
Amazon Linux 2023 STIG SCAP Benchmark

V1R0 · Published 23 Mar 2026 · 151 rules

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Amazon Linux 2023 must check the GPG signature of locally installed software packages before installation.
Severity: High · CCI: CCI-003992 · Version: AZLX-23-000115 · Vuln ID: V-273996 · Rule ID: SV-273996r1119976_rule
Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. All software packages must be signed with a cryptographic key recognized and approved by the organization. Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.
Fix: F-77992r1119975_fix

Configure Amazon Linux 2023 to always check the GPG signature of local software packages before installation. Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file:
    localpkg_gpgcheck=1

Amazon Linux 2023 must check the GPG signature of software packages originating from external software repositories before installation.
Severity: High · CCI: CCI-003992 · Version: AZLX-23-000120 · Vuln ID: V-273997 · Rule ID: SV-273997r1119979_rule
Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. All software packages must be signed with a cryptographic key recognized and approved by the organization. Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.
Fix: F-77993r1119978_fix

Configure Amazon Linux 2023 to always check the GPG signature of software packages originating from external software repositories before installation. Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file:
    gpgcheck=1

Amazon Linux 2023 must have GPG signature verification enabled for all software repositories.
Severity: High · CCI: CCI-003992 · Version: AZLX-23-000125 · Vuln ID: V-273998 · Rule ID: SV-273998r1119982_rule
Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. All software packages must be signed with a cryptographic key recognized and approved by the organization. Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.
Fix: F-77994r1119981_fix

Configure Amazon Linux 2023 to verify the signature of packages from a repository prior to installation by setting the following option in the "/etc/yum.repos.d/[your_repo_name].repo" file:
    gpgcheck=1
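
The three rules above (AZLX-23-000115, -000120 and -000125) each require a single setting, but the usual way they fail in practice is quieter than a missing line: a key placed under the wrong section of dnf.conf, or one repository file among many that sets gpgcheck=0. The script below is an added example, not part of the STIG or of any DISA tooling, that audits both files offline. Its function names (ini_main_value, check_dnf_conf, check_repo_files, demo_findings) and the sample configuration files it writes to a temporary directory are this example's own.

```shell
#!/bin/sh
# Added example (not part of the STIG text): audit the three package-signature
# settings required by AZLX-23-000115, -000120 and -000125. Function names and
# the sample files are this example's own.

# Print the effective value of KEY in the [main] section of a dnf.conf-style
# file; the last assignment wins, and keys under other sections are ignored.
# Prints nothing when the key is unset.
ini_main_value() {
    # $1 = file, $2 = key
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }                      # comment lines
        /^[[:space:]]*\[/ { in_main = ($0 ~ /^[[:space:]]*\[main[]][[:space:]]*$/); next }
        in_main && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); val = $0
        }
        END { if (val != "") print val }
    ' "$1"
}

# AZLX-23-000115/000120: gpgcheck and localpkg_gpgcheck must both be exactly 1
# in [main]. Prints one PASS/FAIL line per key; returns 0 only if both pass.
check_dnf_conf() {
    conf=$1; rc=0
    for key in gpgcheck localpkg_gpgcheck; do
        val=$(ini_main_value "$conf" "$key")
        if [ "$val" = "1" ]; then
            echo "PASS $conf [main] $key=1"
        else
            echo "FAIL $conf [main] $key=${val:-<unset>}"; rc=1
        fi
    done
    return $rc
}

# AZLX-23-000125: every [repoid] section in every *.repo file under DIR must
# set gpgcheck=1 itself (the STIG wants it in the repo file, not inherited
# from dnf.conf). Returns 0 only if every section passes.
check_repo_files() {
    dir=$1; rc=0
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        awk -v file="$f" '
            BEGIN { bad = 0 }
            function report_section() {
                if (sect == "") return
                if (val == "1") print "PASS " file " [" sect "] gpgcheck=1"
                else { print "FAIL " file " [" sect "] gpgcheck=" (val == "" ? "<unset>" : val); bad = 1 }
            }
            /^[[:space:]]*[#;]/ { next }
            /^[[:space:]]*\[/ { report_section(); sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/[]].*/, "", sect); val = ""; next }
            /^[[:space:]]*gpgcheck[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); val = $0 }
            END { report_section(); exit bad }
        ' "$f" || rc=1
    done
    return $rc
}

# Demonstration on constructed files in a temporary directory (not the host's
# real configuration). Prints the number of FAIL findings; expected: 2.
demo_findings() {
    tmp=$(mktemp -d)
    # localpkg_gpgcheck is set only under a non-[main] section, so it must not count
    cat > "$tmp/dnf.conf" <<'EOF'
[main]
gpgcheck=1
installonly_limit=3
[other]
localpkg_gpgcheck=1
EOF
    mkdir "$tmp/repos"
    cat > "$tmp/repos/custom.repo" <<'EOF'
[internal-mirror]
name=Internal mirror (constructed)
baseurl=https://mirror.example.invalid/al2023
gpgcheck=0

[tools]
name=Tools (constructed)
baseurl=https://mirror.example.invalid/tools
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
EOF
    n=$({ check_dnf_conf "$tmp/dnf.conf" || :; check_repo_files "$tmp/repos" || :; } | grep -c '^FAIL')
    rm -rf "$tmp"
    echo "$n"
}

demo_findings
```

On a real host the same two functions are called as `check_dnf_conf /etc/dnf/dnf.conf` and `check_repo_files /etc/yum.repos.d`. The repository check deliberately does not credit a repo with the gpgcheck value inherited from [main], because the STIG text asks for the option in each .repo file; a value of 1 there survives a later change to dnf.conf.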

Amazon Linux 2023 must be a vendor-supported release.
RMF Control: SI-2 · Severity: High · CCI: CCI-002605 · Version: AZLX-23-000130 · Vuln ID: V-273999 · Rule ID: SV-273999r1155171_rule
An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. Amazon Linux 2023 (AL2023) was released in March 2023 and will be supported until June 30, 2029. Standard support ends June 30, 2027. Maintenance (security and critical fixes only) ends June 30, 2029.

To check the support status and dates of individual packages, use the following command:
    $ sudo dnf supportinfo --pkg

To get information on all currently installed packages, use:
    $ sudo dnf supportinfo --show installed
Fix: F-77995r1119984_fix

Configure Amazon Linux 2023 to be a vendor-supported release. Upgrade to a supported version of Amazon Linux 2023.

Amazon Linux 2023 systemd-journald service must be enabled.
RMF Control: SC-24 · Severity: Medium · CCI: CCI-001665 · Version: AZLX-23-000135 · Vuln ID: V-274000 · Rule ID: SV-274000r1119988_rule
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving operating system state information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes.
Fix: F-77996r1119987_fix

Configure Amazon Linux 2023 to enable the systemd-journald service with the following command:
    $ sudo systemctl enable --now systemd-journald

Amazon Linux 2023 must restrict access to the kernel message buffer.
RMF Control: SC-2 · Severity: Medium · CCI: CCI-001082 · Version: AZLX-23-000200 · Vuln ID: V-274001 · Rule ID: SV-274001r1198253_rule
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
Fix: F-77997r1119990_fix

Configure Amazon Linux 2023 to restrict access to the kernel message buffer. Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
    kernel.dmesg_restrict = 1

Load settings from all system configuration files with the following command:
    $ sudo sysctl --system

Amazon Linux 2023 must prevent kernel profiling by nonprivileged users.
RMF Control: SC-2 · Severity: Medium · CCI: CCI-001082 · Version: AZLX-23-000205 · Vuln ID: V-274002 · Rule ID: SV-274002r1198253_rule
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
Fix: F-77998r1119993_fix

Configure Amazon Linux 2023 to prevent kernel profiling by nonprivileged users. Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
    kernel.perf_event_paranoid = 2

Load settings from all system configuration files with the following command:
    $ sudo sysctl --system

Amazon Linux 2023 must restrict exposed kernel pointer addresses access.
RMF Control: SC-2 · Severity: Medium · CCI: CCI-001082 · Version: AZLX-23-000210 · Vuln ID: V-274003 · Rule ID: SV-274003r1198253_rule
Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain function pointers. If a write vulnerability occurs in the kernel that allows write access to any of these structures, the kernel can be compromised. This option prevents any program without the CAP_SYSLOG capability from obtaining the addresses of kernel pointers by replacing them with "0". Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192
Fix: F-77999r1119996_fix

Configure Amazon Linux 2023 to restrict exposed kernel pointer addresses access. Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
    kernel.kptr_restrict = 1

Reload settings from all system configuration files with the following command:
    $ sudo sysctl --system

Amazon Linux 2023 must disable access to network bpf system call from nonprivileged processes.
RMF Control: SC-2 · Severity: Medium · CCI: CCI-001082 · Version: AZLX-23-000215 · Vuln ID: V-274004 · Rule ID: SV-274004r1198253_rule
Loading and accessing packet filter programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state.
Fix: F-78000r1119999_fix

Configure Amazon Linux 2023 to prevent privilege escalation through the kernel by disabling access to the bpf syscall. Add the following line to a file in the "/etc/sysctl.d" directory:
    kernel.unprivileged_bpf_disabled = 1

The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
    $ sudo sysctl --system

Amazon Linux 2023 must restrict usage of ptrace to descendant processes.
RMF Control: SC-2 · Severity: Medium · CCI: CCI-001082 · Version: AZLX-23-000220 · Vuln ID: V-274005 · Rule ID: SV-274005r1198253_rule
Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. In this way, an attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing).
Fix: F-78001r1120002_fix

Configure Amazon Linux 2023 to restrict usage of ptrace to descendant processes by adding the following line to a file in the "/etc/sysctl.d" directory:
    kernel.yama.ptrace_scope = 1

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
    $ sudo sysctl --system

Amazon Linux 2023 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
RMF Control: SI-16 · Severity: Medium · CCI: CCI-002824 · Version: AZLX-23-000225 · Vuln ID: V-274006 · Rule ID: SV-274006r1120006_rule
ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code to repurpose it using return oriented programming (ROP) techniques.
Fix: F-78002r1120005_fix

Configure Amazon Linux 2023 to enable ASLR to enhance memory protection. Enable ASLR by setting the kernel parameter with the following command:
    $ echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
    kernel.randomize_va_space = 2

Reload settings from all system configuration files with the following command:
    $ sudo sysctl --system
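
The six kernel rules above (AZLX-23-000200 through -000225) all follow the same pattern: one line in a /etc/sysctl.d drop-in, then sysctl --system. What the pattern does not protect against is a later drop-in (99-something.conf, shipped by a package or added by hand) that quietly overrides the value. The script below is an added example, not part of the STIG or of any DISA tool, that resolves the effective value of each required key across a directory of drop-ins and compares it with the required value; it also reads the live values from /proc/sys. Its function names (effective_sysctl_value, check_sysctl_dir, check_running_kernel, demo_findings) and sample files are this example's own, and it makes one simplifying assumption: only DIR/*.conf is read, in lexical order with later files winning, rather than the full search path sysctl --system consults (/run/sysctl.d, /usr/lib/sysctl.d, /etc/sysctl.conf and so on).

```shell
#!/bin/sh
# Added example (not part of the STIG text): audit a sysctl.d directory for the
# six kernel parameters required by AZLX-23-000200 through -000225. Function
# names and the sample drop-in files are this example's own. Simplifying
# assumption: only DIR/*.conf is read, in lexical order, later files override
# earlier ones; the full "sysctl --system" search path is not modelled.

# Required key=value pairs, taken from the fixes above.
REQUIRED_SYSCTLS='kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.kptr_restrict=1
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.randomize_va_space=2'

# Print the effective value of KEY across DIR/*.conf; prints nothing if unset.
# Accepts "key = value" and "key=value", "#"/";" comments, a leading "-"
# (sysctl's ignore-errors marker) and "/" as a separator in place of ".".
effective_sysctl_value() {
    # $1 = directory, $2 = key
    dir=$1; key=$2; found=
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        v=$(awk -v key="$key" '
            /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
            {
                line = $0; sub(/^[[:space:]]*-?/, "", line)
                n = index(line, "="); if (n == 0) next
                k = substr(line, 1, n - 1); gsub(/[[:space:]]/, "", k); gsub("/", ".", k)
                if (k == key) { val = substr(line, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val) }
            }
            END { if (val != "") print val }
        ' "$f")
        [ -n "$v" ] && found=$v
    done
    [ -n "$found" ] && echo "$found"
    return 0
}

# Compare each required key with what DIR configures; one PASS/FAIL line per
# key, return 0 only when all six match.
check_sysctl_dir() {
    rc=0
    for entry in $REQUIRED_SYSCTLS; do
        k=${entry%%=*}; want=${entry#*=}
        have=$(effective_sysctl_value "$1" "$k")
        if [ "$have" = "$want" ]; then
            echo "PASS $k = $have"
        else
            echo "FAIL $k: expected $want, configured ${have:-<unset>}"; rc=1
        fi
    done
    return $rc
}

# Read-only check of the running kernel via /proc/sys (works unprivileged):
# a drop-in on disk means nothing until "sysctl --system" has loaded it.
check_running_kernel() {
    rc=0
    for entry in $REQUIRED_SYSCTLS; do
        k=${entry%%=*}; want=${entry#*=}
        p=/proc/sys/$(echo "$k" | tr . /)
        if [ ! -r "$p" ]; then echo "SKIP $k: $p not present"; continue; fi
        have=$(cat "$p")
        if [ "$have" = "$want" ]; then echo "PASS $k = $have (running)"
        else echo "FAIL $k: running value $have, expected $want"; rc=1; fi
    done
    return $rc
}

# Demonstration on constructed drop-ins in a temporary directory. The second
# file relaxes ptrace_scope, the kind of drift the check is meant to catch.
# Prints the number of FAIL findings; expected: 1.
demo_findings() {
    tmp=$(mktemp -d)
    cat > "$tmp/10-hardening.conf" <<'EOF'
# constructed sample
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 2
kernel.kptr_restrict = 1
kernel.unprivileged_bpf_disabled = 1
kernel.yama.ptrace_scope = 1
kernel.randomize_va_space = 2
EOF
    cat > "$tmp/99-local.conf" <<'EOF'
; constructed sample: a later file silently overrides the hardening value
kernel/yama/ptrace_scope = 0
EOF
    n=$({ check_sysctl_dir "$tmp" || :; } | grep -c '^FAIL')
    rm -rf "$tmp"
    echo "$n"
}

demo_findings
```

On a host, `check_sysctl_dir /etc/sysctl.d` reports what the drop-ins will produce and `check_running_kernel` reports what the kernel is enforcing now; a PASS from the first with a FAIL from the second usually means sysctl --system was never run after the file was written.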

Amazon Linux 2023 must not have the vsftpd package installed.
RMF Control: IA-5 · Severity: High · CCI: CCI-000197 · Version: AZLX-23-000300 · Vuln ID: V-274007 · Rule ID: SV-274007r1120009_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049
Fix: F-78003r1120008_fix

Configure Amazon Linux 2023 to not have the vsftpd package installed with the following command:
    $ sudo dnf -y remove vsftpd

Amazon Linux 2023 must not have the sendmail package installed.
RMF Control: CM-7 · Severity: Medium · CCI: CCI-000381 · Version: AZLX-23-000305 · Vuln ID: V-274008 · Rule ID: SV-274008r1120012_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Fix: F-78004r1120011_fix

Configure Amazon Linux 2023 to not have the sendmail package installed with the following command:
    $ sudo dnf -y remove sendmail

Amazon Linux 2023 must not have the nfs-utils package installed.
RMF Control: CM-7 · Severity: Medium · CCI: CCI-000381 · Version: AZLX-23-000310 · Vuln ID: V-274009 · Rule ID: SV-274009r1120015_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Fix: F-78005r1120014_fix

Configure Amazon Linux 2023 to not have the nfs-utils package installed with the following command:
    $ sudo dnf -y remove nfs-utils

Amazon Linux 2023 must not have the telnet-server package installed.
RMF Control: CM-7 · Severity: Medium · CCI: CCI-000381 · Version: AZLX-23-000315 · Vuln ID: V-274010 · Rule ID: SV-274010r1120018_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Fix: F-78006r1120017_fix

Configure Amazon Linux 2023 to not have the telnet-server package installed with the following command:
    $ sudo dnf -y remove telnet-server

Amazon Linux 2023 must not have the gssproxy package installed.
RMF Control: CM-7 · Severity: Medium · CCI: CCI-000381 · Version: AZLX-23-000320 · Vuln ID: V-274011 · Rule ID: SV-274011r1184000_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Fix: F-78007r1120020_fix

Configure Amazon Linux 2023 to not have the gssproxy package installed. The gssproxy package can be removed with the following command:
    $ sudo dnf -y remove gssproxy

Amazon Linux 2023 must have the sudo package installed.
RMF Control: AC-6 · Severity: Medium · CCI: CCI-002235 · Version: AZLX-23-001000 · Vuln ID: V-274012 · Rule ID: SV-274012r1120710_rule
The "sudo" program is designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.
Fix: F-78008r1120023_fix

Configure Amazon Linux 2023 to have the sudo package installed with the following command:
    $ sudo dnf install -y sudo

Amazon Linux 2023 must not be configured to bypass password requirements for privilege escalation.
RMF Control: AC-3 · Severity: Medium · CCI: CCI-002165 · Version: AZLX-23-001005 · Vuln ID: V-274013 · Rule ID: SV-274013r1120027_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
Fix: F-78009r1120026_fix

Configure Amazon Linux 2023 to require users to supply a password for privilege escalation. Remove any occurrences of "pam_succeed_if" in the "/etc/pam.d/sudo" file.

Amazon Linux 2023 must require users to reauthenticate for privilege escalation.
RMF Control: IA-11 · Severity: Medium · CCI: CCI-002038 · Version: AZLX-23-001015 · Vuln ID: V-274015 · Rule ID: SV-274015r1120033_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
Fix: F-78011r1120032_fix

Configure Amazon Linux 2023 to not allow users to execute privileged actions without authenticating. Remove any occurrence of "!authenticate" found in the "/etc/sudoers" file or in files in the "/etc/sudoers.d" directory:
    $ sudo sed -i '/\!authenticate/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*
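
The two rules above (AZLX-23-001005 and -001015) are both "find the string and remove it" checks, and the sed one-liner in the fix comments out every line containing "!authenticate", which also discards any other option on that Defaults line (env_reset, timestamp_timeout and so on). The script below is an added example, not part of the STIG or of any DISA tool: it counts only active (uncommented) occurrences, reports pam_succeed_if lines with their line numbers, and rewrites a sudoers file so that just the "!authenticate" option is dropped, commenting a line out only when nothing else is left on it. Function names (count_active, find_pam_succeed_if, strip_authenticate_override, demo) and the sample files are this example's own.

```shell
#!/bin/sh
# Added example (not part of the STIG text): locate "!authenticate" in sudoers
# files (AZLX-23-001015) and "pam_succeed_if" in /etc/pam.d/sudo
# (AZLX-23-001005), ignoring lines that are already commented out, and rewrite
# a sudoers file so that only the "!authenticate" option is removed. Function
# names and the sample files are this example's own.

# Count active (uncommented) lines in FILE containing the literal TOKEN.
count_active() {
    # $1 = file, $2 = token
    grep -v '^[[:space:]]*#' "$1" | grep -c -F -- "$2" || :
}

# Print, with line numbers, active lines of a PAM config that use pam_succeed_if.
find_pam_succeed_if() {
    grep -n 'pam_succeed_if' "$1" | grep -v '^[0-9][0-9]*:[[:space:]]*#' || :
}

# Copy sudoers file IN to OUT, removing the "!authenticate" option from every
# active Defaults line. Other options on the same line survive; the line is
# commented out only when nothing remains after the Defaults keyword.
strip_authenticate_override() {
    # $1 = input sudoers file, $2 = output path
    awk '
        /^[[:space:]]*#/ { print; next }                 # keep comments untouched
        /!authenticate/ {
            line = $0
            # drop the option together with one adjacent list separator
            if (!sub(/[[:space:]]*,[[:space:]]*!authenticate/, "", line))
                if (!sub(/!authenticate[[:space:]]*,[[:space:]]*/, "", line))
                    sub(/[[:space:]]*!authenticate/, "", line)
            if (line ~ /^[[:space:]]*Defaults[^[:space:]]*[[:space:]]*$/) print "# " $0
            else print line
            next
        }
        { print }
    ' "$1" > "$2"
}

# Demonstration on constructed files in a temporary directory. Prints
# "<active overrides before> <after rewrite> <pam_succeed_if lines>";
# expected: "2 0 1".
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sudoers" <<'EOF'
# constructed sample, not a real sudoers file
Defaults env_reset, !authenticate
Defaults:%wheel !authenticate
# Defaults !authenticate
Defaults timestamp_timeout=5
%wheel ALL=(ALL) ALL
EOF
    cat > "$tmp/pam-sudo" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_succeed_if.so user ingroup wheel
auth       include      system-auth
account    include      system-auth
EOF
    before=$(count_active "$tmp/sudoers" '!authenticate')
    strip_authenticate_override "$tmp/sudoers" "$tmp/sudoers.new"
    after=$(count_active "$tmp/sudoers.new" '!authenticate')
    pam=$(find_pam_succeed_if "$tmp/pam-sudo" | grep -c . || :)
    rm -rf "$tmp"
    echo "$before $after $pam"
}

demo
```

In the constructed sample, "Defaults env_reset, !authenticate" becomes "Defaults env_reset" and "Defaults:%wheel !authenticate" is commented out because nothing else was set on it. Run the rewrite to a new file, check it with `visudo -cf <file>` before moving it into place, and repeat for every file under /etc/sudoers.d, since sudo reads all of them.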

Amazon Linux 2023 must have the audit package installed.
RMF Control: AU-12 · Severity: Medium · CCI: CCI-000169 · Version: AZLX-23-001025 · Vuln ID: V-274017 · Rule ID: SV-274017r1120039_rule
Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond to potential incidents in a proficient manner. If Amazon Linux 2023 does not provide the ability to centrally review Amazon Linux 2023 logs, forensic analysis is negatively impacted. Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system has multiple logging components writing to different locations or systems. To support the centralized capability, Amazon Linux 2023 must be able to provide the information in a format that can be extracted and used, allowing the application performing the centralization of the log records to meet this requirement. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000042-GPOS-00021, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000055-GPOS-00026
Fix: F-78013r1120038_fix

Configure Amazon Linux 2023 so that the audit service produces audit records containing the information needed to establish when (date and time) an event occurred. Install the audit service (if the audit service is not already installed) with the following command:
    $ sudo dnf install -y audit

Amazon Linux 2023 must produce audit records containing information to establish what type of events occurred.
RMF Control: AU-3 · Severity: Medium · CCI: CCI-000130 · Version: AZLX-23-001030 · Vuln ID: V-274018 · Rule ID: SV-274018r1120042_rule
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in Amazon Linux 2023 audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000062-GPOS-00031, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000755-GPOS-00220
Fix: F-78014r1120041_fix

Configure Amazon Linux 2023 so that the audit service produces audit records containing the information needed to establish when an event occurred, with the following commands:
    $ sudo systemctl enable auditd.service
    $ sudo systemctl start auditd.service

Amazon Linux 2023 audispd-plugins package must be installed.
RMF Control: AU-4 · Severity: Medium · CCI: CCI-001851 · Version: AZLX-23-001035 · Vuln ID: V-274019 · Rule ID: SV-274019r1120045_rule
The "audispd-plugins" package provides plugins for the real-time interface to the audit subsystem, "audispd". These plugins can, for example, relay events to remote machines or analyze events for suspicious behavior.
Fix: F-78015r1120044_fix

Configure Amazon Linux 2023 to have the audispd-plugins package installed. Install the audispd-plugins package with the following command:
    $ sudo dnf install -y audispd-plugins

Amazon Linux 2023 must have the rsyslog package installed.
RMF Control: AU-6 · Severity: Medium · CCI: CCI-000154 · Version: AZLX-23-001040 · Vuln ID: V-274020 · Rule ID: SV-274020r1193303_rule
Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond to potential incidents in a proficient manner. If Amazon Linux 2023 does not provide the ability to centrally review Amazon Linux 2023 logs, forensic analysis is negatively impacted. Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system has multiple logging components writing to different locations or systems. To support the centralized capability, Amazon Linux 2023 must be able to provide the information in a format that can be extracted and used, allowing the application performing the centralization of the log records to meet this requirement. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000479-GPOS-00224
Fix: F-78016r1120047_fix

Configure Amazon Linux 2023 to monitor all remote access methods by installing rsyslog with the following command:
    $ sudo dnf install -y rsyslog

Enable the log service with the following command:
    $ sudo systemctl enable --now rsyslog

Amazon Linux 2023 must monitor remote access methods.
RMF Control: AC-17 · Severity: Medium · CCI: CCI-000067 · Version: AZLX-23-001045 · Vuln ID: V-274021 · Rule ID: SV-274021r1120695_rule
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.
Fix: F-78017r1120050_fix

Configure Amazon Linux 2023 to monitor all remote access methods by installing rsyslog with the following command:
    $ sudo yum install rsyslog

Then add or update the following line in the "/etc/rsyslog.conf" file:
    auth.*;authpriv.*;daemon.* /var/log/secure

The "rsyslog" service must be restarted for the changes to take effect. To restart the "rsyslog" service, run the following command:
    $ sudo systemctl restart rsyslog.service

Amazon Linux 2023 must have the chrony package installed.
Severity: Medium · CCI: CCI-004923 · Version: AZLX-23-001050 · Vuln ID: V-274022 · Rule ID: SV-274022r1120054_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Fix: F-78018r1120053_fix

Configure Amazon Linux 2023 to have the chrony package installed. The chrony package can be installed with the following command:
    $ sudo dnf install -y chrony

Amazon Linux 2023 chronyd service must be enabled.
Severity: Medium · CCI: CCI-004923 · Version: AZLX-23-001055 · Vuln ID: V-274023 · Rule ID: SV-274023r1120057_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Fix: F-78019r1120056_fix

Configure Amazon Linux 2023 to have the chronyd service set to active with the following command:
    $ sudo systemctl enable --now chronyd

Amazon Linux 2023 must have the Advanced Intrusion Detection Environment (AIDE) package installed.
RMF Control: CM-3 · Severity: Medium · CCI: CCI-001744 · Version: AZLX-23-001060 · Vuln ID: V-274024 · Rule ID: SV-274024r1190697_rule
If security functions are not verified, they may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SRG-OS-000358-GPOS-00145
Fix: F-78020r1190696_fix

Configure Amazon Linux 2023 to have the AIDE package installed.

Install AIDE:
    $ sudo dnf install -y aide

Initialize AIDE:
    $ sudo /usr/sbin/aide --init

The new database must be renamed to be read by AIDE:
    $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Perform a manual check:
    $ sudo /usr/sbin/aide --check

Example output:
    2023-06-05 10:16:08 -0600 (AIDE 0.16)
    AIDE found NO differences between database and filesystem. Looks okay!!

Amazon Linux 2023 must use cryptographic mechanisms to protect the integrity of audit tools.
RMF Control: AU-9 · Severity: Medium · CCI: CCI-001493 · Version: AZLX-23-001070 · Vuln ID: V-274026 · Rule ID: SV-274026r1120066_rule
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108
Fix: F-78022r1120065_fix

Configure Amazon Linux 2023 to protect the integrity of the AIDE audit tools. Add or update the following lines in "/etc/aide.conf" to protect the integrity of the audit tools:
    /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
    /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
    /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
    /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
    /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
    /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
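
A plain grep for the six lines above breaks as soon as an administrator writes the attributes in a different order or trims one of them, which is exactly the case a compliance check should still catch. The script below is an added example, not part of the STIG or of any DISA tool: it reads an aide.conf, finds the last active rule for each audit tool and checks that every required attribute is present regardless of order. Function names (aide_rule_for, has_all_attrs, check_aide_conf, demo_findings) and the sample file are this example's own. One assumption: rules are written with literal attribute lists as in the fix above; named AIDE groups such as NORMAL are not expanded, so a tool covered only by a group name is reported as FAIL for manual review.

```shell
#!/bin/sh
# Added example (not part of the STIG text): verify that an aide.conf carries,
# for each audit tool named in AZLX-23-001070, a rule containing every required
# attribute, in any order. Function names and the sample file are this
# example's own. Assumption: literal attribute lists only; named groups such as
# NORMAL are not expanded and therefore show up as FAIL for manual review.

AUDIT_TOOLS='/usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/ausearch /usr/sbin/aureport /usr/sbin/autrace /usr/sbin/augenrules'
REQUIRED_ATTRS='p i n u g s b acl xattrs sha512'

# Print the attribute expression of the last active rule whose path is exactly
# PATH; prints nothing if there is none.
aide_rule_for() {
    # $1 = aide.conf, $2 = path
    awk -v path="$2" '
        /^[[:space:]]*[#@]/ { next }      # comments and @@define/@@include lines
        NF >= 2 && $1 == path { attrs = $2 }
        END { if (attrs != "") print attrs }
    ' "$1"
}

# Return 0 if the "+"-joined expression in $1 contains every required attribute.
has_all_attrs() {
    for a in $REQUIRED_ATTRS; do
        case "+$1+" in *"+$a+"*) ;; *) return 1 ;; esac
    done
    return 0
}

# One PASS/FAIL line per audit tool; return 0 only when all six are covered.
check_aide_conf() {
    rc=0
    for tool in $AUDIT_TOOLS; do
        rule=$(aide_rule_for "$1" "$tool")
        if [ -z "$rule" ]; then
            echo "FAIL $tool: no rule"; rc=1
        elif has_all_attrs "$rule"; then
            echo "PASS $tool: $rule"
        else
            echo "FAIL $tool: $rule lacks one of: $REQUIRED_ATTRS"; rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed aide.conf fragment: one tool uses sha256
# instead of sha512, one has no rule at all, one lists the attributes in a
# different order (which passes). Prints the number of FAIL findings; expected: 2.
demo_findings() {
    tmp=$(mktemp -d)
    cat > "$tmp/aide.conf" <<'EOF'
# constructed sample fragment
@@define DBDIR /var/lib/aide
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha256
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules sha512+xattrs+acl+b+s+g+u+n+i+p
EOF
    n=$({ check_aide_conf "$tmp/aide.conf" || :; } | grep -c '^FAIL')
    rm -rf "$tmp"
    echo "$n"
}

demo_findings
```

On a host, `check_aide_conf /etc/aide.conf` is the call; remember that a rule in aide.conf only takes effect for files recorded in the database, so after adding the lines the database has to be re-initialised as in the previous fix.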

Amazon Linux 2023 must have the firewalld package installed.
RMF Control: CM-7 · Severity: Medium · CCI: CCI-000382 · Version: AZLX-23-001075 · Vuln ID: V-274027 · Rule ID: SV-274027r1120069_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, Amazon Linux 2023 must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00232, SRG-OS-000304-GPOS-00121
Fix: F-78023r1120068_fix

Configure Amazon Linux 2023 to have the firewalld package installed with the following command: $ sudo dnf install -y firewalld

b
Amazon Linux 2023 must have the firewalld service active.
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
AZLX-23-001080
Vuln IDs
V-274028
Rule IDs
SV-274028r1190806_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, Amazon Linux 2023 must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00232, SRG-OS-000304-GPOS-00121
Fix: F-78024r1120071_fix

Configure Amazon Linux 2023 to enable the firewalld service with the following command: $ sudo systemctl enable --now firewalld

b
Amazon Linux 2023 must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
RMF Control
SC-5
Severity
M
CCI
CCI-001095
Version
AZLX-23-001090
Vuln IDs
V-274030
Rule IDs
SV-274030r1120078_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Fix: F-78026r1120077_fix

Configure Amazon Linux 2023 to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks. Configure "nftables" to be the default "FirewallBackend" for "firewalld" by adding or editing the following line in "/etc/firewalld/firewalld.conf":

FirewallBackend=nftables

Establish rate-limiting rules based on organization-defined types of DoS attacks on the affected network interfaces. firewalld must be restarted for a backend change to take effect.

b
Amazon Linux 2023 must have the s-nail package installed.
RMF Control
CM-3
Severity
M
CCI
CCI-001744
Version
AZLX-23-001095
Vuln IDs
V-274031
Rule IDs
SV-274031r1120081_rule
The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.
Fix: F-78027r1120080_fix

Configure Amazon Linux 2023 to have the s-nail package installed with the following command: $ sudo dnf install -y s-nail

b
Amazon Linux 2023 must have the libreswan package installed.
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
AZLX-23-001105
Vuln IDs
V-274032
Rule IDs
SV-274032r1184010_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
Fix: F-78028r1120083_fix

Configure Amazon Linux 2023 to have the libreswan package installed with the following command: $ sudo dnf install -y libreswan

b
Amazon Linux 2023 must have the pcsc-lite package installed.
RMF Control
Severity
M
CCI
CCI-004046
Version
AZLX-23-001115
Vuln IDs
V-274034
Rule IDs
SV-274034r1120090_rule
The pcsc-lite package must be installed if it is to be available for multifactor authentication using smart cards.
Fix: F-78030r1120089_fix

Configure Amazon Linux 2023 to have the pcsc-lite package installed with the following command: $ sudo dnf install -y pcsc-lite

b
Amazon Linux 2023 must have the packages required for encrypting off-loaded audit logs installed.
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
AZLX-23-001120
Vuln IDs
V-274035
Rule IDs
SV-274035r1120093_rule
Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
Fix: F-78031r1120092_fix

Configure Amazon Linux 2023 to have the rsyslog-openssl package installed with the following command: $ sudo dnf install -y rsyslog-openssl

b
Amazon Linux 2023 must have the opensc package installed.
RMF Control
Severity
M
CCI
CCI-004046
Version
AZLX-23-001125
Vuln IDs
V-274036
Rule IDs
SV-274036r1120096_rule
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. The DOD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161
Fix: F-78032r1120095_fix

Configure Amazon Linux 2023 to have the opensc package installed with the following command: $ sudo dnf install -y opensc

b
Amazon Linux 2023 must have the openssl-pkcs11 package installed.
RMF Control
Severity
M
CCI
CCI-004046
Version
AZLX-23-001130
Vuln IDs
V-274037
Rule IDs
SV-274037r1120099_rule
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162
Fix: F-78033r1120098_fix

Configure Amazon Linux 2023 to have the openssl-pkcs11 package installed with the following command: $ sudo dnf install -y openssl-pkcs11

c
Amazon Linux 2023 must have the crypto-policies package installed.
RMF Control
SC-13
Severity
H
CCI
CCI-002450
Version
AZLX-23-001195
Vuln IDs
V-274040
Rule IDs
SV-274040r1184011_rule
Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000424-GPOS-00188
Fix: F-78036r1120107_fix

Configure Amazon Linux 2023 to have the crypto-policies package installed with the following command: $ sudo dnf install -y crypto-policies

c
Amazon Linux 2023 server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
AZLX-23-001205
Vuln IDs
V-274042
Rule IDs
SV-274042r1184013_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Amazon Linux 2023 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.
Fix: F-78038r1120113_fix

Configure Amazon Linux 2023 so that the SSH server uses only ciphers employing FIPS 140-2/140-3 approved algorithms. Reinstall crypto-policies with the following command:

$ sudo dnf -y reinstall crypto-policies

Set the crypto-policy to FIPS with the following command:

$ sudo update-crypto-policies --set FIPS
Setting system policy to FIPS

Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take effect.

c
Amazon Linux 2023 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
AZLX-23-001210
Vuln IDs
V-274043
Rule IDs
SV-274043r1184014_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Amazon Linux 2023 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.
Fix: F-78039r1120116_fix

Configure Amazon Linux 2023 so that the SSH server uses only MACs employing FIPS 140-2/140-3 approved algorithms. Reinstall crypto-policies with the following command:

$ sudo dnf -y reinstall crypto-policies

Set the crypto-policy to FIPS with the following command:

$ sudo update-crypto-policies --set FIPS
Setting system policy to FIPS

Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take effect.

b
Amazon Linux 2023 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
RMF Control
CM-5
Severity
M
CCI
CCI-001813
Version
AZLX-23-001215
Vuln IDs
V-274044
Rule IDs
SV-274044r1120120_rule
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.
Fix: F-78040r1120119_fix

Configure Amazon Linux 2023 so that the SSH daemon does not allow GSSAPI authentication. Add or uncomment the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d" and set the value to "no":

GSSAPIAuthentication no

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

b
Amazon Linux 2023 SSH daemon must not allow Kerberos authentication.
RMF Control
CM-5
Severity
M
CCI
CCI-001813
Version
AZLX-23-001220
Vuln IDs
V-274045
Rule IDs
SV-274045r1120123_rule
Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.
Fix: F-78041r1120122_fix

Configure Amazon Linux 2023 so that the SSH daemon does not allow Kerberos authentication. Add the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d", or uncomment the existing line and set the value to "no":

KerberosAuthentication no

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

b
Amazon Linux 2023 SSHD must accept public key authentication.
RMF Control
IA-2
Severity
M
CCI
CCI-000765
Version
AZLX-23-001230
Vuln IDs
V-274047
Rule IDs
SV-274047r1120129_rule
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: 1. Something a user knows (e.g., password/PIN); 2. Something a user has (e.g., cryptographic identification device, token); and 3. Something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055
Fix: F-78043r1120128_fix

Configure Amazon Linux 2023 to use public key authentication for SSHD by adding or modifying the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d":

PubkeyAuthentication yes

Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

b
Amazon Linux 2023 SSHD must not allow blank passwords.
RMF Control
IA-2
Severity
M
CCI
CCI-000766
Version
AZLX-23-001235
Vuln IDs
V-274048
Rule IDs
SV-274048r1120132_rule
If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords must never be used in operational environments. Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229
Fix: F-78044r1120131_fix

Configure Amazon Linux 2023 to prevent SSH users from logging on with blank passwords. Add or edit the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d":

PermitEmptyPasswords no

Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

b
Amazon Linux 2023 must not permit direct logons to the root account using remote access via SSH.
RMF Control
Severity
M
CCI
CCI-004045
Version
AZLX-23-001240
Vuln IDs
V-274049
Rule IDs
SV-274049r1120747_rule
To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. Additionally, an additional layer of security is gained by extending the policy of not logging directly on as root, even though the communications channel may be encrypted. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator are the Unix OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the Unix and Windows operating systems offer a "switch user" capability allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on Amazon Linux 2023 without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.
Fix: F-78045r1120134_fix

Configure Amazon Linux 2023 to prevent SSH users from logging on directly as root. Add or modify the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d":

PermitRootLogin no

Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

b
Amazon Linux 2023 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
AZLX-23-001245
Vuln IDs
V-274050
Rule IDs
SV-274050r1120138_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at Amazon Linux 2023 level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that Amazon Linux 2023 terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175
Fix: F-78046r1120137_fix

Configure the Amazon Linux 2023 SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes.

Note: This setting must be applied in conjunction with "ClientAliveCountMax 1" to function correctly.

Modify or append the following line in "/etc/ssh/sshd_config" or in a drop-in file in "/etc/ssh/sshd_config.d":

ClientAliveInterval 600

For the changes to take effect, the SSH daemon must be restarted:

$ sudo systemctl restart sshd.service

b
Amazon Linux 2023 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
AZLX-23-001250
Vuln IDs
V-274051
Rule IDs
SV-274051r1120141_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at Amazon Linux 2023 level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that Amazon Linux 2023 terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
Fix: F-78047r1120140_fix

Configure Amazon Linux 2023 SSHD to terminate a user session automatically after the SSH client has become unresponsive.

Note: This setting must be applied in conjunction with "ClientAliveInterval 600" (AZLX-23-001245) to function correctly.

Modify or append the following line in "/etc/ssh/sshd_config" or in a drop-in file in "/etc/ssh/sshd_config.d":

ClientAliveCountMax 1

For the changes to take effect, the SSH daemon must be restarted:

$ sudo systemctl restart sshd.service
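The SSH rules above all say "in sshd_config or in a file in sshd_config.d", and where the line lands matters: sshd keeps the first value it obtains for a keyword and ignores later occurrences, and an Include directive pulls in the matching files at the point where it appears. This example assumes the stock sshd_config on Amazon Linux 2023 carries an Include of /etc/ssh/sshd_config.d/*.conf near the top, so a STIG drop-in takes precedence over the main file but only over vendor drop-ins that sort after it. The following Python script is an added example, not part of this STIG or of OpenSSH; it resolves the effective values of GSSAPIAuthentication, KerberosAuthentication, PubkeyAuthentication, PermitEmptyPasswords, PermitRootLogin, ClientAliveInterval and ClientAliveCountMax over an in-memory set of constructed files and reports the ones that do not match. The file names and contents are constructed assumptions. On a live host, sshd -T prints the effective configuration, including compiled-in defaults and Match blocks, and is the authoritative check.

```python
"""Resolve effective sshd settings the way sshd reads its configuration:
the first value obtained for a keyword wins, and Include pulls files in at
the point where the directive appears. Added example, not part of the STIG
or of OpenSSH; it works on an in-memory dict of path -> file text so it runs
offline. On a real host `sshd -T` is the authoritative check."""
import fnmatch
import posixpath

# Values this benchmark requires; sshd keywords are case-insensitive.
REQUIRED = {
    "gssapiauthentication": "no",
    "kerberosauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
    "clientaliveinterval": "600",
    "clientalivecountmax": "1",
}


def _glob(files, pattern):
    """Expand an Include pattern against the known file names, sorted
    lexically as glob(3) returns them (so 40-stig.conf precedes 50-vendor.conf)."""
    directory, base = posixpath.split(pattern)
    return sorted(f for f in files
                  if posixpath.dirname(f) == directory
                  and fnmatch.fnmatch(posixpath.basename(f), base))


def _directives(files, path, seen):
    """Yield (keyword, value) in sshd read order, following Include.
    Parsing of a file stops at its first Match block: those settings are
    conditional on the connecting user or host and only sshd -T evaluates them."""
    if path in seen:          # sshd rejects recursive includes; just stop here
        return
    seen.add(path)
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts 'Keyword value' as well as 'Keyword=value'
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            return
        if key == "include":
            for pattern in value.split():
                for included in _glob(files, pattern):
                    yield from _directives(files, included, seen)
            continue
        yield key, value


def effective(files, main="/etc/ssh/sshd_config"):
    """Map keyword -> first value obtained; later occurrences are ignored."""
    result = {}
    for key, value in _directives(files, main, set()):
        result.setdefault(key, value)
    return result


def audit(files):
    """Return {keyword: (required, effective)} for each required setting
    that is not met. A keyword that appears in no file is reported with
    effective value None: the compiled-in default may or may not satisfy
    the rule, so confirm it with sshd -T rather than assume."""
    eff = effective(files)
    return {key: (want, eff.get(key)) for key, want in REQUIRED.items()
            if eff.get(key, "").lower() != want}


# Constructed sample, not real host files. The vendor drop-in sorts after
# the STIG drop-in, and the main file's own lines come after the Include.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ClientAliveInterval 600
ClientAliveCountMax 1
GSSAPIAuthentication no
KerberosAuthentication no
""",
    "/etc/ssh/sshd_config.d/40-stig.conf": "PermitRootLogin no\n",
    "/etc/ssh/sshd_config.d/50-vendor.conf": "GSSAPIAuthentication yes\n",
}

if __name__ == "__main__":
    for key, (want, got) in audit(SAMPLE_FILES).items():
        print(f"{key}: required {want}, effective {got}")
```

In the sample, the drop-in's PermitRootLogin no wins over the main file's PermitRootLogin yes because the Include comes first, but the vendor drop-in's GSSAPIAuthentication yes wins over the main file's GSSAPIAuthentication no for the same reason, so the only finding is GSSAPI. Moving the STIG value into a drop-in that sorts before the vendor file (or removing the vendor line) fixes it; editing the main file does not.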

c
Amazon Linux 2023 crypto policy must not be overridden.
RMF Control
SC-13
Severity
H
CCI
CCI-002450
Version
AZLX-23-001285
Vuln IDs
V-274058
Rule IDs
SV-274058r1186176_rule
Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000424-GPOS-00188, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Fix: F-78054r1120161_fix

Configure Amazon Linux 2023 to correctly implement the systemwide cryptographic policies by reinstalling the crypto-policies package contents. Reinstall crypto-policies with the following command:

$ sudo dnf -y reinstall crypto-policies

Set the crypto-policy to FIPS with the following command:

$ sudo update-crypto-policies --set FIPS
Setting system policy to FIPS

Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take effect.

b
Amazon Linux 2023 must enable certificate-based smart card authentication.
RMF Control
Severity
M
CCI
CCI-004046
Version
AZLX-23-001290
Vuln IDs
V-274059
Rule IDs
SV-274059r1120165_rule
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000705-GPOS-00150
Fix: F-78055r1120164_fix

Configure Amazon Linux 2023 to have smart cards enabled in SSSD. Edit the file "/etc/sssd/sssd.conf" or a configuration file in "/etc/sssd/conf.d" and add or edit the following line in the [pam] section:

pam_cert_auth = True

The sssd service must be restarted for the change to take effect.

b
Amazon Linux 2023 must implement certificate status checking for multifactor authentication.
RMF Control
Severity
M
CCI
CCI-004046
Version
AZLX-23-001300
Vuln IDs
V-274061
Rule IDs
SV-274061r1120171_rule
Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. Amazon Linux 2023 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, SSSD performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162
Fix: F-78057r1120170_fix

Configure Amazon Linux 2023 to implement certificate status checking for multifactor authentication. Review the "/etc/sssd/conf.d/certificate_verification.conf" file to determine if the system is configured to prevent OCSP or certificate verification. Add the following line to the "/etc/sssd/conf.d/certificate_verification.conf" file:

certificate_verification = ocsp_dgst=sha512

Set the correct ownership and permissions on the "/etc/sssd/conf.d/certificate_verification.conf" file by running these commands:

$ sudo chown root:root "/etc/sssd/conf.d/certificate_verification.conf"
$ sudo chmod 600 "/etc/sssd/conf.d/certificate_verification.conf"

The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:

$ sudo systemctl restart sssd.service

b
Amazon Linux 2023 must prohibit the use of cached authenticators after one day.
RMF Control
IA-5
Severity
M
CCI
CCI-002007
Version
AZLX-23-001305
Vuln IDs
V-274062
Rule IDs
SV-274062r1120174_rule
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
Fix: F-78058r1120173_fix

Configure the Amazon Linux 2023 SSSD service to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the [pam] line:

offline_credentials_expiration = 1

b
Amazon Linux 2023 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.
RMF Control
AC-8
Severity
M
CCI
CCI-001384
Version
AZLX-23-002005
Vuln IDs
V-274066
Rule IDs
SV-274066r1120186_rule
Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 
Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
Fix: F-78062r1120185_fix

Configure Amazon Linux 2023 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH. Edit the "/etc/ssh/sshd_config" file or a file in "/etc/ssh/sshd_config.d" to uncomment the "Banner" keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:

Banner /etc/issue

The SSH daemon must be restarted for the change to take effect.

b
Amazon Linux 2023 must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
RMF Control
AU-4
Severity
M
CCI
CCI-001849
Version
AZLX-23-002015
Vuln IDs
V-274067
Rule IDs
SV-274067r1120653_rule
To ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems must be able to allocate audit record storage capacity.
Fix: F-78063r1120652_fix

Configure Amazon Linux 2023 to provide adequate storage for at least one week of audit logs when audit records are not immediately sent to a central audit record storage facility. If the storage partition is not large enough for at least one week of audit logs, then either:

1. Resize the partition to ensure there is enough storage capacity.
2. Create a new partition for the audit logs.

a
Amazon Linux 2023 must use a separate file system for the system audit data path.
RMF Control
AU-4
Severity
L
CCI
CCI-001849
Version
AZLX-23-002020
Vuln IDs
V-274068
Rule IDs
SV-274068r1120192_rule
Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files and helps ensure that auditing cannot be halted due to the partition running out of space.
Fix: F-78064r1120191_fix

Configure Amazon Linux 2023 to have a separate file system/partition for the system audit data path. Migrate the system audit data path onto a separate partition.

b
Amazon Linux 2023 must label all off-loaded audit logs before sending them to the central log server.
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
AZLX-23-002025
Vuln IDs
V-274069
Rule IDs
SV-274069r1120195_rule
Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.
Fix: F-78065r1120194_fix

Configure Amazon Linux 2023 so that the audit daemon labels all off-loaded audit logs. Edit the "/etc/audit/auditd.conf" file and add or update the "name_format" option:

name_format = hostname

The audit daemon must be restarted for changes to take effect.

b
Amazon Linux 2023 must take appropriate action when the internal event queue is full.
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
AZLX-23-002030
Vuln IDs
V-274070
Rule IDs
SV-274070r1120198_rule
The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Fix: F-78066r1120197_fix

Configure Amazon Linux 2023 so that the audit system takes an appropriate action when the internal event queue is full. Edit the "/etc/audit/auditd.conf" file and add or update the "overflow_action" option:

overflow_action = syslog

The audit daemon must be restarted for changes to take effect.

b
Amazon Linux 2023 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
RMF Control
AU-5
Severity
M
CCI
CCI-001855
Version
AZLX-23-002035
Vuln IDs
V-274071
Rule IDs
SV-274071r1184023_rule
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
Fix: F-78067r1184022_fix

Configure Amazon Linux 2023 to take action when the audit log storage volume reaches 75 percent of the maximum storage capacity. Edit "/etc/audit/auditd.conf" and ensure the parameter "space_left = 25%" is configured.

b
Amazon Linux 2023 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.
RMF Control
AU-5
Severity
M
CCI
CCI-001855
Version
AZLX-23-002040
Vuln IDs
V-274072
Rule IDs
SV-274072r1120204_rule
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
Fix: F-78068r1120203_fix

Configure Amazon Linux 2023 to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file:
space_left_action = email

b
Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.
RMF Control
AU-5
Severity
M
CCI
CCI-001855
Version
AZLX-23-002045
Vuln IDs
V-274073
Rule IDs
SV-274073r1120207_rule
If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.
Fix: F-78069r1120206_fix

Configure Amazon Linux 2023 to initiate an action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file:
admin_space_left = 5%

b
Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
RMF Control
AU-5
Severity
M
CCI
CCI-001855
Version
AZLX-23-002050
Vuln IDs
V-274074
Rule IDs
SV-274074r1120210_rule
If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.
Fix: F-78070r1120209_fix

Configure Amazon Linux 2023 so that the auditd service takes action in the event of allocated audit record storage volume reaching 95 percent of the repository maximum audit record storage capacity. Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity:
admin_space_left_action = single
The audit daemon must be restarted for changes to take effect.
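An added compliance check, not part of the STIG benchmark, that reads an auditd.conf and reports which of the settings required by the rules above (name_format, overflow_action, space_left, space_left_action, admin_space_left, admin_space_left_action) are missing or hold a different value; the two configuration files it checks are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example (not part of the STIG benchmark): report which auditd.conf settings
# required by AZLX-23-002025 through AZLX-23-002050 are missing or wrong.

# Required settings, one "key expected-value" pair per line, taken from the fix
# text of the rules above.
REQUIRED_AUDITD_SETTINGS='
name_format hostname
overflow_action syslog
space_left 25%
space_left_action email
admin_space_left 5%
admin_space_left_action single
'

# auditd_value FILE KEY: print the value of KEY in FILE (empty if absent).
# Comments are stripped and blanks around "=" are ignored; if a key appears
# more than once the last occurrence is reported.
auditd_value() {
    sed -e 's/#.*//' "$1" |
      awk -F'=' -v key="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { print v }'
}

# auditd_findings FILE: one line per non-compliant setting, as
# "key expected=X actual=Y"; prints nothing when the file is compliant.
auditd_findings() {
    printf '%s\n' "$REQUIRED_AUDITD_SETTINGS" | while read -r key expected; do
        [ -n "$key" ] || continue
        actual=$(auditd_value "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$expected" "${actual:-<unset>}"
        fi
    done
}

# auditd_finding_count FILE: number of non-compliant settings (0 means compliant).
auditd_finding_count() {
    auditd_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample configurations (not real system files) for the demonstration.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_OK="$SAMPLE_DIR/auditd-compliant.conf"
SAMPLE_BAD="$SAMPLE_DIR/auditd-noncompliant.conf"

cat > "$SAMPLE_OK" <<'EOF'
# constructed sample: every required setting present with the STIG value
log_file = /var/log/audit/audit.log
name_format = hostname
overflow_action = syslog
space_left = 25%
space_left_action = email
action_mail_acct = root
admin_space_left = 5%
admin_space_left_action = single
EOF

cat > "$SAMPLE_BAD" <<'EOF'
# constructed sample: three findings expected
name_format = none
overflow_action = syslog
space_left = 25%
space_left_action = syslog   # should be email
admin_space_left = 5%
# admin_space_left_action is not set at all
EOF

# On a real host run: auditd_findings /etc/audit/auditd.conf
for f in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    echo "== $f: $(auditd_finding_count "$f") finding(s)"
    auditd_findings "$f"
done
```

A clean result only shows that the file is correct; the daemon must still be restarted, as the fix text notes, before the values take effect.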

b
Amazon Linux 2023 must authenticate the remote logging server for off-loading audit logs via rsyslog.
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
AZLX-23-002065
Vuln IDs
V-274077
Rule IDs
SV-274077r1120219_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Fix: F-78073r1120218_fix

Configure Amazon Linux 2023 to authenticate the remote logging server for off-loading audit logs by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf":
$ActionSendStreamDriverAuthMode x509/name

b
Amazon Linux 2023 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
AZLX-23-002070
Vuln IDs
V-274078
Rule IDs
SV-274078r1120222_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Fix: F-78074r1120221_fix

Configure Amazon Linux 2023 to encrypt off-loaded audit records via rsyslog by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf":
$ActionSendStreamDriverMode 1

b
Amazon Linux 2023 must encrypt via the gtls driver the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
AZLX-23-002075
Vuln IDs
V-274079
Rule IDs
SV-274079r1120724_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS, and DTLS protocols) creates a method to securely encrypt and off-load auditing.
Fix: F-78075r1120224_fix

Configure Amazon Linux 2023 to use the ossl driver to encrypt off-loaded audit records by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf":
$DefaultNetstreamDriver ossl

b
Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
AZLX-23-002085
Vuln IDs
V-274081
Rule IDs
SV-274081r1120231_rule
The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be a sign of an attacker trying to establish persistent methods on a system; auditing edits to the sudoers files mitigates this risk. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
Fix: F-78077r1120230_fix

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/sudoers -p wa -k identity
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect the /etc/sudoers.d/ directory.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
AZLX-23-002090
Vuln IDs
V-274082
Rule IDs
SV-274082r1120234_rule
The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be a sign of an attacker trying to establish persistent methods on a system; auditing edits to the sudoers files mitigates this risk. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
Fix: F-78078r1120233_fix

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/sudoers.d/ -p wa -k identity
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
AZLX-23-002095
Vuln IDs
V-274083
Rule IDs
SV-274083r1120237_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
Fix: F-78079r1120236_fix

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/group -p wa -k identity
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
AZLX-23-002100
Vuln IDs
V-274084
Rule IDs
SV-274084r1120240_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
Fix: F-78080r1120239_fix

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/gshadow -p wa -k identity
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
AZLX-23-002105
Vuln IDs
V-274085
Rule IDs
SV-274085r1120243_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
Fix: F-78081r1120242_fix

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/security/opasswd -p wa -k identity
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must audit uses of the "execve" system call.
RMF Control
AC-6
Severity
M
CCI
CCI-002233
Version
AZLX-23-002110
Vuln IDs
V-274086
Rule IDs
SV-274086r1120246_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127
Fix: F-78082r1120245_fix

Configure Amazon Linux 2023 to audit the execution of the "execve" system call. Add or update the following system call rules in "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must audit all uses of the chmod, fchmod, and fchmodat system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002115
Vuln IDs
V-274087
Rule IDs
SV-274087r1120249_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
Fix: F-78083r1120248_fix

Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
To load the rule to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must audit all uses of the chown, fchown, fchownat, and lchown system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002120
Vuln IDs
V-274088
Rule IDs
SV-274088r1120252_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
Fix: F-78084r1120251_fix

Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
To load the rule to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002125
Vuln IDs
V-274089
Rule IDs
SV-274089r1120255_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00216, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219
Fix: F-78085r1120254_fix

Configure Amazon Linux 2023 to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by adding or updating the following lines in "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002130
Vuln IDs
V-274090
Rule IDs
SV-274090r1120258_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
Fix: F-78086r1120257_fix

Configure Amazon Linux 2023 to generate an audit event for any successful/unsuccessful use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must audit all uses of the init_module and finit_module system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002135
Vuln IDs
V-274091
Rule IDs
SV-274091r1120261_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
Fix: F-78087r1120260_fix

Configure Amazon Linux 2023 to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" system calls by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
To load the rule to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must audit all uses of the create_module system call.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002140
Vuln IDs
V-274092
Rule IDs
SV-274092r1120264_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
Fix: F-78088r1120263_fix

Configure Amazon Linux 2023 to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change
To load the rule to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must audit all uses of the kmod command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002145
Vuln IDs
V-274093
Rule IDs
SV-274093r1120267_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
Fix: F-78089r1120266_fix

Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "kmod" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002150
Vuln IDs
V-274094
Rule IDs
SV-274094r1120270_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
Fix: F-78090r1120269_fix

Configure Amazon Linux 2023 to generate an audit event for any successful/unsuccessful use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
To load the rule to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must audit all uses of the chcon command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002155
Vuln IDs
V-274095
Rule IDs
SV-274095r1120273_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each system call made by all programs on the system. Therefore, it is very important to use system call rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining system calls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
Fix: F-78091r1120272_fix

Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "chcon" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.
RMF Control
MA-4
Severity
M
CCI
CCI-002884
Version
AZLX-23-002160
Vuln IDs
V-274096
Rule IDs
SV-274096r1120276_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218
Fix: F-78092r1120275_fix

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /var/log/faillock -p wa -k logins
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load

b
Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002165
Vuln IDs
V-274097
Rule IDs
SV-274097r1120279_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214
Fix: F-78093r1120278_fix

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-w /var/log/lastlog -p wa -k logins

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

Amazon Linux 2023 must audit all uses of the init command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
AZLX-23-002175
Vuln IDs
V-274098
Rule IDs
SV-274098r1120282_rule
Misuse of the init command may cause availability issues for the system.
Fix: F-78094r1120281_fix

Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful uses of the "init" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

Amazon Linux 2023 must audit all uses of the reboot command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
AZLX-23-002180
Vuln IDs
V-274099
Rule IDs
SV-274099r1120285_rule
Misuse of the reboot command may cause availability issues for the system.
Fix: F-78095r1120284_fix

Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful uses of the "reboot" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

Amazon Linux 2023 must audit all uses of the shutdown command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
AZLX-23-002185
Vuln IDs
V-274100
Rule IDs
SV-274100r1120288_rule
Misuse of the shutdown command may cause availability issues for the system.
Fix: F-78096r1120287_fix

Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful uses of the "shutdown" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

Amazon Linux 2023 audit tools must have a mode of "0755" or less permissive.
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
AZLX-23-002190
Vuln IDs
V-274101
Rule IDs
SV-274101r1120291_rule
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Fix: F-78097r1120290_fix

Configure Amazon Linux 2023 audit tools to have a mode of "0755" by running the following command:

$ sudo chmod 0755 [audit_tool]

Replace "[audit_tool]" with each audit tool that has a more permissive mode than "0755".

Amazon Linux 2023 audit tools must be owned by root.
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
AZLX-23-002195
Vuln IDs
V-274102
Rule IDs
SV-274102r1120294_rule
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Fix: F-78098r1120293_fix

Configure Amazon Linux 2023 audit tools to be owned by "root" by running the following command:

$ sudo chown root [audit_tool]

Replace "[audit_tool]" with each audit tool not owned by "root".

Amazon Linux 2023 audit tools must be group-owned by root.
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
AZLX-23-002200
Vuln IDs
V-274103
Rule IDs
SV-274103r1120297_rule
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Fix: F-78099r1120296_fix

Configure Amazon Linux 2023 audit tools to be group-owned by "root" by running the following command:

$ sudo chgrp root [audit_tool]

Replace "[audit_tool]" with each audit tool not group-owned by "root".

Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
AZLX-23-002205
Vuln IDs
V-274104
Rule IDs
SV-274104r1120300_rule
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107
Fix: F-78100r1120299_fix

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Enable the auditd daemon so that it can start at boot time:

$ sudo systemctl enable auditd

Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-w /etc/passwd -p wa -k identity

Then, restart the auditd service for the changes to take effect:

$ sudo service auditd restart

Amazon Linux 2023 must audit all successful/unsuccessful uses of the chage command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002210
Vuln IDs
V-274105
Rule IDs
SV-274105r1120661_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
Fix: F-78101r1120302_fix

Configure Amazon Linux 2023 so that the audit service generates an audit event for any successful/unsuccessful uses of the "chage" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

Amazon Linux 2023 must off-load audit records onto a different system in the event the audit storage volume is full.
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
AZLX-23-002220
Vuln IDs
V-274107
Rule IDs
SV-274107r1120309_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Fix: F-78103r1120308_fix

Configure Amazon Linux 2023 to off-load audit logs in the event the audit storage volume becomes full. Add or update the following line in the "/etc/audit/auditd.conf" file ("disk_full_action" can be set to "SYSLOG" or "SINGLE", depending on configuration):

disk_full_action = SYSLOG

Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
AZLX-23-002225
Vuln IDs
V-274108
Rule IDs
SV-274108r1120312_rule
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084
Fix: F-78104r1120311_fix

Configure Amazon Linux 2023 so that audit logs are group-owned by "root" or a restricted logging group. Change the group of the "/var/log/audit" directory to the correct group. Identify the group that is configured to own the audit log:

$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf

Change the ownership to that group:

$ sudo chgrp ${GROUP} /var/log/audit

Amazon Linux 2023 audit logs file must have mode "0600" or less permissive to prevent unauthorized access to the audit log.
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
AZLX-23-002235
Vuln IDs
V-274110
Rule IDs
SV-274110r1120318_rule
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084
Fix: F-78106r1120317_fix

Configure Amazon Linux 2023 so that the audit logs have a mode of "0600". Replace "[audit_log_file]" with the correct audit log path; by default this location is "/var/log/audit/audit.log".

$ sudo chmod 0600 /var/log/audit/[audit_log_file]

Check the group that owns the system audit logs:

$ sudo grep -iw log_group /etc/audit/auditd.conf

If the log_group is not defined or it is set to root, configure the permissions as follows:

$ sudo chmod 0640 $log_file
$ sudo chmod 0440 $log_file.*

Otherwise, configure the permissions as follows:

$ sudo chmod 0600 $log_file
$ sudo chmod 0400 $log_file.*

Amazon Linux 2023 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
RMF Control
AU-12
Severity
M
CCI
CCI-000171
Version
AZLX-23-002240
Vuln IDs
V-274111
Rule IDs
SV-274111r1120321_rule
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Fix: F-78107r1120320_fix

Configure Amazon Linux 2023 so that files in "/etc/audit/rules.d/" and the "/etc/audit/auditd.conf" file have a mode of "0640" or less permissive with the following commands:

$ sudo chmod 0640 /etc/audit/rules.d/audit.rules
$ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules
$ sudo chmod 0640 /etc/audit/auditd.conf

Amazon Linux 2023 must audit all uses of the sudo command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
AZLX-23-002245
Vuln IDs
V-274112
Rule IDs
SV-274112r1120324_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215
Fix: F-78108r1120323_fix

Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful use of the "sudo" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
AZLX-23-002250
Vuln IDs
V-274113
Rule IDs
SV-274113r1120327_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) (SAs) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107
Fix: F-78109r1120326_fix

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-w /etc/passwd -p wa -k identity

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
AZLX-23-002255
Vuln IDs
V-274114
Rule IDs
SV-274114r1120330_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) (SAs) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000275-GPOS-00105
Fix: F-78110r1120329_fix

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-w /etc/shadow -p wa -k identity

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

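The audit rules required by the entries above, from the "chcon" rule through the "/etc/shadow" watch, all follow the same add-or-update procedure. The script below is an added example, not part of the STIG text: it checks a rules.d file for each required rule, replaces rules for the same path that have drifted (different filters or key), appends missing ones, and is run here against a constructed scratch file so it touches nothing under /etc/audit.

```shell
#!/bin/sh
# Added example, not part of the STIG text. Checks a rules.d file for the
# auditd rules required above and adds or updates any that are missing or
# have drifted (same path, different filters or key). It edits only the file
# it is given, so it can be tried on a scratch copy first.

# The rule lines required by the fixes above, copied verbatim.
REQUIRED_RULES='-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
-w /var/log/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init
-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot
-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity'

# rule_target RULE: the path a rule is about (the -w path or the -F path= value).
rule_target() {
  case "$1" in
    "-w "*) printf '%s\n' "$1" | cut -d' ' -f2 ;;
    *)      printf '%s\n' "$1" | sed 's/.*-F path=\([^ ]*\).*/\1/' ;;
  esac
}

# rule_state RULESFILE RULE: prints "ok" (exact line present), "drift" (a rule
# for the same path exists but differs) or "missing".
rule_state() {
  target=$(rule_target "$2")
  if grep -qFx -- "$2" "$1"; then
    echo ok
  elif [ -n "$target" ] && grep -qF -- "$target " "$1"; then
    echo drift
  else
    echo missing
  fi
}

# ensure_rule RULESFILE RULE: make the exact rule line present, replacing any
# drifted rule for the same path. Prints the state found before the change.
ensure_rule() {
  file=$1 rule=$2
  state=$(rule_state "$file" "$rule")
  case "$state" in
    drift)
      tmp="$file.tmp.$$"
      grep -vF -- "$(rule_target "$rule") " "$file" > "$tmp" || :
      printf '%s\n' "$rule" >> "$tmp"
      mv "$tmp" "$file" ;;
    missing)
      printf '%s\n' "$rule" >> "$file" ;;
  esac
  echo "$state"
}

# count_noncompliant RULESFILE: number of required rules not present verbatim.
count_noncompliant() {
  n=0
  while IFS= read -r rule; do
    [ "$(rule_state "$1" "$rule")" = ok ] || n=$((n + 1))
  done <<EOF
$REQUIRED_RULES
EOF
  echo "$n"
}

# apply_required_rules RULESFILE: bring every required rule into the file,
# printing the prior state of each one.
apply_required_rules() {
  while IFS= read -r rule; do
    printf '%-8s %s\n' "$(ensure_rule "$1" "$rule")" "$(rule_target "$rule")"
  done <<EOF
$REQUIRED_RULES
EOF
}

# demo_rules_file: constructed scratch file with one correct rule, one drifted
# sudo rule (wrong key) and the rest absent; prints its path.
demo_rules_file() {
  f=$(mktemp) || exit 1
  cat > "$f" <<'EOF'
-w /etc/passwd -p wa -k identity
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k sudo_old
EOF
  echo "$f"
}

f=$(demo_rules_file)
echo "non-compliant before: $(count_noncompliant "$f")"   # 9
apply_required_rules "$f"
echo "non-compliant after:  $(count_noncompliant "$f")"   # 0
rm -f "$f"
# On a real host, run the functions against /etc/audit/rules.d/audit.rules and
# then load the rules into the kernel with: sudo augenrules --load
```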
Amazon Linux 2023 must produce audit records containing information to establish the identity of any individual or process associated with the event.
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
AZLX-23-002260
Vuln IDs
V-274115
Rule IDs
SV-274115r1120333_rule
Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
Fix: F-78111r1120332_fix

Configure Amazon Linux 2023 so that the audit system resolves audit information before writing to disk. Edit the /etc/audit/auditd.conf file and add or update the "log_format" option:

log_format = ENRICHED

The audit daemon must be restarted for changes to take effect.

Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
AZLX-23-002265
Vuln IDs
V-274116
Rule IDs
SV-274116r1120336_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-78112r1120335_fix

Configure Amazon Linux 2023 to change the group of the "/var/log/audit" directory to the correct group. Identify the group that is configured to own the audit log:

$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf

Change the ownership to that group:

$ sudo chgrp ${GROUP} /var/log/audit

Amazon Linux 2023 must ensure the audit log directory be owned by root to prevent unauthorized read access.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
AZLX-23-002270
Vuln IDs
V-274117
Rule IDs
SV-274117r1120339_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-78113r1120338_fix

Configure Amazon Linux 2023 audit logs to be protected from unauthorized read access by setting the correct owner as "root" with the following command:

$ sudo chown root /var/log/audit

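The audit log mode fix above branches on "log_group", and the two "/var/log/audit" fixes derive the group from the same setting and set the owner to "root". The script below is an added example, not part of the STIG text: it takes a directory and an auditd.conf as parameters, applies that branch exactly as the fix states it, reports files that are more permissive than required, and is exercised on a constructed scratch directory and configuration.

```shell
#!/bin/sh
# Added example, not part of the STIG text. Applies the log_group branch from
# the audit log mode fix above, and the group/owner steps from the two
# /var/log/audit fixes, to a directory and auditd.conf passed as parameters,
# so it can be exercised on a scratch directory before touching the real one.

# audit_log_group CONF: value of log_group in auditd.conf, empty if unset.
audit_log_group() {
  sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# expected_group CONF: group that must own the audit log directory:
# log_group when configured, otherwise root.
expected_group() {
  g=$(audit_log_group "$1")
  echo "${g:-root}"
}

# required_modes CONF: prints "<active-log-mode> <rotated-log-mode>" using
# the branch stated in the fix: 0640/0440 when log_group is unset or root,
# 0600/0400 for any other group.
required_modes() {
  g=$(audit_log_group "$1")
  if [ -z "$g" ] || [ "$g" = root ]; then
    echo "0640 0440"
  else
    echo "0600 0400"
  fi
}

# octal_mode FILE: permission bits as three octal digits, derived from ls(1)
# output so no GNU stat is needed (setuid/setgid/sticky bits are ignored).
octal_mode() {
  p=$(ls -ld "$1" | cut -c2-10)
  m=""
  for i in 1 4 7; do
    t=$(printf '%s' "$p" | cut -c"$i"-"$((i + 2))")
    d=0
    case "$t" in r??) d=$((d + 4)) ;; esac
    case "$t" in ?w?) d=$((d + 2)) ;; esac
    case "$t" in ??[xst]) d=$((d + 1)) ;; esac
    m="$m$d"
  done
  echo "$m"
}

# within_mode FILE MAX: true when FILE sets no permission bit outside MAX,
# i.e. it is MAX "or less permissive".
within_mode() {
  m=$(octal_mode "$1")
  [ $(( 0$m & ~0$2 )) -eq 0 ]
}

# check_audit_logs DIR CONF: report every audit log whose mode exceeds the
# required one and print the number of violations.
check_audit_logs() {
  dir=$1 conf=$2 bad=0
  set -- $(required_modes "$conf")
  cur=$1 rot=$2
  for f in "$dir"/audit.log "$dir"/audit.log.*; do
    [ -f "$f" ] || continue
    case "$f" in *.log) max=$cur ;; *) max=$rot ;; esac
    if ! within_mode "$f" "$max"; then
      echo "FAIL: $f is $(octal_mode "$f"), must be $max or less permissive" >&2
      bad=$((bad + 1))
    fi
  done
  echo "$bad"
}

# fix_audit_logs DIR CONF: the chmod, chown and chgrp steps from the fixes.
# On a real host run as root with DIR=/var/log/audit.
fix_audit_logs() {
  dir=$1 conf=$2
  set -- $(required_modes "$conf")
  chmod "$1" "$dir"/audit.log
  for f in "$dir"/audit.log.*; do
    if [ -f "$f" ]; then chmod "$2" "$f"; fi
  done
  chown root "$dir" 2>/dev/null || echo "WARN: chown root $dir requires root" >&2
  chgrp "$(expected_group "$conf")" "$dir" 2>/dev/null ||
    echo "WARN: chgrp $(expected_group "$conf") $dir failed (needs root or group membership)" >&2
}

# Demonstration on a constructed scratch directory and auditd.conf.
d=$(mktemp -d) || exit 1
printf 'log_file = %s/audit.log\nlog_group = root\n' "$d" > "$d/auditd.conf"
: > "$d/audit.log";   chmod 0644 "$d/audit.log"     # world-readable: violation
: > "$d/audit.log.1"; chmod 0440 "$d/audit.log.1"   # already compliant
echo "group: $(expected_group "$d/auditd.conf")  modes: $(required_modes "$d/auditd.conf")"
echo "violations before: $(check_audit_logs "$d" "$d/auditd.conf" 2>/dev/null)"   # 1
fix_audit_logs "$d" "$d/auditd.conf" 2>/dev/null
echo "violations after:  $(check_audit_logs "$d" "$d/auditd.conf")"   # 0
rm -rf "$d"
```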
Amazon Linux 2023 library directories must be group-owned by root or a system account.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
AZLX-23-002280
Vuln IDs
V-274119
Rule IDs
SV-274119r1120345_rule
If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-78115r1120344_fix

Configure Amazon Linux 2023 systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory not group-owned by "root".

$ sudo chgrp root [DIRECTORY]

Amazon Linux 2023 library directories must have mode "755" or less permissive.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
AZLX-23-002285
Vuln IDs
V-274120
Rule IDs
SV-274120r1120348_rule
If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-78116r1120347_fix

Configure Amazon Linux 2023 systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory with a mode more permissive than "755".

$ sudo chmod 755 [DIRECTORY]

Amazon Linux 2023 library files must have mode "755" or less permissive.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
AZLX-23-002290
Vuln IDs
V-274121
Rule IDs
SV-274121r1155161_rule
If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-78117r1155160_fix

Configure Amazon Linux 2023 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to have mode 0755 or less permissive with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} +

Amazon Linux 2023 library files must be owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
AZLX-23-002295
Vuln IDs
V-274122
Rule IDs
SV-274122r1155164_rule
If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-78118r1155163_fix

Configure Amazon Linux 2023 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be owned by root with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} +

Amazon Linux 2023 library files must be group-owned by root or a system account.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
AZLX-23-002300
Vuln IDs
V-274123
Rule IDs
SV-274123r1155167_rule
If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-78119r1155166_fix

Configure Amazon Linux 2023 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be group-owned by root with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} +

Amazon Linux 2023 library directories must be owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
AZLX-23-002305
Vuln IDs
V-274124
Rule IDs
SV-274124r1120360_rule
If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-78120r1120359_fix

Configure Amazon Linux 2023 systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory not owned by "root".

$ sudo chown root [DIRECTORY]

Amazon Linux 2023 must ensure the /var/log directory have mode "0755" or less permissive.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
AZLX-23-002315
Vuln IDs
V-274125
Rule IDs
SV-274125r1120363_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-78121r1120362_fix

Configure Amazon Linux 2023 so that the "/var/log" directory has a mode of "0755" by running the following command:

$ sudo chmod 0755 /var/log

Amazon Linux 2023 must ensure the /var/log directory be owned by root.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
AZLX-23-002320
Vuln IDs
V-274126
Rule IDs
SV-274126r1120366_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-78122r1120365_fix

Configure Amazon Linux 2023 so that the directory "/var/log" is owned by "root" with the following command:

$ sudo chown root /var/log

Amazon Linux 2023 must ensure the /var/log directory be group-owned by root.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
AZLX-23-002325
Vuln IDs
V-274127
Rule IDs
SV-274127r1120369_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-78123r1120368_fix

Configure Amazon Linux 2023 so that the "/var/log" directory is group-owned by "root" with the following command:

$ sudo chgrp root /var/log

Amazon Linux 2023 must ensure the /var/log/messages file have mode "0640" or less permissive.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
AZLX-23-002330
Vuln IDs
V-274128
Rule IDs
SV-274128r1120372_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-78124r1120371_fix

Configure Amazon Linux 2023 so that the "/var/log/messages" file has a mode of "0640" with the following command:

$ sudo chmod 0640 /var/log/messages

Amazon Linux 2023 must ensure the /var/log/messages file be group-owned by root.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
AZLX-23-002335
Vuln IDs
V-274129
Rule IDs
SV-274129r1120375_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-78125r1120374_fix

Configure Amazon Linux 2023 so that the "/var/log/messages" file is group-owned by "root" with the following command:

$ sudo chgrp root /var/log/messages

Amazon Linux 2023 must ensure the /var/log/messages file is owned by root.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
AZLX-23-002340
Vuln IDs
V-274130
Rule IDs
SV-274130r1120378_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify Amazon Linux 2023 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-78126r1120377_fix

Configure Amazon Linux 2023 so that the "/var/log/messages" file is owned by "root" with the following command: $ sudo chown root /var/log/messages

b
Amazon Linux 2023 system commands must be owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
AZLX-23-002345
Vuln IDs
V-274131
Rule IDs
SV-274131r1120381_rule
If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-78127r1120380_fix

Configure Amazon Linux 2023 so that system commands are protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not owned by "root". $ sudo chown root [FILE]

b
Amazon Linux 2023 system commands must be group-owned by root or a system account.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
AZLX-23-002350
Vuln IDs
V-274132
Rule IDs
SV-274132r1120384_rule
If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-78128r1120383_fix

Configure Amazon Linux 2023 so that system commands are protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. $ sudo chgrp root [FILE]

b
Amazon Linux 2023 must enforce password complexity by requiring that at least one uppercase character be used.
RMF Control
Severity
M
CCI
CCI-004066
Version
AZLX-23-002355
Vuln IDs
V-274133
Rule IDs
SV-274133r1120387_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000725-GPOS-00180
Fix: F-78129r1120386_fix

Configure Amazon Linux 2023 to enforce password complexity by requiring that at least one uppercase character be used by setting the "ucredit" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "ucredit" parameter:
ucredit = -1
Remove any configurations that conflict with the above value.

b
Amazon Linux 2023 must enforce password complexity by requiring that at least one lowercase character be used.
RMF Control
Severity
M
CCI
CCI-004066
Version
AZLX-23-002360
Vuln IDs
V-274134
Rule IDs
SV-274134r1120390_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies: SRG-OS-000070-GPOS-00038, SRG-OS-000725-GPOS-00180
Fix: F-78130r1120389_fix

Configure Amazon Linux 2023 to enforce password complexity by requiring that at least one lowercase character be used by setting the "lcredit" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "lcredit" parameter:
lcredit = -1
Remove any configurations that conflict with the above value.

b
Amazon Linux 2023 must enforce password complexity by requiring that at least one numeric character be used.
RMF Control
Severity
M
CCI
CCI-004066
Version
AZLX-23-002365
Vuln IDs
V-274135
Rule IDs
SV-274135r1120393_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies: SRG-OS-000071-GPOS-00039, SRG-OS-000725-GPOS-00180
Fix: F-78131r1120392_fix

Configure Amazon Linux 2023 to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "dcredit" parameter:
dcredit = -1
Remove any configurations that conflict with the above value.

b
Amazon Linux 2023 must require the change of at least 50 percent of the total number of characters when passwords are changed.
RMF Control
Severity
M
CCI
CCI-004066
Version
AZLX-23-002370
Vuln IDs
V-274136
Rule IDs
SV-274136r1120697_rule
If Amazon Linux 2023 allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters. Satisfies: SRG-OS-000072-GPOS-00040, SRG-OS-000725-GPOS-00180
Fix: F-78132r1120696_fix

Configure Amazon Linux 2023 to require the change of at least eight (with a 15-character password) of the total number of characters when passwords are changed by setting the "difok" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "difok" parameter:
difok = 8
Remove any configurations that conflict with the above value. This value can be customized based on the desired password length.

b
Amazon Linux 2023 must enforce a minimum 15-character password length.
RMF Control
Severity
M
CCI
CCI-004066
Version
AZLX-23-002375
Vuln IDs
V-274137
Rule IDs
SV-274137r1120725_rule
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Satisfies: SRG-OS-000078-GPOS-00046, SRG-OS-000725-GPOS-00180
Fix: F-78133r1120398_fix

Configure Amazon Linux 2023 to enforce a minimum 15-character password length. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "minlen" parameter:
minlen = 15
Remove any configurations that conflict with the above value.

b
Amazon Linux 2023 must enforce password complexity by requiring that at least one special character be used.
RMF Control
Severity
M
CCI
CCI-004066
Version
AZLX-23-002380
Vuln IDs
V-274138
Rule IDs
SV-274138r1120402_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. Satisfies: SRG-OS-000266-GPOS-00101, SRG-OS-000725-GPOS-00180
Fix: F-78134r1120401_fix

Configure Amazon Linux 2023 to enforce password complexity by requiring at least one special character be used by setting the "ocredit" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "ocredit" parameter: ocredit = -1

b
Amazon Linux 2023 must enforce password complexity rules for the root account.
RMF Control
Severity
M
CCI
CCI-004066
Version
AZLX-23-002385
Vuln IDs
V-274139
Rule IDs
SV-274139r1120405_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies: SRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPOS-00038, SRG-OS-000266-GPOS-00101, SRG-OS-000078-GPOS-00046, SRG-OS-000069-GPOS-00037
Fix: F-78135r1120404_fix

Configure Amazon Linux 2023 to enforce password complexity on the root account. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "enforce_for_root" parameter: enforce_for_root

b
Amazon Linux 2023 must prevent the use of dictionary words for passwords.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
AZLX-23-002390
Vuln IDs
V-274140
Rule IDs
SV-274140r1120408_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If Amazon Linux 2023 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. Satisfies: SRG-OS-000480-GPOS-00225, SRG-OS-000710-GPOS-00160
Fix: F-78136r1120407_fix

Configure Amazon Linux 2023 to prevent the use of dictionary words for passwords. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: dictcheck=1
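The following shell script is an added example (not part of the STIG or SCAP benchmark) that audits, in one pass, the pwquality settings the rules AZLX-23-002355 through AZLX-23-002390 above require. It reads the files in the same order pam_pwquality does (pwquality.conf, then the drop-ins under pwquality.conf.d/ in name order, a later assignment overriding an earlier one), which is how a compliant main file can still be undone by a stray drop-in. The config root directory is a parameter (defaulting to /etc/security) so the script can be run against the constructed sample tree it builds.

```shell
#!/bin/sh
# Added example, not part of the STIG text. Audits pwquality settings for
# AZLX-23-002355 .. -002390: ucredit/lcredit/dcredit/ocredit <= -1,
# minlen >= 15, difok >= 8, dictcheck = 1, enforce_for_root present.

# Print the effective value of key $2 from the config rooted at $1 (the
# directory holding pwquality.conf and pwquality.conf.d/). A bare keyword
# such as "enforce_for_root" prints "set"; an unset key prints nothing.
pwq_get() {
    root=$1; key=$2
    # Main file first, then drop-ins in name order; the last assignment wins.
    for f in "$root/pwquality.conf" "$root"/pwquality.conf.d/*.conf; do
        [ -f "$f" ] || continue
        # Drop comments, turn "key=value" into "key value", keep the last match per file.
        sed -e 's/#.*//' -e 's/=/ /' "$f" |
            awk -v k="$key" '$1 == k { v = ($2 == "") ? "set" : $2 } END { if (v != "") print v }'
    done | tail -n 1
}

# Compare key $2 against a requirement: $3 is a test(1) integer operator
# (-le, -ge, -eq) with bound $4, or the word "set" for a bare keyword.
# Prints a FAIL line and returns 1 when the requirement is not met.
pwq_check() {
    root=$1; key=$2; op=$3; want=$4
    v=$(pwq_get "$root" "$key")
    if [ "$op" = set ]; then
        [ "$v" = set ] && return 0
    elif [ -n "$v" ] && [ "$v" "$op" "$want" ] 2>/dev/null; then
        return 0
    fi
    echo "FAIL $key: have '${v:-unset}', need $op $want"
    return 1
}

# Run every check; return 0 only when all of them pass.
pwq_audit() {
    root=${1:-/etc/security}; rc=0
    for key in ucredit lcredit dcredit ocredit; do
        pwq_check "$root" "$key" -le -1 || rc=1   # a negative credit is a required count
    done
    pwq_check "$root" minlen -ge 15 || rc=1
    pwq_check "$root" difok -ge 8 || rc=1
    pwq_check "$root" dictcheck -eq 1 || rc=1
    pwq_check "$root" enforce_for_root set || rc=1
    return $rc
}

# Build a constructed sample tree (not copied from any real system) in a temp
# dir. "good" is compliant; "bad" has the same main file plus a later drop-in
# that silently lowers minlen and clears ocredit.
pwq_make_sample() {
    d=$(mktemp -d); mkdir -p "$d/pwquality.conf.d"
    cat > "$d/pwquality.conf" <<'EOF'
# constructed sample of /etc/security/pwquality.conf
# minlen = 8
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = -1
difok = 8
minlen = 15
dictcheck=1
enforce_for_root
EOF
    if [ "$1" = bad ]; then
        printf 'minlen = 8\nocredit = 0\n' > "$d/pwquality.conf.d/99-local.conf"
    fi
    echo "$d"
}

GOOD=$(pwq_make_sample good)
BAD=$(pwq_make_sample bad)
pwq_audit "$GOOD" && echo "compliant: $GOOD"
pwq_audit "$BAD" || echo "noncompliant: $BAD"
```

Run with no argument (as root) to audit the live /etc/security tree instead of the samples.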

a
Amazon Linux 2023 must limit the number of concurrent sessions to ten for all accounts and/or account types.
RMF Control
AC-10
Severity
L
CCI
CCI-000054
Version
AZLX-23-002395
Vuln IDs
V-274141
Rule IDs
SV-274141r1120411_rule
Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.
Fix: F-78137r1120410_fix

Configure Amazon Linux 2023 to limit the number of concurrent sessions to "10" for all accounts and/or account types. Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/: * hard maxlogins 10

b
Amazon Linux 2023 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
AZLX-23-002396
Vuln IDs
V-274142
Rule IDs
SV-274142r1120414_rule
Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console.
Fix: F-78138r1120413_fix

Configure Amazon Linux 2023 to exit interactive command shell user sessions after 10 minutes of inactivity. Add or edit the following lines in "/etc/profile.d/tmout.sh":
#!/bin/bash
declare -xr TMOUT=600

b
Amazon Linux 2023 must enforce 24 hours/1 day as the minimum password lifetime.
RMF Control
Severity
M
CCI
CCI-004066
Version
AZLX-23-002400
Vuln IDs
V-274143
Rule IDs
SV-274143r1120417_rule
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Fix: F-78139r1120416_fix

Configure Amazon Linux 2023 to enforce 24 hours as the minimum password lifetime for new user accounts. Add the following line in "/etc/login.defs" (or modify the line to have the required value): PASS_MIN_DAYS 1

b
Amazon Linux 2023 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
AZLX-23-002405
Vuln IDs
V-274144
Rule IDs
SV-274144r1120420_rule
Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.
Fix: F-78140r1120419_fix

Configure Amazon Linux 2023 to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater: FAIL_DELAY 4

b
Amazon Linux 2023 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
AZLX-23-002410
Vuln IDs
V-274145
Rule IDs
SV-274145r1120423_rule
Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00230
Fix: F-78141r1120422_fix

Configure Amazon Linux 2023 to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Add or edit the lines for the "UMASK" parameter in the "/etc/login.defs" file to "077": UMASK 077

b
Amazon Linux 2023 must be able to enforce a 60-day maximum password lifetime restriction.
RMF Control
Severity
M
CCI
CCI-004066
Version
AZLX-23-002425
Vuln IDs
V-274148
Rule IDs
SV-274148r1120432_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If Amazon Linux 2023 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that Amazon Linux 2023 passwords could be compromised.
Fix: F-78144r1120431_fix

Configure Amazon Linux 2023 to set noncompliant accounts to enforce a 60-day maximum password lifetime restriction with the following command:
$ sudo chage -M 60 [user]

b
Amazon Linux 2023 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
RMF Control
Severity
M
CCI
CCI-003627
Version
AZLX-23-002430
Vuln IDs
V-274149
Rule IDs
SV-274149r1120435_rule
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity. Satisfies: SRG-OS-000118-GPOS-00060, SRG-OS-000590-GPOS-00110
Fix: F-78145r1120434_fix

Configure Amazon Linux 2023 to disable account identifiers after 35 days of inactivity following password expiration. Run the following command to change the default configuration for useradd:
$ sudo useradd -D -f 35
The recommendation is 35 days, but a lower value is acceptable.

b
Amazon Linux 2023 must restrict the use of the "su" command.
RMF Control
AC-3
Severity
M
CCI
CCI-002165
Version
AZLX-23-002440
Vuln IDs
V-274151
Rule IDs
SV-274151r1120441_rule
The "su" program allows running commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered good security practice.
Fix: F-78147r1120440_fix

Configure Amazon Linux 2023 to require users to be in the "wheel" group to run the "su" command. In the file "/etc/pam.d/su", uncomment the following line:
#auth required pam_wheel.so use_uid
This can be done with the following command:
$ sudo sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
If necessary, create a "wheel" group and add administrative users to the group.

b
Amazon Linux 2023 must enable the SELinux targeted policy.
RMF Control
SI-6
Severity
M
CCI
CCI-002696
Version
AZLX-23-002445
Vuln IDs
V-274152
Rule IDs
SV-274152r1120738_rule
Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: During the development or debugging of SELinux modules, it is common to temporarily place nonproduction systems in "permissive" mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to "targeted".
Fix: F-78148r1120737_fix

Configure Amazon Linux 2023 to use the targeted SELinux policy. Edit the file "/etc/selinux/config" and add or modify the following line:
SELINUXTYPE=targeted
A reboot is required for the changes to take effect.

c
Amazon Linux 2023 must use a Linux Security Module configured to enforce limits on system services.
RMF Control
SC-3
Severity
H
CCI
CCI-001084
Version
AZLX-23-002450
Vuln IDs
V-274153
Rule IDs
SV-274153r1120713_rule
An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For nonkernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code. Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Operating systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. Satisfies: SRG-OS-000134-GPOS-00068, SRG-OS-000445-GPOS-00199
Fix: F-78149r1120446_fix

Configure Amazon Linux 2023 to verify correct operation of security functions. Edit the file "/etc/selinux/config" and add or modify the following line:
SELINUX=enforcing
A reboot is required for the changes to take effect.

b
Amazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur.
RMF Control
AC-7
Severity
M
CCI
CCI-002238
Version
AZLX-23-002455
Vuln IDs
V-274154
Rule IDs
SV-274154r1120450_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Fix: F-78150r1120449_fix

Configure Amazon Linux 2023 to lock an account when three unsuccessful logon attempts occur. Add/modify the "/etc/security/faillock.conf" file to match the following line: deny = 3

b
Amazon Linux 2023 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
RMF Control
AC-7
Severity
M
CCI
CCI-002238
Version
AZLX-23-002460
Vuln IDs
V-274155
Rule IDs
SV-274155r1120453_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Fix: F-78151r1120452_fix

Configure Amazon Linux 2023 to lock out the "root" account after a number of incorrect login attempts using "pam_faillock.so". First, enable the feature with the following command:
$ sudo authselect enable-feature with-faillock
Then edit the "/etc/security/faillock.conf" file to add or uncomment the following line:
even_deny_root

b
Amazon Linux 2023 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
RMF Control
AC-7
Severity
M
CCI
CCI-002238
Version
AZLX-23-002465
Vuln IDs
V-274156
Rule IDs
SV-274156r1184029_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Fix: F-78152r1120455_fix

Configure Amazon Linux 2023 to automatically lock an account after three unsuccessful logon attempts in 15 minutes. First, ensure that the system is configured with authselect, i.e., using the sssd profile:
$ sudo authselect select sssd [--force]
Then enable the faillock feature:
$ sudo authselect enable-feature with-faillock
Then edit the "/etc/security/faillock.conf" file as follows:
fail_interval = 900

b
Amazon Linux 2023 must maintain an account lock until the locked account is released by an administrator.
RMF Control
AC-7
Severity
M
CCI
CCI-002238
Version
AZLX-23-002470
Vuln IDs
V-274157
Rule IDs
SV-274157r1120459_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Fix: F-78153r1120458_fix

Configure Amazon Linux 2023 to lock an account until released by an administrator after three unsuccessful logon attempts with the command:
$ authselect enable-feature with-faillock
Then edit the "/etc/security/faillock.conf" file as follows:
unlock_time = 0

b
Amazon Linux 2023 must ensure all interactive users have a primary group that exists.
RMF Control
IA-2
Severity
M
CCI
CCI-000764
Version
AZLX-23-002480
Vuln IDs
V-274159
Rule IDs
SV-274159r1120465_rule
If a user is assigned the group identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group. Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020
Fix: F-78155r1120464_fix

Configure Amazon Linux 2023 so that all GIDs referenced in "/etc/passwd" are defined in "/etc/group". Edit the file "/etc/passwd" and ensure that every user's GID is a valid GID.

b
Amazon Linux 2023 must ensure all interactive users have unique User IDs (UIDs).
RMF Control
IA-2
Severity
M
CCI
CCI-000764
Version
AZLX-23-002485
Vuln IDs
V-274160
Rule IDs
SV-274160r1120663_rule
To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020
Fix: F-78156r1120467_fix

Configure Amazon Linux 2023 to contain no duplicate UIDs for interactive users. Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.

b
Amazon Linux 2023 must ensure the password complexity module is enabled in the password-auth file.
RMF Control
Severity
M
CCI
CCI-004066
Version
AZLX-23-002489
Vuln IDs
V-274161
Rule IDs
SV-274161r1120471_rule
Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.
Fix: F-78157r1120470_fix

Configure Amazon Linux 2023 to use "pwquality" to enforce password complexity rules. Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): password required pam_pwquality.so

b
Amazon Linux 2023 password-auth must be configured to use a sufficient number of hashing rounds.
RMF Control
Severity
M
CCI
CCI-004062
Version
AZLX-23-002490
Vuln IDs
V-274162
Rule IDs
SV-274162r1120474_rule
Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Fix: F-78158r1120473_fix

Configure Amazon Linux 2023 to use 100000 hashing rounds for hashing passwords. Add or modify the following line in "/etc/pam.d/password-auth" and set "rounds" to "100000":
password sufficient pam_unix.so sha512 rounds=100000

b
Amazon Linux 2023 system-auth must be configured to use a sufficient number of hashing rounds.
RMF Control
Severity
M
CCI
CCI-004062
Version
AZLX-23-002495
Vuln IDs
V-274163
Rule IDs
SV-274163r1120477_rule
Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Fix: F-78159r1120476_fix

Configure Amazon Linux 2023 to use 100000 hashing rounds for hashing passwords. Add or modify the following line in "/etc/pam.d/system-auth" and set "rounds" to "100000":
password sufficient pam_unix.so sha512 rounds=100000

b
Amazon Linux 2023 must terminate idle user sessions.
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
AZLX-23-002510
Vuln IDs
V-274166
Rule IDs
SV-274166r1155170_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the Amazon Linux 2023 level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that Amazon Linux 2023 terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Fix: F-78162r1155169_fix

Configure Amazon Linux 2023 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line:
StopIdleSessionSec=600
The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command:
$ sudo systemctl restart systemd-logind

b
Amazon Linux 2023 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
RMF Control
AU-14
Severity
M
CCI
CCI-001464
Version
AZLX-23-002520
Vuln IDs
V-274168
Rule IDs
SV-274168r1120492_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Audit records can be generated from various components within the information system (e.g., module or policy filter). Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132
Fix: F-78164r1120491_fix

Configure Amazon Linux 2023 to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command: $ sudo grubby --update-kernel=ALL --args=audit_backlog_limit=8192

b
Amazon Linux 2023 must enable discretionary access control on hardlinks.
RMF Control
AC-3
Severity
M
CCI
CCI-002165
Version
AZLX-23-002535
Vuln IDs
V-274169
Rule IDs
SV-274169r1120495_rule
By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file systems accessed by privileged programs, removing an exploitation vector that relies on unsafe use of open() or creat(). Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125
Fix: F-78165r1120494_fix

Configure Amazon Linux 2023 to enable DAC on hardlinks with the following:

Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:

fs.protected_hardlinks = 1

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

b
Amazon Linux 2023 must enable kernel parameters to enforce discretionary access control on symlinks.
RMF Control
AC-3
Severity
M
CCI
CCI-002165
Version
AZLX-23-002540
Vuln IDs
V-274170
Rule IDs
SV-274170r1120498_rule
By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file systems accessed by privileged programs, removing an exploitation vector that relies on unsafe use of open() or creat(). Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125
Fix: F-78166r1120497_fix

Configure Amazon Linux 2023 to enable DAC on symlinks with the following:

Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:

fs.protected_symlinks = 1

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

b
Amazon Linux 2023 debug-shell systemd service must be disabled.
RMF Control
AC-6
Severity
M
CCI
CCI-002235
Version
AZLX-23-002555
Vuln IDs
V-274173
Rule IDs
SV-274173r1120507_rule
The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
Fix: F-78169r1120506_fix

Configure Amazon Linux 2023 to mask the debug-shell systemd service with the following commands:

$ sudo systemctl disable --now debug-shell.service
$ sudo systemctl mask --now debug-shell.service

b
Amazon Linux 2023 must prevent the loading of a new kernel for later execution.
RMF Control
Severity
M
CCI
CCI-003992
Version
AZLX-23-002575
Vuln IDs
V-274177
Rule IDs
SV-274177r1120519_rule
Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. All software packages must be signed with a cryptographic key recognized and approved by the organization. Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.
Fix: F-78173r1120518_fix

Configure Amazon Linux 2023 to disable kernel image loading. Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:

kernel.kexec_load_disabled = 1

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

b
Amazon Linux 2023 must mount /dev/shm with the nodev option.
RMF Control
CM-7
Severity
M
CCI
CCI-001764
Version
AZLX-23-002585
Vuln IDs
V-274179
Rule IDs
SV-274179r1120525_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Fix: F-78175r1120524_fix

Configure Amazon Linux 2023 so that "/dev/shm" is mounted with the "nodev" option. Modify "/etc/fstab" to use the "nodev" option on the "/dev/shm" file system.

b
Amazon Linux 2023 must mount /dev/shm with the nosuid option.
RMF Control
CM-7
Severity
M
CCI
CCI-001764
Version
AZLX-23-002590
Vuln IDs
V-274180
Rule IDs
SV-274180r1198347_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Fix: F-78176r1120527_fix

Configure Amazon Linux 2023 so that "/dev/shm" is mounted with the "nosuid" option. Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system.
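The sysctl rules above (fs.protected_hardlinks, fs.protected_symlinks, kernel.kexec_load_disabled) and the two /dev/shm mount-option rules can be checked from their configuration files. The following script is an added example, not part of the STIG benchmark or a DISA tool; it runs against constructed sample files and assumes a single sysctl.d directory, whereas a real "sysctl --system" also reads /run/sysctl.d, /usr/lib/sysctl.d and /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not part of the STIG benchmark: audit sysctl.d drop-ins and an
# fstab for the settings the rules above require. Sample files are constructed
# below so the script runs offline; on a real host point the functions at
# /etc/sysctl.d and /etc/fstab. Assumption: only one sysctl.d directory is read.

# check_sysctl DIR KEY VALUE: succeed if the last uncommented assignment of KEY
# in DIR/*.conf (lexical order, later files override earlier ones) equals VALUE.
check_sysctl() {
    dir=$1; key=$2; want=$3
    got=$(cat "$dir"/*.conf 2>/dev/null | awk -F= -v k="$key" '
        /^[[:space:]]*[#;]/ { next }                      # skip comment lines
        { gsub(/[[:space:]]/, "", $1) }
        $1 == k { v = $2; gsub(/[[:space:]]/, "", v); last = v }
        END { print last }')
    [ "$got" = "$want" ]
}

# check_fstab FILE MOUNTPOINT OPTION: succeed if the (last) fstab entry for
# MOUNTPOINT lists OPTION in its mount-options field.
check_fstab() {
    opts=$(awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4 }' "$1" | tail -n 1)
    [ -n "$opts" ] && printf '%s\n' "$opts" | tr ',' '\n' | grep -qx "$3"
}

# stig_report SYSCTL_DIR FSTAB: print PASS/FAIL per rule, return the failure count.
stig_report() {
    dir=$1; fstab=$2; fails=0
    for spec in "AZLX-23-002535 sysctl fs.protected_hardlinks 1" \
                "AZLX-23-002540 sysctl fs.protected_symlinks 1" \
                "AZLX-23-002575 sysctl kernel.kexec_load_disabled 1" \
                "AZLX-23-002585 fstab /dev/shm nodev" \
                "AZLX-23-002590 fstab /dev/shm nosuid"; do
        set -- $spec
        if [ "$2" = sysctl ]; then check_sysctl "$dir" "$3" "$4"; else check_fstab "$fstab" "$3" "$4"; fi \
            && echo "PASS $1 $3 $4" || { echo "FAIL $1 $3 $4"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Constructed sample input: a vendor drop-in that leaves kexec enabled and a
# STIG drop-in that only fixes symlinks, so exactly one rule should fail.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
mkdir "$tmp/sysctl.d"
printf '%s\n' '# vendor defaults (constructed)' 'fs.protected_hardlinks = 1' \
    'kernel.kexec_load_disabled = 0' > "$tmp/sysctl.d/50-default.conf"
printf '%s\n' 'fs.protected_symlinks = 1' > "$tmp/sysctl.d/99-stig.conf"
printf '%s\n' '# constructed fstab' 'tmpfs /dev/shm tmpfs defaults,nodev,nosuid 0 0' > "$tmp/fstab"

stig_report "$tmp/sysctl.d" "$tmp/fstab" || echo "$? rule(s) failed"
```

Running it with the constructed files reports FAIL only for AZLX-23-002575, because the later drop-in does not override kernel.kexec_load_disabled; the running kernel can differ from the files, so pair this with "sysctl -n" and "findmnt /dev/shm" on a live host.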

b
Amazon Linux 2023 must ensure the pcscd service is active.
RMF Control
Severity
M
CCI
CCI-004046
Version
AZLX-23-002595
Vuln IDs
V-274181
Rule IDs
SV-274181r1120531_rule
The information system ensures that even if it is compromised, that compromise will not affect credentials stored on the authentication device. pcscd is the daemon program for pcsc-lite and the MuscleCard framework. It is a resource manager that coordinates communications with smart card readers, smart cards, and cryptographic tokens connected to the system.
Fix: F-78177r1120530_fix

Configure Amazon Linux 2023 so that the "pcscd" service is active with the following command:

$ sudo systemctl enable --now pcscd

b
Amazon Linux 2023 must remove all software components after updated versions have been installed.
RMF Control
SI-2
Severity
M
CCI
CCI-002617
Version
AZLX-23-002615
Vuln IDs
V-274185
Rule IDs
SV-274185r1120543_rule
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.
Fix: F-78181r1120542_fix

Configure Amazon Linux 2023 to remove all software components after updated versions have been installed. Set the "clean_requirements_on_remove" option to "1" in the "/etc/dnf/dnf.conf" file:

clean_requirements_on_remove=1

b
Amazon Linux 2023 audit system must protect logon user identifiers (UIDs) from unauthorized change.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
AZLX-23-005000
Vuln IDs
V-274187
Rule IDs
SV-274187r1120715_rule
If modification of login UIDs is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
Fix: F-78183r1120548_fix

Configure Amazon Linux 2023 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules:

--loginuid-immutable

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load

c
Amazon Linux 2023 must implement DOD-approved encryption in the bind package.
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
AZLX-23-001286
Vuln IDs
V-283440
Rule IDs
SV-283440r1192648_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Amazon Linux 2023 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190
Fix: F-87910r1188392_fix

Configure Amazon Linux 2023 so that BIND uses the system crypto policy. Add the following line to the "options" section in "/etc/named.conf":

include "/etc/crypto-policies/back-ends/bind.config";