Amazon Linux 2023 Security Technical Implementation Guide
Digest of Updates (7)
Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule's description, check, and fix text after stripping inline markup; cosmetic-only edits aren't flagged.
Content changes (7)
- V-273999 (High, description): Amazon Linux 2023 must be a vendor-supported release.
- V-274020 (Medium, check): Amazon Linux 2023 must have the rsyslog package installed.
- V-274049 (Medium, description): Amazon Linux 2023 must not permit direct logons to the root account using remote access via SSH.
- V-274121 (Medium, check/fix): Amazon Linux 2023 library files must have mode "755" or less permissive.
- V-274122 (Medium, check/fix): Amazon Linux 2023 library files must be owned by root.
- V-274123 (Medium, check/fix): Amazon Linux 2023 library files must be group-owned by root or a system account.
- V-274166 (Medium, check/fix): Amazon Linux 2023 must terminate idle user sessions.
- RMF Control: SC-28
- Severity: H
- CCI: CCI-001199
- Version: AZLX-23-000100
- Vuln IDs: V-273994
- Rule IDs: SV-273994r1119970_rule
Checks: C-78085r1119968_chk
Verify Amazon Linux 2023 is configured so that all partitions are encrypted with the following command:
$ sudo blkid
/dev/xvda1: UUID="ed0acbe9-bd05-495e-a9ac-cb615b29327d" TYPE="crypto_LUKS"
Every persistent disk partition present must be of "Type" "crypto_LUKS". If any partitions other than the boot partition, bios partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", this is a finding.
Fix: F-77990r1119969_fix
Configure Amazon Linux 2023 to protect the confidentiality and integrity of all information at rest. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.
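The check above is a manual read of blkid output. As an added example (not STIG content), the script below evaluates AZLX-23-000100 offline against a captured blkid listing: it flags every partition whose TYPE is not crypto_LUKS, skips the boot/bios devices the assessor names in an exclusion list (the STIG exempts them but blkid cannot identify them on its own), and ignores opened containers under /dev/mapper, whose inner filesystem is expected to be plaintext. The device names, UUIDs and partition labels in the sample are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG: offline evaluation of AZLX-23-000100
# against saved "blkid" output. Sample data below is constructed.

# luks_findings BLKID_OUTPUT_FILE "EXCLUDED_DEV ..."
#   Prints one FINDING line per persistent partition whose TYPE is not
#   crypto_LUKS. Devices in the exclusion list (boot and bios partitions,
#   which the STIG exempts) and opened LUKS containers (/dev/mapper/*,
#   /dev/dm-*) are skipped. Returns 0 with no findings, 1 otherwise.
luks_findings() {
    awk -v excluded=" $2 " '
        {
            dev = $1; sub(/:$/, "", dev)
            # Opened containers show the filesystem inside the LUKS volume;
            # the STIG inspects the encrypted block device itself.
            if (dev ~ /^\/dev\/(mapper\/|dm-)/) next
            if (index(excluded, " " dev " ") > 0) next
            type = ""
            if (match($0, /TYPE="[^"]*"/))
                type = substr($0, RSTART + 6, RLENGTH - 7)
            if (type != "crypto_LUKS") {
                printf "FINDING: %s has TYPE=\"%s\", expected crypto_LUKS\n", dev, type
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# write_sample_blkid FILE -> constructed blkid output for a host with an
# unencrypted BIOS/EFI pair, a LUKS root, its opened container, and one
# unencrypted data partition (the one that should be reported).
write_sample_blkid() {
    cat > "$1" <<'EOF'
/dev/xvda1: PARTLABEL="BIOS Boot" PARTUUID="11111111-0000-0000-0000-000000000001"
/dev/xvda2: UUID="22222222-2222-2222-2222-222222222222" TYPE="vfat" PARTLABEL="EFI System Partition"
/dev/xvda3: UUID="33333333-3333-3333-3333-333333333333" TYPE="crypto_LUKS"
/dev/mapper/cryptroot: UUID="44444444-4444-4444-4444-444444444444" TYPE="xfs"
/dev/xvdb1: UUID="55555555-5555-5555-5555-555555555555" TYPE="xfs"
EOF
}

# Demonstration on the constructed sample: only /dev/xvdb1 is reported.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_blkid "$tmp"
    luks_findings "$tmp" "/dev/xvda1 /dev/xvda2"
    rm -f "$tmp"
fi
```

On a real host, save `sudo blkid` to a file and pass it with the devices identified as the boot and bios partitions; anything else that is not crypto_LUKS is a finding under the rule's wording.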
- RMF Control:
- Severity: M
- CCI: CCI-003992
- Version: AZLX-23-000110
- Vuln IDs: V-273995
- Rule IDs: SV-273995r1119973_rule
Checks: C-78086r1119971_chk
Verify Amazon Linux 2023 package-signing keys are installed on the system and verify their fingerprints match vendor values.
Note: For Amazon Linux 2023 software packages, AWS uses GPG keys defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" by default.
List Amazon Linux GPG keys installed on the system:
$ sudo rpm -q gpg-pubkey --qf "%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n"
gpg-pubkey-d832c631-6515c85e Amazon Linux <amazon-linux@amazon.com> public key
If there is no Amazon Linux GPG key installed, this is a finding.
Extract the fingerprint from the key with this command:
$ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
pub rsa4096/D832C631 2022-12-08 [SC]
Key fingerprint = B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
uid Amazon Linux <amazon-linux@amazon.com>
Compare the Key fingerprint with the key fingerprint from Amazon Documentation and instructions at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-keys.html
If key fingerprints do not match, or the key file is missing, this is a finding.
Fix: F-77991r1119972_fix
Configure Amazon Linux 2023 so that the public key for verifying RPM packages is installed with the "system-release" package. Install the system-release package with the following command:
$ sudo dnf install -y system-release
Ensure cryptographic verification of software packages is enabled by editing /etc/dnf/dnf.conf and, under '[main]' in the configuration file, adding:
gpgcheck=1
- RMF Control:
- Severity: H
- CCI: CCI-003992
- Version: AZLX-23-000115
- Vuln IDs: V-273996
- Rule IDs: SV-273996r1119976_rule
Checks: C-78087r1119974_chk
Verify Amazon Linux 2023 is configured so that dnf always checks the GPG signature of locally installed software packages before installation:
$ grep localpkg_gpgcheck /etc/dnf/dnf.conf
localpkg_gpgcheck=1
If "localpkg_gpgcheck" is not set to "1" or "True", or if the option is missing or commented out, ask the system administrator how the GPG signatures of local software packages are being verified. If there is no process to verify GPG signatures approved by the organization, this is a finding.
Fix: F-77992r1119975_fix
Configure Amazon Linux 2023 to always check the GPG signature of local software packages before installation. Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file:
localpkg_gpgcheck=1
- RMF Control:
- Severity: H
- CCI: CCI-003992
- Version: AZLX-23-000120
- Vuln IDs: V-273997
- Rule IDs: SV-273997r1119979_rule
Checks: C-78088r1119977_chk
Verify Amazon Linux 2023 is configured so that dnf always checks the GPG signature of software packages originating from external software repositories before installation:
$ grep -w gpgcheck /etc/dnf/dnf.conf
gpgcheck=1
If "gpgcheck" is not set to "1" or "True", or if the option is missing or commented out, ask the system administrator how the GPG signatures of software packages are being verified. If there is no process to verify GPG signatures approved by the organization, this is a finding.
Fix: F-77993r1119978_fix
Configure Amazon Linux 2023 to always check the GPG signature of software packages originating from external software repositories before installation. Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file:
gpgcheck=1
- RMF Control:
- Severity: H
- CCI: CCI-003992
- Version: AZLX-23-000125
- Vuln IDs: V-273998
- Rule IDs: SV-273998r1119982_rule
Checks: C-78089r1119980_chk
Verify Amazon Linux 2023 software repositories enforce a signature check on the packages prior to allowing installation with the following command:
$ grep -w gpgcheck /etc/yum.repos.d/*.repo | more
/etc/yum.repos.d/amazonlinux.repo:gpgcheck=1
/etc/yum.repos.d/amazonlinux.repo:gpgcheck=1
/etc/yum.repos.d/amazonlinux.repo:gpgcheck=1
/etc/yum.repos.d/kernel-livepatch.repo:gpgcheck=1
/etc/yum.repos.d/kernel-livepatch.repo:gpgcheck=1
If any repository has "gpgcheck=0" or "False", or if the option is commented out, this is a finding.
Fix: F-77994r1119981_fix
Configure Amazon Linux 2023 to verify the signature of packages from a repository prior to installation by setting the following option in the "/etc/yum.repos.d/[your_repo_name].repo" file:
gpgcheck=1
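The three signature-checking rules (AZLX-23-000115, 000120 and 000125) all reduce to parsing INI-style dnf configuration. As an added example (not STIG content), the script below checks a dnf.conf [main] section for gpgcheck and localpkg_gpgcheck and every section of every *.repo file for gpgcheck, accepting "1" or "True" as the rules do and treating commented-out or missing options as findings. It is deliberately slightly stricter than the rule text for repositories: a section that does not set gpgcheck at all is reported, rather than silently inheriting [main]. The directory layout (ROOT/dnf.conf, ROOT/repos/) and all file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the STIG: audit dnf signature checking offline.
# Layout assumed: ROOT/dnf.conf and ROOT/repos/*.repo (constructed samples).

# dnf_main_opt FILE KEY -> value of KEY in the [main] section; the last
# uncommented assignment wins. Prints nothing if the key is absent.
dnf_main_opt() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_main = ($0 ~ /^[[:space:]]*\[main\]/); next }
        in_main && $0 !~ /^[[:space:]]*[#;]/ && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); val = $0
        }
        END { if (val != "") print val }
    ' "$1"
}

# is_enabled VALUE -> 0 if VALUE is "1" or "True" (case-insensitive)
is_enabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|true) return 0 ;;
        *) return 1 ;;
    esac
}

# check_dnf_conf FILE -> AZLX-23-000115/000120: both [main] options enabled
check_dnf_conf() {
    rc=0
    for key in gpgcheck localpkg_gpgcheck; do
        if ! is_enabled "$(dnf_main_opt "$1" "$key")"; then
            echo "FINDING: $key is not 1/True in [main] of $1"; rc=1
        fi
    done
    return $rc
}

# check_repo_dir DIR -> AZLX-23-000125: every repo section sets gpgcheck=1/True.
# Commented-out lines are ignored, so "#gpgcheck=1" counts as missing.
check_repo_dir() {
    rc=0
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function flush() {
                if (sec != "" && !ok) { print "FINDING: " file " [" sec "] does not set gpgcheck=1"; bad = 1 }
            }
            /^[[:space:]]*\[/ {
                flush(); sec = $0
                sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); ok = 0; next
            }
            sec != "" && $0 !~ /^[[:space:]]*[#;]/ && $0 ~ /^[[:space:]]*gpgcheck[[:space:]]*=/ {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                ok = (tolower(v) == "1" || tolower(v) == "true")
            }
            END { flush(); exit bad }
        ' "$f" || rc=1
    done
    return $rc
}

# audit_dnf ROOT -> runs both checks; returns 1 if either produced a finding
audit_dnf() {
    status=0
    check_dnf_conf "$1/dnf.conf" || status=1
    check_repo_dir "$1/repos" || status=1
    return $status
}

# write_sample_dnf DIR -> constructed compliant (good/) and non-compliant (bad/) trees
write_sample_dnf() {
    mkdir -p "$1/good/repos" "$1/bad/repos"
    printf '[main]\ngpgcheck=1\nlocalpkg_gpgcheck=True\ninstallonly_limit=3\n' > "$1/good/dnf.conf"
    printf '[amazonlinux]\nname=Amazon Linux 2023\ngpgcheck=1\n\n[amazonlinux-source]\ngpgcheck=1\n' > "$1/good/repos/amazonlinux.repo"
    printf '[kernel-livepatch]\ngpgcheck=1\n' > "$1/good/repos/kernel-livepatch.repo"
    # bad: gpgcheck disabled, localpkg_gpgcheck absent, one repo commented out
    printf '[main]\ngpgcheck=0\ninstallonly_limit=3\n' > "$1/bad/dnf.conf"
    printf '[amazonlinux]\ngpgcheck=1\n' > "$1/bad/repos/amazonlinux.repo"
    printf '[kernel-livepatch]\n#gpgcheck=1\n' > "$1/bad/repos/kernel-livepatch.repo"
}
```

Against a live host, point `check_dnf_conf` at /etc/dnf/dnf.conf and `check_repo_dir` at /etc/yum.repos.d; the sample tree exists only so the logic can be exercised without root.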
- RMF Control: SI-2
- Severity: H
- CCI: CCI-002605
- Version: AZLX-23-000130
- Vuln IDs: V-273999
- Rule IDs: SV-273999r1155171_rule
Checks: C-78090r1119983_chk
Verify Amazon Linux 2023 is a vendor-supported version with the following command:
$ cat /etc/amazon-linux-release
Amazon Linux release 2023.6.20250203 (Amazon Linux)
If the installed version of Amazon Linux 2023 is not supported, this is a finding.
Fix: F-77995r1119984_fix
Configure Amazon Linux 2023 to be a vendor-supported release. Upgrade to a supported version of Amazon Linux 2023.
- RMF Control: SC-24
- Severity: M
- CCI: CCI-001665
- Version: AZLX-23-000135
- Vuln IDs: V-274000
- Rule IDs: SV-274000r1119988_rule
Checks: C-78091r1119986_chk
Verify Amazon Linux 2023 is configured so that "systemd-journald" is active with the following command:
$ systemctl is-active systemd-journald
active
If the systemd-journald service is not active, this is a finding.
Fix: F-77996r1119987_fix
Configure Amazon Linux 2023 to enable the systemd-journald service with the following command:
$ sudo systemctl enable --now systemd-journald
- RMF Control: SC-2
- Severity: M
- CCI: CCI-001082
- Version: AZLX-23-000200
- Vuln IDs: V-274001
- Rule IDs: SV-274001r1119991_rule
Checks: C-78092r1119989_chk
Verify Amazon Linux 2023 is configured to restrict access to the kernel message buffer with the following commands:
Check the status of the kernel.dmesg_restrict kernel parameter.
$ sudo sysctl kernel.dmesg_restrict
kernel.dmesg_restrict = 1
If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.
Fix: F-77997r1119990_fix
Configure Amazon Linux 2023 to restrict access to the kernel message buffer. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
kernel.dmesg_restrict = 1
Load settings from all system configuration files with the following command:
$ sudo sysctl --system
- RMF Control: SC-2
- Severity: M
- CCI: CCI-001082
- Version: AZLX-23-000205
- Vuln IDs: V-274002
- Rule IDs: SV-274002r1119994_rule
Checks: C-78093r1119992_chk
Verify Amazon Linux 2023 is configured to prevent kernel profiling by nonprivileged users with the following commands:
Check the status of the kernel.perf_event_paranoid kernel parameter.
$ sudo sysctl kernel.perf_event_paranoid
kernel.perf_event_paranoid = 2
If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding.
Fix: F-77998r1119993_fix
Configure Amazon Linux 2023 to prevent kernel profiling by nonprivileged users. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
kernel.perf_event_paranoid = 2
Load settings from all system configuration files with the following command:
$ sudo sysctl --system
- RMF Control: SC-2
- Severity: M
- CCI: CCI-001082
- Version: AZLX-23-000210
- Vuln IDs: V-274003
- Rule IDs: SV-274003r1119997_rule
Checks: C-78094r1119995_chk
Verify Amazon Linux 2023 restricts exposed kernel pointer addresses access by validating the runtime status of the Amazon Linux 2023 kernel.kptr_restrict kernel parameter with the following command:
$ sudo sysctl kernel.kptr_restrict
kernel.kptr_restrict = 1
If "kernel.kptr_restrict" is not set to "1" or is missing, this is a finding.
Fix: F-77999r1119996_fix
Configure Amazon Linux 2023 to restrict exposed kernel pointer addresses access. Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
kernel.kptr_restrict = 1
Reload settings from all system configuration files with the following command:
$ sudo sysctl --system
- RMF Control: SC-2
- Severity: M
- CCI: CCI-001082
- Version: AZLX-23-000215
- Vuln IDs: V-274004
- Rule IDs: SV-274004r1120000_rule
Checks: C-78095r1119998_chk
Verify Amazon Linux 2023 prevents privilege escalation through the kernel by disabling access to the bpf system call with the following commands:
$ sudo sysctl kernel.unprivileged_bpf_disabled
kernel.unprivileged_bpf_disabled = 1
If the returned line does not have a value of "1", or a line is not returned, this is a finding.
Fix: F-78000r1119999_fix
Configure Amazon Linux 2023 to prevent privilege escalation through the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory:
kernel.unprivileged_bpf_disabled = 1
The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system
- RMF Control: SC-2
- Severity: M
- CCI: CCI-001082
- Version: AZLX-23-000220
- Vuln IDs: V-274005
- Rule IDs: SV-274005r1120003_rule
Checks: C-78096r1120001_chk
Verify Amazon Linux 2023 restricts usage of ptrace to descendant processes with the following commands:
$ sudo sysctl kernel.yama.ptrace_scope
kernel.yama.ptrace_scope = 1
If the returned line does not have a value of "1", or a line is not returned, this is a finding.
Fix: F-78001r1120002_fix
Configure Amazon Linux 2023 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory:
kernel.yama.ptrace_scope = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system
- RMF Control: SI-16
- Severity: M
- CCI: CCI-002824
- Version: AZLX-23-000225
- Vuln IDs: V-274006
- Rule IDs: SV-274006r1120006_rule
Checks: C-78097r1120004_chk
Verify Amazon Linux 2023 is implementing ASLR with the following command:
$ sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2
Check that the configuration files are present to enable this kernel parameter. Verify the configuration of the kernel.randomize_va_space kernel parameter with the following command:
$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.randomize_va_space | tail -1
kernel.randomize_va_space = 2
If "kernel.randomize_va_space" is not set to "2" or is missing, this is a finding.
Fix: F-78002r1120005_fix
Configure Amazon Linux 2023 to enable ASLR to enhance memory protection. Enable ASLR by setting the kernel parameter with the following command:
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
kernel.randomize_va_space = 2
Reload settings from all system configuration files with the following command:
$ sudo sysctl --system
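The six kernel-parameter rules (AZLX-23-000200 through 000225) each have a runtime side (what `sysctl KEY` reports now) and a persistence side (what the sysctl.d files will apply at boot). The ASLR check above shows the persistence side for one key with `systemd-sysctl --cat-config ... | tail -1`, i.e. the last assignment wins. As an added example (not STIG content), the script below generalises that to all six keys: it resolves the effective persisted value of a parameter across a sysctl.d-style directory in lexical file order, tolerating the `key = value` spacing, the `-key` error-suppressing prefix and the `kernel/yama/...` slash spelling that sysctl accepts, then compares every required value. It reads only the one directory given to it; a real audit must also consider /usr/lib/sysctl.d and /run/sysctl.d, which systemd-sysctl merges. The sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG: resolve persisted sysctl values across
# a sysctl.d-style directory and audit the values required by
# AZLX-23-000200 through AZLX-23-000225. Sample files are constructed.

# Required values, taken from the rules above.
STIG_SYSCTL="kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.kptr_restrict=1
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.randomize_va_space=2"

# effective_sysctl DIR KEY -> the value the last *.conf file (lexical order,
# as systemd-sysctl applies them) assigns to KEY; nothing if unset.
effective_sysctl() {
    cat "$1"/*.conf 2>/dev/null | awk -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            sub(/^-/, "", k)          # "-key" means "ignore errors", same key
            gsub(/\//, ".", k)        # kernel/yama/ptrace_scope == kernel.yama.ptrace_scope
            if (k == key) val = v     # later files override earlier ones
        }
        END { if (val != "") print val }
    '
}

# audit_sysctl_dir DIR -> one FINDING per key whose persisted value differs
# from the STIG value (or is unset); returns 1 if any finding.
audit_sysctl_dir() {
    rc=0
    for entry in $STIG_SYSCTL; do
        key=${entry%%=*}; want=${entry#*=}
        have=$(effective_sysctl "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "FINDING: $key is '${have:-unset}' in $1, STIG requires $want"
            rc=1
        fi
    done
    return $rc
}

# write_sample_sysctl_d DIR -> constructed files: a vendor default that
# weakens kptr_restrict, a hardening file, and a STIG override that restores
# it. kernel.randomize_va_space is deliberately left unset.
write_sample_sysctl_d() {
    mkdir -p "$1"
    printf '# vendor defaults (constructed)\nkernel.kptr_restrict = 0\nkernel.dmesg_restrict = 1\n' > "$1/10-default.conf"
    printf 'kernel.perf_event_paranoid = 2\n-kernel/unprivileged_bpf_disabled = 1\nkernel.yama.ptrace_scope = 1\n' > "$1/50-hardening.conf"
    printf '# STIG override: later file wins\nkernel.kptr_restrict = 1\n' > "$1/99-stig.conf"
}
```

The persistence check complements, and does not replace, the runtime `sudo sysctl KEY` command in each rule: a value can be correct on disk and still wrong in the running kernel until `sysctl --system` is run.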
- RMF Control: IA-5
- Severity: H
- CCI: CCI-000197
- Version: AZLX-23-000300
- Vuln IDs: V-274007
- Rule IDs: SV-274007r1120009_rule
Checks: C-78098r1120007_chk
Verify Amazon Linux 2023 does not have the vsftpd package installed with the following command:
$ dnf list --installed vsftpd
Error: No matching Packages to list
If the "vsftpd" package is installed, this is a finding.
Fix: F-78003r1120008_fix
Configure Amazon Linux 2023 to not have the vsftpd package installed with the following command:
$ sudo dnf -y remove vsftpd
- RMF Control: CM-7
- Severity: M
- CCI: CCI-000381
- Version: AZLX-23-000305
- Vuln IDs: V-274008
- Rule IDs: SV-274008r1120012_rule
Checks: C-78099r1120010_chk
Verify Amazon Linux 2023 does not have the sendmail package installed with the following command:
$ dnf list --installed sendmail
Error: No matching Packages to list
If the "sendmail" package is installed, this is a finding.
Fix: F-78004r1120011_fix
Configure Amazon Linux 2023 to not have the sendmail package installed with the following command:
$ sudo dnf -y remove sendmail
- RMF Control: CM-7
- Severity: M
- CCI: CCI-000381
- Version: AZLX-23-000310
- Vuln IDs: V-274009
- Rule IDs: SV-274009r1120015_rule
Checks: C-78100r1120013_chk
Verify Amazon Linux 2023 does not have the nfs-utils package installed with the following command:
$ dnf list --installed nfs-utils
Error: No matching Packages to list
If the "nfs-utils" package is installed, this is a finding.
Fix: F-78005r1120014_fix
Configure Amazon Linux 2023 to not have the nfs-utils package installed with the following command:
$ sudo dnf -y remove nfs-utils
- RMF Control: CM-7
- Severity: M
- CCI: CCI-000381
- Version: AZLX-23-000315
- Vuln IDs: V-274010
- Rule IDs: SV-274010r1120018_rule
Checks: C-78101r1120016_chk
Verify Amazon Linux 2023 does not have the telnet-server package installed with the following command:
$ dnf list --installed telnet-server
Error: No matching Packages to list
If the "telnet-server" package is installed, this is a finding.
Fix: F-78006r1120017_fix
Configure Amazon Linux 2023 to not have the telnet-server package installed with the following command:
$ sudo dnf -y remove telnet-server
- RMF Control: CM-7
- Severity: M
- CCI: CCI-000381
- Version: AZLX-23-000320
- Vuln IDs: V-274011
- Rule IDs: SV-274011r1120021_rule
Checks: C-78102r1120019_chk
Verify Amazon Linux 2023 does not have the gssproxy package installed with the following command:
$ dnf list --installed gssproxy
Error: No matching Packages to list
If the "gssproxy" package is installed, this is a finding.
Fix: F-78007r1120020_fix
Configure Amazon Linux 2023 to not have the gssproxy package installed. The gssproxy package can be removed with the following command:
$ sudo dnf -y remove gssproxy
- RMF Control: AC-6
- Severity: M
- CCI: CCI-002235
- Version: AZLX-23-001000
- Vuln IDs: V-274012
- Rule IDs: SV-274012r1120710_rule
Checks: C-78103r1120709_chk
Verify Amazon Linux 2023 has the sudo package installed with the following command:
$ dnf list --installed sudo
Installed Packages
sudo.x86_64 1.9.15-1.p5.amzn2023.0.1 @System
If the "sudo" package is not installed, this is a finding.
Fix: F-78008r1120023_fix
Configure Amazon Linux 2023 to have the sudo package installed with the following command:
$ sudo dnf install -y sudo
- RMF Control: AC-3
- Severity: M
- CCI: CCI-002165
- Version: AZLX-23-001005
- Vuln IDs: V-274013
- Rule IDs: SV-274013r1120027_rule
Checks: C-78104r1120025_chk
Verify Amazon Linux 2023 is not configured to bypass password requirements for privilege escalation with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
If any occurrences of "pam_succeed_if" are returned, this is a finding.
Fix: F-78009r1120026_fix
Configure Amazon Linux 2023 to require users to supply a password for privilege escalation. Remove any occurrences of "pam_succeed_if" in the "/etc/pam.d/sudo" file.
- RMF Control: IA-11
- Severity: M
- CCI: CCI-002038
- Version: AZLX-23-001010
- Vuln IDs: V-274014
- Rule IDs: SV-274014r1120030_rule
Checks: C-78105r1120028_chk
Verify Amazon Linux 2023 requires reauthentication when using the "sudo" command to elevate privileges with the following command:
$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/
/etc/sudoers:Defaults timestamp_timeout=0
If results are returned from more than one file location, this is a finding.
If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.
Fix: F-78010r1120029_fix
Configure Amazon Linux 2023 to reauthenticate "sudo" commands after the specified timeout:
Add the following line to "/etc/sudoers" or a file in "/etc/sudoers.d":
Defaults timestamp_timeout=0
- RMF Control: IA-11
- Severity: M
- CCI: CCI-002038
- Version: AZLX-23-001015
- Vuln IDs: V-274015
- Rule IDs: SV-274015r1120033_rule
Checks: C-78106r1120031_chk
Verify Amazon Linux 2023 requires users to reauthenticate for privilege escalation. Ensure that "/etc/sudoers" has no occurrences of "!authenticate" with the following command:
$ sudo grep -ir '!authenticate' /etc/sudoers /etc/sudoers.d/
If any occurrences of "!authenticate" are returned, this is a finding.
Fix: F-78011r1120032_fix
Configure Amazon Linux 2023 to not allow users to execute privileged actions without authenticating. Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
$ sudo sed -i '/\!authenticate/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: AZLX-23-001020
- Vuln IDs: V-274016
- Rule IDs: SV-274016r1120036_rule
Checks: C-78107r1120034_chk
Verify Amazon Linux 2023 requires users to provide a password for privilege escalation. Ensure that "/etc/sudoers" has no occurrences of "NOPASSWD" with the following command:
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
If any occurrences of "NOPASSWD" are returned, this is a finding.
Fix: F-78012r1120035_fix
Configure Amazon Linux 2023 to not allow users to execute privileged actions without authenticating with a password. Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
$ sudo sed -i '/NOPASSWD/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*
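The four sudo rules (AZLX-23-001005 through 001020) are usually assessed with the separate grep commands shown above, whose raw output also matches commented-out lines, which the two fixes deliberately create. As an added example (not STIG content), the script below audits a sudo configuration tree in one pass, ignoring comment lines so that a line the fix has commented out is no longer a finding, and applying the full timestamp_timeout rule: set in exactly one file, not commented out, and not negative. The tree layout (ROOT/pam.d/sudo, ROOT/sudoers, ROOT/sudoers.d/) mirrors /etc, and the file contents written for the demonstration, including the cloud-init drop-in name, are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG: one-pass audit of a sudo configuration
# tree for AZLX-23-001005, 001010, 001015 and 001020. Layout assumed:
# ROOT/pam.d/sudo, ROOT/sudoers, ROOT/sudoers.d/*. Samples are constructed.

# active_lines FILE... -> "file:line" for every non-comment, non-blank line
active_lines() {
    grep -Hv '^[[:space:]]*#' "$@" 2>/dev/null | grep -v ':[[:space:]]*$' || true
}

# audit_sudo ROOT -> prints FINDING lines; returns 1 if any were produced
audit_sudo() {
    root=$1; rc=0
    # AZLX-23-001005: no pam_succeed_if in the sudo PAM stack
    if active_lines "$root/pam.d/sudo" | grep -q pam_succeed_if; then
        echo "FINDING: pam_succeed_if present in $root/pam.d/sudo"; rc=1
    fi
    files="$root/sudoers $root/sudoers.d/*"
    # AZLX-23-001015 and 001020: no !authenticate, no NOPASSWD (case-insensitive,
    # as the STIG greps; comment lines already excluded)
    for pattern in '!authenticate' NOPASSWD; do
        hits=$(active_lines $files | grep -i -- "$pattern" || true)
        if [ -n "$hits" ]; then
            printf 'FINDING: %s found:\n%s\n' "$pattern" "$hits"; rc=1
        fi
    done
    # AZLX-23-001010: timestamp_timeout set, in exactly one file, non-negative
    ts=$(active_lines $files | grep -i 'timestamp_timeout' || true)
    if [ -z "$ts" ]; then
        echo "FINDING: timestamp_timeout is not set (or only commented out)"; rc=1
    else
        nfiles=$(printf '%s\n' "$ts" | cut -d: -f1 | sort -u | wc -l | tr -d ' ')
        if [ "$nfiles" -gt 1 ]; then
            echo "FINDING: timestamp_timeout is set in $nfiles files"; rc=1
        fi
        for value in $(printf '%s\n' "$ts" | sed -n 's/.*timestamp_timeout *= *\(-*[0-9]*\).*/\1/p'); do
            case "$value" in
                -*) echo "FINDING: timestamp_timeout=$value is negative (never re-prompts)"; rc=1 ;;
            esac
        done
    fi
    return $rc
}

# write_sample_sudo DIR -> constructed compliant (good/) and non-compliant (bad/) trees
write_sample_sudo() {
    mkdir -p "$1/good/pam.d" "$1/good/sudoers.d" "$1/bad/pam.d" "$1/bad/sudoers.d"
    printf '#%%PAM-1.0\nauth include system-auth\naccount include system-auth\n' > "$1/good/pam.d/sudo"
    printf 'Defaults timestamp_timeout=0\nroot ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\n' > "$1/good/sudoers"
    printf '# NOPASSWD was removed per STIG\nec2-user ALL=(ALL) ALL\n' > "$1/good/sudoers.d/90-cloud-init-users"
    # bad: PAM bypass, negative timeout, timeout also in a drop-in, NOPASSWD
    printf 'auth sufficient pam_succeed_if.so uid = 0\nauth include system-auth\n' > "$1/bad/pam.d/sudo"
    printf 'Defaults timestamp_timeout=-1\nroot ALL=(ALL) ALL\n' > "$1/bad/sudoers"
    printf 'Defaults timestamp_timeout=5\nec2-user ALL=(ALL) NOPASSWD:ALL\n' > "$1/bad/sudoers.d/90-cloud-init-users"
}
```

On a live host, `sudo sh -c '. ./audit_sudo.sh; audit_sudo /etc'` (with the functions saved to that file) performs the same checks against the real tree; root is needed because /etc/sudoers is not world-readable.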
- RMF Control: AU-12
- Severity: M
- CCI: CCI-000169
- Version: AZLX-23-001025
- Vuln IDs: V-274017
- Rule IDs: SV-274017r1120039_rule
Checks: C-78108r1120037_chk
Verify Amazon Linux 2023 has the audit package installed with the following command:
$ dnf list --installed audit
Installed Packages
audit.x86_64 3.0.6-1.amzn2023.0.2 @System
If the "audit" package is not installed, this is a finding.
Fix: F-78013r1120038_fix
Configure Amazon Linux 2023 so that the audit service produces audit records containing the information needed to establish when (date and time) an event occurred. Install the audit service (if the audit service is not already installed) with the following command:
$ sudo dnf install -y audit
- RMF Control: AU-3
- Severity: M
- CCI: CCI-000130
- Version: AZLX-23-001030
- Vuln IDs: V-274018
- Rule IDs: SV-274018r1120042_rule
Checks: C-78109r1120040_chk
Verify Amazon Linux 2023 is configured to produce audit records with the following command:
$ sudo systemctl status auditd.service
auditd.service - Security Auditing Service
Loaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
Active: active (running) since Wed 2024-01-131 12:56:56 EST; 1 weeks 0 days ago
If the audit service is not "active" and "running", this is a finding.
Fix: F-78014r1120041_fix
Configure Amazon Linux 2023 so that the audit service produces audit records containing the information needed to establish when an event occurred with the following commands:
$ sudo systemctl enable auditd.service
$ sudo systemctl start auditd.service
- RMF Control: AU-4
- Severity: M
- CCI: CCI-001851
- Version: AZLX-23-001035
- Vuln IDs: V-274019
- Rule IDs: SV-274019r1120045_rule
Checks: C-78110r1120043_chk
Verify Amazon Linux 2023 has the audispd-plugins package installed with the following command:
$ sudo dnf list --installed audispd-plugins
Installed Packages
audispd-plugins.x86_64 3.0.6-1.amzn2023.0.2 @amazonlinux
If the "audispd-plugins" package is not installed, this is a finding.
Fix: F-78015r1120044_fix
Configure Amazon Linux 2023 to have the audispd-plugins package installed. Install the audispd-plugins package with the following command:
$ sudo dnf install -y audispd-plugins
- RMF Control: AU-6
- Severity: M
- CCI: CCI-000154
- Version: AZLX-23-001040
- Vuln IDs: V-274020
- Rule IDs: SV-274020r1155173_rule
Checks: C-78111r1155172_chk
Verify Amazon Linux 2023 is configured to collect system failure events with the following command:
$ dnf list --installed rsyslog
Installed Packages
rsyslog.x86_64 8.2204.0-3.amzn2023.0.4 @amazonlinux
If the "rsyslog" package is not installed, this is a finding.
Check that the log service is enabled with the following command:
$ systemctl is-enabled rsyslog
enabled
If the command above returns "disabled", this is a finding.
Fix: F-78016r1120047_fix
Configure Amazon Linux 2023 to monitor all remote access methods by installing rsyslog with the following command:
$ sudo dnf install -y rsyslog
Enable the log service with the following command:
$ sudo systemctl enable --now rsyslog
- RMF Control: AC-17
- Severity: M
- CCI: CCI-000067
- Version: AZLX-23-001045
- Vuln IDs: V-274021
- Rule IDs: SV-274021r1120695_rule
Checks: C-78112r1120049_chk
Verify Amazon Linux 2023 monitors all remote access methods. Check that remote access methods are being logged by running the following command:
$ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf
auth.*;authpriv.*;daemon.* /var/log/secure
If "auth.*", "authpriv.*", or "daemon.*" are not configured to be logged, this is a finding.
Fix: F-78017r1120050_fix
Configure Amazon Linux 2023 to monitor all remote access methods by installing rsyslog with the following command:
$ sudo yum install rsyslog
Then add or update the following lines to the "/etc/rsyslog.conf" file:
auth.*;authpriv.*;daemon.* /var/log/secure
The "rsyslog" service must be restarted for the changes to take effect. To restart the "rsyslog" service, run the following command:
$ sudo systemctl restart rsyslog.service
- RMF Control:
- Severity: M
- CCI: CCI-004923
- Version: AZLX-23-001050
- Vuln IDs: V-274022
- Rule IDs: SV-274022r1120054_rule
Checks: C-78113r1120052_chk
Verify Amazon Linux 2023 has the chrony package installed with the following command:
$ sudo dnf list --installed chrony
Installed Packages
chrony.x86_64 4.3-1.amzn2023.0.5 @System
If the "chrony" package is not installed, this is a finding.
Fix: F-78018r1120053_fix
Configure Amazon Linux 2023 to have the chrony package installed. The chrony package can be installed with the following command:
$ sudo dnf install -y chrony
- RMF Control:
- Severity: M
- CCI: CCI-004923
- Version: AZLX-23-001055
- Vuln IDs: V-274023
- Rule IDs: SV-274023r1120057_rule
Checks: C-78114r1120055_chk
Verify Amazon Linux 2023 has the chronyd service set to active with the following command:
$ systemctl is-active chronyd
active
If the chronyd service is not active, this is a finding.
Fix: F-78019r1120056_fix
Configure Amazon Linux 2023 to have the chronyd service set to active with the following command:
$ sudo systemctl enable --now chronyd
- RMF Control: CM-3
- Severity: M
- CCI: CCI-001744
- Version: AZLX-23-001060
- Vuln IDs: V-274024
- Rule IDs: SV-274024r1120060_rule
Checks: C-78115r1120058_chk
Verify Amazon Linux 2023 has the AIDE package installed with the following command:
$ dnf list --installed aide
Installed Packages
aide.x86_64 0.18.6-1.amzn2023.0.1 @amazonlinux
If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding.
If AIDE is installed, check if it has been initialized with the following command:
$ sudo /usr/sbin/aide --check
If the output is "Couldn't open file /var/lib/aide/aide.db.gz for reading", this is a finding.
Fix: F-78020r1120059_fix
Configure Amazon Linux 2023 to have the AIDE package installed. Install AIDE with the following commands:
Install AIDE:
$ sudo dnf install -y aide
Initialize AIDE:
$ sudo /usr/sbin/aide --init
$ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Perform a manual check:
$ sudo /usr/sbin/aide --check
Example output:
2023-06-05 10:16:08 -0600 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
- RMF Control: CM-3
- Severity: M
- CCI: CCI-001744
- Version: AZLX-23-001065
- Vuln IDs: V-274025
- Rule IDs: SV-274025r1120723_rule
Checks: C-78116r1120061_chk
Verify Amazon Linux 2023 routinely executes a file integrity scan for changes to the system baseline. The commands used in the example will use a daily occurrence.
Check the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if Advanced Intrusion Detection Environment (AIDE) is installed on the system, use the following commands:
$ ls -al /etc/cron.daily | grep aide
-rwxr-xr-x 1 root root 29 Nov 22 2015 aide
$ sudo grep aide /etc/crontab /var/spool/cron/root
/etc/crontab: 30 04 * * * root usr/sbin/aide
/var/spool/cron/root: 30 04 * * * root usr/sbin/aide
$ sudo more /etc/cron.daily/aide
#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.
Fix: F-78021r1120722_fix
Configure Amazon Linux 2023 so that the file integrity tool runs automatically on the system at least weekly and notifies designated personnel if baseline configurations are changed in an unauthorized manner.
The AIDE tool can be configured to email designated personnel with the use of the cron system. The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis.
$ sudo more /etc/cron.daily/aide
#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
- RMF Control: AU-9
- Severity: M
- CCI: CCI-001493
- Version: AZLX-23-001070
- Vuln IDs: V-274026
- Rule IDs: SV-274026r1120066_rule
Checks: C-78117r1120064_chk
Verify Amazon Linux 2023 is properly configured to protect the integrity of the Advanced Intrusion Detection Environment (AIDE) audit tools with the following command:
$ sudo grep /usr/sbin/au /etc/aide.conf
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system.
If any of the audit tools listed above do not have a corresponding line, ask the SA to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.
Fix: F-78022r1120065_fix
Configure Amazon Linux 2023 to protect the integrity of the AIDE audit tools. Add or update the following lines to "/etc/aide.conf", to protect the integrity of the audit tools.
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
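The grep in the check above only shows which lines exist; an assessor still has to confirm that each of the six tools is present and that each line carries the whole attribute set, which AIDE accepts in any order. As an added example (not STIG content), the script below does that comparison: for every audit tool it finds the last uncommented rule line naming that path (taking the last line is this checker's own convention, not a statement about AIDE's rule precedence) and reports any required attribute missing from it, so a rule that has been quietly downgraded to a weaker hash is caught as well as a rule that is absent. The aide.conf excerpt written for the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG: verify the AIDE rules for the audit
# tools required by AZLX-23-001070 carry every required attribute.
# The sample aide.conf below is constructed.

# Tools and attribute set taken from the rule text above.
AUDIT_TOOLS="/usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/ausearch /usr/sbin/aureport /usr/sbin/autrace /usr/sbin/augenrules"
REQUIRED_ATTRS="p i n u g s b acl xattrs sha512"

# aide_tool_findings AIDE_CONF -> one FINDING per missing tool or missing
# attribute; returns 1 if any finding. Attribute order is irrelevant, so
# "sha512+acl+p" satisfies the same requirements as "p+acl+sha512".
aide_tool_findings() {
    rc=0
    for tool in $AUDIT_TOOLS; do
        # last uncommented rule line whose first field is exactly this path
        attrs=$(awk -v t="$tool" '$0 !~ /^[[:space:]]*#/ && $1 == t { print $2 }' "$1" | tail -1)
        if [ -z "$attrs" ]; then
            echo "FINDING: no AIDE rule for $tool"; rc=1; continue
        fi
        for a in $REQUIRED_ATTRS; do
            case "+$attrs+" in
                *"+$a+"*) ;;   # attribute present as a whole "+"-delimited token
                *) echo "FINDING: $tool rule lacks attribute $a (has $attrs)"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# write_sample_aide_conf FILE -> constructed excerpt: one tool downgraded to
# sha256, one tool (augenrules) missing, one tool listed in a different order.
write_sample_aide_conf() {
    cat > "$1" <<'EOF'
# constructed excerpt of /etc/aide.conf
@@define DBDIR /var/lib/aide
database_in=file:@@{DBDIR}/aide.db.gz
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha256
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport sha512+xattrs+acl+b+s+g+u+n+i+p
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
EOF
}
```

Running `aide_tool_findings /etc/aide.conf` on a host reports two findings for the sample above (auditctl without sha512, augenrules absent) and none once the fix's six lines are present.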
- RMF Control: CM-7
- Severity: M
- CCI: CCI-000382
- Version: AZLX-23-001075
- Vuln IDs: V-274027
- Rule IDs: SV-274027r1120069_rule
Checks: C-78118r1120067_chk
Verify Amazon Linux 2023 has the firewalld package installed with the following command:
$ dnf list --installed firewalld
Installed Packages
firewalld.noarch 1.2.3-1.amzn2023 @amazonlinux
If the "firewalld" package is not installed, this is a finding.
Fix: F-78023r1120068_fix
Configure Amazon Linux 2023 to have the firewalld package installed with the following command:
$ sudo dnf install -y firewalld
- RMF Control: CM-7
- Severity: M
- CCI: CCI-000382
- Version: AZLX-23-001080
- Vuln IDs: V-274028
- Rule IDs: SV-274028r1120072_rule
Checks: C-78119r1120070_chk
Verify Amazon Linux 2023 firewalld service is active with the following command:
$ systemctl is-active firewalld
active
If the "firewalld" service is not active, this is a finding.
Fix: F-78024r1120071_fix
Configure Amazon Linux 2023 to enable the firewalld service with the following command:
$ sudo systemctl enable --now firewalld
- RMF Control: CM-7
- Severity: M
- CCI: CCI-000381
- Version: AZLX-23-001085
- Vuln IDs: V-274029
- Rule IDs: SV-274029r1120075_rule
Checks: C-78120r1120073_chk
Verify Amazon Linux 2023 is configured to disable nonessential capabilities. Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command:
$ sudo firewall-cmd --list-all
Ask the system administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA.
If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured, this is a finding.
Fix: F-78025r1120074_fix
Configure Amazon Linux 2023 to allow approved settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.
To open a port for a service, configure firewalld using the following command:
$ sudo firewall-cmd --permanent --add-port=port_number/tcp
or
$ sudo firewall-cmd --permanent --add-service=service_name
- RMF Control: SC-5
- Severity: M
- CCI: CCI-001095
- Version: AZLX-23-001090
- Vuln IDs: V-274030
- Rule IDs: SV-274030r1120078_rule
Checks: C-78121r1120076_chk
Verify Amazon Linux 2023 manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks.
Verify nftables is configured to allow rate limits on any connection to the system with the following command:
$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf
FirewallBackend=nftables
Fix: F-78026r1120077_fix
Configure Amazon Linux 2023 to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks.
Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "/etc/firewalld/firewalld.conf":
FirewallBackend=nftables
Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- AZLX-23-001095
- Vuln IDs
-
- V-274031
- Rule IDs
-
- SV-274031r1120081_rule
Checks: C-78122r1120079_chk
Verify Amazon Linux 2023 has the "s-nail" package installed on the system with the following command:
$ dnf list --installed s-nail
Installed Packages
s-nail.x86_64 14.9.24-6.amzn2023 @amazonlinux
If the "s-nail" package is not installed, this is a finding.
Fix: F-78027r1120080_fix
Configure Amazon Linux 2023 to have the s-nail package installed with the following command:
$ sudo dnf install -y s-nail
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- AZLX-23-001105
- Vuln IDs
-
- V-274032
- Rule IDs
-
- SV-274032r1120084_rule
Checks: C-78123r1120082_chk
Verify Amazon Linux 2023 has the libreswan package installed with the following command:
$ dnf list --installed libreswan
Installed Packages
libreswan.x86_64 4.12-3.amzn2023.0.2 @amazonlinux
If the "libreswan" package is not installed, this is a finding.
Fix: F-78028r1120083_fix
Configure Amazon Linux 2023 to have the libreswan package installed with the following command:
$ sudo dnf install -y libreswan
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- AZLX-23-001110
- Vuln IDs
-
- V-274033
- Rule IDs
-
- SV-274033r1120087_rule
Checks: C-78124r1120085_chk
Verify Amazon Linux 2023 has the policycoreutils package installed with the following command:
$ dnf list --installed policycoreutils
Installed Packages
policycoreutils.x86_64 3.4-6.amzn2023.0.2 @System
If the "policycoreutils" package is not installed, this is a finding.
Fix: F-78029r1120086_fix
Configure Amazon Linux 2023 to have the policycoreutils package installed with the following command:
$ sudo dnf install -y policycoreutils
- RMF Control
- Severity
- M
- CCI
- CCI-004046
- Version
- AZLX-23-001115
- Vuln IDs
-
- V-274034
- Rule IDs
-
- SV-274034r1120090_rule
Checks: C-78125r1120088_chk
Verify Amazon Linux 2023 has the pcsc-lite package installed with the following command:
$ dnf list --installed pcsc-lite
Installed Packages
pcsc-lite.x86_64 1.9.1-1.amzn2023.0.4 @amazonlinux
If the "pcsc-lite" package is not installed, this is a finding.
Fix: F-78030r1120089_fix
Configure Amazon Linux 2023 to have the pcsc-lite package installed with the following command:
$ sudo dnf install -y pcsc-lite
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- AZLX-23-001120
- Vuln IDs
-
- V-274035
- Rule IDs
-
- SV-274035r1120093_rule
Checks: C-78126r1120091_chk
Verify Amazon Linux 2023 has the rsyslog-openssl package installed with the following command:
$ dnf list --installed rsyslog-openssl
Installed Packages
rsyslog-openssl.x86_64 8.2204.0-3.amzn2023.0.4 @amazonlinux
If the "rsyslog-openssl" package is not installed, this is a finding.
Fix: F-78031r1120092_fix
Configure Amazon Linux 2023 to have the rsyslog-openssl package installed with the following command:
$ sudo dnf install -y rsyslog-openssl
- RMF Control
- Severity
- M
- CCI
- CCI-004046
- Version
- AZLX-23-001125
- Vuln IDs
-
- V-274036
- Rule IDs
-
- SV-274036r1120096_rule
Checks: C-78127r1120094_chk
Verify Amazon Linux 2023 has the opensc package installed with the following command:
$ sudo dnf list --installed opensc
Installed Packages
opensc.x86_64 0.24.0-1.amzn2023.0.4 @amazonlinux
If the "opensc" package is not installed, this is a finding.
Fix: F-78032r1120095_fix
Configure Amazon Linux 2023 to have the opensc package installed with the following command:
$ sudo dnf install -y opensc
- RMF Control
- Severity
- M
- CCI
- CCI-004046
- Version
- AZLX-23-001130
- Vuln IDs
-
- V-274037
- Rule IDs
-
- SV-274037r1120099_rule
Checks: C-78128r1120097_chk
Verify Amazon Linux 2023 has the openssl-pkcs11 package installed with the following command:
$ dnf list --installed openssl-pkcs11
Installed Packages
openssl-pkcs11.x86_64 0.4.12-3.amzn2023.0.1 @System
If the "openssl-pkcs11" package is not installed, this is a finding.
Fix: F-78033r1120098_fix
Configure Amazon Linux 2023 to have the openssl-pkcs11 package installed with the following command:
$ sudo dnf install -y openssl-pkcs11
- RMF Control
- IA-2
- Severity
- H
- CCI
- CCI-001941
- Version
- AZLX-23-001180
- Vuln IDs
-
- V-274038
- Rule IDs
-
- SV-274038r1120102_rule
Checks: C-78129r1120100_chk
Verify Amazon Linux 2023 has the openssh-server package installed with the following command:
$ dnf list --installed openssh-server
Installed Packages
openssh-server.x86_64 8.7p1-8.amzn2023.0.13 @amazonlinux
If the "openssh-server" package is not installed, this is a finding.
Fix: F-78034r1120101_fix
Configure Amazon Linux 2023 to have the openssh-server package installed with the following command:
$ sudo dnf install -y openssh-server
- RMF Control
- IA-2
- Severity
- H
- CCI
- CCI-001941
- Version
- AZLX-23-001185
- Vuln IDs
-
- V-274039
- Rule IDs
-
- SV-274039r1120105_rule
Checks: C-78130r1120103_chk
Verify Amazon Linux 2023 has "sshd" set to active with the following command:
$ systemctl is-active sshd
active
If the "sshd" service is not active, this is a finding.
Fix: F-78035r1120104_fix
Configure Amazon Linux 2023 to enable the sshd service by running the following command:
$ sudo systemctl enable --now sshd
- RMF Control
- SC-13
- Severity
- M
- CCI
- CCI-002450
- Version
- AZLX-23-001195
- Vuln IDs
-
- V-274040
- Rule IDs
-
- SV-274040r1120108_rule
Checks: C-78131r1120106_chk
Verify Amazon Linux 2023 crypto-policies package is installed with the following command:
$ dnf list --installed crypto-policies
Installed Packages
crypto-policies.noarch 20240828-2.git626aa59.amzn2023.0.1 @System
If the "crypto-policies" package is not installed, this is a finding.
Fix: F-78036r1120107_fix
Configure Amazon Linux 2023 to have the crypto-policies package installed with the following command:
$ sudo dnf install -y crypto-policies
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- AZLX-23-001200
- Vuln IDs
-
- V-274041
- Rule IDs
-
- SV-274041r1120111_rule
Checks: C-78132r1120109_chk
Verify Amazon Linux 2023 employs systemwide crypto policies for SSH with the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*include'
/etc/ssh/sshd_config:Include /etc/ssh/sshd_config.d/*.conf
/etc/ssh/sshd_config.d/50-redhat.conf:Include /etc/crypto-policies/back-ends/opensshserver.config
If "Include /etc/ssh/sshd_config.d/*.conf" or "Include /etc/crypto-policies/back-ends/opensshserver.config" are not included in the system sshd config, or the file /etc/ssh/sshd_config.d/50-redhat.conf is missing, this is a finding.
Fix: F-78037r1120110_fix
Configure Amazon Linux 2023 so that the SSH daemon uses systemwide crypto policies by running the following command:
$ sudo dnf reinstall -y openssh-server
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- AZLX-23-001205
- Vuln IDs
-
- V-274042
- Rule IDs
-
- SV-274042r1120114_rule
Checks: C-78133r1120112_chk
Verify Amazon Linux 2023 SSH server is configured to use only ciphers employing FIPS 140-2/140-3 approved algorithms with the following command:
$ sudo grep -i Ciphers /etc/crypto-policies/back-ends/opensshserver.config
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", or they are missing or commented out, this is a finding.
Fix: F-78038r1120113_fix
Configure Amazon Linux 2023 so that the SSH server uses only ciphers employing FIPS 140-2/140-3 approved algorithms.
Reinstall crypto-policies with the following command:
$ sudo dnf -y reinstall crypto-policies
Set the crypto-policy to FIPS with the following command:
$ sudo update-crypto-policies --set FIPS
Setting system policy to FIPS
Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- AZLX-23-001210
- Vuln IDs
-
- V-274043
- Rule IDs
-
- SV-274043r1120117_rule
Checks: C-78134r1120115_chk
Verify Amazon Linux 2023 SSH server is configured to use only MACs employing FIPS 140-2/140-3 approved algorithms. To verify the MACs in the systemwide SSH configuration file, use the following command:
$ sudo grep -i MACs /etc/crypto-policies/back-ends/opensshserver.config
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
If the MACs entries in the "opensshserver.config" file have any hashes other than "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512", or they are missing or commented out, this is a finding.
Fix: F-78039r1120116_fix
Configure Amazon Linux 2023 so that the SSH server uses only MACs employing FIPS 140-2/140-3 approved algorithms.
Reinstall crypto-policies with the following command:
$ sudo dnf -y reinstall crypto-policies
Set the crypto-policy to FIPS with the following command:
$ sudo update-crypto-policies --set FIPS
Setting system policy to FIPS
Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001813
- Version
- AZLX-23-001215
- Vuln IDs
-
- V-274044
- Rule IDs
-
- SV-274044r1120120_rule
Checks: C-78135r1120118_chk
Verify Amazon Linux 2023 is configured so that the SSH daemon does not allow GSSAPI authentication with the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*gssapiauthentication'
/etc/ssh/sshd_config.d/50-redhat.conf:GSSAPIAuthentication no
If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer (ISSO), this is a finding.
If the required value is not set, this is a finding.
Fix: F-78040r1120119_fix
Configure Amazon Linux 2023 so that the SSH daemon does not allow GSSAPI authentication. Add or uncomment the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d" and set the value to "no":
GSSAPIAuthentication no
The SSH service must be restarted for changes to take effect:
$ sudo systemctl restart sshd.service
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001813
- Version
- AZLX-23-001220
- Vuln IDs
-
- V-274045
- Rule IDs
-
- SV-274045r1120123_rule
Checks: C-78136r1120121_chk
Verify Amazon Linux 2023 is configured so that the SSH daemon does not allow Kerberos authentication with the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kerberosauthentication'
/etc/ssh/sshd_config.d/93-KerberosAuthentication.conf:KerberosAuthentication no
If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of Kerberos authentication has not been documented with the information system security officer (ISSO), this is a finding.
Fix: F-78041r1120122_fix
Configure Amazon Linux 2023 so that the SSH daemon does not allow Kerberos authentication. Add the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d", or uncomment the line and set the value to "no":
KerberosAuthentication no
The SSH service must be restarted for changes to take effect:
$ sudo systemctl restart sshd.service
- RMF Control
- SC-8
- Severity
- H
- CCI
- CCI-002418
- Version
- AZLX-23-001225
- Vuln IDs
-
- V-274046
- Rule IDs
-
- SV-274046r1120126_rule
Checks: C-78137r1120124_chk
Verify Amazon Linux 2023 is configured so that SSH forces frequent session key renegotiation with the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*rekeylimit'
RekeyLimit 1G 1h
If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing, or is commented out, this is a finding.
Fix: F-78042r1120125_fix
Configure Amazon Linux 2023 to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config" file or in a file in "/etc/ssh/sshd_config.d":
RekeyLimit 1G 1h
Restart the SSH daemon for the settings to take effect:
$ sudo systemctl restart sshd.service
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000765
- Version
- AZLX-23-001230
- Vuln IDs
-
- V-274047
- Rule IDs
-
- SV-274047r1120129_rule
Checks: C-78138r1120127_chk
Verify Amazon Linux 2023 is configured so that the SSH daemon accepts public key encryption with the following command:
$ sudo grep -ir PubkeyAuthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/
/etc/ssh/sshd_config:#PubkeyAuthentication yes
/etc/ssh/sshd_config.d/90-PubkeyAuth:PubkeyAuthentication yes
If "PubkeyAuthentication" is set to no, the line is commented out, or the line is missing, this is a finding.
Fix: F-78043r1120128_fix
Configure Amazon Linux 2023 to use public key authentication for SSHD by adding or modifying the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d":
PubkeyAuthentication yes
Restart the SSH daemon for the settings to take effect:
$ sudo systemctl restart sshd.service
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000766
- Version
- AZLX-23-001235
- Vuln IDs
-
- V-274048
- Rule IDs
-
- SV-274048r1120132_rule
Checks: C-78139r1120130_chk
Verify Amazon Linux 2023 remote access using SSH prevents logging on with a blank password with the following command:
$ sudo grep -ir PermitEmptyPasswords /etc/ssh/sshd_config /etc/ssh/sshd_config.d/
/etc/ssh/sshd_config:PermitEmptyPasswords no
If the "PermitEmptyPasswords" keyword is set to "yes", is missing, or is commented out, this is a finding.
Fix: F-78044r1120131_fix
Configure Amazon Linux 2023 to prevent SSH users from logging on with blank passwords. Edit the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d":
PermitEmptyPasswords no
Restart the SSH daemon for the settings to take effect:
$ sudo systemctl restart sshd.service
- RMF Control
- Severity
- M
- CCI
- CCI-004045
- Version
- AZLX-23-001240
- Vuln IDs
-
- V-274049
- Rule IDs
-
- SV-274049r1120747_rule
Checks: C-78140r1120133_chk
Verify Amazon Linux 2023 remote access using SSH prevents users from logging on directly as "root" with the following command:
$ sudo grep -ir PermitRootLogin /etc/ssh/sshd_config /etc/ssh/sshd_config.d/
/etc/ssh/sshd_config:PermitRootLogin no
If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.
Fix: F-78045r1120134_fix
Configure Amazon Linux 2023 to prevent SSH users from logging on directly as root. Add or modify the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d":
PermitRootLogin no
Restart the SSH daemon for the settings to take effect:
$ sudo systemctl restart sshd.service
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- AZLX-23-001245
- Vuln IDs
-
- V-274050
- Rule IDs
-
- SV-274050r1120138_rule
Checks: C-78141r1120136_chk
Verify Amazon Linux 2023 has the "ClientAliveInterval" variable set to a value of "600" or less by performing the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval'
/etc/ssh/sshd_config.d/91-ClientAliveInterval.conf:ClientAliveInterval 600
If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config" or a drop-in file in "/etc/ssh/sshd_config.d", or is commented out, this is a finding.
Fix: F-78046r1120137_fix
Configure Amazon Linux 2023 SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes.
Note: This setting must be applied in conjunction with "ClientAliveCountMax 1" to function correctly.
Modify or append the following line in the "/etc/ssh/sshd_config" file or a drop-in file in "/etc/ssh/sshd_config.d":
ClientAliveInterval 600
For the changes to take effect, the SSH daemon must be restarted:
$ sudo systemctl restart sshd.service
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- AZLX-23-001250
- Vuln IDs
-
- V-274051
- Rule IDs
-
- SV-274051r1120141_rule
Checks: C-78142r1120139_chk
Verify Amazon Linux 2023 SSHD has the "ClientAliveCountMax" set to "1" by performing the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientalivecountmax'
/etc/ssh/sshd_config.d/92-ClientAliveCountMax.conf:ClientAliveCountMax 1
If "ClientAliveCountMax" does not exist, is not set to a value of "1" in "/etc/ssh/sshd_config" or a drop-in file in "/etc/ssh/sshd_config.d", or is commented out, this is a finding.
Fix: F-78047r1120140_fix
Configure Amazon Linux 2023 SSHD to terminate a user session automatically after the SSH client has become unresponsive.
Note: This setting must be applied in conjunction with AZLX-23-000820 to function correctly.
Modify or append the following line in the "/etc/ssh/sshd_config" file or a drop-in file in "/etc/ssh/sshd_config.d":
ClientAliveCountMax 1
For the changes to take effect, the SSH daemon must be restarted:
$ sudo systemctl restart sshd.service
- RMF Control
- MA-4
- Severity
- H
- CCI
- CCI-000877
- Version
- AZLX-23-001255
- Vuln IDs
-
- V-274052
- Rule IDs
-
- SV-274052r1120144_rule
Checks: C-78143r1120142_chk
Verify Amazon Linux 2023 SSHD is configured to allow for the UsePAM interface with the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*usepam'
/etc/ssh/sshd_config.d/50-redhat.conf:UsePAM yes
If the "UsePAM" keyword is set to "no", is missing, or is commented out, this is a finding.
Fix: F-78048r1120143_fix
Configure Amazon Linux 2023 SSHD to use the UsePAM interface. Add or modify the following line in "/etc/ssh/sshd_config":
UsePAM yes
Restart the SSH daemon for the settings to take effect:
$ sudo systemctl restart sshd.service
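The sshd rules above that use the sshd -dd / awk / xargs grep pipeline (AZLX-23-001215 through AZLX-23-001255), together with the grep-based PubkeyAuthentication, PermitEmptyPasswords and PermitRootLogin rules, all ask the same question: which value sshd actually takes for a keyword once Include files are resolved. The checker below is an added example, not part of the STIG or of OpenSSH; it walks the Include tree offline using sshd's first-occurrence-wins rule, and its EXPECTED table, build_sample_tree() and the sample configuration it writes are constructed for illustration (treating ClientAliveInterval 0 as non-compliant is this checker's own choice).

```python
"""Resolve the sshd settings the STIG's sshd -dd / grep pipeline inspects,
offline: follow Include directives from the main sshd_config and keep the
first value seen per keyword (sshd honours the first occurrence)."""
import glob
import os
import re
import tempfile

# Keyword/value separator: whitespace, or optional whitespace around one '='.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

def sshd_directives(config_path, ssh_dir=None, _seen=None):
    """Yield (file, keyword_lowercase, value) for each active global directive,
    recursing into Include globs in sshd's read order. Relative Include paths
    resolve against ssh_dir (/etc/ssh on a host); Match blocks are skipped."""
    ssh_dir = ssh_dir or os.path.dirname(os.path.abspath(config_path))
    _seen = set() if _seen is None else _seen
    real = os.path.realpath(config_path)
    if real in _seen or not os.path.isfile(real):  # Include loop or dangling path
        return
    _seen.add(real)
    with open(real, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    in_match = False
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or not (m := _DIRECTIVE.match(line)):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":        # everything after a Match line is conditional
            in_match = True
        elif in_match:
            continue
        elif key == "include":
            for pattern in value.split():
                if not os.path.isabs(pattern):
                    pattern = os.path.join(ssh_dir, pattern)
                for path in sorted(glob.glob(pattern)):
                    yield from sshd_directives(path, ssh_dir, _seen)
        else:
            yield real, key, value

def effective_settings(config_path, ssh_dir=None):
    """Map keyword -> (value, file) using sshd's first-value-wins rule."""
    found = {}
    for path, key, value in sshd_directives(config_path, ssh_dir):
        found.setdefault(key, (value, path))
    return found

# Expectations drawn from the rules on this page. A string means a
# case-insensitive exact match; a callable returns True when compliant.
# ClientAliveInterval 0 disables the idle timeout, so this checker rejects it
# although it is numerically "600 or less" (the checker's own assumption).
EXPECTED = {
    "gssapiauthentication": "no",
    "kerberosauthentication": "no",
    "rekeylimit": lambda v: len(v.split()) == 2 and "default" not in v.lower(),
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
    "clientaliveinterval": lambda v: v.isdigit() and 0 < int(v) <= 600,
    "clientalivecountmax": "1",
    "usepam": "yes",
}

def audit_sshd(config_path, ssh_dir=None, expected=EXPECTED):
    """Return {keyword: reason} for each non-compliant keyword; {} when clean."""
    settings = effective_settings(config_path, ssh_dir)
    findings = {}
    for key, rule in expected.items():
        if key not in settings:
            findings[key] = "missing or commented out"
            continue
        value, path = settings[key]
        if not (rule(value) if callable(rule) else value.lower() == rule):
            findings[key] = f"{value!r} in {path}"
    return findings

def build_sample_tree():
    """Write a constructed sshd_config tree (sample data, not a real host's
    configuration) to a temp dir and return the main file's path."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sshd_config.d"))
    files = {
        "sshd_config": "Include sshd_config.d/*.conf\n#PubkeyAuthentication yes\n"
                       "PermitRootLogin no\nPermitEmptyPasswords no\n"
                       "Match User backup\n    PermitRootLogin yes\n",
        "sshd_config.d/50-redhat.conf": "GSSAPIAuthentication no\nUsePAM yes\n"
                                        "RekeyLimit 1G 1h\n",
        "sshd_config.d/91-ClientAliveInterval.conf": "ClientAliveInterval 900\n",
        "sshd_config.d/92-ClientAliveCountMax.conf": "ClientAliveCountMax 1\n",
        "sshd_config.d/93-KerberosAuthentication.conf": "KerberosAuthentication no\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return os.path.join(root, "sshd_config")
```

On a host, audit_sshd("/etc/ssh/sshd_config") reads the live configuration; the STIG pipeline instead asks the running daemon which files it loaded, which this static walk approximates (Match blocks are skipped rather than evaluated).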
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- AZLX-23-001260
- Vuln IDs
-
- V-274053
- Rule IDs
-
- SV-274053r1120147_rule
Checks: C-78144r1120145_chk
Verify Amazon Linux 2023 is configured so that the OpenSSL library uses only ciphers employing FIPS 140-2/140-3 approved algorithms with the following command:
$ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf
.include = /etc/crypto-policies/back-ends/opensslcnf.config
If the "opensslcnf.config" is not defined in the "/etc/pki/tls/openssl.cnf" file, this is a finding.
Fix: F-78049r1120146_fix
Configure Amazon Linux 2023 OpenSSL library to use the system wide cryptographic policy. Edit the "/etc/pki/tls/openssl.cnf" and add or modify the following line:
.include = /etc/crypto-policies/back-ends/opensslcnf.config
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- AZLX-23-001265
- Vuln IDs
-
- V-274054
- Rule IDs
-
- SV-274054r1120150_rule
Checks: C-78145r1120148_chk
Verify Amazon Linux 2023 is configured so that the OpenSSL library uses TLS 1.2 encryption or stronger with the following command:
$ grep -i minprotocol /etc/crypto-policies/back-ends/opensslcnf.config
TLS.MinProtocol = TLSv1.2
DTLS.MinProtocol = DTLSv1.2
If the "TLS.MinProtocol" is set to anything older than "TLSv1.2" or the "DTLS.MinProtocol" is set to anything older than "DTLSv1.2", this is a finding.
Fix: F-78050r1120149_fix
Configure Amazon Linux 2023 OpenSSL library to use only DOD-approved TLS encryption by editing the following lines in the "/etc/crypto-policies/back-ends/opensslcnf.config" file:
TLS.MinProtocol = TLSv1.2
DTLS.MinProtocol = DTLSv1.2
A reboot is required for the changes to take effect.
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- AZLX-23-001270
- Vuln IDs
-
- V-274055
- Rule IDs
-
- SV-274055r1120153_rule
Checks: C-78146r1120151_chk
Verify Amazon Linux 2023 is set to use a FIPS 140-2/140-3 compliant systemwide cryptographic policy.
$ update-crypto-policies --show
FIPS
If the systemwide crypto policy is not set to "FIPS", this is a finding.
Inspect the contents of the REQUIRE.pmod file (if it exists) to verify only authorized modifications to the current policy are included with the following command:
$ cat /etc/crypto-policies/policies/modules/REQUIRE.pmod
Note: If subpolicies have been configured, they could be listed in a colon-separated list starting with FIPS, as follows: FIPS:<SUBPOLICY-NAME>:<SUBPOLICY-NAME>. This is not a finding.
If the AD-SUPPORT subpolicy module is included (e.g., "FIPS:AD-SUPPORT"), and Active Directory support is not documented as an operational requirement with the information system security officer (ISSO), this is a finding.
If the NO-ENFORCE-EMS subpolicy module is included (e.g., "FIPS:NO-ENFORCE-EMS"), and not enforcing EMS is not documented as an operational requirement with the ISSO, this is a finding.
Verify the current minimum crypto-policy configuration with the following command:
$ grep -E 'rsa_size|hash' /etc/crypto-policies/state/CURRENT.pol
hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
min_rsa_size = 2048
If the "hash" values do not include at least the following FIPS 140-2/140-3 compliant algorithms "SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256", this is a finding.
If there are algorithms that include "SHA1" or a hash value less than "256", this is a finding.
If the "min_rsa_size" is not set to a value of at least 2048, this is a finding.
If these commands do not return any output, this is a finding.
Fix: F-78051r1120152_fix
Configure Amazon Linux 2023 to use a FIPS 140-2/140-3 compliant systemwide cryptographic policy. Create subpolicies for enhancements to the systemwide crypto-policy with the following commands.
Create or edit the SCOPES-AND-WILDCARDS policy module in a text editor and insert options that modify the systemwide cryptographic policy as follows:
$ sudo vi /etc/crypto-policies/policies/modules/SCOPES-AND-WILDCARDS.pmod
Add the following lines to the policy:
# Disable CHACHA20-POLY1305 for the TLS protocol (OpenSSL, GnuTLS, NSS, and OpenJDK)
cipher@TLS = -CHACHA20-POLY1305
# Disable all CBC mode ciphers for the SSH protocol (libssh and OpenSSH)
cipher@SSH = -*-CBC
Create or edit the OPENSSH-SUBPOLICY module in a text editor and insert options that modify the systemwide crypto-policy as follows:
$ sudo vi /etc/crypto-policies/policies/modules/OPENSSH-SUBPOLICY.pmod
Add the following lines to the policy:
# Define ciphers for OpenSSH
cipher@SSH=AES-256-GCM AES-128-GCM AES-256-CTR AES-128-CTR
# Define MACs for OpenSSH
mac@SSH=HMAC-SHA2-512 HMAC-SHA2-256
Create or edit the REQUIRE.pmod file and add the following lines to include the subpolicies in the FIPS configuration with the following command:
$ sudo vi /etc/crypto-policies/policies/modules/REQUIRE.pmod
Add the following lines to REQUIRE.pmod:
@OPENSSH-SUBPOLICY
@SCOPES-AND-WILDCARDS
Apply the policy enhancements to the FIPS systemwide cryptographic policy level with the following command:
$ sudo update-crypto-policies --set FIPS
Note: If additional subpolicies are being employed, they should be added to the REQUIRE.pmod as well. REQUIRE.pmod is included in the systemwide crypto-policy when it is set.
To make the cryptographic settings effective for already running services and applications, restart the system:
$ sudo reboot
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-000068
- Version
- AZLX-23-001275
- Vuln IDs
-
- V-274056
- Rule IDs
-
- SV-274056r1120156_rule
Checks: C-78147r1120154_chk
Verify Amazon Linux 2023 is configured so that the SSH server uses only ciphers employing FIPS 140-2/140-3 approved algorithms with the following command:
$ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", they are missing, or commented out, this is a finding.
Fix: F-78052r1120155_fix
Configure Amazon Linux 2023 SSH server to use only ciphers employing FIPS 140-2/140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line:
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
A reboot is required for the changes to take effect.
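The cipher, MAC, MinProtocol and crypto-policy state rules above (AZLX-23-001205, -001210, -001265, -001270 and -001275) all grep a handful of crypto-policies files and apply a pass/fail rule to the result. The checker below is an added example, not DISA's or the crypto-policies project's code: it parses those files offline and applies the page's rules; its SAMPLE_* inputs are constructed, and the -001270 function deliberately does not apply the "hash value less than 256" clause, because SHA2-224 is in the STIG's own required list.

```python
"""Offline checks of the crypto-policies files the STIG inspects: the OpenSSH
server back-end (Ciphers/MACs), the OpenSSL back-end (MinProtocol), the
resolved state in CURRENT.pol, and the `update-crypto-policies --show` name."""
import re

APPROVED_CIPHERS = {"aes256-gcm@openssh.com", "aes256-ctr",
                    "aes128-gcm@openssh.com", "aes128-ctr"}
APPROVED_MACS = {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
                 "hmac-sha2-256", "hmac-sha2-512"}
REQUIRED_HASHES = {"SHA2-256", "SHA2-384", "SHA2-512", "SHA2-224",
                   "SHA3-256", "SHA3-384", "SHA3-512", "SHAKE-256"}
DOCUMENTED_ONLY = {"AD-SUPPORT", "NO-ENFORCE-EMS"}  # allowed only with ISSO sign-off
TLS_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DTLS_ORDER = ["DTLSv1", "DTLSv1.2"]
# 'key = value' (CURRENT.pol, opensslcnf.config) or 'Keyword value' (opensshserver.config)
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

def parse_policy(text):
    """Parse a policy/back-end file into {lowercase_key: value}; comments and
    blank lines are ignored and the first occurrence of a key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and (m := _DIRECTIVE.match(line)):
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings

def _only_approved(settings, key, approved):
    value = settings.get(key)
    if value is None:
        return f"{key}: missing or commented out"
    extra = {v.strip() for v in value.split(",")} - approved
    return f"{key}: non-approved entries {sorted(extra)}" if extra else None

def check_opensshserver(text):
    """AZLX-23-001205, -001210, -001275: only FIPS-approved ciphers and MACs."""
    s = parse_policy(text)
    return [f for f in (_only_approved(s, "ciphers", APPROVED_CIPHERS),
                        _only_approved(s, "macs", APPROVED_MACS)) if f]

def check_current_pol(text):
    """AZLX-23-001270: required hashes present, no SHA1, min_rsa_size >= 2048.
    The 'hash value less than 256' clause is not applied literally, because the
    STIG's own required list contains SHA2-224 (this checker's assumption)."""
    s = parse_policy(text)
    hashes = s.get("hash", "").split()
    findings = []
    if missing := REQUIRED_HASHES - set(hashes):
        findings.append(f"hash: missing {sorted(missing)}")
    if weak := [h for h in hashes if "SHA1" in h.upper()]:
        findings.append(f"hash: SHA1 present {weak}")
    rsa = s.get("min_rsa_size", "")
    if not rsa.isdigit() or int(rsa) < 2048:
        findings.append(f"min_rsa_size: {rsa!r} is below 2048")
    return findings

def check_min_protocol(text):
    """AZLX-23-001265: TLS.MinProtocol >= TLSv1.2, DTLS.MinProtocol >= DTLSv1.2."""
    s = parse_policy(text)
    findings = []
    for key, order, floor in (("tls.minprotocol", TLS_ORDER, "TLSv1.2"),
                              ("dtls.minprotocol", DTLS_ORDER, "DTLSv1.2")):
        value = s.get(key)
        if value not in order or order.index(value) < order.index(floor):
            findings.append(f"{key}: {value!r} is older than {floor} or unknown")
    return findings

def check_policy_name(show_output):
    """AZLX-23-001270: the active policy must be FIPS; colon-separated
    subpolicies are fine, except those needing documented ISSO approval."""
    parts = show_output.strip().split(":")
    if parts[0] != "FIPS":
        return [f"policy: {parts[0]!r} is not FIPS"]
    return [f"subpolicy {p} requires documented ISSO approval"
            for p in parts[1:] if p in DOCUMENTED_ONLY]

# Constructed sample inputs (not captured from a real host).
SAMPLE_OPENSSHSERVER = (
    "# FIPS back-end\n"
    "Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr\n"
    "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
    "hmac-sha2-256,hmac-sha2-512\n")
SAMPLE_CURRENT_POL = ("hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 "
                      "SHA3-384 SHA3-512 SHAKE-256\nmin_rsa_size = 2048\n")
SAMPLE_OPENSSLCNF = "TLS.MinProtocol = TLSv1.1\nDTLS.MinProtocol = DTLSv1.2\n"

if __name__ == "__main__":
    for name, result in (("opensshserver", check_opensshserver(SAMPLE_OPENSSHSERVER)),
                         ("CURRENT.pol", check_current_pol(SAMPLE_CURRENT_POL)),
                         ("opensslcnf", check_min_protocol(SAMPLE_OPENSSLCNF)),
                         ("policy", check_policy_name("FIPS:AD-SUPPORT"))):
        print(name, result or "compliant")
```

On a host, feed each function the contents of the corresponding file under /etc/crypto-policies and the output of update-crypto-policies --show.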
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-000068
- Version
- AZLX-23-001280
- Vuln IDs
-
- V-274057
- Rule IDs
-
- SV-274057r1120159_rule
Checks: C-78148r1120157_chk
Verify Amazon Linux 2023 is in FIPS mode with the following command:
$ sudo fips-mode-setup --check
FIPS mode is enabled.
If FIPS mode is not enabled, this is a finding.
Fix: F-78053r1120158_fix
Configure Amazon Linux 2023 to implement FIPS mode with the following command:
$ sudo fips-mode-setup --enable
Reboot the system for the changes to take effect.
- RMF Control
- SC-13
- Severity
- M
- CCI
- CCI-002450
- Version
- AZLX-23-001285
- Vuln IDs
-
- V-274058
- Rule IDs
-
- SV-274058r1120162_rule
Checks: C-78149r1120160_chk
Verify Amazon Linux 2023 custom crypto policies are loaded correctly with the following command:
$ ls -l /etc/crypto-policies/back-ends/
lrwxrwxrwx. 1 root root 40 Mar 7 19:22 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root 42 Mar 7 19:22 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root 40 Mar 7 19:22 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root 46 Mar 7 19:22 javasystem.config -> /usr/share/crypto-policies/FIPS/javasystem.txt
lrwxrwxrwx. 1 root root 40 Mar 7 19:22 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root 45 Mar 7 19:22 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root 42 Mar 7 19:22 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
-rw-r--r--. 1 root root 398 Mar 7 19:22 nss.config
lrwxrwxrwx. 1 root root 43 Mar 7 19:22 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root 49 Mar 7 19:22 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root 43 Mar 7 19:22 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root 48 Mar 7 19:22 openssl_fips.config -> /usr/share/crypto-policies/FIPS/openssl_fips.txt
lrwxrwxrwx. 1 root root 46 Mar 7 19:22 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt
If the paths do not point to the respective files under the /usr/share/crypto-policies/FIPS path, this is a finding.
Note: nss.config is a regular file and must not be a symbolic link.
Fix: F-78054r1120161_fix
Configure Amazon Linux 2023 to correctly implement the systemwide cryptographic policies by reinstalling the crypto-policies package contents.
Reinstall crypto-policies with the following command:
$ sudo dnf -y reinstall crypto-policies
Set the crypto-policy to FIPS with the following command:
$ sudo update-crypto-policies --set FIPS
Setting system policy to FIPS
Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.
- RMF Control
- Severity
- M
- CCI
- CCI-004046
- Version
- AZLX-23-001290
- Vuln IDs
-
- V-274059
- Rule IDs
-
- SV-274059r1120165_rule
Checks: C-78150r1120163_chk
Note: If the system administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.
Verify Amazon Linux 2023 has smart cards enabled in System Security Services Daemon (SSSD) by running the following command:
$ sudo grep -ir pam_cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/
/etc/sssd/sssd.conf:pam_cert_auth = True
If "pam_cert_auth" is not set to "True", the line is commented out, or the line is missing, this is a finding.
Fix: F-78055r1120164_fix
Configure Amazon Linux 2023 to have smart cards enabled in SSSD. Edit the file "/etc/sssd/sssd.conf" or a configuration file in "/etc/sssd/conf.d" and add or edit the following line:
pam_cert_auth = True
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000187
- Version
- AZLX-23-001295
- Vuln IDs
-
- V-274060
- Rule IDs
-
- SV-274060r1120168_rule
Checks: C-78151r1120166_chk
Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.
Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command:
$ sudo find /etc/sssd/sssd.conf /etc/sssd/conf.d/ -type f -exec cat {} \;
[sssd]
config_file_version = 2
services = pam, sudo, ssh
domains = testing.test
[pam]
pam_cert_auth = True
offline_credentials_expiration = 1
[domain/testing.test]
id_provider = ldap
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
If the certmap section does not exist, ask the SA to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.
Fix: F-78056r1120167_fix
Configure Amazon Linux 2023 to map the authenticated identity to the user or group account by adding or modifying the certmap section of the "/etc/sssd/sssd.conf" file based on the following example:
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
$ sudo systemctl restart sssd.service
- RMF Control
- Severity
- M
- CCI
- CCI-004046
- Version
- AZLX-23-001300
- Vuln IDs
-
- V-274061
- Rule IDs
-
- SV-274061r1120171_rule
Checks: C-78152r1120169_chk
Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.
Verify Amazon Linux 2023 implements Online Certificate Status Protocol (OCSP) and is using the proper digest value on the system with the following command:
$ sudo grep -ir certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/ | grep -v "^#"
certificate_verification = ocsp_dgst=sha512
If the certificate_verification line is missing from the [sssd] section, or is missing "ocsp_dgst=sha512", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.
Fix: F-78057r1120170_fix
Configure Amazon Linux 2023 to implement certificate status checking for multifactor authentication.
Review the "/etc/sssd/conf.d/certificate_verification.conf" file to determine if the system is configured to prevent OCSP or certificate verification.
Add the following line to the "/etc/sssd/conf.d/certificate_verification.conf" file:
certificate_verification = ocsp_dgst=sha512
Set the correct ownership and permissions on the "/etc/sssd/conf.d/certificate_verification.conf" file by running these commands:
$ sudo chown root:root "/etc/sssd/conf.d/certificate_verification.conf"
$ sudo chmod 600 "/etc/sssd/conf.d/certificate_verification.conf"
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
$ sudo systemctl restart sssd.service
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-002007
- Version
- AZLX-23-001305
- Vuln IDs
-
- V-274062
- Rule IDs
-
- SV-274062r1120174_rule
Checks: C-78153r1120172_chk
Verify Amazon Linux 2023 is configured so that the System Security Services Daemon (SSSD) prohibits the use of cached authentications after one day.
Note: Cached authentication settings should be configured even if smart card authentication is not used on the system.
Check that SSSD allows cached authentications with the following command:
$ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/
/etc/sssd/sssd.conf:cache_credentials = true
If "cache_credentials" is set to "false" or missing from the configuration file, this is not a finding and no further checks are required.
If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day with the following command:
$ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/
/etc/sssd/sssd.conf:offline_credentials_expiration = 1
If "offline_credentials_expiration" is not set to a value of "1", this is a finding.
Fix: F-78058r1120173_fix
Configure the Amazon Linux 2023 SSSD service to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line [pam]:
offline_credentials_expiration = 1
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- AZLX-23-001310
- Vuln IDs
-
- V-274063
- Rule IDs
-
- SV-274063r1120712_rule
Checks: C-78154r1120175_chk
Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.
Verify Amazon Linux 2023 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
Check that the system has a valid DOD root CA installed with the following command:
$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3
        Validity
            Not Before: Mar 20 18:46:41 2012 GMT
            Not After : Dec 30 18:46:41 2029 GMT
        Subject: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
If the root CA file is not a DOD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.
Fix: F-78059r1120711_fix
Configure Amazon Linux 2023 to have valid certificates by using AWS Certificate Manager (ACM) or another certificate manager to manage SSL/TLS certificates. In the AWS Management Console, request or import the necessary SSL/TLS certificates into ACM. ACM will handle the certificate lifecycle management, including validation and trust chain establishment.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000186
- Version
- AZLX-23-001315
- Vuln IDs
-
- V-274064
- Rule IDs
-
- SV-274064r1120180_rule
Checks: C-78155r1120178_chk
Verify Amazon Linux 2023 SSH private key files have a passcode. For each private key stored on the system, use the following command:
$ sudo ssh-keygen -y -f /path/to/file
If the contents of the key are displayed, this is a finding.
Fix: F-78060r1120179_fix
Configure Amazon Linux 2023 SSH private key files to have a passcode. Create a new private and public key pair that utilizes a passcode with the following command:
$ sudo ssh-keygen -N [passphrase]
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- AZLX-23-002000
- Vuln IDs
-
- V-274065
- Rule IDs
-
- SV-274065r1120699_rule
Checks: C-78156r1120698_chk
Verify Amazon Linux 2023 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system over any publicly accessible connection.
View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DOD Notice and Consent Banner with the following command:
$ more /etc/issue
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
If the system does not display a logon banner or the banner text does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
Fix: F-78061r1120182_fix
Configure Amazon Linux 2023 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH. Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-001384
- Version
- AZLX-23-002005
- Vuln IDs
-
- V-274066
- Rule IDs
-
- SV-274066r1120186_rule
Checks: C-78157r1120184_chk
Verify Amazon Linux 2023 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system from any SSH connection.
Check for the location of the banner file being used with the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*banner'
/etc/ssh/sshd_config.d/80-bannerPointer.conf:Banner /etc/issue
This command will return the banner keyword and the name of the file that contains the SSH banner (in this case "/etc/issue").
If the line is commented out, this is a finding.
Fix: F-78062r1120185_fix
Configure Amazon Linux 2023 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH. Edit the "/etc/ssh/sshd_config" file or a file in "/etc/ssh/sshd_config.d" to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:
Banner /etc/issue
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- AZLX-23-002015
- Vuln IDs
-
- V-274067
- Rule IDs
-
- SV-274067r1120653_rule
Checks: C-78158r1120187_chk
Verify Amazon Linux 2023 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
Note: The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. Typically 10.0 GB of storage space for audit records should be sufficient.
Determine which partition the audit records are being written to with the following command:
$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Check the size of the partition that audit records are written to with the following command and verify whether it is sufficiently large:
# df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
If the audit record partition is not allocated for sufficient storage capacity, this is a finding.
Fix: F-78063r1120652_fix
Configure Amazon Linux 2023 to provide adequate storage for at least one week of audit logs when audit records are not immediately sent to a central audit record storage facility. If the storage partition is not large enough for at least one week of audit logs, then either:
1. Resize the partition to ensure there is enough storage capacity.
2. Create a new partition for the audit logs.
- RMF Control
- AU-4
- Severity
- L
- CCI
- CCI-001849
- Version
- AZLX-23-002020
- Vuln IDs
-
- V-274068
- Rule IDs
-
- SV-274068r1120192_rule
Checks: C-78159r1120190_chk
Verify Amazon Linux 2023 has a separate file system/partition created for the system audit data path with the following command:
Note: /var/log/audit is used as the example as it is a common location.
$ mount | grep /var/log/audit
UUID=2efb2979-45ac-82d7-0ae632d11f51 on /var/log/audit type xfs (rw,relatime,seclabel,attr2,inode64)
Fix: F-78064r1120191_fix
Configure Amazon Linux 2023 to have a separate file system/partition for the system audit data path. Migrate the system audit data path onto a separate partition.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- AZLX-23-002025
- Vuln IDs
-
- V-274069
- Rule IDs
-
- SV-274069r1120195_rule
Checks: C-78160r1120193_chk
Verify Amazon Linux 2023 is configured so that the Audit Daemon labels all off-loaded audit logs with the following command:
$ sudo grep name_format /etc/audit/auditd.conf
name_format = hostname
If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, this is a finding.
Fix: F-78065r1120194_fix
Configure Amazon Linux 2023 so that the Audit Daemon labels all off-loaded audit logs. Edit the /etc/audit/auditd.conf file and add or update the "name_format" option:
name_format = hostname
The audit daemon must be restarted for changes to take effect.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- AZLX-23-002030
- Vuln IDs
-
- V-274070
- Rule IDs
-
- SV-274070r1120198_rule
Checks: C-78161r1120196_chk
Verify the Amazon Linux 2023 audit system is configured to take an appropriate action when the internal event queue is full:
$ sudo grep -i overflow_action /etc/audit/auditd.conf
overflow_action = syslog
If the value of the "overflow_action" option is not set to "syslog", "single", or "halt", or the line is commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.
Fix: F-78066r1120197_fix
Configure Amazon Linux 2023 so that the audit system takes an appropriate action when the internal event queue is full. Edit the /etc/audit/auditd.conf file and add or update the "overflow_action" option:
overflow_action = syslog
The audit daemon must be restarted for changes to take effect.
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-001855
- Version
- AZLX-23-002035
- Vuln IDs
-
- V-274071
- Rule IDs
-
- SV-274071r1120201_rule
Checks: C-78162r1120199_chk
Verify Amazon Linux 2023 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:
$ sudo grep -w space_left /etc/audit/auditd.conf
space_left = 25%
If the value of the "space_left" keyword is not set to 25 percent of the storage volume allocated to audit logs, or if the line is commented out, ask the system administrator (SA) to indicate how the system is providing real-time alerts to the SA and information system security officer (ISSO). If the "space_left" value is not configured to the correct value, this is a finding.
Fix: F-78067r1120200_fix
Configure Amazon Linux 2023 to take action when the audit log storage volume reaches 75 percent of the maximum storage capacity. Edit /etc/audit/auditd.conf and ensure the parameter is configured as a percentage (a bare number is interpreted as megabytes):
space_left = 25%
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-001855
- Version
- AZLX-23-002040
- Vuln IDs
-
- V-274072
- Rule IDs
-
- SV-274072r1120204_rule
Checks: C-78163r1120202_chk
Verify Amazon Linux 2023 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:
$ sudo grep -w space_left_action /etc/audit/auditd.conf
space_left_action = email
If the value of the "space_left_action" is not set to "email", or if the line is commented out, ask the SA to indicate how the system is providing real-time alerts to the SA and ISSO. If there is no evidence that real-time alerts are configured on the system, this is a finding.
Fix: F-78068r1120203_fix
Configure Amazon Linux 2023 to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file:
space_left_action = email
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-001855
- Version
- AZLX-23-002045
- Vuln IDs
-
- V-274073
- Rule IDs
-
- SV-274073r1120207_rule
Checks: C-78164r1120205_chk
Verify Amazon Linux 2023 takes action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:
$ sudo grep -w admin_space_left /etc/audit/auditd.conf
admin_space_left = 5%
If the value of the "admin_space_left" keyword is not set to 5 percent of the storage volume allocated to audit logs, or if the line is commented out, ask the system administrator (SA) to indicate how the system is taking action if the allocated storage is about to reach capacity. If the "admin_space_left" value is not configured to the correct value, this is a finding.
Fix: F-78069r1120206_fix
Configure Amazon Linux 2023 to initiate an action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file:
admin_space_left = 5%
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-001855
- Version
- AZLX-23-002050
- Vuln IDs
-
- V-274074
- Rule IDs
-
- SV-274074r1120210_rule
Checks: C-78165r1120208_chk
Verify Amazon Linux 2023 is configured to take action when the allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:
$ sudo grep admin_space_left_action /etc/audit/auditd.conf
admin_space_left_action = single
If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the system administrator (SA) to indicate how the system is providing real-time alerts to the SA and information system security officer (ISSO). If there is no evidence that real-time alerts are configured on the system, this is a finding.
Fix: F-78070r1120209_fix
Configure Amazon Linux 2023 so that the auditd service takes action in the event of allocated audit record storage volume reaching 95 percent of the repository maximum audit record storage capacity. Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity:
admin_space_left_action = single
The audit daemon must be restarted for changes to take effect.
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-001855
- Version
- AZLX-23-002055
- Vuln IDs
-
- V-274075
- Rule IDs
-
- SV-274075r1120700_rule
Checks: C-78166r1120211_chk
Verify Amazon Linux 2023 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command:
$ sudo grep action_mail_acct /etc/audit/auditd.conf
action_mail_acct = root
If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, ask the SA to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure, this is a finding.
Fix: F-78071r1120212_fix
Configure Amazon Linux 2023 so that the auditd service notifies the SA and ISSO in the event of an audit processing failure. Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations:
action_mail_acct = root
The audit daemon must be restarted for changes to take effect.
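As an added example that is not part of the STIG, the POSIX shell script below applies the auditd.conf checks of AZLX-23-002025 through AZLX-23-002055 (name_format, overflow_action, space_left, space_left_action, admin_space_left, admin_space_left_action, action_mail_acct) to one file in a single pass; the function names and the two sample configuration files are constructed here, and the script defaults to /etc/audit/auditd.conf when no file is given.

```shell
#!/bin/sh
# Added example (not STIG text): apply the auditd.conf checks for
# AZLX-23-002025 through AZLX-23-002055 to a file in one pass.
# Usage: check_auditd_conf [FILE]   (FILE defaults to /etc/audit/auditd.conf)

# Acceptable values taken from the check text: "key|value value ...".
# space_left/admin_space_left need the "%" sign: a bare number is megabytes.
AUDITD_EXPECTED='name_format|hostname fqd numeric
overflow_action|syslog single halt
space_left|25%
space_left_action|email
admin_space_left|5%
admin_space_left_action|single
action_mail_acct|root'

# Effective value of key $1 in file $2 (last uncommented assignment wins).
auditd_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Print one FINDING line per non-compliant key; exit 0 only when clean.
check_auditd_conf() {
    file="${1:-/etc/audit/auditd.conf}"
    findings=0
    while IFS='|' read -r key allowed; do
        [ -z "$key" ] && continue
        value=$(auditd_get "$key" "$file")
        if [ -z "$value" ]; then
            printf 'FINDING: %s is missing or commented out\n' "$key"
            findings=$((findings + 1))
            continue
        fi
        ok=0
        for want in $allowed; do
            [ "$value" = "$want" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf 'FINDING: %s = %s (expected one of: %s)\n' "$key" "$value" "$allowed"
            findings=$((findings + 1))
        fi
    done <<EOF
$AUDITD_EXPECTED
EOF
    [ "$findings" -eq 0 ]
}

# Number of findings for file $1, printed as a plain integer.
auditd_finding_count() {
    check_auditd_conf "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Constructed samples: one compliant file and one with three typical defects
# (name_format=none, overflow_action commented out, space_left without "%").
SAMPLE_OK=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
log_file = /var/log/audit/audit.log
name_format = hostname
overflow_action = syslog
space_left = 25%
space_left_action = email
action_mail_acct = root
admin_space_left = 5%
admin_space_left_action = single
EOF

SAMPLE_BAD=$(mktemp)
cat >"$SAMPLE_BAD" <<'EOF'
log_file = /var/log/audit/audit.log
name_format = none
#overflow_action = syslog
space_left = 25
space_left_action = email
action_mail_acct = root
admin_space_left = 5%
admin_space_left_action = single
EOF

for f in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if check_auditd_conf "$f"; then
        echo "$f: compliant"
    else
        echo "$f: $(auditd_finding_count "$f") finding(s)"
    fi
done
```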
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- AZLX-23-002060
- Vuln IDs
-
- V-274076
- Rule IDs
-
- SV-274076r1120216_rule
Checks: C-78167r1120214_chk
Verify Amazon Linux 2023 is configured to use the audisp-remote syslog service with the following command:
$ sudo grep active /etc/audit/plugins.d/syslog.conf
active = yes
If the "active" keyword does not have a value of "yes", the line is commented out, or the line is missing, this is a finding.
Fix: F-78072r1120215_fix
Configure Amazon Linux 2023 to use the audisp-remote syslog service. Edit the /etc/audit/plugins.d/syslog.conf file and add or update the "active" option:
active = yes
The audit daemon must be restarted for changes to take effect.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- AZLX-23-002065
- Vuln IDs
-
- V-274077
- Rule IDs
-
- SV-274077r1120219_rule
Checks: C-78168r1120217_chk
Verify Amazon Linux 2023 authenticates the remote logging server for off-loading audit logs with the following command:
$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
If the value of the "$ActionSendStreamDriverAuthMode" option is not set to "x509/name" or the line is commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.
Fix: F-78073r1120218_fix
Configure Amazon Linux 2023 to authenticate the remote logging server for off-loading audit logs by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf":
$ActionSendStreamDriverAuthMode x509/name
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- AZLX-23-002070
- Vuln IDs
-
- V-274078
- Rule IDs
-
- SV-274078r1120222_rule
Checks: C-78169r1120220_chk
Verify Amazon Linux 2023 encrypts audit records off-loaded onto a different system or media from the system being audited via rsyslog with the following command:
$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding.
Fix: F-78074r1120221_fix
Configure Amazon Linux 2023 to encrypt off-loaded audit records via rsyslog by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf":
$ActionSendStreamDriverMode 1
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- AZLX-23-002075
- Vuln IDs
-
- V-274079
- Rule IDs
-
- SV-274079r1120724_rule
Checks: C-78170r1120223_chk
Verify Amazon Linux 2023 uses the ossl driver to encrypt audit records off-loaded onto a different system or media from the system being audited with the following command:
$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
/etc/rsyslog.conf:$DefaultNetstreamDriver ossl
If the value of the "$DefaultNetstreamDriver" option is not set to "ossl" or the line is commented out, this is a finding.
Fix: F-78075r1120224_fix
Configure Amazon Linux 2023 to use the ossl driver to encrypt off-loaded audit records by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf":
$DefaultNetstreamDriver ossl
- RMF Control
- AU-4
- Severity
- L
- CCI
- CCI-001851
- Version
- AZLX-23-002080
- Vuln IDs
-
- V-274080
- Rule IDs
-
- SV-274080r1120228_rule
Checks: C-78171r1120226_chk
Verify Amazon Linux 2023 off-loads audit records onto a different system with the following command:
$ more /etc/systemd/journal-upload.conf
[Upload]
URL=192.168.21.2
ServerKeyFile=/etc/ssl/private/journal-upload.pem
ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
TrustedCertificateFile=/etc/ssl/ca/trusted.pem
If all of the entries do not have values, are commented out, or are missing, this is a finding.
Fix: F-78076r1120227_fix
Configure Amazon Linux 2023 to off-load audit records onto a different system or media from the system being audited. If using systemd-journal-upload, edit "/etc/systemd/journal-upload.conf" with the appropriate configuration:
[Upload]
URL=https://[server.domain]:[port]
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- AZLX-23-002085
- Vuln IDs
-
- V-274081
- Rule IDs
-
- SV-274081r1120231_rule
Checks: C-78172r1120229_chk
Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command:
$ sudo auditctl -l | grep '/etc/sudoers[^.]'
-w /etc/sudoers -p wa -k identity
If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78077r1120230_fix
Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/sudoers -p wa -k identity
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- AZLX-23-002090
- Vuln IDs
-
- V-274082
- Rule IDs
-
- SV-274082r1120234_rule
Checks: C-78173r1120232_chk
Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command:
$ sudo auditctl -l | grep /etc/sudoers.d
-w /etc/sudoers.d/ -p wa -k identity
If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78078r1120233_fix
Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/sudoers.d/ -p wa -k identity
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- AZLX-23-002095
- Vuln IDs
-
- V-274083
- Rule IDs
-
- SV-274083r1120237_rule
Checks: C-78174r1120235_chk
Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command:
$ sudo auditctl -l | egrep '(/etc/group)'
-w /etc/group -p wa -k identity
If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78079r1120236_fix
Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/group -p wa -k identity
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- AZLX-23-002100
- Vuln IDs
-
- V-274084
- Rule IDs
-
- SV-274084r1120240_rule
Checks: C-78175r1120238_chk
Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command:
$ sudo auditctl -l | egrep '(/etc/gshadow)'
-w /etc/gshadow -p wa -k identity
If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78080r1120239_fix
Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/gshadow -p wa -k identity
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- AZLX-23-002105
- Vuln IDs
-
- V-274085
- Rule IDs
-
- SV-274085r1120243_rule
Checks: C-78176r1120241_chk
Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:
$ sudo auditctl -l | egrep '(/etc/security/opasswd)'
-w /etc/security/opasswd -p wa -k identity
If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78081r1120242_fix
Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/security/opasswd -p wa -k identity
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002233
- Version
- AZLX-23-002110
- Vuln IDs
-
- V-274086
- Rule IDs
-
- SV-274086r1120246_rule
Checks: C-78177r1120244_chk
Verify Amazon Linux 2023 is configured to audit the execution of the "execve" system call with the following command:
$ sudo auditctl -l | grep execve
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
If the command does not return all lines, or the lines are commented out, this is a finding.
Fix: F-78082r1120245_fix
Configure Amazon Linux 2023 to audit the execution of the "execve" system call. Add or update the following file system rules to "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002115
- Vuln IDs
-
- V-274087
- Rule IDs
-
- SV-274087r1120249_rule
Checks: C-78178r1120247_chk
Verify Amazon Linux 2023 is configured to audit the execution of the "chmod", "fchmod", and "fchmodat" system calls with the following command:
$ sudo auditctl -l | grep chmod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
If the command does not return the expected line, or the line is commented out, this is a finding.
Fix: F-78083r1120248_fix
Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
To load the rule to the kernel immediately, use the following command:
$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002120
- Vuln IDs
-
- V-274088
- Rule IDs
-
- SV-274088r1120252_rule
Checks: C-78179r1120250_chk
Verify Amazon Linux 2023 is configured to audit the execution of the "chown", "fchown", "fchownat", and "lchown" system calls with the following command:
$ sudo auditctl -l | grep chown
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
If the command does not return the expected line, or the line is commented out, this is a finding.
Fix: F-78084r1120251_fix
Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
To load the rule to the kernel immediately, use the following command:
$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002125
- Vuln IDs
-
- V-274089
- Rule IDs
-
- SV-274089r1120255_rule
Checks: C-78180r1120253_chk
Verify Amazon Linux 2023 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls with the following command:
$ sudo auditctl -l | grep xattr
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
If the audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls, or any of the lines returned are commented out, this is a finding.
Fix: F-78085r1120254_fix
Configure Amazon Linux 2023 to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002130
- Vuln IDs
-
- V-274090
- Rule IDs
-
- SV-274090r1120258_rule
Checks: C-78181r1120256_chk
Verify Amazon Linux 2023 is configured to audit successful/unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls with the following command:
$ sudo auditctl -l | grep 'open\|truncate\|creat'
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
If the output does not produce rules containing "-F exit=-EACCES", this is a finding.
If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.
Fix: F-78086r1120257_fix
Configure Amazon Linux 2023 to generate an audit event for any successful/unsuccessful use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002135
- Vuln IDs
- V-274091
- Rule IDs
- SV-274091r1120261_rule
Checks: C-78182r1120259_chk
Verify Amazon Linux 2023 is configured to audit the execution of the "init_module" and "finit_module" system calls with the following command:

$ sudo auditctl -l | grep init_module

-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng

If the audit rule is not defined for the "init_module" and "finit_module" system calls, or the line returned is commented out, this is a finding.
Fix: F-78087r1120260_fix
Configure Amazon Linux 2023 to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" system calls by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng

To load the rule into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002140
- Vuln IDs
- V-274092
- Rule IDs
- SV-274092r1120264_rule
Checks: C-78183r1120262_chk
Verify Amazon Linux 2023 generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur with the following command:

$ sudo auditctl -l | grep "create_module"

-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=-1 -F key=module-change

If the audit rule is not defined for the "create_module" syscall, this is a finding.
Fix: F-78088r1120263_fix
Configure Amazon Linux 2023 to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change

To load the rule into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002145
- Vuln IDs
- V-274093
- Rule IDs
- SV-274093r1120267_rule
Checks: C-78184r1120265_chk
Verify Amazon Linux 2023 generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. Check the audit rules loaded in the kernel with the following command:

$ sudo auditctl -l | grep kmod

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78089r1120266_fix
Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "kmod" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002150
- Vuln IDs
- V-274094
- Rule IDs
- SV-274094r1120270_rule
Checks: C-78185r1120268_chk
Verify Amazon Linux 2023 is configured to audit successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls with the following command:

$ sudo auditctl -l | grep 'rename\|unlink\|rmdir'

-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete

If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat", or any of the lines returned are commented out, this is a finding.
Fix: F-78090r1120269_fix
Configure Amazon Linux 2023 to generate an audit event for any successful/unsuccessful use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete

To load the rule into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002155
- Vuln IDs
- V-274095
- Rule IDs
- SV-274095r1120273_rule
Checks: C-78186r1120271_chk
Verify Amazon Linux 2023 is configured to audit the execution of the "chcon" command with the following command:

$ sudo auditctl -l | grep chcon

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78091r1120272_fix
Configure Amazon Linux 2023 to generate audit records upon successful/unsuccessful attempts to use the "chcon" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-002884
- Version
- AZLX-23-002160
- Vuln IDs
- V-274096
- Rule IDs
- SV-274096r1120276_rule
Checks: C-78187r1120274_chk
Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock" with the following command:

$ sudo auditctl -l | grep /var/log/faillock

-w /var/log/faillock -p wa -k logins

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78092r1120275_fix
Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock". Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":

-w /var/log/faillock -p wa -k logins

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002165
- Vuln IDs
- V-274097
- Rule IDs
- SV-274097r1120279_rule
Checks: C-78188r1120277_chk
Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command:

$ sudo auditctl -l | grep /var/log/lastlog

-w /var/log/lastlog -p wa -k logins

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78093r1120278_fix
Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog". Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":

-w /var/log/lastlog -p wa -k logins

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
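Every audit-rule check in this section asks the same question: is an active rule with the required syscalls (or path), filters and key present? The script below is an added example, not part of the STIG, that tests a rules listing (the text of "/etc/audit/rules.d/audit.rules" or the output of "sudo auditctl -l") for the syscall, executable-path and file-watch rules quoted here, including the "sudo", "/etc/passwd" and "/etc/shadow" rules later in the section. It folds the two spellings auditctl uses ("-F key=X" and "auid!=-1" versus "-k X" and "auid!=unset") so both forms compare equal. The rules text at the bottom is constructed for the demo, with one rule commented out and several missing; the function names and the findings table are the example's own.

```shell
#!/bin/bash
# Added example, not part of the STIG: check an audit rules listing for the syscall,
# executable and file-watch rules this section requires. RULES is the text of
# /etc/audit/rules.d/audit.rules or of "sudo auditctl -l"; the sample at the bottom
# is constructed for the demo, not taken from a real host.

# auditctl -l prints "-F key=X" and "auid!=-1" where rules.d files say "-k X" and
# "auid!=unset"; fold both spellings together and drop comments and blank lines.
normalize_rules() {
  sed -e 's/[[:space:]]*#.*$//' -e 's/-F key=/-k /' -e 's/auid!=-1/auid!=unset/' \
      -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e '/^$/d'
}

# require_rule RULES KEY SYSCALLS FILTER...: true when one active "-a always,exit"
# rule carries the key, every syscall in the comma list ("-" for none, as for path
# rules) and every "-F FILTER" given (arch=b64, auid>=1000, path=..., exit=-EPERM ...).
require_rule() {
  rules=$1; key=$2; syscalls=$3; shift 3
  printf '%s\n' "$rules" | normalize_rules |
    awk -v key="$key" -v want="$syscalls" -v filters="$*" '
    BEGIN { n = (want == "-") ? 0 : split(want, w, ","); m = split(filters, x, " ") }
    /^-a always,exit / {
      hk = hits = 0; sc = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-S") sc = "," $(i + 1) ","
        if ($i == "-k" && $(i + 1) == key) hk = 1
        if ($i == "-F") for (j = 1; j <= m; j++) if ($(i + 1) == x[j]) hits++
      }
      if (!hk || hits < m) next
      for (i = 1; i <= n; i++) if (index(sc, "," w[i] ",") == 0) next
      found = 1; exit
    }
    END { exit (found ? 0 : 1) }'
}

# require_watch RULES PATH KEY: an active "-w PATH -p wa -k KEY" watch is present.
require_watch() {
  printf '%s\n' "$1" | normalize_rules | awk -v p="$2" -v k="$3" '
    $1 == "-w" && $2 == p {
      perm = hk = 0
      for (i = 3; i < NF; i++) {
        if ($i == "-p" && index($(i + 1), "w") && index($(i + 1), "a")) perm = 1
        if ($i == "-k" && $(i + 1) == k) hk = 1
      }
      if (perm && hk) { found = 1; exit }
    }
    END { exit (found ? 0 : 1) }'
}

# count_findings RULES: test the rules quoted in this section, report each gap on
# stderr and print the number of findings. The table below is the example's own.
count_findings() {
  rules=$1; n=0; AUID='auid>=1000 auid!=unset'
  while IFS='|' read -r kind key target extra; do
    case $kind in
      syscall) require_rule "$rules" "$key" "$target" arch=b64 $AUID $extra && continue ;;
      exec)    require_rule "$rules" "$key" - "path=$target" perm=x $AUID && continue ;;
      watch)   require_watch "$rules" "$target" "$key" && continue ;;
    esac
    echo "finding: no active $kind rule for $target${extra:+ ($extra)} with key $key" >&2
    n=$((n + 1))
  done <<'EOF'
syscall|perm_mod|setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr|
syscall|perm_access|truncate,ftruncate,creat,open,openat,open_by_handle_at|exit=-EPERM
syscall|perm_access|truncate,ftruncate,creat,open,openat,open_by_handle_at|exit=-EACCES
syscall|module_chng|init_module,finit_module|
syscall|delete|rename,unlink,rmdir,renameat,unlinkat|
exec|perm_mod|/usr/bin/chcon|
exec|priv_cmd|/usr/bin/sudo|
watch|logins|/var/log/faillock|
watch|identity|/etc/passwd|
EOF
  echo "$n"
}

# Constructed sample: the EACCES rule is commented out; the delete rule, the chcon
# rule and the faillock watch are missing, so four findings are expected.
SAMPLE_RULES='-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
#-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd
-w /etc/passwd -p wa -k identity'

count_findings "$SAMPLE_RULES"   # prints 4 after listing the four gaps on stderr
```

On a real host, replace SAMPLE_RULES with "$(sudo auditctl -l)" to test what the kernel has loaded, or with "$(cat /etc/audit/rules.d/*.rules)" to test what "augenrules --load" will install; the table in count_findings is where the remaining rules from this section (lastlog, init, reboot, shutdown, chage, /etc/shadow) are added.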
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- AZLX-23-002175
- Vuln IDs
- V-274098
- Rule IDs
- SV-274098r1120282_rule
Checks: C-78189r1120280_chk
Verify Amazon Linux 2023 is configured to audit the execution of the "init" command with the following command:

$ sudo auditctl -l | grep init

-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init

Because "grep init" also matches the "init_module"/"finit_module" rule, look for the line whose path is "/usr/sbin/init".

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78094r1120281_fix
Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful use of the "init" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- AZLX-23-002180
- Vuln IDs
- V-274099
- Rule IDs
- SV-274099r1120285_rule
Checks: C-78190r1120283_chk
Verify Amazon Linux 2023 is configured to audit the execution of the "reboot" command with the following command:

$ sudo auditctl -l | grep reboot

-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78095r1120284_fix
Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful use of the "reboot" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- AZLX-23-002185
- Vuln IDs
- V-274100
- Rule IDs
- SV-274100r1120288_rule
Checks: C-78191r1120286_chk
Verify Amazon Linux 2023 is configured to audit the execution of the "shutdown" command with the following command:

$ sudo auditctl -l | grep shutdown

-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78096r1120287_fix
Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful use of the "shutdown" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001493
- Version
- AZLX-23-002190
- Vuln IDs
- V-274101
- Rule IDs
- SV-274101r1120291_rule
Checks: C-78192r1120289_chk
Verify Amazon Linux 2023 audit tools have a mode of "0755" or less permissive with the following command:

$ stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules

755 /sbin/auditctl
755 /sbin/aureport
755 /sbin/ausearch
750 /sbin/autrace
755 /sbin/auditd
755 /sbin/rsyslogd
755 /sbin/augenrules

If any of the audit tool files have a mode more permissive than "0755", this is a finding.
Fix: F-78097r1120290_fix
Configure Amazon Linux 2023 audit tools to have a mode of "0755" by running the following command:

$ sudo chmod 0755 [audit_tool]

Replace "[audit_tool]" with each audit tool that has a mode more permissive than "0755".
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001493
- Version
- AZLX-23-002195
- Vuln IDs
- V-274102
- Rule IDs
- SV-274102r1120294_rule
Checks: C-78193r1120292_chk
Verify Amazon Linux 2023 audit tools are owned by "root" with the following command:

$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules

root /sbin/auditctl
root /sbin/aureport
root /sbin/ausearch
root /sbin/autrace
root /sbin/auditd
root /sbin/rsyslogd
root /sbin/augenrules

If any audit tools do not have an owner of "root", this is a finding.
Fix: F-78098r1120293_fix
Configure Amazon Linux 2023 audit tools to be owned by "root" by running the following command:

$ sudo chown root [audit_tool]

Replace "[audit_tool]" with each audit tool not owned by "root".
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001493
- Version
- AZLX-23-002200
- Vuln IDs
- V-274103
- Rule IDs
- SV-274103r1120297_rule
Checks: C-78194r1120295_chk
Verify Amazon Linux 2023 audit tools are group-owned by "root" with the following command:

$ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules

root /sbin/auditctl
root /sbin/aureport
root /sbin/ausearch
root /sbin/autrace
root /sbin/auditd
root /sbin/rsyslogd
root /sbin/augenrules

If any audit tools do not have a group owner of "root", this is a finding.
Fix: F-78099r1120296_fix
Configure Amazon Linux 2023 audit tools to be group-owned by "root" by running the following command:

$ sudo chgrp root [audit_tool]

Replace "[audit_tool]" with each audit tool not group-owned by "root".
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- AZLX-23-002205
- Vuln IDs
- V-274104
- Rule IDs
- SV-274104r1120300_rule
Checks: C-78195r1120298_chk
Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command:

$ sudo auditctl -l | egrep '(/etc/passwd)'

-w /etc/passwd -p wa -k identity

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78100r1120299_fix
Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".

Enable the auditd daemon so that it starts at boot time:

$ sudo systemctl enable auditd

Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":

-w /etc/passwd -p wa -k identity

Then restart the auditd service for the changes to take effect:

$ sudo service auditd restart
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002210
- Vuln IDs
- V-274105
- Rule IDs
- SV-274105r1120661_rule
Checks: C-78196r1120301_chk
Verify Amazon Linux 2023 is configured so that an audit event is generated for any successful/unsuccessful use of the "chage" command by running the following command to check the file system rules in "/etc/audit/audit.rules" (the file "augenrules --load" assembles from "/etc/audit/rules.d/"):

$ sudo grep -w chage /etc/audit/audit.rules

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78101r1120302_fix
Configure Amazon Linux 2023 so that the audit service generates an audit event for any successful/unsuccessful use of the "chage" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-000139
- Version
- AZLX-23-002215
- Vuln IDs
- V-274106
- Rule IDs
- SV-274106r1120657_rule
Checks: C-78197r1120656_chk
Verify Amazon Linux 2023 is configured to notify the SA and ISSO, at a minimum, in the event of an audit processing failure with the following command:

$ sudo grep action_mail_acct /etc/audit/auditd.conf

action_mail_acct = root

If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, ask the SA to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure, this is a finding.

Note that this keyword only names the recipient; the notification reaches someone only if a local mail transfer agent can deliver it and mail for "root" is read or forwarded to a monitored mailbox.
Fix: F-78102r1120305_fix
Configure Amazon Linux 2023 so that the "auditd" service notifies the SA and ISSO in the event of an audit processing failure. Edit the following line in "/etc/audit/auditd.conf" to ensure administrators are notified via email in those situations:

action_mail_acct = root
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- AZLX-23-002220
- Vuln IDs
- V-274107
- Rule IDs
- SV-274107r1120309_rule
Checks: C-78198r1120307_chk
Verify Amazon Linux 2023 takes the appropriate action when the audit storage volume is full using the following command:

$ sudo grep disk_full_action /etc/audit/auditd.conf

disk_full_action = SYSLOG

If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action, this is a finding.
Fix: F-78103r1120308_fix
Configure Amazon Linux 2023 to take an appropriate action when the audit storage volume becomes full. Add or update the following line in the "/etc/audit/auditd.conf" file; "disk_full_action" may be set to "SYSLOG" or "SINGLE" depending on the site's configuration:

disk_full_action = SYSLOG

Per auditd.conf(5), "SYSLOG" only writes a warning to syslog and lets the system keep running without new audit records, "SINGLE" drops the system to single-user mode, and "HALT" shuts it down. Choose "SINGLE" or "HALT" where the site policy is that the system must not continue operating without audit capacity.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- AZLX-23-002225
- Vuln IDs
- V-274108
- Rule IDs
- SV-274108r1120312_rule
Checks: C-78199r1120310_chk
Verify Amazon Linux 2023 audit logs are group-owned by "root" or a restricted logging group.

First determine if a group other than "root" has been assigned to the audit logs with the following command:

$ sudo grep log_group /etc/audit/auditd.conf

log_group = root

Then determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Then, using the location of the audit log file, determine if the audit log is group-owned by "root" using the following command:

$ sudo stat -c "%G %n" /var/log/audit/audit.log

root /var/log/audit/audit.log

If the audit log is not group-owned by "root" or the configured alternative logging group, this is a finding.
Fix: F-78104r1120311_fix
Configure Amazon Linux 2023 so that audit logs are group-owned by "root" or a restricted logging group.

Identify the group that is configured to own the audit logs:

$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf

Change the group of the "/var/log/audit" directory to that group:

$ sudo chgrp ${GROUP} /var/log/audit

Any log files already present under "/var/log/audit" that are group-owned by some other group must be changed to the same group with "chgrp" as well, since the check above looks at the log file itself, not the directory.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- AZLX-23-002230
- Vuln IDs
- V-274109
- Rule IDs
- SV-274109r1120315_rule
Checks: C-78200r1120313_chk
Verify Amazon Linux 2023 audit logs directory is owned by "root".

First determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Then, using the location of the audit log file, determine if the audit log directory is owned by "root" using the following command:

$ sudo ls -ld /var/log/audit

drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit

If the audit log directory is not owned by "root", this is a finding.
Fix: F-78105r1120314_fix
Configure Amazon Linux 2023 so that the audit logs directory is protected from unauthorized read access by setting the owner to "root" with the following command:

$ sudo chown root /var/log/audit
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- AZLX-23-002235
- Vuln IDs
- V-274110
- Rule IDs
- SV-274110r1120318_rule
Checks: C-78201r1120316_chk
Verify Amazon Linux 2023 audit logs have a mode of "0600".

First determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Then, using the location of the audit log file, determine whether the audit log files have a mode of "0600" with the following command:

$ sudo find /var/log/audit/ -type f -exec stat -c '%a %n' {} \;

600 /var/log/audit/audit.log

If the audit logs have a mode more permissive than "0600", this is a finding.
Fix: F-78106r1120317_fix
Configure Amazon Linux 2023 so that the audit logs have a mode of "0600". Replace "[audit_log_file]" with the correct audit log path; by default this is "/var/log/audit/audit.log".

$ sudo chmod 0600 /var/log/audit/[audit_log_file]

Check the group that owns the system audit logs:

$ sudo grep -iw log_group /etc/audit/auditd.conf

With $log_file set to the path from the "log_file" keyword, if "log_group" is not defined or is set to "root", configure the permissions as follows:

$ sudo chmod 0640 $log_file
$ sudo chmod 0440 $log_file.*

Otherwise, configure the permissions as follows:

$ sudo chmod 0600 $log_file
$ sudo chmod 0400 $log_file.*

Note that the check above treats any mode more permissive than "0600" as a finding, so "0600" for the current log and "0400" for rotated logs satisfy it in both cases.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000171
- Version
- AZLX-23-002240
- Vuln IDs
- V-274111
- Rule IDs
- SV-274111r1120321_rule
Checks: C-78202r1120319_chk
Verify Amazon Linux 2023 is configured so that files in "/etc/audit/rules.d/" and the "/etc/audit/auditd.conf" file have a mode of "0640" or less permissive by using the following command:

$ sudo find /etc/audit/rules.d/ /etc/audit/audit.rules /etc/audit/auditd.conf -type f -exec stat -c "%a %n" {} \;

600 /etc/audit/rules.d/audit.rules
640 /etc/audit/audit.rules
640 /etc/audit/auditd.conf

If the files in the "/etc/audit/rules.d/" directory or the "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.
Fix: F-78107r1120320_fix
Configure Amazon Linux 2023 so that files in "/etc/audit/rules.d/" and the "/etc/audit/auditd.conf" file have a mode of "0640" or less permissive with the following commands:

$ sudo chmod 0640 /etc/audit/rules.d/audit.rules
$ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules
$ sudo chmod 0640 /etc/audit/auditd.conf
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002245
- Vuln IDs
- V-274112
- Rule IDs
- SV-274112r1120324_rule
Checks: C-78203r1120322_chk
Verify Amazon Linux 2023 is configured to audit the execution of the "sudo" command with the following command:

$ sudo auditctl -l | grep '/usr/bin/sudo\b'

-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78108r1120323_fix
Configure Amazon Linux 2023 so that the audit system generates an audit event for any successful/unsuccessful use of the "sudo" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- AZLX-23-002250
- Vuln IDs
- V-274113
- Rule IDs
- SV-274113r1120327_rule
Checks: C-78204r1120325_chk
Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command:

$ sudo auditctl -l | egrep '(/etc/passwd)'

-w /etc/passwd -p wa -k identity

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78109r1120326_fix
Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":

-w /etc/passwd -p wa -k identity

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- AZLX-23-002255
- Vuln IDs
- V-274114
- Rule IDs
- SV-274114r1120330_rule
Checks: C-78205r1120328_chk
Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow" with the following command:

$ sudo auditctl -l | egrep '(/etc/shadow)'

-w /etc/shadow -p wa -k identity

If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-78110r1120329_fix
Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":

-w /etc/shadow -p wa -k identity

To load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-001487
- Version
- AZLX-23-002260
- Vuln IDs
- V-274115
- Rule IDs
- SV-274115r1120333_rule
Checks: C-78206r1120331_chk
Verify Amazon Linux 2023 is configured so that the audit system resolves audit information before writing to disk with the following command:

$ sudo grep log_format /etc/audit/auditd.conf

log_format = ENRICHED

If the "log_format" option is not "ENRICHED", or the line is commented out, this is a finding.
Fix: F-78111r1120332_fix
Configure Amazon Linux 2023 so that the audit system resolves audit information before writing to disk. Edit the "/etc/audit/auditd.conf" file and add or update the "log_format" option:

log_format = ENRICHED

The audit daemon must be restarted for the change to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- AZLX-23-002265
- Vuln IDs
- V-274116
- Rule IDs
- SV-274116r1120336_rule
Checks: C-78207r1120334_chk
Verify Amazon Linux 2023 is configured so that the audit logs are group-owned by "root" or a restricted logging group.

First determine if a group other than "root" has been assigned to the audit logs with the following command:

$ sudo grep log_group /etc/audit/auditd.conf

Then determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Then, using the location of the audit log file, determine if the audit log is group-owned by "root" using the following command:

$ sudo stat -c "%G %n" /var/log/audit/audit.log

root /var/log/audit/audit.log

If the audit log is not group-owned by "root" or the configured alternative logging group, this is a finding.
Fix: F-78112r1120335_fix
Configure Amazon Linux 2023 to change the group of the "/var/log/audit" directory to the correct group.

Identify the group that is configured to own the audit logs:

$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf

Change the group ownership to that group:

$ sudo chgrp ${GROUP} /var/log/audit
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- AZLX-23-002270
- Vuln IDs
- V-274117
- Rule IDs
- SV-274117r1120339_rule
Checks: C-78208r1120337_chk
Verify Amazon Linux 2023 is configured so that the audit logs directory is owned by "root".

First determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Then, using the location of the audit log file, determine if the audit log directory is owned by "root" using the following command:

$ sudo stat -c '%U %n' /var/log/audit

root /var/log/audit

If the audit log directory is not owned by "root", this is a finding.
Fix: F-78113r1120338_fix
Configure Amazon Linux 2023 audit logs to be protected from unauthorized read access by setting the owner of the audit log directory to "root" with the following command:

$ sudo chown root /var/log/audit
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- AZLX-23-002275
- Vuln IDs
- V-274118
- Rule IDs
- SV-274118r1120342_rule
Checks: C-78209r1120340_chk
Verify Amazon Linux 2023 is configured so that the audit logs have a mode of "0600".

First determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Then, using the location of the audit log file, determine whether the audit log files have a mode of "0600" with the following command:

$ sudo find /var/log/audit/ -type f -exec stat -c '%a %n' {} \;

600 /var/log/audit/audit.log

If the audit logs have a mode more permissive than "0600", this is a finding.
Fix: F-78114r1120341_fix
Configure Amazon Linux 2023 audit logs to have a mode of "0600" with the following command. Replace "[audit_log_file]" with the correct audit log path; by default this is "/var/log/audit/audit.log".

$ sudo chmod 0600 /var/log/audit/[audit_log_file]

Check the group that owns the system audit logs (without "-q", so that the matching line is printed):

$ sudo grep -m 1 '^log_group' /etc/audit/auditd.conf

With $log_file set to the path from the "log_file" keyword, if "log_group" is not defined or is set to "root", configure the permissions as follows:

$ sudo chmod 0640 $log_file
$ sudo chmod 0440 $log_file.*

Otherwise, configure the permissions as follows:

$ sudo chmod 0600 $log_file
$ sudo chmod 0400 $log_file.*

Note that the check above treats any mode more permissive than "0600" as a finding, so "0600" for the current log and "0400" for rotated logs satisfy it in both cases.
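The "auditd.conf" checks in this section and the "more permissive than" file-mode checks (audit logs at "0600", rules files at "0640", audit tools at "0755", and the shared library checks that follow) are mechanical enough to script. The following is an added example, not part of the STIG: it reads the "action_mail_acct", "disk_full_action", "log_format" and "log_group" keywords from an auditd.conf text, derives the log modes the fix text above prescribes from "log_group", and tests stat(1) modes against a ceiling with a bitmask rather than a string compare, so "0400" passes a "0600" ceiling and "0640" fails it. The auditd.conf excerpt and the temporary log directory are constructed for the demo; nothing here reads the real "/etc/audit/auditd.conf" or "/var/log/audit", and the function names are the example's own.

```shell
#!/bin/bash
# Added example, not part of the STIG: read the auditd.conf keywords this section
# checks, derive the audit log modes the fix text expects from log_group, and test
# modes against a ceiling the way every "more permissive than" check here does.
# CONF is a constructed auditd.conf excerpt and the log directory is a temporary
# tree built below, not a real /etc/audit/auditd.conf or /var/log/audit.

# conf_value CONF KEY: value of the first active "KEY = value" line, or empty.
conf_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# conf_findings CONF: report each keyword that fails its check on stderr; print the count.
conf_findings() {
  conf=$1; n=0
  [ -n "$(conf_value "$conf" action_mail_acct)" ] ||
    { echo "finding: action_mail_acct unset, audit failures are not reported" >&2; n=$((n + 1)); }
  case "$(conf_value "$conf" disk_full_action)" in
    SYSLOG|SINGLE|HALT) ;;
    *) echo "finding: disk_full_action is not SYSLOG, SINGLE or HALT" >&2; n=$((n + 1)) ;;
  esac
  [ "$(conf_value "$conf" log_format)" = ENRICHED ] ||
    { echo "finding: log_format is not ENRICHED" >&2; n=$((n + 1)); }
  echo "$n"
}

# expected_log_modes CONF: "<log_file mode> <rotated log mode>" as the fix text
# prescribes: 0640/0440 when log_group is unset or root, 0600/0400 otherwise.
expected_log_modes() {
  case "$(conf_value "$1" log_group)" in
    ""|root) echo "640 440" ;;
    *)       echo "600 400" ;;
  esac
}

# mode_exceeds MODE CEILING: true when MODE (octal, as stat %a prints it) grants a
# permission bit that CEILING does not, i.e. the file is "more permissive than" CEILING.
mode_exceeds() {
  [ $(( 0$1 & ~0$2 )) -ne 0 ]
}

# files_exceeding DIR CEILING: regular files under DIR that are more permissive than CEILING.
files_exceeding() {
  find "$1" -type f -exec stat -c '%a %n' {} + | while read -r mode path; do
    if mode_exceeds "$mode" "$2"; then echo "$path $mode"; fi
  done
}

CONF='# constructed excerpt, not a real auditd.conf
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
action_mail_acct = root
disk_full_action = IGNORE
#disk_full_action = SYSLOG'

# demo_log_dir: throwaway log directory with one rotated file left at 0640.
demo_log_dir() {
  d=$(mktemp -d)
  : > "$d/audit.log";   chmod 600 "$d/audit.log"
  : > "$d/audit.log.1"; chmod 640 "$d/audit.log.1"
  : > "$d/audit.log.2"; chmod 400 "$d/audit.log.2"
  echo "$d"
}

LOGDIR=$(demo_log_dir)
conf_findings "$CONF"           # prints 2 (log_format RAW, disk_full_action IGNORE)
expected_log_modes "$CONF"      # 640 440
files_exceeding "$LOGDIR" 600   # lists audit.log.1 640
rm -rf "$LOGDIR"
```

The check text tests the current log against "0600" while the fix text allows "0640" when "log_group" is root; files_exceeding takes the ceiling as an argument so either threshold can be applied, and the same function with "755" reproduces the audit-tool and shared-library directory checks ("-perm /022" in find is the special case of a "755" ceiling).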
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- AZLX-23-002280
- Vuln IDs
- V-274119
- Rule IDs
- SV-274119r1120345_rule
Checks: C-78210r1120343_chk
Verify Amazon Linux 2023 systemwide shared library directories are group-owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;

If any systemwide shared library directory is returned and is not group-owned by a required system account, this is a finding.
Fix: F-78115r1120344_fix
Configure Amazon Linux 2023 systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory not group-owned by "root":

$ sudo chgrp root [DIRECTORY]
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- AZLX-23-002285
- Vuln IDs
- V-274120
- Rule IDs
- SV-274120r1120348_rule
Checks: C-78211r1120346_chk
Verify Amazon Linux 2023 systemwide shared library directories have mode "755" or less permissive with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec ls -ld {} \;

("-perm /022" matches any directory that is group-writable or world-writable; "ls -ld" shows the directory entry itself rather than listing its contents.)

If any systemwide shared library directory is found to be group-writable or world-writable, this is a finding.
Fix: F-78116r1120347_fix
Configure Amazon Linux 2023 systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory with a mode more permissive than "755":

$ sudo chmod 755 [DIRECTORY]
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- AZLX-23-002290
- Vuln IDs
- V-274121
- Rule IDs
- SV-274121r1155161_rule
Checks: C-78212r1155159_chk
Verify Amazon Linux 2023 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" have mode 0755 or less permissive with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec stat -c "%n %a" {} +

If any output is returned, this is a finding.
Fix: F-78117r1155160_fix
Configure Amazon Linux 2023 syst​emwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to have mode 0755 or less permissive with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} +
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- AZLX-23-002295
- Vuln IDs
- V-274122
- Rule IDs
- SV-274122r1155164_rule
Checks: C-78213r1155162_chk
Verify Amazon Linux 2023 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are owned by root with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec stat -c "%n %U" {} +

If any output is returned, this is a finding.
Fix: F-78118r1155163_fix
Configure Amazon Linux 2023 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be owned by root with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} +
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- AZLX-23-002300
- Vuln IDs
-
- V-274123
- Rule IDs
-
- SV-274123r1155167_rule
Checks: C-78214r1155165_chk
Verify Amazon Linux 2023 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are group owned by root with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec stat -c "%n %G" {} + If any output is returned, this is a finding.
Fix: F-78119r1155166_fix
Configure Amazon Linux 2023 systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be group owned by root with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} +
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- AZLX-23-002305
- Vuln IDs
-
- V-274124
- Rule IDs
-
- SV-274124r1120360_rule
Checks: C-78215r1120358_chk
Verify Amazon Linux 2023 systemwide shared library directories are owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; If any systemwide shared library directory is not owned by root, this is a finding.
Fix: F-78120r1120359_fix
Configure Amazon Linux 2023 systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory not owned by "root". $ sudo chown root [DIRECTORY]
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- AZLX-23-002315
- Vuln IDs
-
- V-274125
- Rule IDs
-
- SV-274125r1120363_rule
Checks: C-78216r1120361_chk
Verify Amazon Linux 2023 is configured so that the "/var/log" directory has a mode of "0755" or less permissive with the following command: $ stat -c '%a %n' /var/log 755 /var/log If "/var/log" does not have a mode of "0755" or less permissive, this is a finding.
Fix: F-78121r1120362_fix
Configure Amazon Linux 2023 so that the "/var/log" directory has a mode of "0755" by running the following command: $ sudo chmod 0755 /var/log
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- AZLX-23-002320
- Vuln IDs
-
- V-274126
- Rule IDs
-
- SV-274126r1120366_rule
Checks: C-78217r1120364_chk
Verify Amazon Linux 2023 is configured so that the "/var/log" directory is owned by root with the following command: $ stat -c "%U %n" /var/log root /var/log If "/var/log" does not have an owner of "root", this is a finding.
Fix: F-78122r1120365_fix
Configure Amazon Linux 2023 so that the directory "/var/log" is owned by "root" with the following command: $ sudo chown root /var/log
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- AZLX-23-002325
- Vuln IDs
-
- V-274127
- Rule IDs
-
- SV-274127r1120369_rule
Checks: C-78218r1120367_chk
Verify Amazon Linux 2023 is configured so the "/var/log" directory is group-owned by root with the following command: $ stat -c "%G %n" /var/log root /var/log If "/var/log" does not have a group owner of "root", this is a finding.
Fix: F-78123r1120368_fix
Configure Amazon Linux 2023 so that the "/var/log" directory is group-owned by "root" with the following command: $ sudo chgrp root /var/log
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- AZLX-23-002330
- Vuln IDs
-
- V-274128
- Rule IDs
-
- SV-274128r1120372_rule
Checks: C-78219r1120370_chk
Verify Amazon Linux 2023 is configured so that the "/var/log/messages" file has a mode of "0640" or less permissive with the following command: $ stat -c '%a %n' /var/log/messages 600 /var/log/messages If "/var/log/messages" does not have a mode of "0640" or less permissive, this is a finding.
Fix: F-78124r1120371_fix
Configure Amazon Linux 2023 so that the "/var/log/messages" file has a mode of "0640" with the following command: $ sudo chmod 0640 /var/log/messages
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- AZLX-23-002335
- Vuln IDs
-
- V-274129
- Rule IDs
-
- SV-274129r1120375_rule
Checks: C-78220r1120373_chk
Verify Amazon Linux 2023 is configured so that the "/var/log/messages" file is group-owned by root with the following command: $ stat -c "%G %n" /var/log/messages root /var/log/messages If "/var/log/messages" does not have a group owner of "root", this is a finding.
Fix: F-78125r1120374_fix
Configure Amazon Linux 2023 so that the "/var/log/messages" file is group-owned by "root" with the following command: $ sudo chgrp root /var/log/messages
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- AZLX-23-002340
- Vuln IDs
-
- V-274130
- Rule IDs
-
- SV-274130r1120378_rule
Checks: C-78221r1120376_chk
Verify Amazon Linux 2023 is configured so that the "/var/log/messages" file is owned by root with the following command: $ stat -c "%U %n" /var/log/messages root /var/log/messages If "/var/log/messages" does not have an owner of "root", this is a finding.
Fix: F-78126r1120377_fix
Configure Amazon Linux 2023 so that the "/var/log/messages" file is owned by "root" with the following command: $ sudo chown root /var/log/messages
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- AZLX-23-002345
- Vuln IDs
-
- V-274131
- Rule IDs
-
- SV-274131r1120381_rule
Checks: C-78222r1120379_chk
Verify Amazon Linux 2023 system commands contained in the following directories are owned by "root" with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; If any system commands are found to not be owned by root, this is a finding.
Fix: F-78127r1120380_fix
Configure Amazon Linux 2023 so that system commands are protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not owned by "root". $ sudo chown root [FILE]
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- AZLX-23-002350
- Vuln IDs
-
- V-274132
- Rule IDs
-
- SV-274132r1120384_rule
Checks: C-78223r1120382_chk
Verify Amazon Linux 2023 system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; If any system commands are returned and are not group-owned by a required system account, this is a finding.
Fix: F-78128r1120383_fix
Configure Amazon Linux 2023 so that system commands are protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. $ sudo chgrp root [FILE]
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- AZLX-23-002355
- Vuln IDs
-
- V-274133
- Rule IDs
-
- SV-274133r1120387_rule
Checks: C-78224r1120385_chk
Verify Amazon Linux 2023 enforces password complexity by requiring at least one uppercase character with the following command: $ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf ucredit = -1 If the value of "ucredit" is a positive number or is commented out, this is a finding.
Fix: F-78129r1120386_fix
Configure Amazon Linux 2023 to enforce password complexity by requiring that at least one uppercase character be used by setting the "ucredit" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "ucredit" parameter: ucredit = -1 Remove any configurations that conflict with the above value.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- AZLX-23-002360
- Vuln IDs
-
- V-274134
- Rule IDs
-
- SV-274134r1120390_rule
Checks: C-78225r1120388_chk
Verify Amazon Linux 2023 enforces password complexity by requiring at least one lowercase character with the following command: $ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf lcredit = -1 If the value of "lcredit" is a positive number or is commented out, this is a finding.
Fix: F-78130r1120389_fix
Configure Amazon Linux 2023 to enforce password complexity by requiring that at least one lowercase character be used by setting the "lcredit" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "lcredit" parameter: lcredit = -1 Remove any configurations that conflict with the above value.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- AZLX-23-002365
- Vuln IDs
-
- V-274135
- Rule IDs
-
- SV-274135r1120393_rule
Checks: C-78226r1120391_chk
Verify Amazon Linux 2023 enforces password complexity by requiring at least one numeric character with the following command: $ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf dcredit = -1 If the value of "dcredit" is a positive number or is commented out, this is a finding.
Fix: F-78131r1120392_fix
Configure Amazon Linux 2023 to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "dcredit" parameter: dcredit = -1 Remove any configurations that conflict with the above value.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- AZLX-23-002370
- Vuln IDs
-
- V-274136
- Rule IDs
-
- SV-274136r1120697_rule
Checks: C-78227r1120394_chk
Verify Amazon Linux 2023 enforces password complexity by requiring a change of at least eight characters when passwords are changed with the following command: $ sudo grep difok /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf difok = 8 If the value of "difok" is set to less than "8", or is commented out, this is a finding.
Fix: F-78132r1120696_fix
Configure Amazon Linux 2023 to require the change of at least eight (with a 15 character password) of the total number of characters when passwords are changed by setting the "difok" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "difok" parameter: difok = 8 Remove any configurations that conflict with the above value. This value can be customized based on desired password length.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- AZLX-23-002375
- Vuln IDs
-
- V-274137
- Rule IDs
-
- SV-274137r1120725_rule
Checks: C-78228r1120397_chk
Verify Amazon Linux 2023 enforces a minimum 15-character password length with the following command: $ sudo grep -rs minlen /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf /etc/security/pwquality.conf: minlen = 15 If the command does not return a "minlen" value of 15 or greater, or the line is commented out, this is a finding. If conflicting results are returned, this is a finding.
Fix: F-78133r1120398_fix
Configure Amazon Linux 2023 to enforce a minimum 15-character password length. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "minlen" parameter: minlen = 15 Remove any configurations that conflict with the above value.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- AZLX-23-002380
- Vuln IDs
-
- V-274138
- Rule IDs
-
- SV-274138r1120402_rule
Checks: C-78229r1120400_chk
Verify Amazon Linux 2023 enforces password complexity by requiring at least one special character with the following command: $ sudo grep -rs ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf /etc/security/pwquality.conf: ocredit = -1 If the value of "ocredit" is a positive number or is commented out, this is a finding.
Fix: F-78134r1120401_fix
Configure Amazon Linux 2023 to enforce password complexity by requiring at least one special character be used by setting the "ocredit" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "ocredit" parameter: ocredit = -1
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- AZLX-23-002385
- Vuln IDs
-
- V-274139
- Rule IDs
-
- SV-274139r1120405_rule
Checks: C-78230r1120403_chk
Verify Amazon Linux 2023 enforces password complexity rules for the root account with the following command: $ sudo grep -rs enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf /etc/security/pwquality.conf:enforce_for_root If "enforce_for_root" is commented or missing, this is a finding.
Fix: F-78135r1120404_fix
Configure Amazon Linux 2023 to enforce password complexity on the root account. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "enforce_for_root" parameter: enforce_for_root
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- AZLX-23-002390
- Vuln IDs
-
- V-274140
- Rule IDs
-
- SV-274140r1120408_rule
Checks: C-78231r1120406_chk
Verify Amazon Linux 2023 prevents the use of dictionary words for passwords with the following command: $ sudo grep -rs dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf /etc/security/pwquality.conf:dictcheck=1 If the "dictcheck" parameter is not set to "1", is commented out, or is missing, this is a finding.
Fix: F-78136r1120407_fix
Configure Amazon Linux 2023 to prevent the use of dictionary words for passwords. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: dictcheck=1
- RMF Control
- AC-10
- Severity
- L
- CCI
- CCI-000054
- Version
- AZLX-23-002395
- Vuln IDs
-
- V-274141
- Rule IDs
-
- SV-274141r1120411_rule
Checks: C-78232r1120409_chk
Verify Amazon Linux 2023 limits the number of concurrent sessions to "10" for all accounts and/or account types with the following command: $ sudo grep -r -s '^[^#].*maxlogins' /etc/security/limits.conf /etc/security/limits.d/*.conf * hard maxlogins 10 This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. If the "maxlogins" item is missing, commented out, or the value is set greater than "10" and is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "maxlogins" item assigned, this is a finding.
Fix: F-78137r1120410_fix
Configure Amazon Linux 2023 to limit the number of concurrent sessions to "10" for all accounts and/or account types. Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/: * hard maxlogins 10
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- AZLX-23-002396
- Vuln IDs
-
- V-274142
- Rule IDs
-
- SV-274142r1120414_rule
Checks: C-78233r1120412_chk
Verify Amazon Linux 2023 is configured to exit interactive command shell user sessions after 10 minutes of inactivity or less with the following command: $ sudo grep -i tmout /etc/profile /etc/profile.d/*.sh /etc/profile.d/tmout.sh:declare -xr TMOUT=600 If "TMOUT" is not set to "600" or less in a script located in the "/etc/profile.d/" directory, is missing or is commented out, this is a finding.
Fix: F-78138r1120413_fix
Configure Amazon Linux 2023 to exit interactive command shell user sessions after 10 minutes of inactivity. Add or edit the following line in "/etc/profile.d/tmout.sh": #!/bin/bash declare -xr TMOUT=600
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- AZLX-23-002400
- Vuln IDs
-
- V-274143
- Rule IDs
-
- SV-274143r1120417_rule
Checks: C-78234r1120415_chk
Verify Amazon Linux 2023 enforces 24 hours as the minimum password lifetime for new user accounts with the following command: $ sudo grep -i pass_min_days /etc/login.defs PASS_MIN_DAYS 1 If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.
Fix: F-78139r1120416_fix
Configure Amazon Linux 2023 to enforce 24 hours as the minimum password lifetime for new user accounts. Add the following line in "/etc/login.defs" (or modify the line to have the required value): PASS_MIN_DAYS 1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- AZLX-23-002405
- Vuln IDs
-
- V-274144
- Rule IDs
-
- SV-274144r1120420_rule
Checks: C-78235r1120418_chk
Verify Amazon Linux 2023 enforces a delay of at least four seconds between console logon prompts following a failed logon attempt with the following command: $ sudo grep -i fail_delay /etc/login.defs FAIL_DELAY 4 If the value of "FAIL_DELAY" is not set to "4" or greater, the line is commented out, or the line is missing, this is a finding.
Fix: F-78140r1120419_fix
Configure Amazon Linux 2023 to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater: FAIL_DELAY 4
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- AZLX-23-002410
- Vuln IDs
-
- V-274145
- Rule IDs
-
- SV-274145r1120423_rule
Checks: C-78236r1120421_chk
Verify Amazon Linux 2023 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command: Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I. # grep -i umask /etc/login.defs UMASK 077 If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.
Fix: F-78141r1120422_fix
Configure Amazon Linux 2023 to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Add or edit the lines for the "UMASK" parameter in the "/etc/login.defs" file to "077": UMASK 077
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000016
- Version
- AZLX-23-002415
- Vuln IDs
-
- V-274146
- Rule IDs
-
- SV-274146r1120426_rule
Checks: C-78237r1120424_chk
Verify Amazon Linux 2023 temporary accounts have been provisioned with an expiration date of 72 hours. For every existing temporary account, run the following command to obtain its account expiration information. $ sudo chage -l system_account_name Verify each of these accounts has an expiration date set within 72 hours. If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
Fix: F-78142r1120425_fix
Configure Amazon Linux 2023 temporary accounts to have an expiration date of 72 hours. If a temporary account must be created, configure the system to terminate the account after a 72-hour time period by setting an expiration date on it with the following command. Substitute "system_account_name" with the account to be created. $ sudo chage -E $(date -d +3days +%Y-%m-%d) system_account_name
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- AZLX-23-002420
- Vuln IDs
-
- V-274147
- Rule IDs
-
- SV-274147r1120429_rule
Checks: C-78238r1120427_chk
Verify Amazon Linux 2023 locks an account after three unsuccessful logon attempts with the following commands: Note: If the system administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is met by that method. $ sudo grep pam_faillock.so /etc/pam.d/password-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module, or is missing from this line, if any of the lines are commented out, or are missing, this is a finding.
Fix: F-78143r1120428_fix
Configure Amazon Linux 2023 to lock an account when three unsuccessful logon attempts occur. Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- AZLX-23-002425
- Vuln IDs
-
- V-274148
- Rule IDs
-
- SV-274148r1120432_rule
Checks: C-78239r1120430_chk
Verify Amazon Linux 2023 enforces the maximum time period for existing passwords is restricted to 60 days with the following commands: $ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow $ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding.
Fix: F-78144r1120431_fix
Configure Amazon Linux 2023 to set noncompliant accounts to enforce a 60-day maximum password lifetime restriction. $ sudo chage -M 60 [user]
- RMF Control
- Severity
- M
- CCI
- CCI-003627
- Version
- AZLX-23-002430
- Vuln IDs
-
- V-274149
- Rule IDs
-
- SV-274149r1120435_rule
Checks: C-78240r1120433_chk
Verify Amazon Linux 2023 account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity. Check the account inactivity value with the following command: $ sudo grep -i inactive /etc/default/useradd INACTIVE=35 If "INACTIVE" is set to "-1", a value greater than "35", or is commented out, this is a finding.
Fix: F-78145r1120434_fix
Configure Amazon Linux 2023 to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the configuration for useradd: $ sudo useradd -D -f 35 The recommendation is 35 days, but a lower value is acceptable.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001682
- Version
- AZLX-23-002435
- Vuln IDs
-
- V-274150
- Rule IDs
-
- SV-274150r1120438_rule
Checks: C-78241r1120436_chk
Verify Amazon Linux 2023 temporary accounts have been provisioned with an expiration date of 72 hours. For every existing temporary account, run the following command to obtain its account expiration information: $ sudo chage -l <temporary_account_name> | grep -i "account expires" Verify each of these accounts has an expiration date set within 72 hours. If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
Fix: F-78146r1120437_fix
Configure Amazon Linux 2023 to expire temporary accounts after 72 hours with the following command: $ sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-002165
- Version
- AZLX-23-002440
- Vuln IDs
-
- V-274151
- Rule IDs
-
- SV-274151r1120441_rule
Checks: C-78242r1120439_chk
Verify Amazon Linux 2023 requires users to be members of the "wheel" group to run the "su" command with the following command: $ grep pam_wheel /etc/pam.d/su auth required pam_wheel.so use_uid If a line for "pam_wheel.so" does not exist, or is commented out, this is a finding.
Fix: F-78147r1120440_fix
Configure Amazon Linux 2023 to require users to be in the "wheel" group to run the "su" command. In the file "/etc/pam.d/su", uncomment the following line: "#auth required pam_wheel.so use_uid" $ sudo sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su If necessary, create a "wheel" group and add administrative users to the group.
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-002696
- Version
- AZLX-23-002445
- Vuln IDs
-
- V-274152
- Rule IDs
-
- SV-274152r1120738_rule
Checks: C-78243r1120442_chk
Verify Amazon Linux 2023 SELINUX is using the targeted policy with the following command: $ sestatus | grep policy Loaded policy name: targeted If the loaded policy name is not "targeted", this is a finding.
Fix: F-78148r1120737_fix
Configure Amazon Linux 2023 to use the targeted SELINUX policy. Edit the file "/etc/selinux/config" and add or modify the following line: SELINUXTYPE=targeted A reboot is required for the changes to take effect.
- RMF Control
- SC-3
- Severity
- H
- CCI
- CCI-001084
- Version
- AZLX-23-002450
- Vuln IDs
-
- V-274153
- Rule IDs
-
- SV-274153r1120713_rule
Checks: C-78244r1120445_chk
Verify Amazon Linux 2023 verifies the correct operation of security functions through the use of SELinux with the following command: $ getenforce Enforcing If SELINUX is not set to "Enforcing", this is a finding.
Fix: F-78149r1120446_fix
Configure Amazon Linux 2023 to verify correct operation of security functions. Edit the file "/etc/selinux/config" and add or modify the following line: SELINUX=enforcing A reboot is required for the changes to take effect.
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- AZLX-23-002455
- Vuln IDs
-
- V-274154
- Rule IDs
-
- SV-274154r1120450_rule
Checks: C-78245r1120448_chk
Verify Amazon Linux 2023 is configured to lock an account after three unsuccessful logon attempts with the command: $ grep 'deny =' /etc/security/faillock.conf deny = 3 If the "deny" option is not set to "3" or less (but not "0"), is missing or commented out, this is a finding.
Fix: F-78150r1120449_fix
Configure Amazon Linux 2023 to lock an account when three unsuccessful logon attempts occur. Add/modify the "/etc/security/faillock.conf" file to match the following line: deny = 3
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- AZLX-23-002460
- Vuln IDs
-
- V-274155
- Rule IDs
-
- SV-274155r1120453_rule
Checks: C-78246r1120451_chk
Verify Amazon Linux 2023 is configured to lock the root account after three unsuccessful logon attempts with the command: $ grep even_deny_root /etc/security/faillock.conf even_deny_root If the "even_deny_root" option is not set, is missing or commented out, this is a finding.
Fix: F-78151r1120452_fix
To configure Amazon Linux 2023 to lock out the "root" account after a number of incorrect login attempts using "pam_faillock.so", first enable the feature with the following command: $ sudo authselect enable-feature with-faillock Then edit the "/etc/security/faillock.conf" file to add or uncomment the following line: even_deny_root
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- AZLX-23-002465
- Vuln IDs
-
- V-274156
- Rule IDs
-
- SV-274156r1120456_rule
Checks: C-78247r1120454_chk
Note: If the system administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable. Verify Amazon Linux 2023 locks an account after three unsuccessful logon attempts within a period of 15 minutes with the following command: $ grep fail_interval /etc/security/faillock.conf fail_interval = 900 If the "fail_interval" option is not set to "900" or less (but not "0"), the line is commented out, or the line is missing, this is a finding.
Fix: F-78152r1120455_fix
Configure Amazon Linux 2023 to automatically lock an account after three unsuccessful logon attempts within 15 minutes. First, ensure that the system is configured with authselect, i.e., using sssd profiles: $ sudo authselect select sssd [--force] Then, enable the faillock feature: $ sudo authselect enable-feature with-faillock Then edit the "/etc/security/faillock.conf" file as follows: fail_interval = 900
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- AZLX-23-002470
- Vuln IDs
-
- V-274157
- Rule IDs
-
- SV-274157r1120459_rule
Checks: C-78248r1120457_chk
Verify Amazon Linux 2023 is configured to lock an account until released by an administrator after three unsuccessful logon attempts with the command: $ grep 'unlock_time =' /etc/security/faillock.conf unlock_time = 0 If the "unlock_time" option is not set to "0", the line is missing, or commented out, this is a finding.
Fix: F-78153r1120458_fix
Configure Amazon Linux 2023 to lock an account until released by an administrator after three unsuccessful logon attempts with the command: $ authselect enable-feature with-faillock Then edit the "/etc/security/faillock.conf" file as follows: unlock_time = 0
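Added example, not DISA's or the STIG's own tooling: a small POSIX shell auditor for the pwquality settings required by AZLX-23-002355 through AZLX-23-002390 and the faillock.conf settings required by AZLX-23-002455 through AZLX-23-002470. It runs against constructed sample files rather than a live /etc/security, and it generalizes the "conflicting results" rule the STIG states for minlen to every key; helper names, thresholds and the sample configs are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not DISA/Amazon tooling: audit the pwquality settings
# (AZLX-23-002355..002390) and faillock.conf settings (AZLX-23-002455..002470).
# Helper names and the sample configs are constructed for this example.

# cfg_values KEY FILE... : print "FILE VALUE" for each active "KEY = VALUE" line;
# "#" comments are dropped and unreadable files (unmatched globs) are skipped.
cfg_values() {
  key=$1; shift
  for f in "$@"; do
    [ -r "$f" ] || continue
    awk -v key="$key" '
      { line = $0; sub(/#.*/, "", line) }
      line ~ ("^[ \t]*" key "[ \t]*=") {
        sub("^[ \t]*" key "[ \t]*=[ \t]*", "", line)
        sub(/[ \t]+$/, "", line)
        if (line != "") print FILENAME, line
      }' "$f"
  done
}

# cfg_flag_set FLAG FILE... : succeed if FLAG is present as an active bare line
# (the form enforce_for_root and even_deny_root take).
cfg_flag_set() {
  flag=$1; shift
  for f in "$@"; do
    [ -r "$f" ] && grep -Eq "^[[:space:]]*${flag}[[:space:]]*(#.*)?$" "$f" && return 0
  done
  return 1
}

# cfg_audit SPECS FLAGS FILE... : SPECS lists key:op:threshold (op le/ge/eq, or
# bt:lo-hi for an inclusive range), FLAGS lists required bare options. Prints one
# FINDING per violation, returns 1 if any. Conflicting values across files are a
# finding for every key (the STIG states this for minlen; applied to all here).
cfg_audit() {
  specs=$1; flags=$2; shift 2
  findings=0
  for spec in $specs; do
    key=${spec%%:*}; rest=${spec#*:}; op=${rest%%:*}; want=${rest#*:}
    vals=$(cfg_values "$key" "$@")
    if [ -z "$vals" ]; then
      echo "FINDING $key: not set or commented out"; findings=$((findings + 1)); continue
    fi
    distinct=$(printf '%s\n' "$vals" | awk '{ print $NF }' | sort -u)
    if [ "$(printf '%s\n' "$distinct" | awk 'END { print NR }')" -gt 1 ]; then
      echo "FINDING $key: conflicting values:" $distinct; findings=$((findings + 1)); continue
    fi
    ok=n
    case $op in
      le) if [ "$distinct" -le "$want" ] 2>/dev/null; then ok=y; fi ;;
      ge) if [ "$distinct" -ge "$want" ] 2>/dev/null; then ok=y; fi ;;
      eq) if [ "$distinct" -eq "$want" ] 2>/dev/null; then ok=y; fi ;;
      bt) lo=${want%-*}; hi=${want#*-}
          if [ "$distinct" -ge "$lo" ] 2>/dev/null && [ "$distinct" -le "$hi" ] 2>/dev/null; then ok=y; fi ;;
    esac
    if [ "$ok" = n ]; then
      echo "FINDING $key = $distinct (required: $op $want)"; findings=$((findings + 1))
    fi
  done
  for flag in $flags; do
    if ! cfg_flag_set "$flag" "$@"; then
      echo "FINDING $flag: missing or commented out"; findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# pwq_audit DIR : DIR stands in for /etc/security (a constructed tree keeps this
# offline; on a live host pass /etc/security).
pwq_audit() {
  cfg_audit "ucredit:le:-1 lcredit:le:-1 dcredit:le:-1 ocredit:le:-1 minlen:ge:15 difok:ge:8 dictcheck:eq:1" \
    "enforce_for_root" "$1/pwquality.conf" "$1"/pwquality.conf.d/*.conf
}

# faillock_audit FILE : FILE stands in for /etc/security/faillock.conf; deny and
# fail_interval must be at most 3 and 900 "but not 0", unlock_time exactly 0.
faillock_audit() {
  cfg_audit "deny:bt:1-3 fail_interval:bt:1-900 unlock_time:eq:0" "even_deny_root" "$1"
}

# write_samples DIR : constructed sample trees, DIR/good (compliant) and DIR/bad.
write_samples() {
  mkdir -p "$1/good/pwquality.conf.d" "$1/bad/pwquality.conf.d"
  printf 'minlen = 15\ndifok = 8\nucredit = -1\nlcredit = -1\ndcredit = -1\nocredit = -1\ndictcheck=1\nenforce_for_root\n' > "$1/good/pwquality.conf"
  printf 'deny = 3\nfail_interval = 900\nunlock_time = 0\neven_deny_root\n' > "$1/good/faillock.conf"
  # bad: short minlen, ucredit commented out, positive lcredit, root exempt, and a
  # drop-in that conflicts with the main file on dcredit
  printf 'minlen = 8\ndifok = 8\n# ucredit = -1\nlcredit = 1\ndcredit = -1\nocredit = -1 # ok\ndictcheck=1\n# enforce_for_root\n' > "$1/bad/pwquality.conf"
  printf 'dcredit = -2\n' > "$1/bad/pwquality.conf.d/99-local.conf"
  # bad faillock: deny = 0 disables lockout, unlock_time is not 0, no even_deny_root
  printf 'deny = 0\nfail_interval = 900\nunlock_time = 600\n' > "$1/bad/faillock.conf"
}

tmp=$(mktemp -d); write_samples "$tmp"
for sample in good bad; do
  echo "== $sample =="; pwq_audit "$tmp/$sample" && echo "pwquality: no findings"
  faillock_audit "$tmp/$sample/faillock.conf" && echo "faillock: no findings"
done; rm -rf "$tmp"
```

On a live host the same functions run as `pwq_audit /etc/security` and `faillock_audit /etc/security/faillock.conf`; the constructed "bad" tree yields five pwquality findings and three faillock findings.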
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- AZLX-23-002475
- Vuln IDs
-
- V-274158
- Rule IDs
-
- SV-274158r1120727_rule
Checks: C-78249r1120726_chk
Verify Amazon Linux 2023 firewall is configured to block unregistered ports, protocols, and services. Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command: $ sudo firewall-cmd --list-all Ask the system administrator for the site or program PPSM Component Local Service Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM CAL, or there are no firewall rules configured, this is a finding.
Fix: F-78154r1120461_fix
Configure Amazon Linux 2023 to prohibit or restrict functions, ports, protocols, and services. Use firewall-cmd to manage firewalld. For example, to block a specific port (8080), use: sudo firewall-cmd --permanent --remove-port=8080/tcp
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- AZLX-23-002480
- Vuln IDs
-
- V-274159
- Rule IDs
-
- SV-274159r1120465_rule
Checks: C-78250r1120463_chk
Verify Amazon Linux 2023 interactive users have a valid GID with the following command: $ sudo pwck -qr If the system has any interactive users with duplicate GIDs, this is a finding.
Fix: F-78155r1120464_fix
Configure Amazon Linux 2023 so that all GIDs referenced in "/etc/passwd" are defined in "/etc/group". Edit the file "/etc/passwd" and ensure that every user's GID is a valid GID.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- AZLX-23-002485
- Vuln IDs
-
- V-274160
- Rule IDs
-
- SV-274160r1120663_rule
Checks: C-78251r1120466_chk
Verify Amazon Linux 2023 contains no duplicate UIDs for interactive users with the following command: $ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced and the accounts listed are interactive user accounts, this is a finding.
Fix: F-78156r1120467_fix
Configure Amazon Linux 2023 to contain no duplicate UIDs for interactive users. Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- AZLX-23-002489
- Vuln IDs
-
- V-274161
- Rule IDs
-
- SV-274161r1120471_rule
Checks: C-78252r1120469_chk
Verify Amazon Linux 2023 uses "pwquality" to enforce the password complexity rules in the password-auth file with the following command: $ grep pam_pwquality /etc/pam.d/password-auth password required pam_pwquality.so If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding. If the system administrator can demonstrate that the required configuration is contained in a PAM configuration file included or substacked from the system-auth file, this is not a finding.
Fix: F-78157r1120470_fix
Configure Amazon Linux 2023 to use "pwquality" to enforce password complexity rules. Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): password required pam_pwquality.so
- RMF Control
- Severity
- M
- CCI
- CCI-004062
- Version
- AZLX-23-002490
- Vuln IDs
- V-274162
- Rule IDs
- SV-274162r1120474_rule
Checks: C-78253r1120472_chk
Verify Amazon Linux 2023 has the required number of rounds for the password hashing algorithm configured in password-auth with the following command:
$ sudo grep rounds /etc/pam.d/password-auth
password sufficient pam_unix.so sha512 rounds=100000
If a matching line is not returned or "rounds" is less than "100000", this is a finding.
Fix: F-78158r1120473_fix
Configure Amazon Linux 2023 to use 100000 hashing rounds for hashing passwords. Add or modify the following line in "/etc/pam.d/password-auth" and set "rounds" to "100000".
password sufficient pam_unix.so sha512 rounds=100000
- RMF Control
- Severity
- M
- CCI
- CCI-004062
- Version
- AZLX-23-002495
- Vuln IDs
- V-274163
- Rule IDs
- SV-274163r1120477_rule
Checks: C-78254r1120475_chk
Verify Amazon Linux 2023 has the required number of rounds for the password hashing algorithm configured in system-auth with the following command:
$ sudo grep rounds /etc/pam.d/system-auth
password sufficient pam_unix.so sha512 rounds=100000
If a matching line is not returned or "rounds" is less than "100000", this is a finding.
Fix: F-78159r1120476_fix
Configure Amazon Linux 2023 to use 100000 hashing rounds for hashing passwords. Add or modify the following line in "/etc/pam.d/system-auth" and set "rounds" to "100000".
password sufficient pam_unix.so sha512 rounds=100000
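The three password-stack rules above (pam_pwquality present in password-auth, rounds of at least 100000 in password-auth and in system-auth) all reduce to reading the active "password" lines of a PAM file and checking a module and a numeric argument. The script below is an added example, not from the STIG; the two sample PAM files are constructed, the function names are mine, and it assumes the plain control keywords (required, sufficient) rather than the bracketed "[success=...]" form, in which the module name is not the third field.

```shell
#!/bin/sh
# Added example: evaluate a PAM password stack file for pam_pwquality and the
# pam_unix.so rounds threshold. Sample files below are constructed.

SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/password-auth.good" <<'EOF'
password    required     pam_pwquality.so local_users_only
password    sufficient   pam_unix.so sha512 shadow nullok use_authtok rounds=100000
password    required     pam_deny.so
EOF

cat > "$SAMPLE_DIR/password-auth.bad" <<'EOF'
#password   required     pam_pwquality.so
password    sufficient   pam_unix.so sha512 shadow nullok use_authtok rounds=5000
password    required     pam_deny.so
EOF

# Active (non-comment) lines of the "password" stack only. Comments are stripped
# first so a commented-out module line never counts as present.
password_lines() {
    sed -e 's/#.*$//' "$1" | awk '$1 == "password"'
}

# Exit 0 if an active password line loads pam_pwquality.so.
pwquality_enforced() {
    password_lines "$1" | awk '$3 == "pam_pwquality.so" { found = 1 } END { exit !found }'
}

# Print the rounds= value from the active pam_unix.so password line, or nothing
# if it is unset (the STIG treats a missing value as a finding).
pam_unix_rounds() {
    password_lines "$1" | awk '$3 == "pam_unix.so" {
        for (i = 4; i <= NF; i++) if ($i ~ /^rounds=/) { sub(/^rounds=/, "", $i); print $i }
    }'
}

# Exit 0 if rounds is present and numerically >= the minimum ($2, default 100000),
# so a larger value such as 200000 passes, unlike a literal string match.
rounds_sufficient() {
    r="$(pam_unix_rounds "$1")"
    [ -n "$r" ] && [ "$r" -ge "${2:-100000}" ]
}

# Combined verdict for one file: both requirements must hold.
pam_file_ok() {
    pwquality_enforced "$1" && rounds_sufficient "$1"
}

pam_file_ok "$SAMPLE_DIR/password-auth.good" && echo "password-auth.good: compliant"
pam_file_ok "$SAMPLE_DIR/password-auth.bad" || echo "password-auth.bad: finding"
```

Run the same functions against /etc/pam.d/password-auth and /etc/pam.d/system-auth to cover both rules; the "bad" sample shows the two ways the grep-based check can be satisfied by eye but still fail (a commented-out pwquality line, and a rounds value that is present but too small).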
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- AZLX-23-002500
- Vuln IDs
- V-274164
- Rule IDs
- SV-274164r1137695_rule
Checks: C-78255r1120478_chk
Verify Amazon Linux 2023 world-writable directories have the sticky bit set. Determine if all world-writable directories have the sticky bit set by running the following command:
$ sudo find / -type d -perm -0002 ! -perm -1000 -exec ls -ld {} +
If any output is returned, these directories are world-writable and do not have the sticky bit set, and this is a finding.
Fix: F-78160r1120479_fix
Configure Amazon Linux 2023 world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. Set the sticky bit on all world-writable directories using the following command:
$ sudo find / -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- AZLX-23-002505
- Vuln IDs
- V-274165
- Rule IDs
- SV-274165r1137695_rule
Checks: C-78256r1120481_chk
Verify Amazon Linux 2023 world-writable directories are owned by root, a system account, or an application account with the following command:
$ sudo find / -xdev -type d -perm -0002 ! -user root ! -uid +999 -exec ls -ld {} +
If there is output, this is a finding.
Fix: F-78161r1120482_fix
Configure Amazon Linux 2023 public directories to be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. Set the owner of all public directories as root or a system account using the following command:
$ sudo find / -xdev -type d -perm -0002 ! -user root ! -uid +999 -exec chown root:root {} +
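Before running the sticky-bit check and fix above against "/", it helps to see the predicate work on a small directory tree. The script below is an added example, not part of the STIG: it builds a constructed tree under a temporary directory, applies the same find predicate rooted there, and remediates only what the check flagged. Function names are mine.

```shell
#!/bin/sh
# Added example: exercise the world-writable/sticky-bit check and fix on a
# constructed tree so the before/after effect is visible and testable.

ROOT="$(mktemp -d)"
mkdir -p "$ROOT/shared" "$ROOT/tmp" "$ROOT/private"
chmod 0777 "$ROOT/shared"    # world-writable, no sticky bit: a finding
chmod 1777 "$ROOT/tmp"       # world-writable with sticky bit: compliant
chmod 0755 "$ROOT/private"   # not world-writable: out of scope

# List world-writable directories under $1 that lack the sticky bit. This is
# the STIG's predicate (-perm -0002 ! -perm -1000) rooted at an arbitrary path.
find_unsticky_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Remediate: set the sticky bit only on the directories the check flags, so
# directories that are not world-writable are never touched.
fix_unsticky_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +
}

# Number of findings under $1, as a value a test or dashboard can consume.
count_findings() {
    find_unsticky_world_writable "$1" | wc -l | tr -d ' '
}

echo "before: $(count_findings "$ROOT") finding(s)"
find_unsticky_world_writable "$ROOT"
fix_unsticky_world_writable "$ROOT"
echo "after:  $(count_findings "$ROOT") finding(s)"
```

On the constructed tree only "shared" is reported, and after the fix the count drops to zero while "private" keeps mode 0755. Running the fix on "/" uses exactly the same predicate, so what is listed by the check is what will be changed.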
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- AZLX-23-002510
- Vuln IDs
- V-274166
- Rule IDs
- SV-274166r1155170_rule
Checks: C-78257r1155168_chk
Verify Amazon Linux 2023 logs out sessions that are idle for 10 minutes with the following command:
$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf
StopIdleSessionSec=600
If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding.
Fix: F-78162r1155169_fix
Configure Amazon Linux 2023 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line:
StopIdleSessionSec=600
The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command:
$ sudo systemctl restart systemd-logind
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- AZLX-23-002515
- Vuln IDs
- V-274167
- Rule IDs
- SV-274167r1120489_rule
Checks: C-78258r1120487_chk
Verify Amazon Linux 2023 is configured so that GRUB 2 enables auditing of processes that start prior to the audit daemon with the following commands:
Check that the current GRUB 2 configuration enables auditing:
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
If any output is returned, this is a finding.
Check that auditing is enabled by default to persist in kernel updates:
$ grep audit /etc/default/grub
GRUB_CMDLINE_LINUX="audit=1"
If "audit" is not set to "1", is missing, or is commented out, this is a finding.
Fix: F-78163r1120488_fix
Configure Amazon Linux 2023 so that GRUB 2 enables auditing of processes that start prior to the audit daemon with the following command:
$ sudo grubby --update-kernel=ALL --args="audit=1"
Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates:
GRUB_CMDLINE_LINUX="audit=1"
- RMF Control
- AU-14
- Severity
- M
- CCI
- CCI-001464
- Version
- AZLX-23-002520
- Vuln IDs
- V-274168
- Rule IDs
- SV-274168r1120492_rule
Checks: C-78259r1120490_chk
Verify Amazon Linux 2023 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
If the command returns any output, and audit_backlog_limit is less than "8192", this is a finding.
Fix: F-78164r1120491_fix
Configure Amazon Linux 2023 to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command:
$ sudo grubby --update-kernel=ALL --args=audit_backlog_limit=8192
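The two GRUB checks above both inspect the "args=" lines that "grubby --info=ALL" prints. The grep-based backlog check lists every kernel whose line does not contain the literal "audit_backlog_limit=8192", so a kernel configured with 16384 shows up and has to be judged by hand, which is why the check text adds "and audit_backlog_limit is less than 8192". The script below is an added example, not from the STIG, that parses such lines and compares the value numerically; the sample lines are constructed in the shape grubby prints them, and the function names are mine.

```shell
#!/bin/sh
# Added example: evaluate kernel command lines (as printed by
# "grubby --info=ALL | grep args") for audit=1 and a numeric
# audit_backlog_limit threshold. Sample lines are constructed.

SAMPLE='args="ro console=ttyS0 audit=1 audit_backlog_limit=8192"
args="ro console=ttyS0 audit=1 audit_backlog_limit=16384"
args="ro console=ttyS0 audit_backlog_limit=8192"
args="ro console=ttyS0 audit=1 audit_backlog_limit=4096"'

# Print the value of parameter $2 on one kernel command line ($1), or nothing
# if the parameter is absent. "^audit=" does not match "audit_backlog_limit=".
kernel_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Exit 0 if the command line has audit=1 and audit_backlog_limit >= $2
# (default 8192). A larger backlog satisfies the intent and passes here,
# whereas the literal grep flags it for manual review.
kernel_args_ok() {
    a="$(kernel_param "$1" audit)"
    b="$(kernel_param "$1" audit_backlog_limit)"
    [ "$a" = "1" ] && [ -n "$b" ] && [ "$b" -ge "${2:-8192}" ]
}

# Strip the args="..." wrapper from grubby output ($1) and count the kernel
# entries that fail either requirement.
count_failing_kernel_lines() {
    printf '%s\n' "$1" | sed -n 's/^args="\(.*\)"$/\1/p' | while IFS= read -r line; do
        kernel_args_ok "$line" || printf '%s\n' "$line"
    done | wc -l | tr -d ' '
}

# Print each failing entry so the operator sees which kernel needs
# "grubby --update-kernel=... --args=...".
printf '%s\n' "$SAMPLE" | sed -n 's/^args="\(.*\)"$/\1/p' | while IFS= read -r line; do
    kernel_args_ok "$line" && echo "PASS: $line" || echo "FAIL: $line"
done
echo "failing kernel entries: $(count_failing_kernel_lines "$SAMPLE")"
```

Of the four constructed entries, the third lacks audit=1 and the fourth has a backlog of 4096, so two fail; the 16384 entry passes. On a live system replace the SAMPLE text with the output of "sudo grubby --info=ALL | grep args".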
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-002165
- Version
- AZLX-23-002535
- Vuln IDs
- V-274169
- Rule IDs
- SV-274169r1120495_rule
Checks: C-78260r1120493_chk
Verify Amazon Linux 2023 is configured to enable DAC on hardlinks. Check the status of the fs.protected_hardlinks kernel parameter with the following command:
$ sudo sysctl fs.protected_hardlinks
fs.protected_hardlinks = 1
If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding.
Fix: F-78165r1120494_fix
Configure Amazon Linux 2023 to enable DAC on hardlinks with the following: Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
fs.protected_hardlinks = 1
Load settings from all system configuration files with the following command:
$ sudo sysctl --system
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-002165
- Version
- AZLX-23-002540
- Vuln IDs
- V-274170
- Rule IDs
- SV-274170r1120498_rule
Checks: C-78261r1120496_chk
Verify Amazon Linux 2023 is configured to enable DAC on symlinks. Check the status of the fs.protected_symlinks kernel parameter with the following command:
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 1
If "fs.protected_symlinks" is not set to "1" or is missing, this is a finding.
Fix: F-78166r1120497_fix
Configure Amazon Linux 2023 to enable DAC on symlinks with the following: Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
fs.protected_symlinks = 1
Load settings from all system configuration files with the following command:
$ sudo sysctl --system
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- AZLX-23-002555
- Vuln IDs
- V-274173
- Rule IDs
- SV-274173r1120507_rule
Checks: C-78264r1120505_chk
Verify Amazon Linux 2023 is configured to mask the debug-shell systemd service with the following command:
$ sudo systemctl status debug-shell.service
○ debug-shell.service
Loaded: masked (Reason: Unit debug-shell.service is masked.)
Active: inactive (dead)
If the "debug-shell.service" is loaded and not masked, this is a finding.
Fix: F-78169r1120506_fix
Configure Amazon Linux 2023 to mask the debug-shell systemd service with the following command:
$ sudo systemctl disable --now debug-shell.service
$ sudo systemctl mask --now debug-shell.service
- RMF Control
- Severity
- M
- CCI
- CCI-004923
- Version
- AZLX-23-002560
- Vuln IDs
- V-274174
- Rule IDs
- SV-274174r1120510_rule
Checks: C-78265r1120508_chk
Verify Amazon Linux 2023 chrony service specifies a maximum interval of 24 hours between requests sent to a USNO server with the following command:
Note: <USNO/DOD Server> is used in place of a time source IP address.
$ sudo grep maxpoll /etc/chrony.conf
server <USNO/DOD Server> iburst maxpoll 16
If the "maxpoll" option is not configured, is commented out, or is set to a number greater than 16, this is a finding.
Verify Amazon Linux 2023 chrony service is configured to use an authoritative USNO or appropriate DOD time source with the following command:
$ sudo grep -i server /etc/chrony.conf
server <USNO/DOD Server>
If the parameter "server" is not set, or is not set to an authoritative USNO/DOD time source, this is a finding.
Fix: F-78170r1120509_fix
Configure Amazon Linux 2023 to compare internal information system clocks at least every 24 hours with an NTP server. Ensure the following line is added or updated in /etc/chrony.conf:
server DOD.ntp.server iburst maxpoll 16
- RMF Control
- Severity
- M
- CCI
- CCI-004926
- Version
- AZLX-23-002565
- Vuln IDs
- V-274175
- Rule IDs
- SV-274175r1120659_rule
Checks: C-78266r1120658_chk
Verify Amazon Linux 2023 is securely comparing internal information system clocks at least every 24 hours with an NTP server with the following commands:
$ sudo grep maxpoll /etc/chrony.conf
server 0.us.pool.ntp.mil iburst maxpoll 16
If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding.
Verify the "chrony.conf" file is configured to an authoritative DOD time source by running the following command:
$ sudo grep -i server /etc/chrony.conf
server 0.us.pool.ntp.mil
If the parameter "server" is not set, or is not set to an authoritative DOD time source, this is a finding.
Fix: F-78171r1120512_fix
Configure Amazon Linux 2023 chrony service to securely compare internal information system clocks at least every 24 hours with an NTP server by adding/modifying the following line in the /etc/chrony.conf file.
server [ntp.server.name] iburst maxpoll 16
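Both chrony rules above come down to the same parse: find the active "server" (or "pool") directives in chrony.conf and confirm each carries a maxpoll no greater than 16 (2^16 seconds is about 18 hours, which is what keeps the interval under 24 hours). The "grep maxpoll" check shows lines that have the option but cannot show a server line that lacks it, and "grep -i server" also matches comments. The script below is an added example, not from the STIG; the configuration is constructed and the host names in it are placeholders, not real USNO or DOD sources, and the function names are mine.

```shell
#!/bin/sh
# Added example: parse chrony.conf for active server/pool directives and flag
# any whose maxpoll is missing or greater than the allowed maximum.
# The configuration and host names below are constructed placeholders.

CHRONY_CONF="$(mktemp)"
cat > "$CHRONY_CONF" <<'EOF'
# server directives: one compliant, one with no maxpoll, one too large
server time-source-a.example iburst maxpoll 16
server time-source-b.example iburst
pool   time-source-c.example iburst maxpoll 17
#server commented-out.example iburst maxpoll 16
driftfile /var/lib/chrony/drift
EOF

# Print "name maxpoll" for each active server/pool line, "-" when maxpoll is
# unset. Comments are stripped first so commented-out servers do not count.
time_sources() {
    sed -e 's/#.*//' "$1" | awk '$1 == "server" || $1 == "pool" {
        mp = "-"
        for (i = 3; i <= NF; i++) if ($i == "maxpoll") mp = $(i + 1)
        print $2, mp
    }'
}

# Print only the sources that violate the rule: maxpoll unset or > $2 (default 16).
noncompliant_sources() {
    time_sources "$1" | awk -v max="${2:-16}" '$2 == "-" || $2 + 0 > max'
}

# Exit 0 when at least one time source is configured and none is non-compliant.
# (Whether the configured source is an authoritative DOD source is a policy
# question the script cannot decide; it only reports what is configured.)
chrony_maxpoll_ok() {
    [ -n "$(time_sources "$1")" ] && [ -z "$(noncompliant_sources "$1")" ]
}

echo "configured time sources (name maxpoll):"
time_sources "$CHRONY_CONF"
chrony_maxpoll_ok "$CHRONY_CONF" && echo "compliant" || {
    echo "finding, non-compliant sources:"
    noncompliant_sources "$CHRONY_CONF"
}
```

With the constructed file, the second source (no maxpoll) and the third (maxpoll 17) are reported while the commented-out line is ignored; point the functions at /etc/chrony.conf for the real check.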
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- AZLX-23-002570
- Vuln IDs
- V-274176
- Rule IDs
- SV-274176r1120655_rule
Checks: C-78267r1120514_chk
Verify Amazon Linux 2023 routinely executes a file integrity scan for changes to the system baseline. The command used in the example will use a daily occurrence.
Check the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if AIDE is installed on the system, use the following commands:
$ sudo ls -al /etc/cron.* | grep aide
-rwxr-xr-x 1 root root 29 Nov 22 2015 aide
$ grep aide /etc/crontab /var/spool/cron/root
/etc/crontab: 30 04 * * * root usr/sbin/aide
/var/spool/cron/root: 30 04 * * * root usr/sbin/aide
$ sudo more /etc/cron.daily/aide
#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.
Fix: F-78172r1120654_fix
Configure Amazon Linux 2023 so that the file integrity tool runs automatically on the system at least weekly and notifies designated personnel if baseline configurations are changed in an unauthorized manner.
The AIDE tool can be configured to email designated personnel with the use of the cron system. The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis.
$ sudo more /etc/cron.daily/aide
#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
- RMF Control
- Severity
- M
- CCI
- CCI-003992
- Version
- AZLX-23-002575
- Vuln IDs
- V-274177
- Rule IDs
- SV-274177r1120519_rule
Checks: C-78268r1120517_chk
Verify Amazon Linux 2023 is configured to disable kernel image loading. Check the status of the kernel.kexec_load_disabled kernel parameter with the following command:
$ sudo sysctl kernel.kexec_load_disabled
kernel.kexec_load_disabled = 1
If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding.
Fix: F-78173r1120518_fix
Configure Amazon Linux 2023 to disable kernel image loading. Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
kernel.kexec_load_disabled = 1
Load settings from all system configuration files with the following command:
$ sudo sysctl --system
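The three sysctl rules on this page (fs.protected_hardlinks, fs.protected_symlinks and kernel.kexec_load_disabled above) share one failure mode that "sysctl <key>" reports but does not explain: "sysctl --system" reads the drop-in files in lexical order and the last assignment wins, so a hardening file that sets a key to 1 is silently overridden by a later file that sets it to 0. The script below is an added example, not the STIG's or Amazon's code: it computes the effective value across a single constructed directory of *.conf files (the real loader also merges /run/sysctl.d and /usr/lib/sysctl.d with name-based precedence, which is left out here) and reports every required key that does not resolve to 1. Directory, file and function names are constructed.

```shell
#!/bin/sh
# Added example: resolve the effective value of required sysctl keys across a
# sysctl.d-style directory (last assignment in lexical file order wins) and
# report findings. The directory and its files are constructed.

SYSCTL_D="$(mktemp -d)"
cat > "$SYSCTL_D/50-hardening.conf" <<'EOF'
# hardening baseline
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kexec_load_disabled = 1
EOF
cat > "$SYSCTL_D/99-local.conf" <<'EOF'
fs.protected_symlinks=0
EOF

# Effective value of key $2 across "$1"/*.conf: the shell glob expands in
# lexical order, comments and whitespace are stripped, and the last
# assignment seen for the key is printed (nothing if the key is never set).
effective_sysctl() {
    cat "$1"/*.conf | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
        | awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }'
}

# Report every required key whose effective value is not 1; exit 1 if any.
check_required_sysctls() {
    rc=0
    for key in fs.protected_hardlinks fs.protected_symlinks kernel.kexec_load_disabled; do
        v="$(effective_sysctl "$1" "$key")"
        if [ "$v" != "1" ]; then
            printf 'FINDING: %s resolves to "%s" (expected 1)\n' "$key" "$v"
            rc=1
        fi
    done
    return $rc
}

check_required_sysctls "$SYSCTL_D" || echo "one or more sysctl findings in $SYSCTL_D"
```

On the constructed directory, fs.protected_symlinks resolves to 0 because 99-local.conf is read after 50-hardening.conf; the fix is to correct or remove the later assignment, and the same function confirms the result before "sysctl --system" is run.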
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- AZLX-23-002580
- Vuln IDs
- V-274178
- Rule IDs
- SV-274178r1120522_rule
Checks: C-78269r1120520_chk
Verify Amazon Linux 2023 is configured so that the /boot/efi directory is mounted with the "nosuid" option with the following command:
$ mount | grep '\s/boot/efi\s'
/dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)
If the /boot/efi file system does not have the "nosuid" option set, this is a finding.
Fix: F-78174r1120521_fix
Configure Amazon Linux 2023 so that the /boot/efi directory is mounted with the "nosuid" option. Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- AZLX-23-002585
- Vuln IDs
- V-274179
- Rule IDs
- SV-274179r1120525_rule
Checks: C-78270r1120523_chk
Verify Amazon Linux 2023 is configured so that "/dev/shm" is mounted with the "nodev" option with the following command:
$ mount | grep /dev/shm
tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
If the /dev/shm file system is mounted without the "nodev" option, this is a finding.
Fix: F-78175r1120524_fix
Configure Amazon Linux 2023 so that "/dev/shm" is mounted with the "nodev" option. Modify "/etc/fstab" to use the "nodev" option on the "/dev/shm" file system.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- AZLX-23-002590
- Vuln IDs
- V-274180
- Rule IDs
- SV-274180r1120528_rule
Checks: C-78271r1120526_chk
Verify Amazon Linux 2023 is configured so that "/dev/shm" is mounted with the "nosuid" option with the following command:
$ mount | grep /dev/shm
tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
If the /dev/shm file system is mounted without the "noexec" option, this is a finding.
Fix: F-78176r1120527_fix
Configure Amazon Linux 2023 so that "/dev/shm" is mounted with the "nosuid" option. Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system.
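The three mount-option rules above (/boot/efi with nosuid, /dev/shm with nodev and with nosuid) are all answered by the same "mount" output, and "grep" on that output only tells a reviewer that the option string appears somewhere on the line. The script below is an added example, not from the STIG: it parses lines in the format "mount" prints, splits the parenthesised option list, and reports exactly which required options a mount point lacks. The sample lines are constructed (device names and option lists are illustrative) and the function names are mine.

```shell
#!/bin/sh
# Added example: check mount points for required options by parsing lines in
# the "<dev> on <mountpoint> type <fstype> (<opts>)" format that mount prints.
# The sample output is constructed.

MOUNT_OUTPUT='/dev/nvme0n1p1 on / type xfs (rw,noatime,seclabel)
/dev/nvme0n1p128 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)
tmpfs on /dev/shm type tmpfs (rw,nosuid,noexec,seclabel)'

# Print the comma-separated option list for mount point $2 in mount output $1
# (nothing if the mount point is not present). Field 3 is the mount point and
# field 6 the parenthesised options.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$3 == mp { gsub(/[()]/, "", $6); print $6 }'
}

# Print each required option (remaining arguments) that mount point $2 lacks.
# The list is wrapped in commas so "nosuid" cannot match inside another option.
missing_mount_options() {
    out="$1"; mp="$2"; shift 2
    opts=",$(mount_options "$out" "$mp"),"
    for want in "$@"; do
        case "$opts" in *",$want,"*) ;; *) printf '%s\n' "$want" ;; esac
    done
}

# Exit 0 if the mount point exists and none of the required options is missing.
mount_has_options() {
    [ -n "$(mount_options "$1" "$2")" ] && [ -z "$(missing_mount_options "$@")" ]
}

# Human-readable report for one mount point and its required options.
report_mount() {
    out="$1"; mp="$2"; shift 2
    missing="$(missing_mount_options "$out" "$mp" "$@")"
    if [ -z "$missing" ]; then
        echo "$mp: ok"
    else
        echo "$mp: missing $(printf '%s ' $missing)"
    fi
}

report_mount "$MOUNT_OUTPUT" /boot/efi nosuid
report_mount "$MOUNT_OUTPUT" /dev/shm nodev nosuid noexec
```

Against the constructed output, /boot/efi is reported as missing nosuid and /dev/shm as missing nodev; on a live host feed it the output of "mount" and, after editing /etc/fstab, re-run it after a remount to confirm the options took effect.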
- RMF Control
- Severity
- M
- CCI
- CCI-004046
- Version
- AZLX-23-002595
- Vuln IDs
- V-274181
- Rule IDs
- SV-274181r1120531_rule
Checks: C-78272r1120529_chk
Verify Amazon Linux 2023 is configured so that the "pcscd" service is active with the following command:
$ systemctl is-active pcscd
active
If the pcscd service is not active, this is a finding.
Fix: F-78177r1120530_fix
Configure Amazon Linux 2023 so that the "pcscd" service is active with the following command:
$ sudo systemctl enable --now pcscd
- RMF Control
- IA-3
- Severity
- M
- CCI
- CCI-001958
- Version
- AZLX-23-002600
- Vuln IDs
- V-274182
- Rule IDs
- SV-274182r1120729_rule
Checks: C-78273r1120728_chk
Verify Amazon Linux 2023 disables the file system automount function with the following command:
$ sudo systemctl is-enabled autofs
masked
If the returned value is not "masked", "disabled", "Failed to get unit file state for autofs.service for autofs", or "enabled", and is not documented as an operational requirement with the information system security officer (ISSO), this is a finding.
Fix: F-78178r1120533_fix
Configure Amazon Linux 2023 to disable the ability to automount devices. The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-002385
- Version
- AZLX-23-002605
- Vuln IDs
- V-274183
- Rule IDs
- SV-274183r1120714_rule
Checks: C-78274r1120535_chk
Verify Amazon Linux 2023 is implementing rate-limiting measures on network interfaces to protect against DoS attacks.
Access the AWS Management Console: Sign in to the AWS Management Console and navigate to the EC2 service. To locate the Application Load Balancer (ALB) in the EC2 dashboard, go to the "Load Balancers" section and find the ALB.
Check the ALB configuration: Click on the ALB to view its details. The listener configuration for the ALB is located in the "Listener" tab.
Look for the rate limiting settings: Scroll down to the "Rules" section. If rate limiting is enabled, a rule with the "Rate Limit" action will be displayed.
Fix: F-78179r1120536_fix
Configure Amazon Linux 2023 to use the AWS ALB rate limiting feature using its built-in rate limiting capabilities. This allows the user to set rate limits at the ALB level, which will apply to all traffic passing through the load balancer.
- RMF Control
- SI-16
- Severity
- M
- CCI
- CCI-002824
- Version
- AZLX-23-002610
- Vuln IDs
- V-274184
- Rule IDs
- SV-274184r1120540_rule
Checks: C-78275r1120538_chk
Verify Amazon Linux 2023 NX support is enabled with the following command:
$ sudo dmesg | grep '[NX|DX]*protection'
[ 0.000000] NX (Execute Disable) protection: active
If "dmesg" does not show "NX (Execute Disable) protection" active, this is a finding.
Fix: F-78180r1120539_fix
Configure Amazon Linux 2023 NX support to be enabled by opening a support case via the AWS Console to investigate why NX support is not detected.
- RMF Control
- SI-2
- Severity
- M
- CCI
- CCI-002617
- Version
- AZLX-23-002615
- Vuln IDs
- V-274185
- Rule IDs
- SV-274185r1120543_rule
Checks: C-78276r1120541_chk
Verify Amazon Linux 2023 removes all software components after updated versions have been installed with the following command:
$ grep clean /etc/dnf/dnf.conf
clean_requirements_on_remove=1
If "clean_requirements_on_remove" is not set to "1", "True", or "yes", this is a finding.
Fix: F-78181r1120542_fix
Configure Amazon Linux 2023 to remove all software components after updated versions have been installed. Set the "clean_requirements_on_remove" option to "1" in the "/etc/dnf/dnf.conf" file:
clean_requirements_on_remove=1
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- AZLX-23-002620
- Vuln IDs
- V-274186
- Rule IDs
- SV-274186r1120546_rule
Checks: C-78277r1120544_chk
Verify Amazon Linux 2023 is configured so that the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file:
$ grep pam_faillock.so /etc/pam.d/system-auth
auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
If the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.
Fix: F-78182r1120545_fix
Configure Amazon Linux 2023 to include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. Add/modify the appropriate sections of the "/etc/pam.d/system-auth" file to match the following lines:
Note: The "preauth" line must be listed before pam_unix.so.
auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
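The ordering requirement above is the part of this rule that "grep pam_faillock.so" cannot verify: the grep output shows the three lines but not where pam_unix.so sits relative to the preauth line, and a preauth line placed after pam_unix.so never runs for the lockout decision. The script below is an added example, not from the STIG: it locates each required line by stack type, module and argument, then compares line numbers. The two sample files are constructed, the function names are mine, and like the page's own example it assumes the plain control keywords (required, sufficient) rather than the bracketed form.

```shell
#!/bin/sh
# Added example: verify that pam_faillock.so preauth precedes pam_unix.so in
# the auth stack and that the authfail and account lines exist. Sample PAM
# files are constructed.

D="$(mktemp -d)"
cat > "$D/system-auth.good" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_faillock.so authfail
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
cat > "$D/system-auth.bad" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_faillock.so preauth silent
auth        required      pam_faillock.so authfail
account     required      pam_unix.so
EOF

# Print the file line number of the first active line whose stack type is $2,
# module $3 and (if $4 is given) that carries argument $4; nothing if absent.
# Comments are stripped before matching so commented-out lines do not count.
active_line_no() {
    sed -e 's/#.*//' "$1" | awk -v t="$2" -v m="$3" -v a="$4" '
        NF && $1 == t && $3 == m {
            ok = (a == "")
            for (i = 4; i <= NF; i++) if ($i == a) ok = 1
            if (ok) { print NR; exit }
        }'
}

# Exit 0 only if all three faillock lines are present and preauth comes
# before pam_unix.so in the auth stack.
faillock_stack_ok() {
    pre="$(active_line_no "$1" auth pam_faillock.so preauth)"
    unix="$(active_line_no "$1" auth pam_unix.so)"
    fail="$(active_line_no "$1" auth pam_faillock.so authfail)"
    acct="$(active_line_no "$1" account pam_faillock.so)"
    [ -n "$pre" ] && [ -n "$unix" ] && [ -n "$fail" ] && [ -n "$acct" ] \
        && [ "$pre" -lt "$unix" ]
}

faillock_stack_ok "$D/system-auth.good" && echo "system-auth.good: compliant"
faillock_stack_ok "$D/system-auth.bad" \
    || echo "system-auth.bad: finding (preauth after pam_unix.so, or a required line missing)"
```

The "bad" sample contains every line the grep would show except the account line, and its preauth line sits after pam_unix.so; both defects are caught by comparing positions rather than by presence alone. Point the functions at /etc/pam.d/system-auth for the real check.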
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- AZLX-23-005000
- Vuln IDs
- V-274187
- Rule IDs
- SV-274187r1120715_rule
Checks: C-78278r1120547_chk
Verify Amazon Linux 2023 is configured so that the audit system prevents unauthorized changes to login UIDs with the following command:
$ sudo grep -i immutable /etc/audit/audit.rules
--loginuid-immutable
If the "--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding.
Fix: F-78183r1120548_fix
Configure Amazon Linux 2023 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules:
--loginuid-immutable
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load