for hashing passwords. + +Add or modify the following line in "/etc/pam.d/system-auth" and set "rounds" to "100000". + +password sufficient pam_unix.so sha512 rounds=100000Verify Amazon Linux 2023 has the required number of rounds for the password hashing algorithm is configured in system-auth with the following command: + +$ sudo grep rounds /etc/pam.d/system-auth +password sufficient pam_unix.so sha512 rounds=100000 + +If a matching line is not returned or "rounds" is less than "100000", this a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>AZLX-23-002500Amazon Linux 2023 must ensure a sticky bit be set on all public directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
+ +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. + +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001090Configure Amazon Linux 2023 world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. + +Set the sticky bit on all world-writable directories using the following command: + +$ sudo find / -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +Verify Amazon Linux 2023 world-writable directories have the sticky bit set. + +Determine if all world-writable directories have the sticky bit set by running the following command: + +$ sudo find / -type d -perm -0002 ! 
-perm -1000 -exec ls -ld {} + + +If any output is returned, these directories are world-writable and do not have the sticky bit set, and this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>AZLX-23-002505Amazon Linux 2023 must ensure all world-writable directories be owned by root, sys, bin, or an application user.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. 
+ +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001090Configure Amazon Linux 2023 public directories to be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. + +Set the owner of all public directories as root or a system account using the following command: + +$ sudo find / -xdev -type d -perm -0002 ! -user root ! -uid +999 -exec chown root:root {} +Verify Amazon Linux 2023 world writable directories are owned by root, a system account, or an application account with the following command: + +$ sudo find / -xdev -type d -perm -0002 ! -user root ! -uid +999 -exec ls -ld {} + + +If there is output, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>AZLX-23-002510Amazon Linux 2023 must terminate idle user sessions.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
+ +Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at Amazon Linux 2023 level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that Amazon Linux 2023 terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001133Configure Amazon Linux 2023 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: + +StopIdleSessionSec=900 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + +$ sudo systemctl restart systemd-logindVerify Amazon Linux 2023 logs out sessions that are idle for 15 minutes with the following command: + +$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf +StopIdleSessionSec=900 + +If "StopIdleSessionSec" is not configured to "900" seconds, is commented out, or is missing, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>AZLX-23-002515Amazon Linux 2023 must enable auditing of processes that start prior to the audit daemon.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000130CCI-000135CCI-000169CCI-002884CCI-000172CCI-001464Configure Amazon Linux 2023 so that GRUB 2 enables auditing of processes that start prior to the audit daemon with the following command: + +$ sudo grubby --update-kernel=ALL --args="audit=1" + +Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: + +GRUB_CMDLINE_LINUX="audit=1"Verify Amazon Linux 2023 is configured so that GRUB 2 enables auditing of processes that start prior to the audit daemon with the following commands: + +Check that the current GRUB 2 configuration enables auditing: + +$ sudo grubby --info=ALL | grep args | grep -v 'audit=1' + +If any output is returned, this is a finding. 
+ +Check that auditing is enabled by default to persist in kernel updates: + +$ grep audit /etc/default/grub +GRUB_CMDLINE_LINUX="audit=1" + +If "audit" is not set to "1", is missing, or is commented out, this is a finding.SRG-OS-000254-GPOS-00095<GroupDescription></GroupDescription>AZLX-23-002520Amazon Linux 2023 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. 
+ +Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001464CCI-001849Configure Amazon Linux 2023 to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command: + +$ sudo grubby --update-kernel=ALL --args=audit_backlog_limit=8192Verify Amazon Linux 2023 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command: + +$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192' + +If the command returns any outputs, and audit_backlog_limit is less than "8192", this is a finding.SRG-OS-000312-GPOS-00123<GroupDescription></GroupDescription>AZLX-23-002535Amazon Linux 2023 must enable discretionary access control on hardlinks.<VulnDiscussion>By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
+ +Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002165CCI-002235Configure Amazon Linux 2023 to enable DAC on hardlinks with the following: + +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + +fs.protected_hardlinks = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --systemVerify Amazon Linux 2023 is configured to enable DAC on hardlinks. + +Check the status of the fs.protected_hardlinks kernel parameter with the following command: + +$ sudo sysctl fs.protected_hardlinks +fs.protected_hardlinks = 1 + +If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding.SRG-OS-000312-GPOS-00123<GroupDescription></GroupDescription>AZLX-23-002540Amazon Linux 2023 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
+ +Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002165CCI-002235Configure Amazon Linux 2023 to enable DAC on symlinks with the following: + +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + +fs.protected_symlinks = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --systemVerify Amazon Linux 2023 is configured to enable DAC on symlinks. + +Check the status of the fs.protected_symlinks kernel parameter with the following command: + +$ sudo sysctl fs.protected_symlinks +fs.protected_symlinks = 1 + +If "fs.protected_symlinks " is not set to "1" or is missing, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>AZLX-23-002555Amazon Linux 2023 debug-shell systemd service must be disabled.<VulnDiscussion>The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. 
This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002235Configure Amazon Linux 2023 to mask the debug-shell systemd service with the following command: + +$ sudo systemctl disable --now debug-shell.service +$ sudo systemctl mask --now debug-shell.serviceVerify Amazon Linux 2023 is configured to mask the debug-shell systemd service with the following command: + +$ sudo systemctl status debug-shell.service +O debug-shell.service + Loaded: masked (Reason: Unit debug-shell.service is masked.) + Active: inactive (dead) + +If the "debug-shell.service" is loaded and not masked, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>AZLX-23-002560Amazon Linux 2023 chrony must be configured with a maximum interval of 24 hours between requests sent to a USNO server or a time server designated for the appropriate DOD network.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004923Configure Amazon Linux 2023 to compare internal information system clocks at least every 24 hours with an NTP server. Ensure the following line is added or updated in /etc/chrony.conf: + +server DOD.ntp.server iburst maxpoll 16Verify Amazon Linux 2023 chrony service specifies a maximum interval of 24 hours between requests sent to a USNO server with the following command: + +Note: <USNO/DOD Server> is used in place of a time source IP address. + +$ sudo grep maxpoll /etc/chrony.conf +server <USNO/DOD Server> iburst maxpoll 16 + +If the "maxpoll" option is not configured, commented out, or set to a number greater than 16 or the line is commented out then this is a finding. + +Verify Amazon Linux 2023 chrony service is configured to use authoritative USNO or appropriate DOD time source with the following command: + +$ sudo grep -i server /etc/chrony.conf +server <USNO/DOD Server> + +If the parameter "server" is not set, or is not set to an authoritative USNO/DOD time source, then this is a finding.SRG-OS-000356-GPOS-00144<GroupDescription></GroupDescription>AZLX-23-002565Amazon Linux 2023 must synchronize internal information system clocks to the authoritative time source at least every 24 hours.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. 
Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. + +Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. + +Depending on the infrastructure being used the "pool" directive may not be supported. + +Satisfies: SRG-OS-000356-GPOS-00144, SRG-OS-000785-GPOS-00250, SRG-OS-000359-GPOS-00146</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004926CCI-004922CCI-001890Configure Amazon Linux 2023 chrony service to securely compare internal information system clocks at least every 24 hours with an NTP server by adding/modifying the following line in the /etc/chrony.conf file. + +server [ntp.server.name] iburst maxpoll 16Verify Amazon Linux 2023 is securely comparing internal information system clocks at least every 24 hours with an NTP server with the following commands: + +$ sudo grep maxpoll /etc/chrony.conf +server 0.us.pool.ntp.mil iburst maxpoll 16 + +If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding. 
+ +Verify the "chrony.conf" file is configured to an authoritative DOD time source by running the following command: + +$ sudo grep -i server /etc/chrony.conf +server 0.us.pool.ntp.mil + +If the parameter "server" is not set, or is not set to an authoritative DOD time source, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>AZLX-23-002570Amazon Linux 2023 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to Amazon Linux 2023. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of Amazon Linux 2023. Amazon Linux 2023's information management officer (IMO)/information system security officer (ISSO) and system administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. 
The organization may choose to shut down or restart the information system upon security function anomaly detection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001744Configure Amazon Linux 2023 so that the file integrity tool runs automatically on the system at least weekly and notifies designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. + +The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. + +$ sudo more /etc/cron.daily/aide +#!/bin/bash +/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify Amazon Linux 2023 routinely executes a file integrity scan for changes to the system baseline. The command used in the example will use a daily occurrence. + +Check the cron directories for scripts controlling the execution and notification of results of the file integrity application. 
For example, if AIDE is installed on the system, use the following commands: + +$ sudo ls -al /etc/cron.* | grep aide +-rwxr-xr-x 1 root root 29 Nov 22 2015 aide + +$ grep aide /etc/crontab /var/spool/cron/root +/etc/crontab: 30 04 * * * root usr/sbin/aide +/var/spool/cron/root: 30 04 * * * root usr/sbin/aide + +$ sudo more /etc/cron.daily/aide +#!/bin/bash +/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil + +If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>AZLX-23-002575Amazon Linux 2023 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +All software packages must be signed with a cryptographic key recognized and approved by the organization. + +Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-003992Configure Amazon Linux 2023 to disable kernel image loading. 
+ +Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + +kernel.kexec_load_disabled = 1 + +Load settings from all system configuration files with the following command: + +$ sudo sysctl --systemVerify Amazon Linux 2023 is configured to disable kernel image loading. + +Check the status of the kernel.kexec_load_disabled kernel parameter with the following command: + +$ sudo sysctl kernel.kexec_load_disabled +kernel.kexec_load_disabled = 1 + +If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>AZLX-23-002580Amazon Linux 2023 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001764Configure Amazon Linux 2023 so that the /boot/efi directory is mounted with the "nosuid" option. 
+ +Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory.Verify Amazon Linux 2023 is configured so that the /boot/efi directory is mounted with the "nosuid" option with the following command: + +$ mount | grep '\s/boot/efi\s' + +/dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro) + +If the /boot/efi file system does not have the "nosuid" option set, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>AZLX-23-002585Amazon Linux 2023 must mount /dev/shm with the nodev option.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001764Configure Amazon Linux 2023 so that "/dev/shm" is mounted with the "nodev" option. 
+ +Modify "/etc/fstab" to use the "nodev" option on the "/dev/shm" file system.Verify Amazon Linux 2023 is configured so that "/dev/shm" is mounted with the "nodev" option with the following command: + +$ mount | grep /dev/shm +tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) + +If the /dev/shm file system is mounted without the "nodev" option, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>AZLX-23-002590Amazon Linux 2023 must mount /dev/shm with the nosuid option.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001764Configure Amazon Linux 2023 so that "/dev/shm" is mounted with the "nosuid" option. 
+ +Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system.Verify Amazon Linux 2023 is configured so that "/dev/shm" is mounted with the "nosuid" option with the following command: + +$ mount | grep /dev/shm +tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) + +If the /dev/shm file system is mounted without the "noexec" option, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>AZLX-23-002595Amazon Linux 2023 must ensure the pcscd service is active.<VulnDiscussion>The information system ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + +The daemon program for pcsc-lite and the MuscleCard framework is pcscd. It is a resource manager that coordinates communications with smart card readers and smart cards and cryptographic tokens connected to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-004046Configure Amazon Linux 2023 so that the "pcscd" service is active with the following command: + +$ sudo systemctl enable --now pcscdVerify Amazon Linux 2023 is configured so that the "pcscd" service is active with the following command: + +$ systemctl is-active pcscd +active + +If the pcscdservice is not active, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>AZLX-23-002600Amazon Linux 2023 file system automount function must be disabled unless required.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. 
+ +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-001958Configure Amazon Linux 2023 to disable the ability to automount devices. + +The autofs service can be disabled with the following command: + +$ sudo systemctl mask --now autofs.serviceVerify Amazon Linux 2023 disables the file system automount function with the following command: + +$ sudo systemctl is-enabled autofs +masked + +If the returned value is not "masked", "disabled", "Failed to get unit file state for autofs.service for autofs", or "enabled", and is not documented as operational requirement with the information system security officer (ISSO), this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>AZLX-23-002605Amazon Linux 2023 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures are configured on impacted network interfaces.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + +This requirement addresses the configuration of Amazon Linux 2023 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. 
A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002385Configure Amazon Linux 2023 to use the AWS ALB rate limiting feature using its built-in rate limiting capabilities. This allows the user to set rate limits at the ALB level, which will apply to all traffic passing through the load balancer.Verify Amazon Linux 2023 is implementing rate-limiting measures on network interfaces to protect against DoS attacks. + +Access the AWS Management Console: + +Sign in to the AWS Management Console and navigate to the EC2 service. + +To locate the Application Load Balancer (ALB) in the EC2 dashboard, go to the "Load Balancers" section and find the ALB. + +Check the ALB configuration: Click on the ALB to view its details. The listener configuration for the ALB is located in the "Listener" tab. + +Look for the rate limiting settings: Scroll down to the "Rules" section. If rate limiting is enabled, a rule with the "Rate Limit" action will be displayed.SRG-OS-000433-GPOS-00192<GroupDescription></GroupDescription>AZLX-23-002610Amazon Linux 2023 must implement nonexecutable data to protect its memory from unauthorized code execution.<VulnDiscussion>The no-execute (NX) feature uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. 
It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-002824Configure Amazon Linux 2023 NX support to be enabled by opening a support case via the AWS Console to investigate why NX support is not detected.Verify Amazon Linux 2023 NX support is enabled with the following command: + +$ sudo dmesg | grep '[NX|DX]*protection' +[ 0.000000] NX (Execute Disable) protection: active + +If "dmesg" does not show "NX (Execute Disable) protection" active, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>AZLX-23-002615Amazon Linux 2023 must remove all software components after updated versions have been installed.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 
20235700CCI-002617Configure Amazon Linux 2023 to remove all software components after updated versions have been installed. + +Set the "clean_requirements_on_remove" option to "1" in the "/etc/dnf/dnf.conf" file: + +clean_requirements_on_remove=1Verify Amazon Linux 2023 removes all software components after updated versions have been installed with the following command: + +$ grep clean /etc/dnf/dnf.conf +clean_requirements_on_remove=1 + +If "clean_requirements_on_remove" is not set to "1", "True", or "yes", this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>AZLX-23-002620Amazon Linux 2023 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.<VulnDiscussion>If the pam_faillock.so module is not loaded, the system will not correctly lockout accounts to prevent password guessing attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000044Configure Amazon Linux 2023 to include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. + +Add/modify the appropriate sections of the "/etc/pam.d/system-auth" file to match the following lines: +Note: The "preauth" line must be listed before pam_unix.so. 
+ +auth required pam_faillock.so preauth +auth required pam_faillock.so authfail +account required pam_faillock.soVerify Amazon Linux 2023 is configured so that the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: + +$ grep pam_faillock.so /etc/pam.d/system-auth +auth required pam_faillock.so preauth +auth required pam_faillock.so authfail +account required pam_faillock.so + +If the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.SRG-OS-000462-GPOS-00206<GroupDescription></GroupDescription>AZLX-23-005000Amazon Linux 2023 audit system must protect logon user identifiers (UIDs) from unauthorized change.<VulnDiscussion>If modification of login UIDs is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. + +Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Amazon Linux 2023DISADPMS TargetAmazon Linux 20235700CCI-000172CCI-000162CCI-000163CCI-000164Configure Amazon Linux 2023 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules: + +--loginuid-immutable + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify Amazon Linux 2023 is configured so that the audit system prevents unauthorized changes to login UIDs with the following command: + +$ sudo grep -i immutable /etc/audit/audit.rules +--loginuid-immutable + +If the 
"--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding. \ No newline at end of file From 792a0c06e781ba76a9a4a72d91f35075f03cc150 Mon Sep 17 00:00:00 2001 From: Eric-Domeier Date: Sun, 14 Dec 2025 23:50:58 -0500 Subject: [PATCH 5/7] Fix issue with system with kernel evaluating to false, add Amazon linux to templates. --- products/al2023/product.yml | 3 + products/al2023/profiles/standard.profile | 12 ++++ products/al2023/profiles/stig.profile | 30 ++++++++- products/al2023/transforms/constants.xslt | 3 +- shared/applicability/os_linux.yml | 4 ++ .../applicability/oval/system_with_kernel.xml | 9 ++- shared/applicability/system_with_kernel.yml | 4 ++ shared/checks/oval/installed_OS_is_al2023.xml | 62 +++++++++++++------ .../ansible.template | 2 +- .../bash.template | 2 +- .../kubernetes.template | 2 +- 11 files changed, 107 insertions(+), 26 deletions(-) create mode 100644 products/al2023/profiles/standard.profile diff --git a/products/al2023/product.yml b/products/al2023/product.yml index 32cf5501a2e8..85107c124440 100644 --- a/products/al2023/product.yml +++ b/products/al2023/product.yml @@ -2,6 +2,9 @@ product: al2023 full_name: Amazon Linux 2023 type: platform +families: + - amzn + benchmark_id: AL-2023 benchmark_root: "../../linux_os/guide" components_root: "../../components" diff --git a/products/al2023/profiles/standard.profile b/products/al2023/profiles/standard.profile new file mode 100644 index 000000000000..52155cb5c223 --- /dev/null +++ b/products/al2023/profiles/standard.profile @@ -0,0 +1,12 @@ +--- +documentation_complete: true + +title: 'Standard System Security Profile for Amazon Linux 2023' + +description: |- + This profile contains rules to ensure standard security baseline + of a Amazon Linux 2023 system. Regardless of your system's workload + all of these checks should pass. + +selections: + - accounts_password_minlen_login_defs \ No newline at end of file 
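Review bot: The description in the new standard.profile reads `of a Amazon Linux 2023 system`; "Amazon" takes the article "an", so the line should be `of an Amazon Linux 2023 system`. The profile also selects a single rule, accounts_password_minlen_login_defs, while its title and description present it as a standard security baseline that every system should pass; if this is a starting point to be filled in later, a comment above `selections:` such as `# TODO: extend this baseline; currently a single placeholder selection` would keep it from being read as complete.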
diff --git a/products/al2023/profiles/stig.profile b/products/al2023/profiles/stig.profile index d1960eba7bb2..2d9008c066b4 100644 --- a/products/al2023/profiles/stig.profile +++ b/products/al2023/profiles/stig.profile @@ -18,4 +18,32 @@ description: |- and related documents. selections: - - stig_al2023:all \ No newline at end of file + - stig_al2023:all + - audit_rules_time_adjtimex + - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_time_clock_settime + - audit_rules_time_watch_localtime + - audit_rules_usergroup_modification + - audit_rules_networkconfig_modification + - audit_rules_mac_modification + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_unsuccessful_file_modification + - audit_rules_privileged_commands + - audit_rules_media_export + - audit_rules_file_deletion_events + - audit_rules_sysadmin_actions + - audit_rules_kernel_module_loading + - audit_rules_immutable_login_uids \ No newline at end of file diff --git a/products/al2023/transforms/constants.xslt b/products/al2023/transforms/constants.xslt index 9f9b98071415..6b8ec3fe0c1b 100644 --- a/products/al2023/transforms/constants.xslt +++ b/products/al2023/transforms/constants.xslt @@ -3,7 +3,8 @@ Amazon Linux 2023 -AL 2023 +AL2023 +AL_STIG al2023 https://www.cisecurity.org/benchmark/amazon_linux/ diff --git a/shared/applicability/os_linux.yml b/shared/applicability/os_linux.yml index bd923dcd2b6e..698becdda980 100644 --- a/shared/applicability/os_linux.yml 
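Review bot: The audit_rules_* entries are added directly to stig.profile next to `stig_al2023:all`, so none of them is tied to an AZLX control id; the control file tracks `rules` and `status` per control, and these rules selected outside it fall through that tracking. At least one of them looks like it implements a listed control — audit_rules_immutable_login_uids matches the `--loginuid-immutable` requirement of AZLX-23-005000 in the control file, inferred from the rule name. If these rules are meant to satisfy specific STIG items, listing them under the matching controls in controls/stig_al2023.yml and keeping only `stig_al2023:all` here keeps the profile derivable from the control file; if they are deliberately extra, a comment such as `# Rules below are selected outside the AZLX control mapping` would record that.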
+++ b/shared/applicability/os_linux.yml @@ -20,3 +20,7 @@ args: os_name: "SUSE Linux Enterprise Server" os_id: 'sles' os_id_ansible: "SLES" + al: + os_name: "Amazon Linux" + os_id: "amzn" + os_id_ansible: "Amazon" diff --git a/shared/applicability/oval/system_with_kernel.xml b/shared/applicability/oval/system_with_kernel.xml index d1cbf79c4d20..0cdcda027b09 100644 --- a/shared/applicability/oval/system_with_kernel.xml +++ b/shared/applicability/oval/system_with_kernel.xml @@ -11,14 +11,21 @@ {{% endif %}} + {{% if 'debian' in product or 'ubuntu' in product %}} {{{ oval_test_package_installed(package="linux-base", test_id="inventory_test_kernel_installed") }}} + {{% elif 'sle' in product or 'slmicro' in product %}} {{{ oval_test_package_installed(package="kernel-default", test_id="inventory_test_kernel_installed") }}} {{{ oval_test_package_installed(package="kernel-default-base", test_id="inventory_test_kernel_default_base_installed") }}} -{{% else %}} + +{{% elif product == "fedora" or "rhel" in product %}} {{{ oval_test_package_installed(package="kernel-core", test_id="inventory_test_kernel_installed") }}} + +{{% else %}} +{{{ oval_test_package_installed(package="kernel", test_id="inventory_test_kernel_installed") }}} {{% endif %}} + {{% if "ol" in families %}} {{{ oval_test_package_installed(package="kernel-uek", test_id="inventory_test_kernel_uek_installed") }}} {{% endif %}} diff --git a/shared/applicability/system_with_kernel.yml b/shared/applicability/system_with_kernel.yml index 07793b1a1a2f..a041bed790b4 100644 --- a/shared/applicability/system_with_kernel.yml +++ b/shared/applicability/system_with_kernel.yml 
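Review bot: The new `{{% else %}}` fallback in system_with_kernel.xml tests only the `kernel` package, while the bash_conditional and ansible_conditional this commit adds for al2023 in shared/applicability/system_with_kernel.yml accept either `kernel` or `kernel-modules`; the OVAL applicability check and the remediation conditionals for the same platform should agree, otherwise a host can be "not applicable" to the check yet in scope for the remediation. If `kernel-modules` without `kernel` is a realistic state on AL2023, a second `{{{ oval_test_package_installed(package="kernel-modules", test_id="inventory_test_kernel_modules_installed") }}}` ORed into the criteria would align them; if it is not, dropping `kernel-modules` from the yml conditionals is the simpler fix. The restructured branches also mean every product that is not debian/ubuntu, sle/slmicro, fedora or rhel now requires `kernel` where it previously got the `kernel-core` test — worth confirming that is intended for the other products that reach the fallback.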
@@ -22,6 +22,8 @@ bash_conditional: "rpm --quiet -q kernel-default || rpm --quiet -q kernel-defaul bash_conditional: "rpm --quiet -q kernel || rpm --quiet -q kernel-uek" {{% elif product == "fedora" or "rhel" in product %}} bash_conditional: "rpm --quiet -q kernel-core" +{{% elif "amazon" in product or product == "al2023" %}} +bash_conditional: "rpm --quiet -q kernel || rpm --quiet -q kernel-modules" {{% else %}} bash_conditional: "rpm --quiet -q kernel" {{% endif %}} @@ -40,6 +42,8 @@ ansible_conditional: '("kernel-default" in ansible_facts.packages or "kernel-def ansible_conditional: '("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)' {{% elif product == "fedora" or "rhel" in product %}} ansible_conditional: '"kernel-core" in ansible_facts.packages' +{{% elif "amazon" in product or product == "al2023" %}} +ansible_conditional: '("kernel" in ansible_facts.packages or "kernel-modules" in ansible_facts.packages)' {{% else %}} ansible_conditional: '"kernel" in ansible_facts.packages' {{% endif %}} diff --git a/shared/checks/oval/installed_OS_is_al2023.xml b/shared/checks/oval/installed_OS_is_al2023.xml index 0755643adbec..b3f751ae8d75 100644 --- a/shared/checks/oval/installed_OS_is_al2023.xml +++ b/shared/checks/oval/installed_OS_is_al2023.xml @@ -1,5 +1,5 @@ - + Amazon Linux 2023 @@ -8,36 +8,58 @@ The operating system installed on the system is Amazon Linux 2023 + - - - + + + + + - - - + + + - + + /etc/os-release - ^ID=\"(\w+)\"$ + ID="?amzn"? 1 - - amzn - - - - + + + + - + + /etc/os-release - ^VERSION_ID=\"(\w+)\"$ + VERSION_ID="?2023"? 1 - - 2023 - diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template index 3985b04d4439..d5cdb2db93c0 100644 --- a/shared/templates/audit_rules_privileged_commands/ansible.template +++ b/shared/templates/audit_rules_privileged_commands/ansible.template 
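Review bot: The condition `{{% elif "amazon" in product or product == "al2023" %}}` added in both hunks of system_with_kernel.yml (the bash_conditional one and the ansible_conditional one) tests the product id, but this commit registers the platform by family — product.yml adds `families: - amzn` and os_linux.yml defines `os_id: "amzn"` — and the Oracle branch in the OVAL template uses `"ol" in families`. `"amazon" in product` cannot match a product named `al2023`, so only the second half of the test does any work. Assuming `families` is in scope here as it is in the OVAL template, `{{% elif "amzn" in families %}}` states the intent once and would cover a future Amazon Linux product without editing both hunks.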
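Review bot: The replacement patterns `ID="?amzn"?` and `VERSION_ID="?2023"?` in installed_OS_is_al2023.xml drop the `^` and `$` anchors that the previous `^ID=\"(\w+)\"$` form had, so the /etc/os-release test now matches any line containing that substring — `ID="amzn"` as a prefix of a longer value, or `VERSION_ID="2023"` followed by further characters. Keeping the anchors while still tolerating optional quotes, `^ID="?amzn"?$` and `^VERSION_ID="?2023"?$`, preserves the earlier strictness. The surrounding XML is rendered here without its tags, so the exact element each pattern sits in is inferred from the remaining text.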
@@ -1,4 +1,4 @@
-{{%- if product in ["almalinux9", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
+{{%- if product in ["al2023", "almalinux9", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
 {{%- set perm_x=" -F perm=x" %}}
 {{%- endif %}}
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 393a9fa57615..736ea6b06ed2 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,4 +1,4 @@
-{{%- if product in ["almalinux9", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
+{{%- if product in ["al2023", "almalinux9", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
 {{%- set perm_x=" -F perm=x" %}}
 {{%- endif %}}
 # platform = multi_platform_all
diff --git a/shared/templates/audit_rules_privileged_commands/kubernetes.template b/shared/templates/audit_rules_privileged_commands/kubernetes.template
index 3f5dcedc474d..f71e856d298e 100644
--- a/shared/templates/audit_rules_privileged_commands/kubernetes.template
+++ b/shared/templates/audit_rules_privileged_commands/kubernetes.template
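Review bot: `al2023` is added to the product list that sets `perm_x` in ansible.template, but the `# platform = multi_platform_rhel,...,multi_platform_almalinux` line in the same hunk names no Amazon Linux platform, so the Ansible remediation for audit_rules_privileged_commands is presumably still not generated for al2023 and the new list entry has no effect there (the bash.template hunk declares `multi_platform_all` and is unaffected). If Amazon Linux is meant to receive this Ansible remediation, the platform line needs the identifier this project uses for it as well; if not, a short comment noting that the list entry is ahead of platform support would explain the mismatch.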
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = medium
-{{%- if product in ["almalinux9", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
+{{%- if product in ["al2023", "almalinux9", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
 {{%- set perm_x="%20-F%20perm%3Dx" %}}
 {{%- endif %}}
From 3fd77eb58f6b9522dfa5541ecc2bdf89d0cc4b70 Mon Sep 17 00:00:00 2001
From: Eric-Domeier
Date: Mon, 15 Dec 2025 07:56:18 -0500
Subject: [PATCH 6/7] Attempt to fix linting, eof gate check fails
---
controls/stig_al2023.yml | 3514 +++++++++++----------
products/al2023/profiles/standard.profile | 2 +-
products/al2023/profiles/stig.profile | 2 +-
3 files changed, 1776 insertions(+), 1742 deletions(-)
diff --git a/controls/stig_al2023.yml b/controls/stig_al2023.yml
index f728d37363e8..cd8071a2ce9c 100644
--- a/controls/stig_al2023.yml
+++ b/controls/stig_al2023.yml
@@ -1,5 +1,5 @@
-policy: 'Amazon Linux 2023 Security Technical Implementation Guide'
-title: 'Amazon Linux 2023 Security Technical Implementation Guide'
+policy: "Amazon Linux 2023 Security Technical Implementation Guide"
+title: "Amazon Linux 2023 Security Technical Implementation Guide"
 id: stig_al2023
 source: https://www.cyber.mil/stigs/downloads/
 version: V1R1
@@ -7,1743 +7,1777 @@ reference_type: stigid product: al2023 levels: -- id: high -- id: medium -- id: low + - id: high + - id: medium + - id: low controls: -- id: AZLX-23-000100 - levels: - - high - title: Amazon Linux 2023 local disk partitions must implement cryptographic - mechanisms to prevent unauthorized disclosure or modification of all - information that requires at rest protection. - rules: - - encrypt_partitions - status: automated - -- id: AZLX-23-000110 - levels: - - medium - title: Amazon Linux 2023 must ensure cryptographic verification of vendor - software packages. - rules: [] - status: pending -- id: AZLX-23-000115 - levels: - - high - title: Amazon Linux 2023 must check the GPG signature of locally installed - software packages before installation. - rules: - - ensure_gpgcheck_local_packages - status: automated - -- id: AZLX-23-000120 - levels: - - high - title: Amazon Linux 2023 must check the GPG signature of software packages - originating from external software repositories before installation. - rules: - - ensure_gpgcheck_globally_activated - status: automated - -- id: AZLX-23-000125 - levels: - - high - title: Amazon Linux 2023 must have GPG signature verification enabled for all - software repositories. - rules: - - ensure_gpgcheck_never_disabled - status: automated - -- id: AZLX-23-000130 - levels: - - high - title: Amazon Linux 2023 must be a vendor-supported release. - rules: - - installed_OS_is_vendor_supported - status: automated - -- id: AZLX-23-000135 - levels: - - medium - title: Amazon Linux 2023 systemd-journald service must be enabled. - rules: - - service_systemd-journald_enabled - status: automated - -- id: AZLX-23-000200 - levels: - - medium - title: Amazon Linux 2023 must restrict access to the kernel message buffer. - rules: - - sysctl_kernel_dmesg_restrict - status: automated - -- id: AZLX-23-000205 - levels: - - medium - title: Amazon Linux 2023 must prevent kernel profiling by nonprivileged users. 
- rules: - - sysctl_kernel_perf_event_paranoid - status: automated - -- id: AZLX-23-000210 - levels: - - medium - title: Amazon Linux 2023 must restrict exposed kernel pointer addresses - access. - rules: - - sysctl_kernel_kptr_restrict - status: automated - -- id: AZLX-23-000215 - levels: - - medium - title: Amazon Linux 2023 must disable access to network bpf system call from - nonprivileged processes. - rules: - - sysctl_kernel_unprivileged_bpf_disabled - status: automated - -- id: AZLX-23-000220 - levels: - - medium - title: Amazon Linux 2023 must restrict usage of ptrace to descendant - processes. - rules: - - sysctl_kernel_yama_ptrace_scope - status: automated - -- id: AZLX-23-000225 - levels: - - medium - title: Amazon Linux 2023 must implement address space layout randomization - (ASLR) to protect its memory from unauthorized code execution. - rules: - - sysctl_kernel_randomize_va_space - status: automated - -- id: AZLX-23-000300 - levels: - - high - title: Amazon Linux 2023 must not have the vsftpd package installed. - rules: - - package_vsftpd_removed - status: automated - -- id: AZLX-23-000305 - levels: - - medium - title: Amazon Linux 2023 must not have the sendmail package installed. - rules: - - package_sendmail_removed - status: automated - -- id: AZLX-23-000310 - levels: - - medium - title: Amazon Linux 2023 must not have the nfs-utils package installed. - rules: - - package_nfs-utils_removed - status: automated - -- id: AZLX-23-000315 - levels: - - medium - title: Amazon Linux 2023 must not have the telnet-server package installed. - rules: - - package_telnet-server_removed - status: automated - -- id: AZLX-23-000320 - levels: - - medium - title: Amazon Linux 2023 must not have the gssproxy package installed. - rules: - - package_gssproxy_removed - status: automated - -- id: AZLX-23-001000 - levels: - - medium - title: Amazon Linux 2023 must have the sudo package installed. 
- rules: - - package_sudo_installed - status: automated - -- id: AZLX-23-001005 - levels: - - medium - title: Amazon Linux 2023 must not be configured to bypass password - requirements for privilege escalation. - rules: - - disallow_bypass_password_sudo - status: automated - -- id: AZLX-23-001010 - levels: - - medium - title: Amazon Linux 2023 must require reauthentication when using the "sudo" - command. - rules: - - sudo_require_reauthentication - - var_sudo_timestamp_timeout=always_prompt - status: automated - -- id: AZLX-23-001015 - levels: - - medium - title: Amazon Linux 2023 must require users to reauthenticate for privilege - escalation. - rules: - - sudo_remove_no_authenticate - status: automated - -- id: AZLX-23-001020 - levels: - - medium - title: Amazon Linux 2023 must require users to provide a password for - privilege escalation. - rules: - - sudo_remove_nopasswd - status: automated - -- id: AZLX-23-001025 - levels: - - medium - title: Amazon Linux 2023 must have the audit package installed. - rules: - - package_audit_installed - status: automated - -- id: AZLX-23-001030 - levels: - - medium - title: Amazon Linux 2023 must produce audit records containing information to - establish what type of events occurred. - rules: - - service_auditd_enabled - status: automated - -- id: AZLX-23-001035 - levels: - - medium - title: Amazon Linux 2023 audispd-plugins package must be installed. - rules: - - package_audispd-plugins_installed - status: automated - -- id: AZLX-23-001040 - levels: - - medium - title: Amazon Linux 2023 must have the rsyslog package installed. - rules: - - service_rsyslog_enabled - status: automated - -- id: AZLX-23-001045 - levels: - - medium - title: Amazon Linux 2023 must monitor remote access methods. - rules: - - rsyslog_remote_access_monitoring - status: automated - -- id: AZLX-23-001050 - levels: - - medium - title: Amazon Linux 2023 must have the chrony package installed. 
- rules: - - package_chrony_installed - status: automated - -- id: AZLX-23-001055 - levels: - - medium - title: Amazon Linux 2023 chronyd service must be enabled. - rules: - - service_chronyd_enabled - status: automated - -- id: AZLX-23-001060 - levels: - - medium - title: Amazon Linux 2023 must have the Advanced Intrusion Detection - Environment (AIDE) package installed. - rules: - - package_aide_installed - - aide_build_database - status: automated - -- id: AZLX-23-001065 - levels: - - medium - title: Amazon Linux 2023 must routinely check the baseline configuration for - unauthorized changes and notify the system administrator when anomalies in - the operation of any security functions are discovered. - rules: [] - status: pending -- id: AZLX-23-001070 - levels: - - medium - title: Amazon Linux 2023 must use cryptographic mechanisms to protect the - integrity of audit tools. - rules: - - aide_check_audit_tools - status: automated - -- id: AZLX-23-001075 - levels: - - medium - title: Amazon Linux 2023 must have the firewalld package installed. - rules: - - package_firewalld_installed - status: automated - -- id: AZLX-23-001080 - levels: - - medium - title: Amazon Linux 2023 must have the firewalld servicew active. - rules: - - service_firewalld_enabled - status: automated - -- id: AZLX-23-001085 - levels: - - medium - title: Amazon Linux 2023 must be configured to disable nonessential - capabilities. - rules: - - firewalld_sshd_port_enabled - status: automated - -- id: AZLX-23-001090 - levels: - - medium - title: Amazon Linux 2023 must manage excess capacity, bandwidth, or other - redundancy to limit the effects of information flooding types of - denial-of-service (DoS) attacks. - rules: - - firewalld-backend - status: automated - -- id: AZLX-23-001095 - levels: - - medium - title: Amazon Linux 2023 must have the s-nail package installed. 
- rules: - - package_s-nail_installed - status: automated - -- id: AZLX-23-001105 - levels: - - medium - title: Amazon Linux 2023 must have the libreswan package installed. - rules: - - package_libreswan_installed - status: automated - -- id: AZLX-23-001110 - levels: - - medium - title: Amazon Linux 2023 must have the policycoreutils package installed. - rules: - - package_policycoreutils_installed - status: automated - -- id: AZLX-23-001115 - levels: - - medium - title: Amazon Linux 2023 must have the pcsc-lite package installed. - rules: - - package_pcsc-lite_installed - status: automated - -- id: AZLX-23-001120 - levels: - - medium - title: Amazon Linux 2023 must have the packages required for encrypting - off-loaded audit logs installed. - rules: [] - status: pending -- id: AZLX-23-001125 - levels: - - medium - title: Amazon Linux 2023 must have the opensc package installed. - rules: - - package_opensc_installed - status: automated - -- id: AZLX-23-001130 - levels: - - medium - title: Amazon Linux 2023 must have the openssl-pkcs11 package installed. - rules: - - install_smartcard_packages - status: automated - -- id: AZLX-23-001180 - levels: - - medium - title: Amazon Linux 2023 must have SSH installed. - rules: - - package_openssh-server_installed - status: automated - -- id: AZLX-23-001185 - levels: - - medium - title: Amazon Linux 2023 must implement SSH to protect the confidentiality and - integrity of transmitted and received information, as well as information - during preparation for transmission. - rules: - - service_sshd_enabled - status: automated - -- id: AZLX-23-001195 - levels: - - medium - title: Amazon Linux 2023 must have the crypto-policies package installed. - rules: [] - status: pending -- id: AZLX-23-001200 - levels: - - medium - title: Amazon Linux 2023 SSH server must be configured to use systemwide - crypto policies. 
- rules: - - file_sshd_50_redhat_exists - - sshd_include_crypto_policy - status: automated - -- id: AZLX-23-001205 - levels: - - medium - title: Amazon Linux 2023 server must be configured to use only DOD-approved - encryption ciphers employing FIPS 140-2/140-3 validated cryptographic hash - algorithms to protect the confidentiality of SSH server connections. - status: pending - -- id: AZLX-23-001210 - levels: - - medium - title: Amazon Linux 2023 SSH server must be configured to use only Message - Authentication Codes (MACs) employing FIPS 140-2/140-3 validated - cryptographic hash algorithms to protect the confidentiality of SSH server - connections. - rules: [] - status: pending -- id: AZLX-23-001215 - levels: - - medium - title: Amazon Linux 2023 SSH daemon must not allow Generic Security Service - Application Program Interface (GSSAPI) authentication. - rules: - - sshd_disable_gssapi_auth - status: automated - -- id: AZLX-23-001220 - levels: - - medium - title: Amazon Linux 2023 SSH daemon must not allow Kerberos authentication. - rules: - - sshd_disable_kerb_auth - status: automated - -- id: AZLX-23-001225 - levels: - - medium - title: Amazon Linux 2023 must force a frequent session key renegotiation for - SSH connections to the server. - rules: - - sshd_rekey_limit - - var_rekey_limit_size=1G - - var_rekey_limit_time=1hour - status: automated - -- id: AZLX-23-001230 - levels: - - medium - title: Amazon Linux 2023 SSHD must accept public key authentication. - rules: - - sshd_enable_pubkey_auth - status: automated - -- id: AZLX-23-001235 - levels: - - high - title: Amazon Linux 2023 SSHD must not allow blank passwords. - rules: - - sshd_disable_empty_passwords - status: automated - -- id: AZLX-23-001240 - levels: - - medium - title: Amazon Linux 2023 must not permit direct logons to the root account - using remote access via SSH. 
- rules: - - sshd_disable_root_login - status: automated - -- id: AZLX-23-001245 - levels: - - medium - title: Amazon Linux 2023 must be configured so that all network connections - associated with SSH traffic are terminated after 10 minutes of becoming - unresponsive. - rules: - - sshd_set_idle_timeout - - sshd_idle_timeout_value=10_minutes - status: automated - -- id: AZLX-23-001250 - levels: - - medium - title: Amazon Linux 2023 must be configured so that all network connections - associated with SSH traffic terminate after becoming unresponsive. - rules: - - sshd_set_keepalive - - var_sshd_set_keepalive=1 - status: automated - -- id: AZLX-23-001255 - levels: - - high - title: Amazon Linux 2023 must enable the Pluggable Authentication Module (PAM) - interface for SSHD. - rules: - - sshd_enable_pam - status: automated - -- id: AZLX-23-001260 - levels: - - medium - title: Amazon Linux 2023 must implement DOD-approved encryption in the OpenSSL - package. - rules: [] - status: pending -- id: AZLX-23-001265 - levels: - - medium - title: Amazon Linux 2023 must implement DOD-approved TLS encryption in the - OpenSSL package. - rules: [] - status: pending -- id: AZLX-23-001270 - levels: - - medium - title: Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant - systemwide cryptographic policy. - rules: [] - status: pending -- id: AZLX-23-001275 - levels: - - medium - title: Amazon Linux 2023 must implement DOD-approved encryption to protect the - confidentiality of remote access sessions. - rules: - - harden_sshd_ciphers_opensshserver_conf_crypto_policy - - sshd_approved_ciphers=stig_rhel9 - status: automated -- id: AZLX-23-001280 - levels: - - high - title: Amazon Linux 2023 must enable FIPS mode. - rules: - - enable_fips_mode - - sysctl_crypto_fips_enabled - - var_system_crypto_policy=fips - - enable_dracut_fips_module - status: automated - -- id: AZLX-23-001285 - levels: - - medium - title: Amazon Linux 2023 crypto policy must not be overridden. 
- rules: [] - status: pending -- id: AZLX-23-001290 - levels: - - medium - title: Amazon Linux 2023 must enable certificate-based smart card - authentication. - rules: - - sssd_enable_smartcards - status: automated - -- id: AZLX-23-001295 - levels: - - medium - title: Amazon Linux 2023 must map the authenticated identity to the user or - group account for PKI-based authentication. - rules: - - sssd_enable_certmap - status: automated - -- id: AZLX-23-001300 - levels: - - medium - title: Amazon Linux 2023 must implement certificate status checking for - multifactor authentication. - rules: - - sssd_certificate_verification - - var_sssd_certificate_verification_digest_function=sha512 - status: automated - -- id: AZLX-23-001305 - levels: - - medium - title: Amazon Linux 2023 must prohibit the use of cached authenticators after - one day. - rules: - - sssd_offline_cred_expiration - status: automated - -- id: AZLX-23-001310 - levels: - - medium - title: Amazon Linux 2023, for PKI-based authentication, must validate - certificates by constructing a certification path (which includes status - information) to an accepted trust anchor. - rules: [] - status: pending -- id: AZLX-23-001315 - levels: - - medium - title: Amazon Linux 2023, for PKI-based authentication, must enforce - authorized access to the corresponding private key. - rules: - - ssh_keys_passphrase_protected - status: automated - -- id: AZLX-23-002000 - levels: - - medium - title: Amazon Linux 2023 must display the Standard Mandatory DOD Notice and - Consent Banner before granting local or remote access to the system. - rules: - - banner_etc_issue - - login_banner_text=dod_banners - status: automated - -- id: AZLX-23-002005 - levels: - - medium - title: Amazon Linux 2023 must display the Standard Mandatory DOD Notice and - Consent Banner before granting local or remote access to the system via a - SSH logon. 
- rules: - - sshd_enable_warning_banner - status: automated - -- id: AZLX-23-002015 - levels: - - medium - title: Amazon Linux 2023 must allocate audit record storage capacity to store - at least one week's worth of audit records, when audit records are not - immediately sent to a central audit record storage facility. - rules: - - auditd_audispd_configure_sufficiently_large_partition - status: automated - -- id: AZLX-23-002020 - levels: - - low - title: Amazon Linux 2023 must use a separate file system for the system audit - data path. - rules: - - partition_for_var_log_audit - status: automated - -- id: AZLX-23-002025 - levels: - - medium - title: Amazon Linux 2023 must label all off-loaded audit logs before sending - them to the central log server. - rules: - - auditd_name_format - - var_auditd_name_format=stig - status: automated - -- id: AZLX-23-002030 - levels: - - medium - title: Amazon Linux 2023 must take appropriate action when the internal event - queue is full. - rules: - - auditd_overflow_action - status: automated - -- id: AZLX-23-002035 - levels: - - medium - title: Amazon Linux 2023 must take action when allocated audit record storage - volume reaches 75 percent of the repository maximum audit record storage - capacity. - rules: - - auditd_data_retention_space_left_percentage - - var_auditd_space_left_percentage=25pc - status: automated - -- id: AZLX-23-002040 - levels: - - medium - title: Amazon Linux 2023 must notify the system administrator (SA) and - information system security officer (ISSO) (at a minimum) when allocated - audit record storage volume 75 percent utilization. - rules: - - auditd_data_retention_space_left_action - - var_auditd_space_left_action=email - status: automated - -- id: AZLX-23-002045 - levels: - - medium - title: Amazon Linux 2023 must take action when allocated audit record storage - volume reaches 95 percent of the audit record storage capacity. 
- rules: - - auditd_data_retention_admin_space_left_percentage - - var_auditd_admin_space_left_percentage=5pc - status: automated - -- id: AZLX-23-002050 - levels: - - medium - title: Amazon Linux 2023 must take action when allocated audit record storage - volume reaches 95 percent of the repository maximum audit record storage - capacity. - rules: - - auditd_data_retention_admin_space_left_action - - var_auditd_admin_space_left_action=single - status: automated - -- id: AZLX-23-002055 - levels: - - medium - title: Amazon Linux 2023 must immediately notify the system administrator (SA) - and information system security officer (ISSO), at a minimum, of an audit - processing failure event. - rules: - - auditd_data_retention_action_mail_acct - - var_auditd_action_mail_acct=root - status: automated - -- id: AZLX-23-002060 - levels: - - medium - title: Amazon Linux 2023 must be configured to off-load audit records onto a - different system from the system being audited via syslog. - rules: [] - status: pending -- id: AZLX-23-002065 - levels: - - medium - title: Amazon Linux 2023 must authenticate the remote logging server for - off-loading audit logs via rsyslog. - rules: - - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - status: automated - -- id: AZLX-23-002070 - levels: - - medium - title: Amazon Linux 2023 must encrypt the transfer of audit records off-loaded - onto a different system or media from the system being audited via rsyslog. - rules: - - rsyslog_encrypt_offload_actionsendstreamdrivermode - status: automated - -- id: AZLX-23-002075 - levels: - - medium - title: Amazon Linux 2023 must encrypt via the gtls driver the transfer of - audit records off-loaded onto a different system or media from the system - being audited via rsyslog. 
- rules: - - rsyslog_encrypt_offload_defaultnetstreamdriver - status: automated - -- id: AZLX-23-002080 - levels: - - medium - title: Amazon Linux 2023 must be configured to off-load audit records onto a - different system from the system being audited via syslog. - rules: - - rsyslog_remote_loghost - status: automated - -- id: AZLX-23-002085 - levels: - - medium - title: Amazon Linux 2023 must generate audit records for all account - creations, modifications, disabling, and termination events that affect - /etc/sudoers. - rules: - - audit_rules_sudoers - status: automated - -- id: AZLX-23-002090 - levels: - - medium - title: Amazon Linux 2023 must generate audit records for all account - creations, modifications, disabling, and termination events that affect - /etc/sudoers.d/ directory. - rules: [] - status: pending -- id: AZLX-23-002095 - levels: - - medium - title: Amazon Linux 2023 must generate audit records for all account - creations, modifications, disabling, and termination events that affect - /etc/group. - rules: - - audit_rules_usergroup_modification_group - status: automated - -- id: AZLX-23-002100 - levels: - - medium - title: Amazon Linux 2023 must generate audit records for all account - creations, modifications, disabling, and termination events that affect - /etc/gshadow. - rules: - - audit_rules_usergroup_modification_gshadow - status: automated - -- id: AZLX-23-002105 - levels: - - medium - title: Amazon Linux 2023 must generate audit records for all account - creations, modifications, disabling, and termination events that affect - /etc/opasswd. - rules: - - audit_rules_usergroup_modification_opasswd - status: automated - -- id: AZLX-23-002110 - levels: - - medium - title: Amazon Linux 2023 must audit uses of the "execve" system call. - rules: - - audit_rules_suid_privilege_function - status: automated - -- id: AZLX-23-002115 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the chmod, fchmod, and - fchmodat system calls. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - status: automated - -- id: AZLX-23-002120 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the chown, fchown, fchownat, - and lchown system calls. - rules: - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_lchown - status: automated - -- id: AZLX-23-002125 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the setxattr, fsetxattr, - lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. - rules: - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_lremovexattr - status: automated - -- id: AZLX-23-002130 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the truncate, ftruncate, - creat, open, openat, and open_by_handle_at system calls. - rules: - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_open_by_handle_at - status: automated - -- id: AZLX-23-002135 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the init_module and - finit_module system calls. - rules: - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - status: automated - -- id: AZLX-23-002140 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the create_module system call. 
- rules: - - audit_rules_execution_semanage - status: automated - -- id: AZLX-23-002145 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the kmod command. - rules: - - audit_rules_privileged_commands_kmod - status: automated - -- id: AZLX-23-002150 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the rename, unlink, rmdir, - renameat, and unlinkat system calls. - rules: - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_unlinkat - status: automated - -- id: AZLX-23-002155 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the chcon command. - rules: - - audit_rules_execution_chcon - status: automated - -- id: AZLX-23-002160 - levels: - - medium - title: Amazon Linux 2023 must generate audit records for all account - creations, modifications, disabling, and termination events that affect - /var/log/faillock. - rules: - - audit_rules_login_events_faillock - status: automated - -- id: AZLX-23-002165 - levels: - - medium - title: Amazon Linux 2023 must generate audit records for all account - creations, modifications, disabling, and termination events that affect - /var/log/lastlog. - rules: - - audit_rules_login_events_lastlog - status: automated - -- id: AZLX-23-002175 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the init command. - rules: - - audit_privileged_commands_init - status: automated - -- id: AZLX-23-002180 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the reboot command. - rules: - - audit_privileged_commands_reboot - status: automated - -- id: AZLX-23-002185 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the shutdown command. 
- rules: - - audit_privileged_commands_shutdown - status: automated - -- id: AZLX-23-002190 - levels: - - medium - title: Amazon Linux 2023 audit tools must have a mode of "0755" or less - permissive. - rules: - - file_audit_tools_permissions - status: automated - -- id: AZLX-23-002195 - levels: - - medium - title: Amazon Linux 2023 audit tools must be owned by root. - rules: - - file_audit_tools_ownership - status: automated - -- id: AZLX-23-002200 - levels: - - medium - title: Amazon Linux 2023 audit tools must be group-owned by root. - rules: - - file_audit_tools_group_ownership - status: automated - -- id: AZLX-23-002205 - levels: - - medium - title: Amazon Linux 2023 must generate audit records for all account - creations, modifications, disabling, and termination events that affect - /etc/passwd. - rules: [] - status: pending -- id: AZLX-23-002210 - levels: - - medium - title: Amazon Linux 2023 must audit all successful/unsuccessful uses of the - chage command. - rules: - - audit_rules_privileged_commands_chage - status: automated - -- id: AZLX-23-002215 - levels: - - medium - title: Amazon Linux 2023 must alert the information system security officer - (ISSO) and system administrator (SA), at a minimum, in the event of an audit - processing failure. - rules: [] - status: pending -- id: AZLX-23-002220 - levels: - - medium - title: Amazon Linux 2023 must off-load audit records onto a different system - in the event the audit storage volume is full. - rules: - - auditd_data_disk_full_action_stig - - var_auditd_disk_full_action=halt - status: automated - -- id: AZLX-23-002225 - levels: - - medium - title: Amazon Linux 2023 audit logs must be group-owned by root or by a - restricted logging group to prevent unauthorized read access. - rules: [] - status: pending -- id: AZLX-23-002230 - levels: - - medium - title: Amazon Linux 2023 audit log directory must be owned by root to prevent - unauthorized read access. 
- rules: [] - status: pending -- id: AZLX-23-002235 - levels: - - medium - title: Amazon Linux 2023 audit logs file must have mode "0600" or less - permissive to prevent unauthorized access to the audit log. - rules: [] - status: pending -- id: AZLX-23-002240 - levels: - - medium - title: Amazon Linux 2023 must allow only the information system security - manager (ISSM) (or individuals or roles appointed by the ISSM) to select - which auditable events are to be audited. - rules: - - file_permissions_audit_configuration - status: automated - -- id: AZLX-23-002245 - levels: - - medium - title: Amazon Linux 2023 must audit all uses of the sudo command. - rules: - - audit_rules_privileged_commands_sudo - status: automated - -- id: AZLX-23-002250 - levels: - - medium - title: Amazon Linux 2023 must generate audit records for all account - creations, modifications, disabling, and termination events that affect - /etc/passwd. - rules: - - audit_rules_usergroup_modification_passwd - status: automated - -- id: AZLX-23-002255 - levels: - - medium - title: Amazon Linux 2023 must generate audit records for all account - creations, modifications, disabling, and termination events that affect - /etc/shadow. - rules: - - audit_rules_usergroup_modification_shadow - status: automated - -- id: AZLX-23-002260 - levels: - - medium - title: Amazon Linux 2023 must produce audit records containing information to - establish the identity of any individual or process associated with the - event. - rules: - - auditd_log_format - status: automated - -- id: AZLX-23-002265 - levels: - - medium - title: Amazon Linux 2023 audit logs must be group-owned by root or by a - restricted logging group to prevent unauthorized read access. - rules: - - directory_group_ownership_var_log_audit - status: automated - -- id: AZLX-23-002270 - levels: - - medium - title: Amazon Linux 2023 must ensure the audit log directory be owned by root - to prevent unauthorized read access. 
- rules: - - directory_ownership_var_log_audit - status: automated - -- id: AZLX-23-002275 - levels: - - medium - title: Amazon Linux 2023 audit logs file must have mode "0600" or less - permissive to prevent unauthorized access to the audit log. - rules: - - file_permissions_var_log_audit - status: automated - -- id: AZLX-23-002280 - levels: - - medium - title: Amazon Linux 2023 library directories must be group-owned by root or a - system account. - rules: - - dir_group_ownership_library_dirs - status: automated - -- id: AZLX-23-002285 - levels: - - medium - title: Amazon Linux 2023 library directories must have mode "755" or less - permissive. - rules: - - dir_permissions_library_dirs - status: automated - -- id: AZLX-23-002290 - levels: - - medium - title: Amazon Linux 2023 library files must have mode "755" or less - permissive. - rules: - - file_permissions_library_dirs - status: automated - -- id: AZLX-23-002295 - levels: - - medium - title: Amazon Linux 2023 library files must be owned by root. - rules: - - file_ownership_library_dirs - status: automated - -- id: AZLX-23-002300 - levels: - - medium - title: Amazon Linux 2023 library files must be group-owned by root or a system - account. - rules: - - root_permissions_syslibrary_files - status: automated - -- id: AZLX-23-002305 - levels: - - medium - title: Amazon Linux 2023 library directories must be owned by root. - rules: - - dir_ownership_library_dirs - status: automated - -- id: AZLX-23-002315 - levels: - - medium - title: Amazon Linux 2023 must ensure the /var/log directory have mode "0755" - or less permissive. - rules: - - file_permissions_var_log - status: automated - -- id: AZLX-23-002320 - levels: - - medium - title: Amazon Linux 2023 must ensure the /var/log directory be owned by root. - rules: - - file_owner_var_log - status: automated - -- id: AZLX-23-002325 - levels: - - medium - title: Amazon Linux 2023 must ensure the /var/log directory be group-owned by - root. 
- rules: - - file_groupowner_var_log - status: automated - -- id: AZLX-23-002330 - levels: - - medium - title: Amazon Linux 2023 must ensure the /var/log/messages file have mode - "0640" or less permissive. - rules: - - file_permissions_var_log_messages - status: automated - -- id: AZLX-23-002335 - levels: - - medium - title: Amazon Linux 2023 must ensure the /var/log/messages file be group-owned - by root. - rules: - - file_groupowner_var_log_messages - status: automated - -- id: AZLX-23-002340 - levels: - - medium - title: Amazon Linux 2023 must ensure the /var/log/messages file be owned by - root. - rules: - - file_owner_var_log_messages - status: automated - -- id: AZLX-23-002345 - levels: - - medium - title: Amazon Linux 2023 system commands must be owned by root. - rules: - - file_ownership_binary_dirs - status: automated - -- id: AZLX-23-002350 - levels: - - medium - title: Amazon Linux 2023 system commands must be group-owned by root or a - system account. - rules: - - file_groupownership_system_commands_dirs - status: automated - -- id: AZLX-23-002355 - levels: - - medium - title: Amazon Linux 2023 must enforce password complexity by requiring that at - least one uppercase character be used. - rules: - - accounts_password_pam_ucredit - - var_password_pam_ucredit=1 - status: automated - -- id: AZLX-23-002360 - levels: - - medium - title: Amazon Linux 2023 must enforce password complexity by requiring that at - least one lowercase character be used. - rules: - - accounts_password_pam_lcredit - - var_password_pam_lcredit=1 - status: automated - -- id: AZLX-23-002365 - levels: - - medium - title: Amazon Linux 2023 must enforce password complexity by requiring that at - least one numeric character be used. 
- rules:
- - accounts_password_pam_dcredit
- - var_password_pam_dcredit=1
- status: automated
-
-- id: AZLX-23-002370
- levels:
- - medium
- title: Amazon Linux 2023 must require the change of at least 50 percent of the
- total number of characters when passwords are changed.
- rules:
- - accounts_password_pam_difok
- - var_password_pam_difok=8
- status: automated
-
-- id: AZLX-23-002375
- levels:
- - medium
- title: Amazon Linux 2023 must enforce a minimum 15-character password length.
- rules:
- - accounts_password_pam_minlen
- - var_password_pam_minlen=15
- status: automated
-
-- id: AZLX-23-002380
- levels:
- - medium
- title: Amazon Linux 2023 must enforce password complexity by requiring that at
- least one special character be used.
- rules:
- - accounts_password_pam_ocredit
- - var_password_pam_ocredit=1
- status: automated
-
-- id: AZLX-23-002385
- levels:
- - medium
- title: Amazon Linux 2023 must enforce password complexity rules for the root
- account.
- rules:
- - accounts_password_pam_enforce_root
- status: automated
-
-- id: AZLX-23-002390
- levels:
- - medium
- title: Amazon Linux 2023 must prevent the use of dictionary words for
- passwords.
- rules:
- - accounts_password_pam_dictcheck
- - var_password_pam_dictcheck=1
- status: automated
-
-- id: AZLX-23-002395
- levels:
- - low
- title: Amazon Linux 2023 must limit the number of concurrent sessions to ten
- for all accounts and/or account types.
- rules:
- - accounts_max_concurrent_login_sessions
- - var_accounts_max_concurrent_login_sessions=10
- status: automated
-
-- id: AZLX-23-002396
- levels:
- - medium
- title: Amazon Linux 2023 must automatically exit interactive command shell
- user sessions after 15 minutes of inactivity.
- rules:
- - accounts_tmout
- - var_accounts_tmout=10_min
- status: automated
-
-- id: AZLX-23-002400
- levels:
- - medium
- title: Amazon Linux 2023 must enforce 24 hours/1 day as the minimum password
- lifetime.
- rules:
- - accounts_minimum_age_login_defs
- status: automated
-
-- id: AZLX-23-002405
- levels:
- - medium
- title: Amazon Linux 2023 must enforce a delay of at least four seconds between
- logon prompts following a failed logon attempt.
- rules:
- - accounts_logon_fail_delay
- - var_accounts_fail_delay=4
- status: automated
-
-- id: AZLX-23-002410
- levels:
- - medium
- title: Amazon Linux 2023 must define default permissions for all authenticated
- users in such a way that the user can only read and modify their own files.
- rules:
- - accounts_umask_etc_login_defs
- status: automated
-
-- id: AZLX-23-002415
- levels:
- - medium
- title: Amazon Linux 2023 must automatically remove or disable temporary user
- accounts after 72 hours.
- rules: []
- status: pending
-- id: AZLX-23-002420
- levels:
- - medium
- title: Amazon Linux 2023 must automatically lock an account when three
- unsuccessful logon attempts occur.
- rules: []
- status: pending
-- id: AZLX-23-002425
- levels:
- - medium
- title: Amazon Linux 2023 must be able to enforce a 60-day maximum password
- lifetime restriction.
- rules:
- - accounts_password_set_max_life_existing
- - var_accounts_maximum_age_login_defs=60
- status: automated
-
-- id: AZLX-23-002430
- levels:
- - medium
- title: Amazon Linux 2023 must disable account identifiers (individuals,
- groups, roles, and devices) after 35 days of inactivity.
- rules:
- - account_disable_post_pw_expiration
- - var_account_disable_post_pw_expiration=35
- status: automated
-
-- id: AZLX-23-002435
- levels:
- - medium
- title: Amazon Linux 2023 must automatically expire temporary accounts within
- 72 hours.
- rules:
- - account_temp_expire_date
- status: automated
-
-- id: AZLX-23-002440
- levels:
- - medium
- title: Amazon Linux 2023 must restrict the use of the "su" command.
- rules:
- - use_pam_wheel_for_su
- status: automated
-
-- id: AZLX-23-002445
- levels:
- - medium
- title: Amazon Linux 2023 must enable the SELinux targeted policy.
- rules:
- - selinux_policytype
- - var_selinux_policy_name=targeted
- status: automated
-
-- id: AZLX-23-002450
- levels:
- - high
- title: Amazon Linux 2023 must use a Linux Security Module configured to
- enforce limits on system services.
- rules:
- - selinux_state
- - var_selinux_state=enforcing
- status: automated
-
-- id: AZLX-23-002455
- levels:
- - medium
- title: Amazon Linux 2023 must automatically lock an account when three
- unsuccessful logon attempts occur.
- rules:
- - accounts_passwords_pam_faillock_deny
- - var_accounts_passwords_pam_faillock_deny=3
- status: automated
-
-- id: AZLX-23-002460
- levels:
- - medium
- title: Amazon Linux 2023 must automatically lock the root account until the
- root account is released by an administrator when three unsuccessful logon
- attempts occur during a 15-minute time period.
- rules:
- - accounts_passwords_pam_faillock_deny_root
- status: automated
-
-- id: AZLX-23-002465
- levels:
- - medium
- title: Amazon Linux 2023 must automatically lock an account until the locked
- account is released by an administrator when three unsuccessful logon
- attempts in 15 minutes occur.
- rules:
- - accounts_passwords_pam_faillock_interval
- - var_accounts_passwords_pam_faillock_fail_interval=900
- status: automated
-
-- id: AZLX-23-002470
- levels:
- - medium
- title: Amazon Linux 2023 must maintain an account lock until the locked
- account is released by an administrator.
- rules:
- - accounts_passwords_pam_faillock_unlock_time
- - var_accounts_passwords_pam_faillock_unlock_time=never
- status: automated
-
-- id: AZLX-23-002475
- levels:
- - medium
- title: Amazon Linux 2023 must be configured to prohibit or restrict the use of
- functions, ports, protocols, and/or services, as defined in the Ports,
- Protocols, and Services Management Category Assurance List (PPSM CAL) and
- vulnerability assessments.
- rules:
- - configured_firewalld_default_deny
- status: automated
-
-- id: AZLX-23-002480
- levels:
- - medium
- title: Amazon Linux 2023 must insure all interactive users have a primary
- group that exists.
- rules:
- - gid_passwd_group_same
- status: automated
-
-- id: AZLX-23-002485
- levels:
- - medium
- title: Amazon Linux 2023 must ensure all interactive users have unique User
- IDs (UIDs).
- rules:
- - account_unique_id
- status: automated
-
-- id: AZLX-23-002489
- levels:
- - medium
- title: Amazon Linux 2023 must ensure the password complexity module is enabled
- in the password-auth file.
- rules:
- - accounts_password_pam_pwquality_password_auth
- status: automated
-
-- id: AZLX-23-002490
- levels:
- - medium
- title: Amazon Linux 2023 password-auth must be configured to use a sufficient
- number of hashing rounds.
- rules:
- - accounts_password_pam_unix_rounds_password_auth
- - var_password_pam_unix_rounds=100000
- status: automated
-
-- id: AZLX-23-002495
- levels:
- - medium
- title: Amazon Linux 2023 system-auth must be configured to use a sufficient
- number of hashing rounds.
- rules:
- - accounts_password_pam_unix_rounds_system_auth
- status: automated
-
-- id: AZLX-23-002500
- levels:
- - medium
- title: Amazon Linux 2023 must ensure a sticky bit be set on all public
- directories.
- rules:
- - dir_perms_world_writable_sticky_bits
- status: automated
-
-- id: AZLX-23-002505
- levels:
- - medium
- title: Amazon Linux 2023 must ensure all world-writable directories be owned
- by root, sys, bin, or an application user.
- rules:
- - dir_perms_world_writable_root_owned
- status: automated
-
-- id: AZLX-23-002510
- levels:
- - medium
- title: Amazon Linux 2023 must terminate idle user sessions.
- rules:
- - logind_session_timeout
- - var_logind_session_timeout=15_minutes
- status: automated
-
-- id: AZLX-23-002515
- levels:
- - low
- title: Amazon Linux 2023 must enable auditing of processes that start prior to
- the audit daemon.
- rules:
- - grub2_audit_argument
- status: automated
-
-- id: AZLX-23-002520
- levels:
- - low
- title: Amazon Linux 2023 must allocate an audit_backlog_limit of sufficient
- size to capture processes that start prior to the audit daemon.
- rules:
- - grub2_audit_backlog_limit_argument
- status: automated
-
-- id: AZLX-23-002535
- levels:
- - medium
- title: Amazon Linux 2023 must enable discretionary access control on
- hardlinks.
- rules:
- - sysctl_fs_protected_hardlinks
- status: automated
-
-- id: AZLX-23-002540
- levels:
- - medium
- title: Amazon Linux 2023 must enable kernel parameters to enforce
- discretionary access control on symlinks.
- rules:
- - sysctl_fs_protected_symlinks
- status: automated
-
-- id: AZLX-23-002555
- levels:
- - medium
- title: Amazon Linux 2023 debug-shell systemd service must be disabled.
- status: automated
- rules:
- - service_debug-shell_disabled
-
-- id: AZLX-23-002560
- levels:
- - medium
- title: Amazon Linux 2023 chrony must be configured with a maximum interval of
- 24 hours between requests sent to a USNO server or a time server designated
- for the appropriate DOD network.
- rules: []
- status: pending
-- id: AZLX-23-002565
- levels:
- - medium
- title: Amazon Linux 2023 must synchronize internal information system clocks
- to the authoritative time source at least every 24 hours.
- rules:
- - chronyd_or_ntpd_set_maxpoll
- - chronyd_server_directive
- - chronyd_specify_remote_server
- - var_multiple_time_servers=stig
- - var_time_service_set_maxpoll=18_hours
- status: automated
-
-- id: AZLX-23-002570
- levels:
- - medium
- title: Amazon Linux 2023 must routinely check the baseline configuration for
- unauthorized changes and notify the system administrator when anomalies in
- the operation of any security functions are discovered.
- rules:
- - aide_periodic_cron_checking
- - aide_scan_notification
- status: automated
-
-- id: AZLX-23-002575
- levels:
- - medium
- title: Amazon Linux 2023 must prevent the loading of a new kernel for later
- execution.
- rules:
- - sysctl_kernel_kexec_load_disabled
- status: automated
-
-- id: AZLX-23-002580
- levels:
- - medium
- title: Amazon Linux 2023 must prevent files with the setuid and setgid bit set
- from being executed on the /boot/efi directory.
- rules:
- - mount_option_boot_efi_nosuid
- status: automated
-
-- id: AZLX-23-002585
- levels:
- - medium
- title: Amazon Linux 2023 must mount /dev/shm with the nodev option.
- rules:
- - mount_option_dev_shm_nodev
- status: automated
-
-- id: AZLX-23-002590
- levels:
- - medium
- title: Amazon Linux 2023 must mount /dev/shm with the nosuid option.
- rules:
- - mount_option_dev_shm_nosuid
- status: automated
-
-- id: AZLX-23-002595
- levels:
- - medium
- title: Amazon Linux 2023 must ensure the pcscd service is active.
- rules:
- - service_pcscd_enabled
- status: automated
-
-- id: AZLX-23-002600
- levels:
- - medium
- title: Amazon Linux 2023 file system automount function must be disabled
- unless required.
- rules:
- - service_autofs_disabled
- status: automated
-
-- id: AZLX-23-002605
- levels:
- - medium
- title: Amazon Linux 2023 must protect against or limit the effects of
- denial-of-service (DoS) attacks by ensuring rate-limiting measures are
- configured on impacted network interfaces.
- rules: []
- status: pending
-- id: AZLX-23-002610
- levels:
- - medium
- title: Amazon Linux 2023 must implement nonexecutable data to protect its
- memory from unauthorized code execution.
- rules: []
- status: pending
-- id: AZLX-23-002615
- levels:
- - low
- title: Amazon Linux 2023 must remove all software components after updated
- versions have been installed.
- rules:
- - clean_components_post_updating
- status: automated
-
-- id: AZLX-23-002620
- levels:
- - medium
- title: Amazon Linux 2023 must configure the use of the pam_faillock.so module
- in the /etc/pam.d/system-auth file.
- rules:
- - account_password_pam_faillock_system_auth
- status: automated
-
-- id: AZLX-23-005000
- levels:
- - medium
- title: Amazon Linux 2023 audit system must protect logon user identifiers
- (UIDs) from unauthorized change.
- rules:
- - audit_rules_immutable_login_uids
- status: automated
-
-- id: needed_rules
- levels:
- - medium
- rules:
- - enable_authselect
- - var_authselect_profile=sssd
-
+ - id: AZLX-23-000100
+ levels:
+ - high
+ title: Amazon Linux 2023 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
+ rules:
+ - encrypt_partitions
+ status: automated
+
+ - id: AZLX-23-000110
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure cryptographic verification of vendor
+ software packages.
+ rules: []
+ status: pending
+
+ - id: AZLX-23-000115
+ levels:
+ - high
+ title: Amazon Linux 2023 must check the GPG signature of locally installed
+ software packages before installation.
+ rules:
+ - ensure_gpgcheck_local_packages
+ status: automated
+
+ - id: AZLX-23-000120
+ levels:
+ - high
+ title: Amazon Linux 2023 must check the GPG signature of software packages
+ originating from external software repositories before installation.
+ rules:
+ - ensure_gpgcheck_globally_activated
+ status: automated
+
+ - id: AZLX-23-000125
+ levels:
+ - high
+ title:
+ Amazon Linux 2023 must have GPG signature verification enabled for all
+ software repositories.
+ rules:
+ - ensure_gpgcheck_never_disabled
+ status: automated
+
+ - id: AZLX-23-000130
+ levels:
+ - high
+ title: Amazon Linux 2023 must be a vendor-supported release.
+ rules:
+ - installed_OS_is_vendor_supported
+ status: automated
+
+ - id: AZLX-23-000135
+ levels:
+ - medium
+ title: Amazon Linux 2023 systemd-journald service must be enabled.
+ rules:
+ - service_systemd-journald_enabled
+ status: automated
+
+ - id: AZLX-23-000200
+ levels:
+ - medium
+ title: Amazon Linux 2023 must restrict access to the kernel message buffer.
+ rules:
+ - sysctl_kernel_dmesg_restrict
+ status: automated
+
+ - id: AZLX-23-000205
+ levels:
+ - medium
+ title: Amazon Linux 2023 must prevent kernel profiling by nonprivileged users.
+ rules:
+ - sysctl_kernel_perf_event_paranoid
+ status: automated
+
+ - id: AZLX-23-000210
+ levels:
+ - medium
+ title: Amazon Linux 2023 must restrict exposed kernel pointer addresses
+ access.
+ rules:
+ - sysctl_kernel_kptr_restrict
+ status: automated
+
+ - id: AZLX-23-000215
+ levels:
+ - medium
+ title: Amazon Linux 2023 must disable access to network bpf system call from
+ nonprivileged processes.
+ rules:
+ - sysctl_kernel_unprivileged_bpf_disabled
+ status: automated
+
+ - id: AZLX-23-000220
+ levels:
+ - medium
+ title: Amazon Linux 2023 must restrict usage of ptrace to descendant
+ processes.
+ rules:
+ - sysctl_kernel_yama_ptrace_scope
+ status: automated
+
+ - id: AZLX-23-000225
+ levels:
+ - medium
+ title: Amazon Linux 2023 must implement address space layout randomization
+ (ASLR) to protect its memory from unauthorized code execution.
+ rules:
+ - sysctl_kernel_randomize_va_space
+ status: automated
+
+ - id: AZLX-23-000300
+ levels:
+ - high
+ title: Amazon Linux 2023 must not have the vsftpd package installed.
+ rules:
+ - package_vsftpd_removed
+ status: automated
+
+ - id: AZLX-23-000305
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not have the sendmail package installed.
+ rules:
+ - package_sendmail_removed
+ status: automated
+
+ - id: AZLX-23-000310
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not have the nfs-utils package installed.
+ rules:
+ - package_nfs-utils_removed
+ status: automated
+
+ - id: AZLX-23-000315
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not have the telnet-server package installed.
+ rules:
+ - package_telnet-server_removed
+ status: automated
+
+ - id: AZLX-23-000320
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not have the gssproxy package installed.
+ rules:
+ - package_gssproxy_removed
+ status: automated
+
+ - id: AZLX-23-001000
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the sudo package installed.
+ rules:
+ - package_sudo_installed
+ status: automated
+
+ - id: AZLX-23-001005
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not be configured to bypass password
+ requirements for privilege escalation.
+ rules:
+ - disallow_bypass_password_sudo
+ status: automated
+
+ - id: AZLX-23-001010
+ levels:
+ - medium
+ title: Amazon Linux 2023 must require reauthentication when using the "sudo"
+ command.
+ rules:
+ - sudo_require_reauthentication
+ - var_sudo_timestamp_timeout=always_prompt
+ status: automated
+
+ - id: AZLX-23-001015
+ levels:
+ - medium
+ title: Amazon Linux 2023 must require users to reauthenticate for privilege
+ escalation.
+ rules:
+ - sudo_remove_no_authenticate
+ status: automated
+
+ - id: AZLX-23-001020
+ levels:
+ - medium
+ title: Amazon Linux 2023 must require users to provide a password for
+ privilege escalation.
+ rules:
+ - sudo_remove_nopasswd
+ status: automated
+
+ - id: AZLX-23-001025
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the audit package installed.
+ rules:
+ - package_audit_installed
+ status: automated
+
+ - id: AZLX-23-001030
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must produce audit records containing information to
+ establish what type of events occurred.
+ rules:
+ - service_auditd_enabled
+ status: automated
+
+ - id: AZLX-23-001035
+ levels:
+ - medium
+ title: Amazon Linux 2023 audispd-plugins package must be installed.
+ rules:
+ - package_audispd-plugins_installed
+ status: automated
+
+ - id: AZLX-23-001040
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the rsyslog package installed.
+ rules:
+ - service_rsyslog_enabled
+ status: automated
+
+ - id: AZLX-23-001045
+ levels:
+ - medium
+ title: Amazon Linux 2023 must monitor remote access methods.
+ rules:
+ - rsyslog_remote_access_monitoring
+ status: automated
+
+ - id: AZLX-23-001050
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the chrony package installed.
+ rules:
+ - package_chrony_installed
+ status: automated
+
+ - id: AZLX-23-001055
+ levels:
+ - medium
+ title: Amazon Linux 2023 chronyd service must be enabled.
+ rules:
+ - service_chronyd_enabled
+ status: automated
+
+ - id: AZLX-23-001060
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the Advanced Intrusion Detection
+ Environment (AIDE) package installed.
+ rules:
+ - package_aide_installed
+ - aide_build_database
+ status: automated
+
+ - id: AZLX-23-001065
+ levels:
+ - medium
+ title: Amazon Linux 2023 must routinely check the baseline configuration for
+ unauthorized changes and notify the system administrator when anomalies in
+ the operation of any security functions are discovered.
+ rules: []
+ status: pending
+ - id: AZLX-23-001070
+ levels:
+ - medium
+ title: Amazon Linux 2023 must use cryptographic mechanisms to protect the
+ integrity of audit tools.
+ rules:
+ - aide_check_audit_tools
+ status: automated
+
+ - id: AZLX-23-001075
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the firewalld package installed.
+ rules:
+ - package_firewalld_installed
+ status: automated
+
+ - id: AZLX-23-001080
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the firewalld servicew active.
+ rules:
+ - service_firewalld_enabled
+ status: automated
+
+ - id: AZLX-23-001085
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be configured to disable nonessential
+ capabilities.
+ rules:
+ - firewalld_sshd_port_enabled
+ status: automated
+
+ - id: AZLX-23-001090
+ levels:
+ - medium
+ title: Amazon Linux 2023 must manage excess capacity, bandwidth, or other
+ redundancy to limit the effects of information flooding types of
+ denial-of-service (DoS) attacks.
+ rules:
+ - firewalld-backend
+ status: automated
+
+ - id: AZLX-23-001095
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the s-nail package installed.
+ rules:
+ - package_s-nail_installed
+ status: automated
+
+ - id: AZLX-23-001105
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the libreswan package installed.
+ rules:
+ - package_libreswan_installed
+ status: automated
+
+ - id: AZLX-23-001110
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the policycoreutils package installed.
+ rules:
+ - package_policycoreutils_installed
+ status: automated
+
+ - id: AZLX-23-001115
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the pcsc-lite package installed.
+ rules:
+ - package_pcsc-lite_installed
+ status: automated
+
+ - id: AZLX-23-001120
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the packages required for encrypting
+ off-loaded audit logs installed.
+ rules: []
+ status: pending
+ - id: AZLX-23-001125
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the opensc package installed.
+ rules:
+ - package_opensc_installed
+ status: automated
+
+ - id: AZLX-23-001130
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the openssl-pkcs11 package installed.
+ rules:
+ - install_smartcard_packages
+ status: automated
+
+ - id: AZLX-23-001180
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have SSH installed.
+ rules:
+ - package_openssh-server_installed
+ status: automated
+
+ - id: AZLX-23-001185
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must implement SSH to protect the confidentiality and
+ integrity of transmitted and received information, as well as information
+ during preparation for transmission.
+ rules:
+ - service_sshd_enabled
+ status: automated
+
+ - id: AZLX-23-001195
+ levels:
+ - medium
+ title: Amazon Linux 2023 must have the crypto-policies package installed.
+ rules: []
+ status: pending
+ - id: AZLX-23-001200
+ levels:
+ - medium
+ title: Amazon Linux 2023 SSH server must be configured to use systemwide
+ crypto policies.
+ rules:
+ - file_sshd_50_redhat_exists
+ - sshd_include_crypto_policy
+ status: automated
+
+ - id: AZLX-23-001205
+ levels:
+ - medium
+ title: Amazon Linux 2023 server must be configured to use only DOD-approved
+ encryption ciphers employing FIPS 140-2/140-3 validated cryptographic hash
+ algorithms to protect the confidentiality of SSH server connections.
+ status: pending
+
+ - id: AZLX-23-001210
+ levels:
+ - medium
+ title: Amazon Linux 2023 SSH server must be configured to use only Message
+ Authentication Codes (MACs) employing FIPS 140-2/140-3 validated
+ cryptographic hash algorithms to protect the confidentiality of SSH server
+ connections.
+ rules: []
+ status: pending
+ - id: AZLX-23-001215
+ levels:
+ - medium
+ title: Amazon Linux 2023 SSH daemon must not allow Generic Security Service
+ Application Program Interface (GSSAPI) authentication.
+ rules:
+ - sshd_disable_gssapi_auth
+ status: automated
+
+ - id: AZLX-23-001220
+ levels:
+ - medium
+ title: Amazon Linux 2023 SSH daemon must not allow Kerberos authentication.
+ rules:
+ - sshd_disable_kerb_auth
+ status: automated
+
+ - id: AZLX-23-001225
+ levels:
+ - medium
+ title: Amazon Linux 2023 must force a frequent session key renegotiation for
+ SSH connections to the server.
+ rules:
+ - sshd_rekey_limit
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ status: automated
+
+ - id: AZLX-23-001230
+ levels:
+ - medium
+ title: Amazon Linux 2023 SSHD must accept public key authentication.
+ rules:
+ - sshd_enable_pubkey_auth
+ status: automated
+
+ - id: AZLX-23-001235
+ levels:
+ - high
+ title: Amazon Linux 2023 SSHD must not allow blank passwords.
+ rules:
+ - sshd_disable_empty_passwords
+ status: automated
+
+ - id: AZLX-23-001240
+ levels:
+ - medium
+ title: Amazon Linux 2023 must not permit direct logons to the root account
+ using remote access via SSH.
+ rules:
+ - sshd_disable_root_login
+ status: automated
+
+ - id: AZLX-23-001245
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be configured so that all network connections
+ associated with SSH traffic are terminated after 10 minutes of becoming
+ unresponsive.
+ rules:
+ - sshd_set_idle_timeout
+ - sshd_idle_timeout_value=10_minutes
+ status: automated
+
+ - id: AZLX-23-001250
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be configured so that all network connections
+ associated with SSH traffic terminate after becoming unresponsive.
+ rules:
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=1
+ status: automated
+
+ - id: AZLX-23-001255
+ levels:
+ - high
+ title:
+ Amazon Linux 2023 must enable the Pluggable Authentication Module (PAM)
+ interface for SSHD.
+ rules:
+ - sshd_enable_pam
+ status: automated
+
+ - id: AZLX-23-001260
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must implement DOD-approved encryption in the OpenSSL
+ package.
+ rules: []
+ status: pending
+ - id: AZLX-23-001265
+ levels:
+ - medium
+ title: Amazon Linux 2023 must implement DOD-approved TLS encryption in the
+ OpenSSL package.
+ rules: []
+ status: pending
+ - id: AZLX-23-001270
+ levels:
+ - medium
+ title: Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant
+ systemwide cryptographic policy.
+ rules: []
+ status: pending
+ - id: AZLX-23-001275
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must implement DOD-approved encryption to protect the
+ confidentiality of remote access sessions.
+ rules:
+ - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+ - sshd_approved_ciphers=stig_rhel9
+ status: automated
+ - id: AZLX-23-001280
+ levels:
+ - high
+ title: Amazon Linux 2023 must enable FIPS mode.
+ rules:
+ - enable_fips_mode
+ - sysctl_crypto_fips_enabled
+ - var_system_crypto_policy=fips
+ - enable_dracut_fips_module
+ status: automated
+
+ - id: AZLX-23-001285
+ levels:
+ - medium
+ title: Amazon Linux 2023 crypto policy must not be overridden.
+ rules: []
+ status: pending
+ - id: AZLX-23-001290
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enable certificate-based smart card
+ authentication.
+ rules:
+ - sssd_enable_smartcards
+ status: automated
+
+ - id: AZLX-23-001295
+ levels:
+ - medium
+ title: Amazon Linux 2023 must map the authenticated identity to the user or
+ group account for PKI-based authentication.
+ rules:
+ - sssd_enable_certmap
+ status: automated
+
+ - id: AZLX-23-001300
+ levels:
+ - medium
+ title: Amazon Linux 2023 must implement certificate status checking for
+ multifactor authentication.
+ rules:
+ - sssd_certificate_verification
+ - var_sssd_certificate_verification_digest_function=sha512
+ status: automated
+
+ - id: AZLX-23-001305
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must prohibit the use of cached authenticators after
+ one day.
+ rules:
+ - sssd_offline_cred_expiration
+ status: automated
+
+ - id: AZLX-23-001310
+ levels:
+ - medium
+ title: Amazon Linux 2023, for PKI-based authentication, must validate
+ certificates by constructing a certification path (which includes status
+ information) to an accepted trust anchor.
+ rules: []
+ status: pending
+ - id: AZLX-23-001315
+ levels:
+ - medium
+ title: Amazon Linux 2023, for PKI-based authentication, must enforce
+ authorized access to the corresponding private key.
+ rules:
+ - ssh_keys_passphrase_protected
+ status: automated
+
+ - id: AZLX-23-002000
+ levels:
+ - medium
+ title: Amazon Linux 2023 must display the Standard Mandatory DOD Notice and
+ Consent Banner before granting local or remote access to the system.
+ rules:
+ - banner_etc_issue
+ - login_banner_text=dod_banners
+ status: automated
+
+ - id: AZLX-23-002005
+ levels:
+ - medium
+ title: Amazon Linux 2023 must display the Standard Mandatory DOD Notice and
+ Consent Banner before granting local or remote access to the system via a
+ SSH logon.
+ rules:
+ - sshd_enable_warning_banner
+ status: automated
+
+ - id: AZLX-23-002015
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must allocate audit record storage capacity to store
+ at least one week's worth of audit records, when audit records are not
+ immediately sent to a central audit record storage facility.
+ rules:
+ - auditd_audispd_configure_sufficiently_large_partition
+ status: automated
+
+ - id: AZLX-23-002020
+ levels:
+ - low
+ title:
+ Amazon Linux 2023 must use a separate file system for the system audit
+ data path.
+ rules:
+ - partition_for_var_log_audit
+ status: automated
+
+ - id: AZLX-23-002025
+ levels:
+ - medium
+ title: Amazon Linux 2023 must label all off-loaded audit logs before sending
+ them to the central log server.
+ rules:
+ - auditd_name_format
+ - var_auditd_name_format=stig
+ status: automated
+
+ - id: AZLX-23-002030
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must take appropriate action when the internal event
+ queue is full.
+ rules:
+ - auditd_overflow_action
+ status: automated
+
+ - id: AZLX-23-002035
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must take action when allocated audit record storage
+ volume reaches 75 percent of the repository maximum audit record storage
+ capacity.
+ rules:
+ - auditd_data_retention_space_left_percentage
+ - var_auditd_space_left_percentage=25pc
+ status: automated
+
+ - id: AZLX-23-002040
+ levels:
+ - medium
+ title: Amazon Linux 2023 must notify the system administrator (SA) and
+ information system security officer (ISSO) (at a minimum) when allocated
+ audit record storage volume 75 percent utilization.
+ rules:
+ - auditd_data_retention_space_left_action
+ - var_auditd_space_left_action=email
+ status: automated
+
+ - id: AZLX-23-002045
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must take action when allocated audit record storage
+ volume reaches 95 percent of the audit record storage capacity.
+ rules:
+ - auditd_data_retention_admin_space_left_percentage
+ - var_auditd_admin_space_left_percentage=5pc
+ status: automated
+
+ - id: AZLX-23-002050
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must take action when allocated audit record storage
+ volume reaches 95 percent of the repository maximum audit record storage
+ capacity.
+ rules:
+ - auditd_data_retention_admin_space_left_action
+ - var_auditd_admin_space_left_action=single
+ status: automated
+
+ - id: AZLX-23-002055
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must immediately notify the system administrator (SA)
+ and information system security officer (ISSO), at a minimum, of an audit
+ processing failure event.
+ rules:
+ - auditd_data_retention_action_mail_acct
+ - var_auditd_action_mail_acct=root
+ status: automated
+
+ - id: AZLX-23-002060
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be configured to off-load audit records onto a
+ different system from the system being audited via syslog.
+ rules: []
+ status: pending
+ - id: AZLX-23-002065
+ levels:
+ - medium
+ title: Amazon Linux 2023 must authenticate the remote logging server for
+ off-loading audit logs via rsyslog.
+ rules:
+ - rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+ status: automated
+
+ - id: AZLX-23-002070
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must encrypt the transfer of audit records off-loaded
+ onto a different system or media from the system being audited via rsyslog.
+ rules:
+ - rsyslog_encrypt_offload_actionsendstreamdrivermode
+ status: automated
+
+ - id: AZLX-23-002075
+ levels:
+ - medium
+ title: Amazon Linux 2023 must encrypt via the gtls driver the transfer of
+ audit records off-loaded onto a different system or media from the system
+ being audited via rsyslog.
+ rules:
+ - rsyslog_encrypt_offload_defaultnetstreamdriver
+ status: automated
+
+ - id: AZLX-23-002080
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be configured to off-load audit records onto a
+ different system from the system being audited via syslog.
+ rules:
+ - rsyslog_remote_loghost
+ status: automated
+
+ - id: AZLX-23-002085
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/sudoers.
+ rules:
+ - audit_rules_sudoers
+ status: automated
+
+ - id: AZLX-23-002090
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/sudoers.d/ directory.
+ rules: []
+ status: pending
+ - id: AZLX-23-002095
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/group.
+ rules:
+ - audit_rules_usergroup_modification_group
+ status: automated
+
+ - id: AZLX-23-002100
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/gshadow.
+ rules:
+ - audit_rules_usergroup_modification_gshadow
+ status: automated
+
+ - id: AZLX-23-002105
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/opasswd.
+ rules:
+ - audit_rules_usergroup_modification_opasswd
+ status: automated
+
+ - id: AZLX-23-002110
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit uses of the "execve" system call.
+ rules:
+ - audit_rules_suid_privilege_function
+ status: automated
+
+ - id: AZLX-23-002115
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the chmod, fchmod, and
+ fchmodat system calls.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ status: automated
+
+ - id: AZLX-23-002120
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the chown, fchown, fchownat,
+ and lchown system calls.
+ rules:
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_lchown
+ status: automated
+
+ - id: AZLX-23-002125
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the setxattr, fsetxattr,
+ lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
+ rules:
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_lremovexattr
+ status: automated
+
+ - id: AZLX-23-002130
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the truncate, ftruncate,
+ creat, open, openat, and open_by_handle_at system calls.
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ status: automated
+
+ - id: AZLX-23-002135
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the init_module and
+ finit_module system calls.
+ rules:
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ status: automated
+
+ - id: AZLX-23-002140
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the create_module system call.
+ rules:
+ - audit_rules_execution_semanage
+ status: automated
+
+ - id: AZLX-23-002145
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the kmod command.
+ rules:
+ - audit_rules_privileged_commands_kmod
+ status: automated
+
+ - id: AZLX-23-002150
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the rename, unlink, rmdir,
+ renameat, and unlinkat system calls.
+ rules:
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_unlinkat
+ status: automated
+
+ - id: AZLX-23-002155
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the chcon command.
+ rules:
+ - audit_rules_execution_chcon
+ status: automated
+
+ - id: AZLX-23-002160
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /var/log/faillock.
+ rules:
+ - audit_rules_login_events_faillock
+ status: automated
+
+ - id: AZLX-23-002165
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /var/log/lastlog.
+ rules:
+ - audit_rules_login_events_lastlog
+ status: automated
+
+ - id: AZLX-23-002175
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the init command.
+ rules:
+ - audit_privileged_commands_init
+ status: automated
+
+ - id: AZLX-23-002180
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the reboot command.
+ rules:
+ - audit_privileged_commands_reboot
+ status: automated
+
+ - id: AZLX-23-002185
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the shutdown command.
+ rules:
+ - audit_privileged_commands_shutdown
+ status: automated
+
+ - id: AZLX-23-002190
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit tools must have a mode of "0755" or less
+ permissive.
+ rules:
+ - file_audit_tools_permissions
+ status: automated
+
+ - id: AZLX-23-002195
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit tools must be owned by root.
+ rules:
+ - file_audit_tools_ownership
+ status: automated
+
+ - id: AZLX-23-002200
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit tools must be group-owned by root.
+ rules:
+ - file_audit_tools_group_ownership
+ status: automated
+
+ - id: AZLX-23-002205
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/passwd.
+ rules: []
+ status: pending
+ - id: AZLX-23-002210
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all successful/unsuccessful uses of the
+ chage command.
+ rules:
+ - audit_rules_privileged_commands_chage
+ status: automated
+
+ - id: AZLX-23-002215
+ levels:
+ - medium
+ title: Amazon Linux 2023 must alert the information system security officer
+ (ISSO) and system administrator (SA), at a minimum, in the event of an audit
+ processing failure.
+ rules: []
+ status: pending
+ - id: AZLX-23-002220
+ levels:
+ - medium
+ title: Amazon Linux 2023 must off-load audit records onto a different system
+ in the event the audit storage volume is full.
+ rules:
+ - auditd_data_disk_full_action_stig
+ - var_auditd_disk_full_action=halt
+ status: automated
+
+ - id: AZLX-23-002225
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit logs must be group-owned by root or by a
+ restricted logging group to prevent unauthorized read access.
+ rules: []
+ status: pending
+ - id: AZLX-23-002230
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 audit log directory must be owned by root to prevent
+ unauthorized read access.
+ rules: []
+ status: pending
+ - id: AZLX-23-002235
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit logs file must have mode "0600" or less
+ permissive to prevent unauthorized access to the audit log.
+ rules: []
+ status: pending
+ - id: AZLX-23-002240
+ levels:
+ - medium
+ title: Amazon Linux 2023 must allow only the information system security
+ manager (ISSM) (or individuals or roles appointed by the ISSM) to select
+ which auditable events are to be audited.
+ rules:
+ - file_permissions_audit_configuration
+ status: automated
+
+ - id: AZLX-23-002245
+ levels:
+ - medium
+ title: Amazon Linux 2023 must audit all uses of the sudo command.
+ rules:
+ - audit_rules_privileged_commands_sudo
+ status: automated
+
+ - id: AZLX-23-002250
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/passwd.
+ rules:
+ - audit_rules_usergroup_modification_passwd
+ status: automated
+
+ - id: AZLX-23-002255
+ levels:
+ - medium
+ title: Amazon Linux 2023 must generate audit records for all account
+ creations, modifications, disabling, and termination events that affect
+ /etc/shadow.
+ rules:
+ - audit_rules_usergroup_modification_shadow
+ status: automated
+
+ - id: AZLX-23-002260
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must produce audit records containing information to
+ establish the identity of any individual or process associated with the
+ event.
+ rules:
+ - auditd_log_format
+ status: automated
+
+ - id: AZLX-23-002265
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit logs must be group-owned by root or by a
+ restricted logging group to prevent unauthorized read access.
+ rules:
+ - directory_group_ownership_var_log_audit
+ status: automated
+
+ - id: AZLX-23-002270
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must ensure the audit log directory be owned by root
+ to prevent unauthorized read access.
+ rules:
+ - directory_ownership_var_log_audit
+ status: automated
+
+ - id: AZLX-23-002275
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit logs file must have mode "0600" or less
+ permissive to prevent unauthorized access to the audit log.
+ rules:
+ - file_permissions_var_log_audit
+ status: automated
+
+ - id: AZLX-23-002280
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 library directories must be group-owned by root or a
+ system account.
+ rules:
+ - dir_group_ownership_library_dirs
+ status: automated
+
+ - id: AZLX-23-002285
+ levels:
+ - medium
+ title: Amazon Linux 2023 library directories must have mode "755" or less
+ permissive.
+ rules:
+ - dir_permissions_library_dirs
+ status: automated
+
+ - id: AZLX-23-002290
+ levels:
+ - medium
+ title: Amazon Linux 2023 library files must have mode "755" or less
+ permissive.
+ rules:
+ - file_permissions_library_dirs
+ status: automated
+
+ - id: AZLX-23-002295
+ levels:
+ - medium
+ title: Amazon Linux 2023 library files must be owned by root.
+ rules:
+ - file_ownership_library_dirs
+ status: automated
+
+ - id: AZLX-23-002300
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 library files must be group-owned by root or a system
+ account.
+ rules:
+ - root_permissions_syslibrary_files
+ status: automated
+
+ - id: AZLX-23-002305
+ levels:
+ - medium
+ title: Amazon Linux 2023 library directories must be owned by root.
+ rules:
+ - dir_ownership_library_dirs
+ status: automated
+
+ - id: AZLX-23-002315
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the /var/log directory have mode "0755"
+ or less permissive.
+ rules:
+ - file_permissions_var_log
+ status: automated
+
+ - id: AZLX-23-002320
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the /var/log directory be owned by root.
+ rules:
+ - file_owner_var_log
+ status: automated
+
+ - id: AZLX-23-002325
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must ensure the /var/log directory be group-owned by
+ root.
+ rules:
+ - file_groupowner_var_log
+ status: automated
+
+ - id: AZLX-23-002330
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the /var/log/messages file have mode
+ "0640" or less permissive.
+ rules:
+ - file_permissions_var_log_messages
+ status: automated
+
+ - id: AZLX-23-002335
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must ensure the /var/log/messages file be group-owned
+ by root.
+ rules:
+ - file_groupowner_var_log_messages
+ status: automated
+
+ - id: AZLX-23-002340
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the /var/log/messages file be owned by
+ root.
+ rules:
+ - file_owner_var_log_messages
+ status: automated
+
+ - id: AZLX-23-002345
+ levels:
+ - medium
+ title: Amazon Linux 2023 system commands must be owned by root.
+ rules:
+ - file_ownership_binary_dirs
+ status: automated
+
+ - id: AZLX-23-002350
+ levels:
+ - medium
+ title: Amazon Linux 2023 system commands must be group-owned by root or a
+ system account.
+ rules:
+ - file_groupownership_system_commands_dirs
+ status: automated
+
+ - id: AZLX-23-002355
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must enforce password complexity by requiring that at
+ least one uppercase character be used.
+ rules:
+ - accounts_password_pam_ucredit
+ - var_password_pam_ucredit=1
+ status: automated
+
+ - id: AZLX-23-002360
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must enforce password complexity by requiring that at
+ least one lowercase character be used.
+ rules:
+ - accounts_password_pam_lcredit
+ - var_password_pam_lcredit=1
+ status: automated
+
+ - id: AZLX-23-002365
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must enforce password complexity by requiring that at
+ least one numeric character be used.
+ rules:
+ - accounts_password_pam_dcredit
+ - var_password_pam_dcredit=1
+ status: automated
+
+ - id: AZLX-23-002370
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must require the change of at least 50 percent of the
+ total number of characters when passwords are changed.
+ rules:
+ - accounts_password_pam_difok
+ - var_password_pam_difok=8
+ status: automated
+
+ - id: AZLX-23-002375
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce a minimum 15-character password length.
+ rules:
+ - accounts_password_pam_minlen
+ - var_password_pam_minlen=15
+ status: automated
+
+ - id: AZLX-23-002380
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must enforce password complexity by requiring that at
+ least one special character be used.
+ rules:
+ - accounts_password_pam_ocredit
+ - var_password_pam_ocredit=1
+ status: automated
+
+ - id: AZLX-23-002385
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce password complexity rules for the root
+ account.
+ rules:
+ - accounts_password_pam_enforce_root
+ status: automated
+
+ - id: AZLX-23-002390
+ levels:
+ - medium
+ title: Amazon Linux 2023 must prevent the use of dictionary words for
+ passwords.
+ rules:
+ - accounts_password_pam_dictcheck
+ - var_password_pam_dictcheck=1
+ status: automated
+
+ - id: AZLX-23-002395
+ levels:
+ - low
+ title: Amazon Linux 2023 must limit the number of concurrent sessions to ten
+ for all accounts and/or account types.
+ rules:
+ - accounts_max_concurrent_login_sessions
+ - var_accounts_max_concurrent_login_sessions=10
+ status: automated
+
+ - id: AZLX-23-002396
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically exit interactive command shell
+ user sessions after 15 minutes of inactivity.
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=10_min
+ status: automated
+
+ - id: AZLX-23-002400
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enforce 24 hours/1 day as the minimum password
+ lifetime.
+ rules:
+ - accounts_minimum_age_login_defs
+ status: automated
+
+ - id: AZLX-23-002405
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must enforce a delay of at least four seconds between
+ logon prompts following a failed logon attempt.
+ rules:
+ - accounts_logon_fail_delay
+ - var_accounts_fail_delay=4
+ status: automated
+
+ - id: AZLX-23-002410
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must define default permissions for all authenticated
+ users in such a way that the user can only read and modify their own files.
+ rules:
+ - accounts_umask_etc_login_defs
+ status: automated
+
+ - id: AZLX-23-002415
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically remove or disable temporary user
+ accounts after 72 hours.
+ rules: []
+ status: pending
+ - id: AZLX-23-002420
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically lock an account when three
+ unsuccessful logon attempts occur.
+ rules: []
+ status: pending
+ - id: AZLX-23-002425
+ levels:
+ - medium
+ title: Amazon Linux 2023 must be able to enforce a 60-day maximum password
+ lifetime restriction.
+ rules:
+ - accounts_password_set_max_life_existing
+ - var_accounts_maximum_age_login_defs=60
+ status: automated
+
+ - id: AZLX-23-002430
+ levels:
+ - medium
+ title: Amazon Linux 2023 must disable account identifiers (individuals,
+ groups, roles, and devices) after 35 days of inactivity.
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=35
+ status: automated
+
+ - id: AZLX-23-002435
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically expire temporary accounts within
+ 72 hours.
+ rules:
+ - account_temp_expire_date
+ status: automated
+
+ - id: AZLX-23-002440
+ levels:
+ - medium
+ title: Amazon Linux 2023 must restrict the use of the "su" command.
+ rules:
+ - use_pam_wheel_for_su
+ status: automated
+
+ - id: AZLX-23-002445
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enable the SELinux targeted policy.
+ rules:
+ - selinux_policytype
+ - var_selinux_policy_name=targeted
+ status: automated
+
+ - id: AZLX-23-002450
+ levels:
+ - high
+ title: Amazon Linux 2023 must use a Linux Security Module configured to
+ enforce limits on system services.
+ rules:
+ - selinux_state
+ - var_selinux_state=enforcing
+ status: automated
+
+ - id: AZLX-23-002455
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically lock an account when three
+ unsuccessful logon attempts occur.
+ rules:
+ - accounts_passwords_pam_faillock_deny
+ - var_accounts_passwords_pam_faillock_deny=3
+ status: automated
+
+ - id: AZLX-23-002460
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically lock the root account until the
+ root account is released by an administrator when three unsuccessful logon
+ attempts occur during a 15-minute time period.
+ rules:
+ - accounts_passwords_pam_faillock_deny_root
+ status: automated
+
+ - id: AZLX-23-002465
+ levels:
+ - medium
+ title: Amazon Linux 2023 must automatically lock an account until the locked
+ account is released by an administrator when three unsuccessful logon
+ attempts in 15 minutes occur.
+ rules:
+ - accounts_passwords_pam_faillock_interval
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ status: automated
+
+ - id: AZLX-23-002470
+ levels:
+ - medium
+ title: Amazon Linux 2023 must maintain an account lock until the locked
+ account is released by an administrator.
+ rules:
+ - accounts_passwords_pam_faillock_unlock_time
+ - var_accounts_passwords_pam_faillock_unlock_time=never
+ status: automated
+
+ - id: AZLX-23-002475
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must be configured to prohibit or restrict the use of
+ functions, ports, protocols, and/or services, as defined in the Ports,
+ Protocols, and Services Management Category Assurance List (PPSM CAL) and
+ vulnerability assessments.
+ rules:
+ - configured_firewalld_default_deny
+ status: automated
+
+ - id: AZLX-23-002480
+ levels:
+ - medium
+ title: Amazon Linux 2023 must insure all interactive users have a primary
+ group that exists.
+ rules:
+ - gid_passwd_group_same
+ status: automated
+
+ - id: AZLX-23-002485
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure all interactive users have unique User
+ IDs (UIDs).
+ rules:
+ - account_unique_id
+ status: automated
+
+ - id: AZLX-23-002489
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must ensure the password complexity module is enabled
+ in the password-auth file.
+ rules:
+ - accounts_password_pam_pwquality_password_auth
+ status: automated
+
+ - id: AZLX-23-002490
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 password-auth must be configured to use a sufficient
+ number of hashing rounds.
+ rules:
+ - accounts_password_pam_unix_rounds_password_auth
+ - var_password_pam_unix_rounds=100000
+ status: automated
+
+ - id: AZLX-23-002495
+ levels:
+ - medium
+ title: Amazon Linux 2023 system-auth must be configured to use a sufficient
+ number of hashing rounds.
+ rules:
+ - accounts_password_pam_unix_rounds_system_auth
+ status: automated
+
+ - id: AZLX-23-002500
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure a sticky bit be set on all public
+ directories.
+ rules:
+ - dir_perms_world_writable_sticky_bits
+ status: automated
+
+ - id: AZLX-23-002505
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure all world-writable directories be owned
+ by root, sys, bin, or an application user.
+ rules:
+ - dir_perms_world_writable_root_owned
+ status: automated
+
+ - id: AZLX-23-002510
+ levels:
+ - medium
+ title: Amazon Linux 2023 must terminate idle user sessions.
+ rules:
+ - logind_session_timeout
+ - var_logind_session_timeout=15_minutes
+ status: automated
+
+ - id: AZLX-23-002515
+ levels:
+ - low
+ title:
+ Amazon Linux 2023 must enable auditing of processes that start prior to
+ the audit daemon.
+ rules:
+ - grub2_audit_argument
+ status: automated
+
+ - id: AZLX-23-002520
+ levels:
+ - low
+ title: Amazon Linux 2023 must allocate an audit_backlog_limit of sufficient
+ size to capture processes that start prior to the audit daemon.
+ rules:
+ - grub2_audit_backlog_limit_argument
+ status: automated
+
+ - id: AZLX-23-002535
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enable discretionary access control on
+ hardlinks.
+ rules:
+ - sysctl_fs_protected_hardlinks
+ status: automated
+
+ - id: AZLX-23-002540
+ levels:
+ - medium
+ title: Amazon Linux 2023 must enable kernel parameters to enforce
+ discretionary access control on symlinks.
+ rules:
+ - sysctl_fs_protected_symlinks
+ status: automated
+
+ - id: AZLX-23-002555
+ levels:
+ - medium
+ title: Amazon Linux 2023 debug-shell systemd service must be disabled.
+ status: automated
+ rules:
+ - service_debug-shell_disabled
+
+ - id: AZLX-23-002560
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 chrony must be configured with a maximum interval of
+ 24 hours between requests sent to a USNO server or a time server designated
+ for the appropriate DOD network.
+ rules: []
+ status: pending
+ - id: AZLX-23-002565
+ levels:
+ - medium
+ title: Amazon Linux 2023 must synchronize internal information system clocks
+ to the authoritative time source at least every 24 hours.
+ rules:
+ - chronyd_or_ntpd_set_maxpoll
+ - chronyd_server_directive
+ - chronyd_specify_remote_server
+ - var_multiple_time_servers=stig
+ - var_time_service_set_maxpoll=18_hours
+ status: automated
+
+ - id: AZLX-23-002570
+ levels:
+ - medium
+ title: Amazon Linux 2023 must routinely check the baseline configuration for
+ unauthorized changes and notify the system administrator when anomalies in
+ the operation of any security functions are discovered.
+ rules:
+ - aide_periodic_cron_checking
+ - aide_scan_notification
+ status: automated
+
+ - id: AZLX-23-002575
+ levels:
+ - medium
+ title: Amazon Linux 2023 must prevent the loading of a new kernel for later
+ execution.
+ rules:
+ - sysctl_kernel_kexec_load_disabled
+ status: automated
+
+ - id: AZLX-23-002580
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must prevent files with the setuid and setgid bit set
+ from being executed on the /boot/efi directory.
+ rules:
+ - mount_option_boot_efi_nosuid
+ status: automated
+
+ - id: AZLX-23-002585
+ levels:
+ - medium
+ title: Amazon Linux 2023 must mount /dev/shm with the nodev option.
+ rules:
+ - mount_option_dev_shm_nodev
+ status: automated
+
+ - id: AZLX-23-002590
+ levels:
+ - medium
+ title: Amazon Linux 2023 must mount /dev/shm with the nosuid option.
+ rules:
+ - mount_option_dev_shm_nosuid
+ status: automated
+
+ - id: AZLX-23-002595
+ levels:
+ - medium
+ title: Amazon Linux 2023 must ensure the pcscd service is active.
+ rules:
+ - service_pcscd_enabled
+ status: automated
+
+ - id: AZLX-23-002600
+ levels:
+ - medium
+ title: Amazon Linux 2023 file system automount function must be disabled
+ unless required.
+ rules:
+ - service_autofs_disabled
+ status: automated
+
+ - id: AZLX-23-002605
+ levels:
+ - medium
+ title: Amazon Linux 2023 must protect against or limit the effects of
+ denial-of-service (DoS) attacks by ensuring rate-limiting measures are
+ configured on impacted network interfaces.
+ rules: []
+ status: pending
+ - id: AZLX-23-002610
+ levels:
+ - medium
+ title: Amazon Linux 2023 must implement nonexecutable data to protect its
+ memory from unauthorized code execution.
+ rules: []
+ status: pending
+ - id: AZLX-23-002615
+ levels:
+ - low
+ title: Amazon Linux 2023 must remove all software components after updated
+ versions have been installed.
+ rules:
+ - clean_components_post_updating
+ status: automated
+
+ - id: AZLX-23-002620
+ levels:
+ - medium
+ title:
+ Amazon Linux 2023 must configure the use of the pam_faillock.so module
+ in the /etc/pam.d/system-auth file.
+ rules:
+ - account_password_pam_faillock_system_auth
+ status: automated
+
+ - id: AZLX-23-005000
+ levels:
+ - medium
+ title: Amazon Linux 2023 audit system must protect logon user identifiers
+ (UIDs) from unauthorized change.
+ rules:
+ - audit_rules_immutable_login_uids
+ status: automated
+
+ - id: needed_rules
+ levels:
+ - medium
+ rules:
+ - enable_authselect
+ - var_authselect_profile=sssd
diff --git a/products/al2023/profiles/standard.profile b/products/al2023/profiles/standard.profile
index 52155cb5c223..2b6e3513c753 100644
--- a/products/al2023/profiles/standard.profile
+++ b/products/al2023/profiles/standard.profile
@@ -9,4 +9,4 @@ description: |-
all of these checks should pass.
selections:
- - accounts_password_minlen_login_defs
\ No newline at end of file
+ - accounts_password_minlen_login_defs
diff --git a/products/al2023/profiles/stig.profile b/products/al2023/profiles/stig.profile
index 2d9008c066b4..6fb208d642ee 100644
--- a/products/al2023/profiles/stig.profile
+++ b/products/al2023/profiles/stig.profile
@@ -46,4 +46,4 @@ selections:
- audit_rules_file_deletion_events
- audit_rules_sysadmin_actions
- audit_rules_kernel_module_loading
- - audit_rules_immutable_login_uids
\ No newline at end of file
+ - audit_rules_immutable_login_uids
From f8b96a254fc902f979bedb93e2d6ae806ad82ff0 Mon Sep 17 00:00:00 2001
From: Eric-Domeier
Date: Mon, 15 Dec 2025 19:53:23 -0500
Subject: [PATCH 7/7] Fix spaces
---
products/al2023/profiles/stig.profile | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/products/al2023/profiles/stig.profile b/products/al2023/profiles/stig.profile
index 6fb208d642ee..5de9f30dedb3 100644
--- a/products/al2023/profiles/stig.profile
+++ b/products/al2023/profiles/stig.profile
@@ -10,11 +10,11 @@ reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-syst
title: 'DISA STIG for Amazon Linux 2023'
description: |-
- This profile contains configuration checks that align to the
+ This profile contains configuration checks that align to the
DISA STIG (Security Technical Implementation Guide) for Amazon Linux 2023.
-
- DISA STIGs are the configuration standards for DOD IA and IA-enabled
- devices/systems. The requirements are derived from the NIST 800-53
+
+ DISA STIGs are the configuration standards for DOD IA and IA-enabled
+ devices/systems. The requirements are derived from the NIST 800-53
and related documents.
selections: