{
  "format_version": 3,
  "policy": {
    "external_id": "32ea3aabace700078a3b7dc793b0d1e2",
    "name": "CIS Amazon Linux 2 Benchmark v4.0.0 - Level 1 Server",
    "version": "1.0.1",
    "description": "Center for Internet Security benchmark — Level 1 server hardening for Amazon Linux 2 (the AL2 line — predecessor to Amazon Linux 2023). Generated from CIS_Amazon_Linux_2_Benchmark_v4.0.0.pdf.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "0f8e5be5ec3d0813c0cdaee2803fdeca",
      "name": "1.1.1.1 — Ensure cramfs kernel module is not available",
      "description": "Ensure cramfs kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the cramfs kernel module. \n\n1.  Run the following commands to unload the cramfs kernel module: \n\n# modprobe -r cramfs 2>/dev/null \n# rmmod cramfs 2>/dev/null \n\n2.  Perform the following to disable the cramfs kernel module: \n\nCreate a file ending in .conf with install cramfs /bin/false in the \n/etc/modprobe.d/ directory. \n\nExample: \n\n# printf '%s\\n' \"\" \"install cramfs /bin/false\" >> /etc/modprobe.d/60-cramfs.conf \n\nCreate a file ending in .conf with blacklist cramfs in the...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^cramfs ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c6cb59ba605c6de1615460018e39c9b9",
      "name": "1.1.1.2 — Ensure hfs kernel module is not available",
      "description": "Ensure hfs kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the hfs kernel module. \n\n1.  Run the following commands to unload the hfs kernel module: \n\nmodprobe -r hfs 2>/dev/null \nrmmod hfs 2>/dev/null \n\n2.  Perform the following to disable the hfs kernel module: \n\nCreate a file ending in .conf with install hfs /bin/false in the /etc/modprobe.d/ \ndirectory. \n\nExample: \n\n# printf '%s\\n' \"\" \"install hfs /bin/false\" >> /etc/modprobe.d/60-hfs.conf \n\nCreate a file ending in .conf with blacklist hfs in the /etc/modprobe.d/ directory. \n\nEx...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^hfs ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4263694038a513537ae4d9edf919acf8",
      "name": "1.1.1.3 — Ensure hfsplus kernel module is not available",
      "description": "Ensure hfsplus kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the hfsplus kernel module. \n\n1.  Run the following commands to unload the hfsplus kernel module: \n\n# modprobe -r hfsplus 2>/dev/null \n# rmmod hfsplus 2>/dev/null \n\n2.  Perform the following to disable the hfsplus kernel module: \n\nCreate a file ending in .conf with install hfsplus /bin/false in the \n/etc/modprobe.d/ directory. \n\nExample: \n\n# printf '%s\\n' \"\" \"install hfsplus /bin/false\" >> /etc/modprobe.d/60-hfsplus.conf \n\nCreate a file ending in .conf with blacklist hfsplu...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^hfsplus ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "8d3ee1d3254d54d5c20a7c6a78211803",
      "name": "1.1.1.4 — Ensure overlay kernel module is not available",
      "description": "Ensure overlay kernel module is not available",
      "rational": "The overlay kernel module has known CVEs: CVE-2023-32629, CVE-2023-2640, and \nCVE-2023-0386. Disabling the overlay kernel module reduces the local attack surface \nby removing support for unnecessary filesystem types and mitigates potential risks \nassociated with unauthorized execution of setuid files, enhancing the overall system \nsecurity.",
      "remediation": "Unload and disable the overlay kernel module. \n\n1.  Run the following commands to unload the overlay kernel module: \n\n# modprobe -r overlay 2>/dev/null \n# rmmod overlay 2>/dev/null \n\n2.  Perform the following to disable the overlay kernel module: \n\nCreate a file ending in .conf with install overlay /bin/false in the \n/etc/modprobe.d/ directory. \n\nExample: \n\n# printf '%s\\n' \"\" \"install overlay /bin/false\" >> /etc/modprobe.d/60-overlay.conf \n\nCreate a file ending in .conf with blacklist overlay...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^overlay ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "9ae635e3ea68da3f365da10698f879a2",
      "name": "1.1.1.5 — Ensure squashfs kernel module is not available",
      "description": "Ensure squashfs kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the squashfs kernel module. \n\n1.  Run the following commands to unload the squashfs kernel module: \n\n# modprobe -r squashfs 2>/dev/null \n# rmmod squashfs 2>/dev/null \n\n2.  Perform the following to disable the squashfs kernel module: \n\nCreate a file ending in .conf with install squashfs /bin/false in the \n/etc/modprobe.d/ directory. \n\nExample: \n\n# printf '%s\\n' \"\" \"install squashfs /bin/false\" >> /etc/modprobe.d/60-squashfs.conf \n\nCreate a file ending in .conf with blacklis...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^squashfs ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "7b61834b272bfc9f3979c3809ef89267",
      "name": "1.1.1.6 — Ensure udf kernel module is not available",
      "description": "Ensure udf kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the udf kernel module. \n\n1.  Run the following commands to unload the udf kernel module: \n\n# modprobe -r udf 2>/dev/null \n# rmmod udf 2>/dev/null \n\n2.  Perform the following to disable the udf kernel module: \n\nCreate a file ending in .conf with install udf /bin/false in the /etc/modprobe.d/ \ndirectory \n\nExample: \n\n# printf '%s\\n' \"\" \"install udf /bin/false\" >> /etc/modprobe.d/60-udf.conf \n\nCreate a file ending in .conf with blacklist udf in the /etc/modprobe.d/ directory...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^udf ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "1e391cbf1700ffa24142a0b3456ede22",
      "name": "1.1.1.7 — Ensure unused filesystems kernel modules are not available",
      "description": "Ensure unused filesystems kernel modules are not available",
      "rational": "While loadable filesystem kernel modules are a convenient method of modifying the \nrunning kernel, this can be abused by attackers on a compromised system to prevent \ndetection of their processes or files, allowing them to maintain control over the system. \nMany rootkits make use of loadable filesystem kernel modules in this way. \n\nRemoving support for unneeded filesystem types reduces the loca...",
      "remediation": "- IF - the module is available in the running kernel: \n\n•  Unload the filesystem kernel module from the kernel \n•  Create a file ending in .conf with install filesystem kernel modules /bin/false \n\nin the /etc/modprobe.d/ directory \n\n•  Create a file ending in .conf with deny list filesystem kernel modules in the \n\n/etc/modprobe.d/ directory \n\nWARNING: unloading, disabling or denylisting filesystem modules that are in use on the \nsystem may be FATAL. It is extremely important to thoroughly rev...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -Dkerno fstype | sort -u",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "fdbc10a4823b2d2c5342d9c3bad492d1",
      "name": "1.1.2.1.1 — Ensure /tmp is tmpfs or a separate partition",
      "description": "Ensure /tmp is tmpfs or a separate partition",
      "rational": "Making /tmp its own file system allows an administrator to set additional mount options \nsuch as the noexec option on the mount, making /tmp useless for an attacker to install \nexecutable code. It would also prevent an attacker from establishing a hard link to a \nsystem setuid program and wait for it to be updated. Once the program was updated, \nthe hard link would be broken, and the attacker w...",
      "remediation": "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at \nboot time. \n\n# systemctl unmask tmp.mount \n\nFor specific configuration requirements of the /tmp mount for your environment, modify \n/etc/fstab. \n\nExample of using tmpfs with specific mount options: \n\ntmpfs  /tmp  tmpfs  defaults,rw,nosuid,nodev,noexec,relatime,size=2G  0 0 \n\nNote: the size=2G is an example of setting a specific size for tmpfs. \n\nExample of using a volume or disk with specific mount...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "tmp.mount",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5dd8b50e9b69f4020d2178f071ec20b1",
      "name": "1.1.2.1.2 — Ensure nodev option set on /tmp partition",
      "description": "Ensure nodev option set on /tmp partition",
      "rational": "Since the /tmp filesystem is not intended to support devices, set this option to ensure \nthat users cannot create a block or character special devices in /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \n\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/tmp partition. \n\nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d33a552e5f8cc4e27797ef8583a4d062",
      "name": "1.1.2.1.3 — Ensure nosuid option set on /tmp partition",
      "description": "Ensure nosuid option set on /tmp partition",
      "rational": "Since the /tmp filesystem is only intended for temporary file storage, set this option to \nensure that users cannot create setuid files in /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \n\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/tmp partition. \n\nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e3429e31e0abca51cd6ce6bc174c9279",
      "name": "1.1.2.1.4 — Ensure noexec option set on /tmp partition",
      "description": "Ensure noexec option set on /tmp partition",
      "rational": "Since the /tmp filesystem is only intended for temporary file storage, set this option to \nensure that users cannot run executable binaries from /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \n\nEdit the /etc/fstab file and add noexec to the fourth field (mounting options) for the \n/tmp partition. \n\nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "noexec"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "68c6bb11614edb954a31c3530f510148",
      "name": "1.1.2.2.1 — Ensure /dev/shm is tmpfs",
      "description": "Ensure /dev/shm is tmpfs",
      "rational": "Making /dev/shm its own file system as tmpfs allows an administrator to set additional \nmount options such as the noexec option on the mount, making /dev/shm useless for \nan attacker to install executable code. It would also prevent an attacker from \nestablishing a hard link to a system setuid program and wait for it to be updated. Once \nthe program was updated, the hard link would be broken an...",
      "remediation": "For specific configuration requirements of the /dev/shm mount for your environment, \nmodify /etc/fstab. \n\nExample: \n\ntmpfs  /dev/shm  tmpfs  defaults,rw,nosuid,nodev,noexec,relatime,size=2G  0 0",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /dev/shm",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c7a295db307a562dd4a5461ee7d4e1ce",
      "name": "1.1.2.2.2 — Ensure nodev option set on /dev/shm partition",
      "description": "Ensure nodev option set on /dev/shm partition",
      "rational": "Since the /dev/shm filesystem is not intended to support devices, set this option to \nensure that users cannot attempt to create special devices in /dev/shm partitions.",
      "remediation": "- IF - a separate partition exists for /dev/shm. \n\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/dev/shm partition. See the fstab(5) manual page for more information. \n\nExample: \n\ntmpfs /dev/shm    tmpfs     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /dev/shm with the configured options: \n\n# mount -o remount /dev/shm \n\nNote: It is recommended to use tmpfs as the device/filesystem type as /dev/shm is \nused as s...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /dev/shm",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "daad3e34bccfba7bfb106f28c98f721b",
      "name": "1.1.2.2.3 — Ensure nosuid option set on /dev/shm partition",
      "description": "Ensure nosuid option set on /dev/shm partition",
      "rational": "Setting this option on a file system prevents users from introducing privileged programs \nonto the system and allowing non-root users to execute them.",
      "remediation": "- IF - a separate partition exists for /dev/shm. \n\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/dev/shm partition. See the fstab(5) manual page for more information. \n\nExample: \n\ntmpfs /dev/shm    tmpfs     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /dev/shm with the configured options: \n\n# mount -o remount /dev/shm \n\nNote: It is recommended to use tmpfs as the device/filesystem type as /dev/shm is \nused as...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /dev/shm",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b0c8f51ea4fdea0c1f149ca1dcbae5fc",
      "name": "1.1.2.2.4 — Ensure noexec option set on /dev/shm partition",
      "description": "Ensure noexec option set on /dev/shm partition",
      "rational": "Setting this option on a file system prevents users from executing programs from shared \nmemory. This deters users from introducing potentially malicious software on the \nsystem.",
      "remediation": "- IF - a separate partition exists for /dev/shm. \n\nEdit the /etc/fstab file and add noexec to the fourth field (mounting options) for the \n/dev/shm partition. \n\nExample: \n\ntmpfs /dev/shm    tmpfs     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /dev/shm with the configured options: \n\n# mount -o remount /dev/shm \n\nNote: It is recommended to use tmpfs as the device/filesystem type as /dev/shm is \nused as shared memory space by applications.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /dev/shm",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "noexec"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f3ab2c304975e6636ca2444000f8f89a",
      "name": "1.1.2.3.2 — Ensure nodev option set on /home partition",
      "description": "Ensure nodev option set on /home partition",
      "rational": "Since the /home filesystem is not intended to support devices, set this option to ensure \nthat users cannot create a block or character special devices in /home.",
      "remediation": "- IF - a separate partition exists for /home. \n\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/home partition. \n\nExample: \n\n<device> /home    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \n\nRun the following command to remount /home with the configured options: \n\n# mount -o remount /home",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /home",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5a139e71eb9df835893a4c808f9e76b9",
      "name": "1.1.2.3.3 — Ensure nosuid option set on /home partition",
      "description": "Ensure nosuid option set on /home partition",
      "rational": "Since the /home filesystem is only intended for user file storage, set this option to \nensure that users cannot create setuid files in /home.",
      "remediation": "- IF - a separate partition exists for /home. \n\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/home partition. \n\nExample: \n\n<device> /home    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \n\nRun the following command to remount /home with the configured options: \n\n# mount -o remount /home",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /home",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a84a07872663e39c2e60de3f547df4d9",
      "name": "1.1.2.4.2 — Ensure nodev option set on /var partition",
      "description": "Ensure nodev option set on /var partition",
      "rational": "Since the /var filesystem is not intended to support devices, set this option to ensure \nthat users cannot create a block or character special devices in /var.",
      "remediation": "- IF - a separate partition exists for /var. \n\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/var partition. \n\nExample: \n\n<device> /var    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \n\nRun the following command to remount /var with the configured options: \n\n# mount -o remount /var",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0a2f26cac93f536a1b5f56d766628a41",
      "name": "1.1.2.4.3 — Ensure nosuid option set on /var partition",
      "description": "Ensure nosuid option set on /var partition",
      "rational": "Since the /var filesystem is only intended for variable files such as logs, set this option \nto ensure that users cannot create setuid files in /var.",
      "remediation": "- IF - a separate partition exists for /var. \n\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/var partition. \n\nExample: \n\n<device> /var    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \n\nRun the following command to remount /var with the configured options: \n\n# mount -o remount /var",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b4599e387238733766e9d74ce3b37b98",
      "name": "1.1.2.5.2 — Ensure nodev option set on /var/tmp partition",
      "description": "Ensure nodev option set on /var/tmp partition",
      "rational": "Since the /var/tmp filesystem is not intended to support devices, set this option to \nensure that users cannot create a block or character special devices in /var/tmp.",
      "remediation": "- IF - a separate partition exists for /var/tmp. \n\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/var/tmp partition. \n\nExample: \n\n<device> /var/tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/tmp with the configured options: \n\n# mount -o remount /var/tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b68952e3b6da4de706af32ce48520901",
      "name": "1.1.2.5.3 — Ensure nosuid option set on /var/tmp partition",
      "description": "Ensure nosuid option set on /var/tmp partition",
      "rational": "Since the /var/tmp filesystem is only intended for temporary file storage, set this option \nto ensure that users cannot create setuid files in /var/tmp.",
      "remediation": "- IF - a separate partition exists for /var/tmp. \n\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/var/tmp partition. \n\nExample: \n\n<device> /var/tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/tmp with the configured options: \n\n# mount -o remount /var/tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "adeaf3890a75e9a3de2e69e54efd471b",
      "name": "1.1.2.5.4 — Ensure noexec option set on /var/tmp partition",
      "description": "Ensure noexec option set on /var/tmp partition",
      "rational": "Since the /var/tmp filesystem is only intended for temporary file storage, set this option \nto ensure that users cannot run executable binaries from /var/tmp.",
      "remediation": "- IF - a separate partition exists for /var/tmp. \n\nEdit the /etc/fstab file and add noexec to the fourth field (mounting options) for the \n/var/tmp partition. \n\nExample: \n\n<device> /var/tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/tmp with the configured options: \n\n# mount -o remount /var/tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "noexec"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "28d59a5053aae14c6097cfd847d7da44",
      "name": "1.1.2.6.2 — Ensure nodev option set on /var/log partition",
      "description": "Ensure nodev option set on /var/log partition",
      "rational": "Since the /var/log filesystem is not intended to support devices, set this option to \nensure that users cannot create a block or character special devices in /var/log.",
      "remediation": "- IF - a separate partition exists for /var/log. \n\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/var/log partition. \n\nExample: \n\n<device> /var/log    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 \n0 \n\nRun the following command to remount /var/log with the configured options: \n\n# mount -o remount /var/log",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/log",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "677962ae8cfce1613e4dc89a944021ad",
      "name": "1.1.2.6.3 — Ensure nosuid option set on /var/log partition",
      "description": "Ensure nosuid option set on /var/log partition",
      "rational": "Since the /var/log filesystem is only intended for log files, set this option to ensure \nthat users cannot create setuid files in /var/log.",
      "remediation": "- IF - a separate partition exists for /var/log. \n\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/var/log partition. \n\nExample: \n\n<device> /var/log    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 \n0 \n\nRun the following command to remount /var/log with the configured options: \n\n# mount -o remount /var/log",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/log",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5e1788a9f9459c35f50cd667a44ca3da",
      "name": "1.1.2.6.4 — Ensure noexec option set on /var/log partition",
      "description": "Ensure noexec option set on /var/log partition",
      "rational": "Since the /var/log filesystem is only intended for log files, set this option to ensure \nthat users cannot run executable binaries from /var/log.",
      "remediation": "- IF - a separate partition exists for /var/log. \n\nEdit the /etc/fstab file and add noexec to the fourth field (mounting options) for the \n/var/log partition. \n\nExample: \n\n<device> /var/log    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 \n0 \n\nRun the following command to remount /var/log with the configured options: \n\n# mount -o remount /var/log",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/log",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "noexec"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e5aa85c71c8ae84ba6d62e532104068e",
      "name": "1.1.2.7.1 — Ensure separate partition exists for /var/log/audit",
      "description": "Ensure separate partition exists for /var/log/audit",
      "rational": "The default installation only creates a single / partition. Since the /var/log/audit \ndirectory contains the audit.log file which can grow quite large, there is a risk of \nresource exhaustion. It will essentially have the whole disk available to fill up and impact \nthe system as a whole. In addition, other operations on the system could fill up the disk \nunrelated to /var/log/audit and cause au...",
      "remediation": "For new installations, during installation create a custom partition setup and specify a \nseparate partition for /var/log/audit. \n\nFor systems that were previously installed, create a new partition and configure \n/etc/fstab as appropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/log/audit",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4172ff46681682eb8dc0b698f2dbd969",
      "name": "1.1.2.7.2 — Ensure nodev option set on /var/log/audit partition",
      "description": "Ensure nodev option set on /var/log/audit partition",
      "rational": "Since the /var/log/audit filesystem is not intended to support devices, set this option \nto ensure that users cannot create a block or character special devices in \n/var/log/audit.",
      "remediation": "- IF - a separate partition exists for /var/log/audit. \n\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/var/log/audit partition. \n\nExample: \n\n<device> /var/log/audit    <fstype>     \ndefaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/log/audit with the configured options: \n\n# mount -o remount /var/log/audit",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/log/audit",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "8979c1503997c9c93f289114b7576de7",
      "name": "1.1.2.7.3 — Ensure nosuid option set on /var/log/audit partition",
      "description": "Ensure nosuid option set on /var/log/audit partition",
      "rational": "Since the /var/log/audit filesystem is only intended for variable files such as logs, \nset this option to ensure that users cannot create setuid files in /var/log/audit.",
      "remediation": "- IF - a separate partition exists for /var/log/audit. \n\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/var/log/audit partition. \n\nExample: \n\n<device> /var/log/audit    <fstype>     \ndefaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/log/audit with the configured options: \n\n# mount -o remount /var/log/audit",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/log/audit",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "16314fdec1446deebbc6727476cb58e2",
      "name": "1.1.2.7.4 — Ensure noexec option set on /var/log/audit partition",
      "description": "Ensure noexec option set on /var/log/audit partition",
      "rational": "Since the /var/log/audit filesystem is only intended for audit logs, set this option to \nensure that users cannot run executable binaries from /var/log/audit.",
      "remediation": "- IF - a separate partition exists for /var/log/audit. \n\nEdit the /etc/fstab file and add noexec to the fourth field (mounting options) for the \n/var/log/audit partition. \n\nExample: \n\n<device> /var/log/audit    <fstype>     \ndefaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/log/audit with the configured options: \n\n# mount -o remount /var/log/audit",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/log/audit",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "noexec"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e93bce3ea33a6071e854c6439b3ef2ef",
      "name": "1.2.1 — Ensure GPG keys are configured",
      "description": "Ensure GPG keys are configured",
      "rational": "It is important to ensure that updates are obtained from a valid source to protect against \nspoofing that could lead to the inadvertent installation of malware on the system. To this \nend, verify that GPG keys are configured correctly for your system.",
      "remediation": "Update your package manager GPG keys in accordance with site policy.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "gpg-pubkey",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "3cb9887b494978483839712b05d68f6d",
      "name": "1.2.2 — Ensure gpgcheck is globally activated",
      "description": "Ensure gpgcheck is globally activated",
      "rational": "It is important to ensure that an RPM's package signature is always checked prior to \ninstallation to ensure that the software is obtained from a trusted source.",
      "remediation": "Edit /etc/yum.conf and set gpgcheck=1 in the [main] section. \n\nExample: \n\n# sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/yum.conf \n\nEdit any failing files in /etc/yum.repos.d/* and set all instances starting with \ngpgcheck to 1. \n\nExample: \n\n# find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec \nsed -ri 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P -- '^\\h*gpgcheck\\b' /etc/yum.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "039a439fcdab68edb33d58b656021817",
      "name": "1.2.4 — Ensure package manager repositories are configured",
      "description": "Ensure package manager repositories are configured",
      "rational": "If a system's package repositories are misconfigured, important patches may not be \nidentified or a rogue repository could introduce compromised software.",
      "remediation": "Configure your package manager repositories according to site policy.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "yum repolist",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "edfd0ccafce4106b8c198299a15aacb7",
      "name": "1.2.5 — Ensure updates, patches, and additional security software are installed",
      "description": "Ensure updates, patches, and additional security software are installed",
      "rational": "Newer patches may contain security enhancements that would not be available through \nthe latest full update. As a result, it is recommended that the latest software patches be \nused to take advantage of the latest functionality. As with any software installation, \norganizations need to determine if a given update meets their requirements and verify \nthe compatibility and supportability of any a...",
      "remediation": "Use your package manager to update all packages on the system according to site \npolicy. \n\nThe following command will install all available updates: \n\n# yum update \n\nOnce the update process is complete, verify if reboot is required to load changes. \n\nneeds-restarting -r",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "yum check-update",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5988cde1132776172b01bd3efb206c5e",
      "name": "1.3.1 — Ensure authentication required for single user mode",
      "description": "Ensure authentication required for single user mode",
      "rational": "Requiring authentication in single user mode (rescue mode) prevents an unauthorized \nuser from rebooting the system into single user to gain root privileges without \ncredentials.",
      "remediation": "Edit /usr/lib/systemd/system/rescue.service and \n/usr/lib/systemd/system/emergency.service and set ExecStart to use \n/sbin/sulogin or /usr/sbin/sulogin: \n\nExecStart=-/bin/sh -c \"/sbin/sulogin; /usr/bin/systemctl --fail --no-block \ndefault\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/usr/lib/systemd/system/rescue.service",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "/sbin/sulogin"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "50d2ec6bd5ae047abb45c083c914ded4",
      "name": "1.4.1.1 — Ensure SELinux is installed",
      "description": "Ensure SELinux is installed",
      "rational": "Without a Mandatory Access Control system installed only the default Discretionary \nAccess Control system will be available.",
      "remediation": "Run the following command to install SELinux: \n\n# yum install libselinux",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "libselinux",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "185917776dc864ccc174e2620077a059",
      "name": "1.4.1.2 — Ensure SELinux is not disabled in bootloader configuration",
      "description": "Ensure SELinux is not disabled in bootloader configuration",
      "rational": "SELinux must be enabled at boot time in your grub configuration to ensure that the \ncontrols it provides are not overridden.",
      "remediation": "Run the following command to remove the selinux=0 and enforcing=0 parameters: \n\ngrubby --update-kernel ALL --remove-args \"selinux=0 enforcing=0\" \n\nRun the following command to remove the selinux=0 and enforcing=0 parameters if \nthey were created by the deprecated grub2-mkconfig command: \n\n# grep -Prsq -- '^\\h*linux\\d*\\h+([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b' \\ \n/boot/grub2 /boot/efi && grub2-mkconfig -o \\ \n\"$(grep -Psrl -- '^\\h*linux\\d*\\h+' /boot/grub2/grub* /boot/efi/**/grub*)\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grubby --info=ALL | grep -Po '(selinux|enforcing)=0\\b'",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "41951d01d1ce91ea68981c456199b2f2",
      "name": "1.4.1.3 — Ensure SELinux policy is configured",
      "description": "Ensure SELinux policy is configured",
      "rational": "Security configuration requirements vary from site to site. Some sites may mandate a \npolicy that is stricter than the default policy, which is perfectly acceptable. This item is \nintended to ensure that at least the default recommendations are met.",
      "remediation": "Edit /etc/selinux/config and set the SELINUXTYPE line to targeted or mls: \n\nExample: \n\nSELINUXTYPE=targeted",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*SELINUXTYPE\\h*=\\h*(targeted|mls)\\b' /etc/selinux/config",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d3af6c163e2c1c5c1f7335b47f91faa6",
      "name": "1.4.1.4 — Ensure the SELinux mode is not disabled",
      "description": "Ensure the SELinux mode is not disabled",
      "rational": "Running SELinux in disabled mode is strongly discouraged; not only does the system \navoid enforcing the SELinux policy, it also avoids labeling any persistent objects such \nas files, making it difficult to enable SELinux in the future.",
      "remediation": "1.  Edit /etc/selinux/config and update the SELINUX parameter to either \n\nSELINUX=enforcing or SELINUX=permissive: \n\nExample: \n\nSELINUX=enforcing \n\n2.  Update the SELinux running state to either enforcing or permissive: \n\nIf SELinux is currently disabled: \n\nRun the following command to create /.autorelabel: \n\n# touch /.autorelabel \n\nRun the following command to reboot the system: \n\n# reboot \n\nWARNING: The autorelabel may be a long running process and require \nsignificant downtime. This should...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*SELINUX=(enforcing|permissive)\\b' /etc/selinux/config",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5e26821fac74e6134b6df99ec17c8fec",
      "name": "1.4.1.7 — Ensure the MCS Translation Service (mcstrans) is not installed",
      "description": "Ensure the MCS Translation Service (mcstrans) is not installed",
      "rational": "Since this service is not used very often, remove it to reduce the amount of potentially \nvulnerable code running on the system.",
      "remediation": "Run the following command to uninstall mcstrans: \n\n# yum remove mcstrans",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "mcstrans",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "366a5b6c9d0f9b5aeb8139cc3b1b844d",
      "name": "1.5.1 — Ensure core file size is configured",
      "description": "Ensure core file size is configured",
      "rational": "Setting a hard limit on core dumps prevents users from overriding the soft variable. \n\nA core dump includes a memory image taken at the time the operating system \nterminates an application. The memory image could contain sensitive data and is \ngenerally useful only for developers trying to debug problems.",
      "remediation": "1.  Run the following command to comment out any entries that include a hard \n\nvalue for core greater than 0 in /etc/security/limits.conf and any file(s) in \nthe /etc/security/limits.d/ directory. \n\nExample: \n\n# sed -ri '/^\\s*[^#\\n\\r]+\\s+hard\\s+core\\s+([1-9][0-9]*)/s/^/# /' \n/etc/security/limits.conf  /etc/security/limits.d/* \n\n2.  Create or edit a file in /etc/security/limits.d/ and add the following line: \n\n* hard core 0 \n\nExample: \n\n# printf '%s\\n' \"\" \"* hard core 0\" >> /etc/security/limit...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*\\*\\h+hard\\h+core\\b' /etc/security/limits.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b6cf0e739eb9e0967fba70d0fdf1f4d5",
      "name": "1.5.2 — Ensure fs.protected_hardlinks is configured",
      "description": "Ensure fs.protected_hardlinks is configured",
      "rational": "Disallowing hardlinks mitigates vulnerabilities based on unsecure file systems accessed \nby privileged programs. This reduces the risk of an exploitation vector exploiting unsafe \nuse of open or creat.",
      "remediation": "1.  Run the following command to comment out fs.protected_hardlinks lines \nreturned by the audit procedure that are not fs.protected_hardlinks = 1: \n\n# sed -ri '^\\s*fs.protected_hardlinks\\s*=\\s*0/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*fs.protected_hardlinks\\s*=\\s*0/s/^/#/g' /etc/sysctl.d/99-\nsysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nfs.protected_hardlinks = 1 \n\nExample: \n\n# [...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n fs.protected_hardlinks",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "90b435bb04701023f62a0a05f88b664a",
      "name": "1.5.3 — Ensure fs.protected_symlinks is configured",
      "description": "Ensure fs.protected_symlinks is configured",
      "rational": "Disallowing symlinks mitigates vulnerabilities based on unsecure file systems accessed \nby privileged programs. This reduces the risk of an exploitation vector exploiting unsafe \nuse of open or creat.",
      "remediation": "1.  Run the following command to comment out fs.protected_symlinks lines \nreturned by the audit procedure that are not fs.protected_symlinks = 1: \n\n# sed -ri '^\\s*fs.protected_symlinks\\s*=\\s*0/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*fs.protected_symlinks\\s*=\\s*0/s/^/#/g' /etc/sysctl.d/99-\nsysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nfs.protected_symlinks = 1 \n\nExample: \n\n# [ ! -d...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n fs.protected_symlinks",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "8f23dcfeb7baad26c9d52625b1256ca2",
      "name": "1.5.4 — Ensure fs.suid_dumpable is configured",
      "description": "Ensure fs.suid_dumpable is configured",
      "rational": "core dumps may contain sensitive in-memory data like password hashes or keys. An \nattacker could potentially exploit this to gain access to such data.",
      "remediation": "1.  Run the following command to comment out fs.suid_dumpable lines returned \n\nby the audit procedure that are not fs.suid_dumpable = 0: \n\n# sed -ri '^\\s*fs.suid_dumpable\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*fs.suid_dumpable\\s*=\\s*1/s/^/#/g' /etc/sysctl.d/99-\nsysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nfs.suid_dumpable = 0 \n\nExample: \n\n# [ ! -d \"/etc/sysctl.d/\" ] && m...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n fs.suid_dumpable",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "23dca617a9097c8dcdd746049f0c138b",
      "name": "1.5.5 — Ensure kernel.dmesg_restrict is configured",
      "description": "Ensure kernel.dmesg_restrict is configured",
      "rational": "Restricting access to the kernel message buffer limits access to only root. This prevents \nattackers from gaining additional system information as a non-privileged user.",
      "remediation": "1.  Run the following command to comment out kernel.dmesg_restrict lines \nreturned by the audit procedure that are not kernel.dmesg_restrict = 1: \n\n# sed -ri '^\\s*kernel.dmesg_restrict\\s*=\\s*0/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*kernel.dmesg_restrict\\s*=\\s*0/s/^/#/g' /etc/sysctl.d/99-\nsysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nkernel.dmesg_restrict = 1 \n\nExample: \n\n# [ ! -d...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n kernel.dmesg_restrict",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d3ee15f96f3044daac704db956984664",
      "name": "1.5.6 — Ensure kernel.kptr_restrict is configured",
      "description": "Ensure kernel.kptr_restrict is configured",
      "rational": "Masking the kernel symbols in /proc/kallsyms reduces the ability of an attacker using \nthem to learn more about what to attack on your system.",
      "remediation": "1.  Run the following command to comment out kernel.kptr_restrict lines \n\nreturned by the audit procedure that are not kernel.kptr_restrict = 2 or \nkernel.kptr_restrict = 1: \n\n# sed -ri '^\\s*kernel.kptr_restrict\\s*=\\s*(0|[3-9])/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*kernel.kptr_restrict\\s*=\\s*(0|[3-9])/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nkerne...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n kernel.kptr_restrict",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "643fe39453a3d6689328ddd78d4eba04",
      "name": "1.5.7 — Ensure kernel.yama.ptrace_scope is configured",
      "description": "Ensure kernel.yama.ptrace_scope is configured",
      "rational": "If one application is compromised, it would be possible for an attacker to attach to other \nrunning processes (e.g. Bash, Firefox, SSH sessions, GPG agent, etc) to extract \nadditional credentials and continue to expand the scope of their attack. \n\nEnabling restricted mode will limit the ability of a compromised process to \nPTRACE_ATTACH on other processes running under the same user. With restr...",
      "remediation": "1.  Run the following command to comment out kernel.yama.ptrace_scope lines \nreturned by the audit procedure that are not kernel.yama.ptrace_scope = 1, \nkernel.yama.ptrace_scope = 2, or kernel.yama.ptrace_scope = 3: \n\n# sed -ri '/^\\s*kernel.yama.ptrace_scope\\s*=\\s*0/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*kernel.yama.ptrace_scope\\s*=\\s*0/s/^/#/g' /etc/sysctl.d/99-\nsysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n kernel.yama.ptrace_scope",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "525fd4a765ff1ac0d7de024027de61f4",
      "name": "1.5.8 — Ensure kernel.randomize_va_space is configured",
      "description": "Ensure kernel.randomize_va_space is configured",
      "rational": "Randomly placing virtual memory regions will make it difficult to write memory page \nexploits as the memory placement will be consistently shifting.",
      "remediation": "1.  Run the following command to comment out kernel.randomize_va_space lines \nreturned by the audit procedure that are not kernel.randomize_va_space = 2: \n\n# sed -ri '/^\\s*kernel.randomize_va_space\\s*=\\s*[0,1]/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*kernel.randomize_va_space\\s*=\\s*[0,1]/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nkernel.randomize_va_spa...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n kernel.randomize_va_space",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d89d1bbe978af7d1f358803e1779a685",
      "name": "1.5.9 — Ensure systemd-coredump ProcessSizeMax is configured",
      "description": "Ensure systemd-coredump ProcessSizeMax is configured (the audit only confirms that a ProcessSizeMax line is present in /etc/systemd/coredump.conf; it does not verify that the value is 0 as the remediation requires)",
      "rational": "A core dump includes a memory image taken at the time the operating system \nterminates an application. The memory image could contain sensitive data and is \ngenerally useful only for developers trying to debug problems, increasing the risk to the \nsystem.",
      "remediation": "Create or edit the file /etc/systemd/coredump.conf and edit or add the following line: \n\nProcessSizeMax=0",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*ProcessSizeMax\\b' /etc/systemd/coredump.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "1a1422bf7a12bd3d777635c4a36b43f4",
      "name": "1.5.10 — Ensure systemd-coredump Storage is configured",
      "description": "Ensure systemd-coredump Storage is configured (the audit only confirms that a Storage line is present in /etc/systemd/coredump.conf; it does not verify that the value is none as the remediation requires)",
      "rational": "A core dump includes a memory image taken at the time the operating system \nterminates an application. The memory image could contain sensitive data and is \ngenerally useful only for developers trying to debug problems.",
      "remediation": "Create or edit the file /etc/systemd/coredump.conf and edit or add the following line: \n\nStorage=none",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*Storage\\b' /etc/systemd/coredump.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e64a85319af8648f9ddb80e3ea89ad28",
      "name": "1.6.1 — Ensure message of the day is configured properly",
      "description": "Ensure message of the day is configured properly",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place. Displaying OS and patch level \ninformation in login banners also has the side effect of providing detailed system \ninformation to attackers attempting to target speci...",
      "remediation": "Edit the files in /etc/update-motd.d/ and remove any instances of \\m , \\r , \\s , \\v or \nreferences to the OS platform \n\n- IF - required by local site policy, add the site specific \"Message Of The Day\" to a file in \n/etc/update-motd.d/: \n\nExample: \n\n# printf '%s\\n' \"Authorized users only. All activity may be monitored and \nreported.\" > /etc/update-motd.d/30-banner",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "cat /etc/motd",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0933b8de40d43ff32b740035a054adf6",
      "name": "1.6.2 — Ensure local login warning banner is configured properly",
      "description": "Ensure local login warning banner is configured properly",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place. Displaying OS and patch level \ninformation in login banners also has the side effect of providing detailed system \ninformation to attackers attempting to target speci...",
      "remediation": "Edit the /etc/issue file with the appropriate contents according to your site policy, \nremove any instances of \\m , \\r , \\s , \\v or references to the OS platform \n\nExample: \n\n# echo \"Authorized users only. All activity may be monitored and reported.\" > \n/etc/issue",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "cat /etc/issue",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6dd541435b2cb992a47f17103d610544",
      "name": "1.6.3 — Ensure remote login warning banner is configured properly",
      "description": "Ensure remote login warning banner is configured properly",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place. Displaying OS and patch level \ninformation in login banners also has the side effect of providing detailed system \ninformation to attackers attempting to target speci...",
      "remediation": "Edit the /etc/issue.net file with the appropriate contents according to your site policy, \nremove any instances of \\m , \\r , \\s , \\v or references to the OS platform \n\nExample: \n\n# echo \"Authorized users only. All activity may be monitored and reported.\" > \n/etc/issue.net",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "cat /etc/issue.net",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6cc930959ab7db7fa089769bb7440948",
      "name": "1.6.4 — Ensure access to /etc/motd is configured",
      "description": "Ensure access to /etc/motd is configured (the audit only confirms that stat produces output for /etc/motd; it does not verify the resulting mode, owner, or group)",
      "rational": "-IF- the /etc/motd file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/motd: \n\n# chown root:root $(readlink -e /etc/motd) \n# chmod u-x,go-wx $(readlink -e /etc/motd) \n\n-OR- \n\nRun the following command to remove the /etc/motd file: \n\n# rm /etc/motd",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "[ -e /etc/motd ] && stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/ %G)' /etc/motd",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "fa32f643703540753a83100efd2606f4",
      "name": "1.6.5 — Ensure access to /etc/issue is configured",
      "description": "Ensure access to /etc/issue is configured (the audit only confirms that stat produces output for /etc/issue; it does not verify the resulting mode, owner, or group)",
      "rational": "-IF- the /etc/issue file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/issue: \n\n# chown root:root $(readlink -e /etc/issue) \n# chmod u-x,go-wx $(readlink -e /etc/issue)",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/ %G)' /etc/issue",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "53a25c485d4dc2c9f71a339d003e3609",
      "name": "1.6.6 — Ensure access to /etc/issue.net is configured",
      "description": "Ensure access to /etc/issue.net is configured (the audit only confirms that stat produces output for /etc/issue.net; it does not verify the resulting mode, owner, or group)",
      "rational": "-IF- the /etc/issue.net file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/issue.net: \n\n# chown root:root $(readlink -e /etc/issue.net) \n# chmod u-x,go-wx $(readlink -e /etc/issue.net)",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/ %G)' /etc/issue.net",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "2b0af320afe97df203f4c2fa8dfd02cd",
      "name": "2.1.1 — Ensure time synchronization is in use",
      "description": "Ensure time synchronization is in use",
      "rational": "Time synchronization is important to support time sensitive security mechanisms like \nKerberos and also ensures log files have consistent time records across the enterprise, \nwhich aids in forensic investigations.",
      "remediation": "Run the following command to install chrony: \n\n# yum install chrony",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "chrony",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "8a48d79d6fd9ca550a33c90e355a927b",
      "name": "2.1.2 — Ensure chrony is configured",
      "description": "Ensure chrony is configured",
      "rational": "If chrony is in use on the system proper configuration is vital to ensuring time \nsynchronization is working properly.",
      "remediation": "Add or edit server or pool lines to a file ending in .conf in the /etc/chrony.d/ directory \nas appropriate: \n\nExample: \n\nserver <remote-server>",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Prs -- '^\\h*(server|pool)\\h+[^#\\n\\r]+' /etc/chrony.d",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "eb0c03e1d7839a70328bc4e711fecacf",
      "name": "2.1.3 — Ensure chrony is not run as the root user",
      "description": "Ensure chrony is not run as the root user (an OPTIONS line in /etc/sysconfig/chronyd that sets -u root is the non-compliant state, so the audit grep for that pattern should return nothing; the remediation sets OPTIONS=\"-u chrony\")",
      "rational": "Services should not be set to run as the root user",
      "remediation": "Edit the file /etc/sysconfig/chronyd and add or modify the following line: \n\nOPTIONS=\"-u chrony\" \n\nRun the following command to reload the chronyd.service configuration: \n\n# systemctl try-reload-or-restart chronyd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*OPTIONS=\\\"?\\h+-u\\h+root\\b' /etc/sysconfig/chronyd",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b79383d0ec57ded6a15fbe837e0affb3",
      "name": "2.2.1 — Ensure autofs services are not in use",
      "description": "Ensure autofs services are not in use",
      "rational": "With automounting enabled anyone with physical access could attach a USB drive or \ndisc and have its contents available in system even if they lacked permissions to mount \nit themselves.",
      "remediation": "Run the following commands to stop autofs.service and remove autofs package: \n\n# systemctl stop autofs.service \n# yum remove autofs \n\n-OR- \n\n-IF- the autofs package is required as a dependency: \n\nRun the following commands to stop and mask autofs.service: \n\n# systemctl stop autofs.service \n# systemctl mask autofs.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "autofs",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "26262bb6f10d9b0ea65c80907146863a",
      "name": "2.2.2 — Ensure avahi daemon services are not in use",
      "description": "Ensure avahi daemon services are not in use",
      "rational": "Automatic discovery of network services is not normally required for system \nfunctionality. It is recommended to remove this package to reduce the potential attack \nsurface.",
      "remediation": "Run the following commands to stop avahi-daemon.socket and avahi-\ndaemon.service, and remove the avahi package: \n\n# systemctl stop avahi-daemon.socket avahi-daemon.service \n# yum remove avahi \n\n-OR- \n\n-IF- the avahi package is required as a dependency: \n\nRun the following commands to stop and mask the avahi-daemon.socket and avahi-\ndaemon.service: \n\n# systemctl stop avahi-daemon.socket avahi-daemon.service \n# systemctl mask avahi-daemon.socket avahi-daemon.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "avahi",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e6f253f01cab1e4dba749f0d6531109c",
      "name": "2.2.3 — Ensure dhcp server services are not in use",
      "description": "Ensure dhcp server services are not in use",
      "rational": "Unless a system is specifically set up to act as a DHCP server, it is recommended that \nthe dhcp-server package be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop dhcpd.service and dhcpd6.service and \nremove dhcp package: \n\n# systemctl stop dhcpd.service dhcpd6.service \n# yum remove dhcp \n\n-OR- \n\n-IF- the dhcp package is required as a dependency: \n\nRun the following commands to stop and mask dhcpd.service and dhcpd6.service: \n\n# systemctl stop dhcpd.service dhcpd6.service \n# systemctl mask dhcpd.service dhcpd6.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "dhcp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4ebcb91c8fff2aeb82beaa1d66e8f447",
      "name": "2.2.4 — Ensure dns server services are not in use",
      "description": "Ensure dns server services are not in use",
      "rational": "Unless a system is specifically designated to act as a DNS server, it is recommended \nthat the package be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop named.service and remove bind package: \n\n# systemctl stop named.service \n# yum remove bind \n\n-OR- \n\n-IF- the bind package is required as a dependency: \n\nRun the following commands to stop and mask named.service: \n\n# systemctl stop named.service \n# systemctl mask named.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "bind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "2bb864dd498ef64ff075250d35b5fb49",
      "name": "2.2.5 — Ensure dnsmasq services are not in use",
      "description": "Ensure dnsmasq services are not in use",
      "rational": "Unless a system is specifically designated to act as a DNS caching, DNS forwarding \nand/or DHCP server, it is recommended that the package be removed to reduce the \npotential attack surface.",
      "remediation": "Run the following commands to stop dnsmasq.service and remove dnsmasq package: \n\n# systemctl stop dnsmasq.service \n# yum remove dnsmasq \n\n-OR- \n\n-IF- the dnsmasq package is required as a dependency: \n\nRun the following commands to stop and mask the dnsmasq.service: \n\n# systemctl stop dnsmasq.service \n# systemctl mask dnsmasq.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "dnsmasq",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "16ed4ce39bb57e501b6a1dde679946be",
      "name": "2.2.6 — Ensure samba file server services are not in use",
      "description": "Ensure samba file server services are not in use",
      "rational": "If there is no need to mount directories and file systems to Windows systems, then this \npackage can be removed to reduce the potential attack surface.",
      "remediation": "Run the following command to stop smb.service and remove samba package: \n\n# systemctl stop smb.service \n# yum remove samba \n\n-OR- \n\n-IF- the samba package is required as a dependency: \n\nRun the following commands to stop and mask the smb.service: \n\n# systemctl stop smb.service \n# systemctl mask smb.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "samba",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "1b1069332fb1d335efb3c3f92e556514",
      "name": "2.2.7 — Ensure ftp server services are not in use",
      "description": "Ensure ftp server services are not in use",
      "rational": "Unless there is a need to run the system as a FTP server, it is recommended that the \npackage be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop vsftpd.service and remove vsftpd package: \n\n# systemctl stop vsftpd.service \n# yum remove vsftpd \n\n-OR- \n\n-IF- the vsftpd package is required as a dependency: \n\nRun the following commands to stop and mask the vsftpd.service: \n\n# systemctl stop vsftpd.service \n# systemctl mask vsftpd.service \n\nNote: Other ftp server packages may exist. If not required and authorized by local site \npolicy, they should also be removed. If the package is required for a dependenc...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "vsftpd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0b0fd0076ed7dfbc384cc0a01e8a7d54",
      "name": "2.2.8 — Ensure message access server services are not in use",
      "description": "Ensure message access server services are not in use",
      "rational": "Unless POP3 and/or IMAP servers are to be provided by this system, it is \nrecommended that the package be removed to reduce the potential attack surface. \n\nNote: Several IMAP/POP3 servers exist and can use other service names. These \nshould also be audited and the packages removed if not required.",
      "remediation": "Run the following commands to stop dovecot.socket, dovecot.service, and cyrus-\nimapd.service, and remove dovecot and cyrus-imapd packages: \n\n# systemctl stop dovecot.socket dovecot.service cyrus-imapd.service \n# yum remove dovecot cyrus-imapd \n\n-OR- \n\n-IF- a package is installed and is required for dependencies: \n\nRun the following commands to stop and mask dovecot.socket, dovecot.service, \nand cyrus-imapd.service: \n\n# systemctl stop dovecot.socket dovecot.service cyrus-imapd.service \n# syste...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "dovecot",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "cdbcdbea96c0f7d207ae2e4146583de3",
      "name": "2.2.9 — Ensure network file system services are not in use",
      "description": "Ensure network file system services are not in use",
      "rational": "If the system does not require access to network shares or the ability to provide network \nfile system services for other host's network shares, it is recommended that the nfs-\nutils package be removed to reduce the attack surface of the system.",
      "remediation": "Run the following command to stop nfs-server.service and remove nfs-utils \npackage: \n\n# systemctl stop nfs-server.service \n# yum remove nfs-utils \n\n-OR- \n\n-IF- the nfs-utils package is required as a dependency: \n\nRun the following commands to stop and mask the nfs-server.service: \n\n# systemctl stop nfs-server.service \n# systemctl mask nfs-server.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "nfs-utils",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "50d95c399769ec65345bf5e2520398c3",
      "name": "2.2.10 — Ensure nis server services are not in use",
      "description": "Ensure nis server services are not in use",
      "rational": "The NIS service is inherently an insecure system that has been vulnerable to DoS \nattacks, buffer overflows and has poor authentication for querying NIS maps. NIS \ngenerally has been replaced by such protocols as Lightweight Directory Access \nProtocol (LDAP). It is recommended that the service be removed.",
      "remediation": "Run the following commands to stop ypserv.service and remove ypserv package: \n\n# systemctl stop ypserv.service \n# yum remove ypserv \n\n-OR- \n\n-IF- the ypserv package is required as a dependency: \n\nRun the following commands to stop and mask ypserv.service: \n\n# systemctl stop ypserv.service \n# systemctl mask ypserv.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ypserv",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "00a0fa5dbe43d1c3547d96c42dfd41b9",
      "name": "2.2.11 — Ensure print server services are not in use",
      "description": "Ensure print server services are not in use",
      "rational": "If the system does not need to print jobs or accept print jobs from other systems, it is \nrecommended that CUPS be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop cups.socket and cups.service, and remove the \ncups package: \n\n# systemctl stop cups.socket cups.service \n# yum remove cups \n\n-OR- \n\n-IF- the cups package is required as a dependency: \n\nRun the following commands to stop and mask the cups.socket and cups.service: \n\n# systemctl stop cups.socket cups.service \n# systemctl mask cups.socket cups.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "cups",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d9bb8cf3fa347e502b373e32f953696d",
      "name": "2.2.12 — Ensure rpcbind services are not in use",
      "description": "Ensure rpcbind services are not in use",
      "rational": "A small request (~82 bytes via UDP) sent to the Portmapper generates a large \nresponse (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If \nrpcbind is not required, it is recommended to remove rpcbind package to reduce the \npotential attack surface.",
      "remediation": "Run the following commands to stop rpcbind.socket and rpcbind.service, and \nremove the rpcbind package: \n\n# systemctl stop rpcbind.socket rpcbind.service \n# yum remove rpcbind \n\n-OR- \n\n-IF- the rpcbind package is required as a dependency: \n\nRun the following commands to stop and mask the rpcbind.socket and \nrpcbind.service: \n\n# systemctl stop rpcbind.socket rpcbind.service \n# systemctl mask rpcbind.socket rpcbind.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rpcbind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "9a8d37ee8adbdf72bc5e899b7db1c3ce",
      "name": "2.2.13 — Ensure rsync services are not in use",
      "description": "Ensure rsync services are not in use",
      "rational": "Unless required, the rsync package should be removed to reduce the potential attack \nsurface. \n\nThe rsyncd.service presents a security risk as it uses unencrypted protocols for \ncommunication.",
      "remediation": "Run the following commands to stop rsyncd.socket and rsyncd.service, and \nremove the rsync package: \n\n# systemctl stop rsyncd.socket rsyncd.service \n# yum remove rsync \n\n-OR- \n\n-IF- the rsync package is required as a dependency: \n\nRun the following commands to stop and mask the rsyncd.socket and \nrsyncd.service: \n\n# systemctl stop rsyncd.socket rsyncd.service \n# systemctl mask rsyncd.socket rsyncd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rsync",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f32b25fe0ed7360fa4ca77d0313387ed",
      "name": "2.2.14 — Ensure snmp services are not in use",
      "description": "Ensure snmp services are not in use",
      "rational": "The SNMP server can communicate using SNMPv1, which transmits data in the clear \nand does not require authentication to execute commands. SNMPv3 replaces the \nsimple/clear text password sharing used in SNMPv2 with more securely encoded \nparameters. If the the SNMP service is not required, the net-snmp package should be \nremoved to reduce the attack surface of the system. \n\nNote: If SNMP is requ...",
      "remediation": "Run the following commands to stop snmpd.service and remove net-snmp package: \n\n# systemctl stop snmpd.service \n# yum remove net-snmp \n\n-OR- If the package is required for dependencies: \n\nRun the following commands to stop and mask the snmpd.service: \n\n# systemctl stop snmpd.service \n# systemctl mask snmpd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "net-snmp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "62928585aa0e126adb0730c02ef7f44a",
      "name": "2.2.15 — Ensure telnet server services are not in use",
      "description": "Ensure telnet server services are not in use",
      "rational": "The telnet protocol is insecure and unencrypted. The use of an unencrypted \ntransmission medium could allow a user with access to sniff network traffic the ability to \nsteal credentials. The ssh package provides an encrypted session and stronger \nsecurity.",
      "remediation": "Run the following commands to stop telnet.socket and remove the telnet-server \npackage: \n\n# systemctl stop telnet.socket \n# yum remove telnet-server \n\n-OR- \n\n-IF- a package is installed and is required for dependencies: \n\nRun the following commands to stop and mask telnet.socket: \n\n# systemctl stop telnet.socket \n# systemctl mask telnet.socket",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "telnet-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "72967d9fae7017c829f12128ed3c0e65",
      "name": "2.2.16 — Ensure tftp server services are not in use",
      "description": "Ensure tftp server services are not in use",
      "rational": "Unless there is a need to run the system as a TFTP server, it is recommended that the \npackage be removed to reduce the potential attack surface. \n\nTFTP does not have built-in encryption, access control or authentication. This makes it \nvery easy for an attacker to exploit TFTP to gain access to files",
      "remediation": "Run the following commands to stop tftp.socket and tftp.service, and remove the \ntftp-server package: \n\n# systemctl stop tftp.socket tftp.service \n# yum remove tftp-server \n\n-OR- \n\n-IF- the tftp-server package is required as a dependency: \n\nRun the following commands to stop and mask tftp.socket and tftp.service: \n\n# systemctl stop tftp.socket tftp.service \n# systemctl mask tftp.socket tftp.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "tftp-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "70d1580afa9a83788ce736fc6a0b85a3",
      "name": "2.2.17 — Ensure web proxy server services are not in use",
      "description": "Ensure web proxy server services are not in use",
      "rational": "Unless a system is specifically set up to act as a proxy server, it is recommended that \nthe squid package be removed to reduce the potential attack surface. \n\nNote: Several HTTP proxy servers exist. These should be checked and removed unless \nrequired.",
      "remediation": "Run the following commands to stop squid.service and remove the squid package: \n\n# systemctl stop squid.service \n# yum remove squid \n\n-OR- If the squid package is required as a dependency: \n\nRun the following commands to stop and mask the squid.service: \n\n# systemctl stop squid.service \n# systemctl mask squid.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "squid",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0bf287c88719775cdd55807e8f3bea9d",
      "name": "2.2.18 — Ensure web server services are not in use",
      "description": "Ensure web server services are not in use",
      "rational": "Unless there is a local site approved requirement to run a web server service on the \nsystem, web server packages should be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop httpd.socket, httpd.service, and \nnginx.service, and remove httpd and nginx packages: \n\n# systemctl stop httpd.socket httpd.service nginx.service \n# yum remove httpd nginx \n\n-OR- \n\n-IF- a package is installed and is required for dependencies: \n\nRun the following commands to stop and mask httpd.socket, httpd.service, and \nnginx.service: \n\n# systemctl stop httpd.socket httpd.service nginx.service \n# systemctl mask httpd.socket httpd.service nginx.service \n\nNot...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "httpd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4d400e42109b57e35ced6eae2ede2f82",
      "name": "2.2.19 — Ensure xinetd services are not in use",
      "description": "Ensure xinetd services are not in use",
      "rational": "Unless your organization specifically requires xinetd services, it is recommended that \nthe package be removed to reduce the attack surface are of the system.",
      "remediation": "Run the following commands to stop xinetd.service, and remove the xinetd \npackage: \n\n# systemctl stop xinetd.service \n# yum remove xinetd \n\n-OR- \n\n-IF- the xinetd package is required as a dependency: \n\nRun the following commands to stop and mask the xinetd.service: \n\n# systemctl stop xinetd.service \n# systemctl mask xinetd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "xinetd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "9fa5a571448e43032283f57872a2925d",
      "name": "2.2.21 — Ensure mail transfer agents are configured for local-only",
      "description": "Ensure mail transfer agents are configured for local-only",
      "rational": "The software for all Mail Transfer Agents is complex and most have a long history of \nsecurity issues. While it is important to ensure that the system can process local mail \nmessages, it is not necessary to have the MTA's daemon listening on a port unless the \nserver is intended to be a mail server that receives and processes mail from other \nsystems.",
      "remediation": "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL \nsection. If the line already exists, change it to look like the line below: \n\ninet_interfaces = loopback-only \n\nRun the following command to restart postfix: \n\n# systemctl restart postfix \n\nNote: \n\n•  This remediation is designed around the postfix mail server. \n•  Depending on your environment you may have an alternative MTA installed such \nas sendmail. If this is the case consult the documentation for your installed...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "ss -plntu | grep -P -- ':25\\b' | grep -Pv --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "75ffdc00c8603d567f7ac9c269852a65",
      "name": "2.2.22 — Ensure only approved services are listening on a network",
      "description": "Ensure only approved services are listening on a network",
      "rational": "Services listening on the system pose a potential risk as an attack vector. These \nservices should be reviewed, and if not required, the service should be stopped, and the \npackage containing the service should be removed. If required packages have a \ndependency, the service should be stopped and masked to reduce the attack surface of \nthe system.",
      "remediation": "Run the following commands to stop the service and remove the package containing \nthe service: \n\n# systemctl stop <service_name>.socket <service_name>.service \n# yum remove <package_name> \n\n-OR- If required packages have a dependency: \n\nRun the following commands to stop and mask the service and socket: \n\n# systemctl stop <service_name>.socket <service_name>.service \n# systemctl mask <service_name>.socket <service_name>.service \n\nNote: replace <service_name> with the appropriate service name.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "ss -plntu",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "45e475e492ffc19f5594e35645af05af",
      "name": "2.3.1 — Ensure ftp client is not installed",
      "description": "Ensure ftp client is not installed",
      "rational": "FTP does not protect the confidentiality of data or authentication credentials. It is \nrecommended SFTP be used if file transfer is required. Unless there is a need to run \nthe system as a FTP server (for example, to allow anonymous downloads), it is \nrecommended that the package be removed to reduce the potential attack surface.",
      "remediation": "Run the following command to remove ftp: \n\n# yum remove ftp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ftp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "02b761719291ee9fbe912da8c47f5f39",
      "name": "2.3.3 — Ensure nis client is not installed",
      "description": "Ensure nis client is not installed",
      "rational": "The NIS service is inherently an insecure system that has been vulnerable to DOS \nattacks, buffer overflows and has poor authentication for querying NIS maps. NIS \ngenerally has been replaced by such protocols as Lightweight Directory Access \nProtocol (LDAP). It is recommended that the service be removed.",
      "remediation": "Run the following command to remove the ypbind package: \n\n# yum remove ypbind",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ypbind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "cfb8c0009c6c53c155f42ed7dc356341",
      "name": "2.3.4 — Ensure telnet client is not installed",
      "description": "Ensure telnet client is not installed",
      "rational": "The telnet protocol is insecure and unencrypted. The use of an unencrypted \ntransmission medium could allow an unauthorized user to steal credentials. The ssh \npackage provides an encrypted session and stronger security and is included in most \nLinux distributions.",
      "remediation": "Run the following command to remove the telnet package: \n\n# yum remove telnet",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "telnet",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6d2f9c539af38f2fac8137a2c3931bb2",
      "name": "2.3.5 — Ensure tftp client is not installed",
      "description": "Ensure tftp client is not installed",
      "rational": "TFTP does not have built-in encryption, access control or authentication. This makes it \nvery easy for an attacker to exploit TFTP to gain access to files",
      "remediation": "Run the following command to remove tftp: \n\n# yum remove tftp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "tftp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f4b71a4ac4d1717ba73296f331b3b4b1",
      "name": "3.1.1 — Ensure IPv6 status is identified",
      "description": "Ensure IPv6 status is identified",
      "rational": "IETF RFC 4038 recommends that applications are built with an assumption of dual \nstack. It is recommended that IPv6 be enabled and configured in accordance with \nBenchmark recommendations. \n\n- IF - dual stack and IPv6 are not used in your environment, IPv6 may be disabled to \nreduce the attack surface of the system, and recommendations pertaining to IPv6 can \nbe skipped. \n\nNote: It is recommend...",
      "remediation": "Enable or disable IPv6 in accordance with system requirements and local site policy",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c12b50728e62d3fa2d8092bcc25a2b36",
      "name": "3.1.2 — Ensure wireless interfaces are not available",
      "description": "Ensure wireless interfaces are not available",
      "rational": "- IF - wireless is not to be used, wireless devices can be disabled to reduce the potential \nattack surface.",
      "remediation": "Run the following script to disable any wireless interfaces: \n\n#!/usr/bin/env bash \n\n{ \n   module_fix() \n   { \n      if ! modprobe -n -v \"$l_mname\" | grep -P -- '^\\h*install \n\\/bin\\/(true|false)'; then \n         echo -e \" - setting module: \\\"$l_mname\\\" to be un-loadable\" \n         echo -e \"install $l_mname /bin/false\" >> \n/etc/modprobe.d/\"$l_mname\".conf \n      fi \n      if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then \n         echo -e \" - unloading module \\\"$l_mname\\\"\" \n         modprobe -r...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ee2d8d1f44f75240e97935f75e040425",
      "name": "3.1.3 — Ensure bluetooth services are not in use",
      "description": "Ensure bluetooth services are not in use",
      "rational": "An attacker may be able to find a way to access or corrupt your data. One example of \nthis type of activity is bluesnarfing, which refers to attackers using a Bluetooth \nconnection to steal information off of your Bluetooth device. Also, viruses or other \nmalicious code can take advantage of Bluetooth technology to infect other devices. If \nyou are infected, your data may be corrupted, compromi...",
      "remediation": "Run the following commands to stop bluetooth.service, and remove the bluez \npackage: \n\n# systemctl stop bluetooth.service \n# dnf remove bluez \n\n- OR - \n\n- IF - the bluez package is required as a dependency: \n\nRun the following commands to stop and mask bluetooth.service: \n\n# systemctl stop bluetooth.service \n# systemctl mask bluetooth.service \n\nNote: A reboot may be required",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "bluez",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6d45034ebf6502c6bb77b1d9a33134df",
      "name": "3.2.1 — Ensure can kernel module is not available",
      "description": "Ensure can kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it.",
      "remediation": "Unload and disable the can kernel module. \n\n1.  Run the following commands to unload the can kernel module: \n\n# modprobe -r can 2>/dev/null \n# rmmod can 2>/dev/null \n\n2.  Perform the following to disable the can kernel module: \n\nCreate a file ending in .conf with install can /bin/false in the /etc/modprobe.d/ \ndirectory \n\nExample: \n\n# printf '\\n%s\\n' \"install can /bin/false\" >> /etc/modprobe.d/60-can.conf \n\nCreate a file ending in .conf with blacklist can in the /etc/modprobe.d/ directory \n\nE...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^can ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d13a7e183269dba86104cd5994c73786",
      "name": "3.2.2 — Ensure sctp kernel module is not available",
      "description": "Ensure sctp kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it.",
      "remediation": "Unload and disable the sctp kernel module. \n\n1.  Run the following commands to unload the sctp kernel module: \n\n# modprobe -r sctp 2>/dev/null \n# rmmod sctp 2>/dev/null \n\n2.  Perform the following to disable the sctp kernel module: \n\nCreate a file ending in .conf with install sctp /bin/false in the \n/etc/modprobe.d/ directory \n\nExample: \n\n# printf '\\n%s\\n' \"install sctp /bin/false\" >> /etc/modprobe.d/60-sctp.conf \n\nCreate a file ending in .conf with blacklist sctp in the /etc/modprobe.d/ dire...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^sctp ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "fc15c7d9ea4845ca063eacf24452c31f",
      "name": "3.2.3 — Ensure tipc kernel module is not available",
      "description": "Ensure tipc kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it.",
      "remediation": "Unload and disable the tipc kernel module. \n\n1.  Run the following commands to unload the tipc kernel module: \n\n# modprobe -r tipc 2>/dev/null \n# rmmod tipc 2>/dev/null \n\n2.  Perform the following to disable the tipc kernel module: \n\nCreate a file ending in .conf with install tipc /bin/false in the \n/etc/modprobe.d/ directory \n\nExample: \n\n# printf '\\n%s\\n' \"install tipc /bin/false\" >> /etc/modprobe.d/60-tipc.conf \n\nCreate a file ending in .conf with blacklist tipc in the /etc/modprobe.d/ dire...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^tipc ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f118c0e8f8664da9a7e4137eea9133ec",
      "name": "3.3.1.1 — Ensure net.ipv4.ip_forward is configured",
      "description": "Ensure net.ipv4.ip_forward is configured",
      "rational": "Routing protocol daemons are typically used on routers to exchange network topology \ninformation with other routers. If this software is used when not required, system \nnetwork information may be unnecessarily transmitted across the network. \n\nSetting net.ipv4.ip_forward to 0 ensures that a system with multiple interfaces (for \nexample, a hard proxy), will not be able to forward IPv4 packets.",
      "remediation": "1.  Run the following command to comment out net.ipv4.ip_forward lines \nreturned by the audit procedure that are not net.ipv4.ip_forward = 0: \n\n# sed -ri '^\\s*net.ipv4.ip_forward\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.ip_forward\\s*=\\s*1/s/^/#/g' /etc/sysctl.d/99-\nsysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nnet.ipv4.ip_forward = 0 \n\nExample: \n\n# [ ! -d \"/etc/sys...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.ip_forward",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6b763816299467ee256cb5f407d4f35f",
      "name": "3.3.1.2 — Ensure net.ipv4.conf.all.forwarding is configured",
      "description": "Ensure net.ipv4.conf.all.forwarding is configured",
      "rational": "Routing protocol daemons are typically used on routers to exchange network topology \ninformation with other routers. If this capability is used when not required, system \nnetwork information may be unnecessarily transmitted across the network.",
      "remediation": "1.  Run the following command to comment out net.ipv4.conf.all.forwarding \n\nlines returned by the audit procedure that are not \nnet.ipv4.conf.all.forwarding=0: \n\n# sed -ri '^\\s*net.ipv4.conf.all.forwarding\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.forwarding\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nnet.ipv4.conf.all.f...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.all.forwarding",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ade7d906f60bb424271bc852b3a2f5ae",
      "name": "3.3.1.3 — Ensure net.ipv4.conf.default.forwarding is configured",
      "description": "Ensure net.ipv4.conf.default.forwarding is configured",
      "rational": "Routing protocol daemons are typically used on routers to exchange network topology \ninformation with other routers. If this capability is used when not required, system \nnetwork information may be unnecessarily transmitted across the network.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.default.forwarding lines returned by the audit procedure \nthat are not net.ipv4.conf.default.forwarding = 0: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.forwarding\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.forwarding\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nn...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.default.forwarding",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ff9abd3d97cd563fc8eb4c53b57d54ec",
      "name": "3.3.1.4 — Ensure net.ipv4.conf.all.send_redirects is configured",
      "description": "Ensure net.ipv4.conf.all.send_redirects is configured",
      "rational": "An attacker could use a compromised host to send invalid ICMP redirects to other \nrouter devices in an attempt to corrupt routing and have users access a system set up \nby the attacker as opposed to a valid system.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.all.send_redirects lines returned by the audit procedure \nthat are not net.ipv4.conf.all.send_redirects = 0: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.send_redirects\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.send_redirects\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nn...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.all.send_redirects",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6747d57e072ed64d8263c094c0b6f898",
      "name": "3.3.1.5 — Ensure net.ipv4.conf.default.send_redirects is configured",
      "description": "Ensure net.ipv4.conf.default.send_redirects is configured",
      "rational": "An attacker could use a compromised host to send invalid ICMP redirects to other \nrouter devices in an attempt to corrupt routing and have users access a system set up \nby the attacker as opposed to a valid system.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.default.send_redirects lines returned by the audit \nprocedure that are not net.ipv4.conf.default.send_redirects = 0: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.send_redirects\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.send_redirects\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the fol...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.default.send_redirects",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d24285fd28907f0106f5a0cabab21668",
      "name": "3.3.1.6 — Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured",
      "description": "Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured",
      "rational": "Some routers (and some attackers) will send responses that violate RFC-1122 and \nattempt to fill up a log file system with many useless error messages.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.icmp_ignore_bogus_error_responses lines returned by the audit \nprocedure that are not net.ipv4.icmp_ignore_bogus_error_responses = 1: \n\n# sed -ri '/^\\s*net.ipv4.icmp_ignore_bogus_error_responses\\s*=\\s*0/s/^/#/g' \\ \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.icmp_ignore_bogus_error_responses\\s*=\\s*0/s/^/#/g' \\ \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .c...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.icmp_ignore_bogus_error_responses",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "bb14e24d2e5f923caff9b59653414d98",
      "name": "3.3.1.7 — Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured",
      "description": "Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured",
      "rational": "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations \nfor your network could be used to trick your host into starting (or participating) in a \nSmurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP \nbroadcast messages with a spoofed source address. All hosts receiving this message \nand responding would send echo-reply messages back to the...",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.icmp_echo_ignore_broadcasts lines returned by the audit \nprocedure that are not net.ipv4.icmp_echo_ignore_broadcasts = 1: \n\n# sed -ri '/^\\s*net.ipv4.icmp_echo_ignore_broadcasts\\s*=\\s*0/s/^/#/g' \\ \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.icmp_echo_ignore_broadcasts\\s*=\\s*0/s/^/#/g' \\ \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.icmp_echo_ignore_broadcasts",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a9a0c0e1b6a0c9a9cd2bb9258a61c7d3",
      "name": "3.3.1.8 — Ensure net.ipv4.conf.all.accept_redirects is configured",
      "description": "Ensure net.ipv4.conf.all.accept_redirects is configured",
      "rational": "ICMP redirect messages are packets that convey routing information and tell your host \n(acting as a router) to send packets via an alternate path. It is a way of allowing an \noutside routing device to update your system routing tables. \n\nBy setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept \nany IPv4 ICMP redirect messages, and therefore, won't allow outsiders to update...",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.all.accept_redirects lines returned by the audit procedure \nthat are not net.ipv4.conf.all.accept_redirects = 0: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.accept_redirects\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.accept_redirects\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following l...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.all.accept_redirects",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ee5175c6ea9dca9e68c63436fc9242f4",
      "name": "3.3.1.9 — Ensure net.ipv4.conf.default.accept_redirects is configured",
      "description": "Ensure net.ipv4.conf.default.accept_redirects is configured",
      "rational": "ICMP redirect messages are packets that convey routing information and tell your host \n(acting as a router) to send packets via an alternate path. It is a way of allowing an \noutside routing device to update your system routing tables. \n\nBy setting net.ipv4.conf.default.accept_redirects to 0, the system will not accept \nIPv4 ICMP redirect messages on a newly added network interface.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.default.accept_redirects lines returned by the audit \nprocedure that are not net.ipv4.conf.default.accept_redirects = 0: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.accept_redirects\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.accept_redirects\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.default.accept_redirects",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f9650941393b4f6e49556b876d78447e",
      "name": "3.3.1.10 — Ensure net.ipv4.conf.all.secure_redirects is configured",
      "description": "Ensure net.ipv4.conf.all.secure_redirects is configured",
      "rational": "It is still possible for even known gateways to be compromised. \n\nSetting net.ipv4.conf.all.secure_redirects to 0, the system will not accept any \nIPv4 routing table updates by possibly compromised known gateways.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.all.secure_redirects lines returned by the audit procedure \nthat are not net.ipv4.conf.all.secure_redirects = 0: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.secure_redirects\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.secure_redirects\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following l...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.all.secure_redirects",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "fe873598d27d329676ffd3607ba3463d",
      "name": "3.3.1.11 — Ensure net.ipv4.conf.default.secure_redirects is configured",
      "description": "Ensure net.ipv4.conf.default.secure_redirects is configured",
      "rational": "It is still possible for even known gateways to be compromised. \n\nSetting net.ipv4.conf.default.secure_redirects to 0, the system will \nnot accept IPv4 routing table updates by possibly compromised known gateways on a \nnewly added network interface.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.default.secure_redirects lines returned by the audit \nprocedure that are not net.ipv4.conf.default.secure_redirects = 0: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.secure_redirects\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.secure_redirects\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.default.secure_redirects",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6da6ddc372a52e64a3ea076205d9f49f",
      "name": "3.3.1.12 — Ensure net.ipv4.conf.all.rp_filter is configured",
      "description": "Ensure net.ipv4.conf.all.rp_filter is configured",
      "rational": "Setting net.ipv4.conf.all.rp_filter to 1 is a good way to deter attackers from \nsending your system bogus packets that cannot be responded to. One instance where \nthis feature breaks down is if asymmetrical routing is employed. This would occur when \nusing dynamic routing protocols (bgp, ospf, etc) on your system. If you are using \nasymmetrical routing on your system, you will not be able to en...",
      "remediation": "1.  Run the following command to comment out net.ipv4.conf.all.rp_filter \n\nlines returned by the audit procedure that are not \nnet.ipv4.conf.all.rp_filter = 1: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.rp_filter\\s*=\\s*[0,2,3]/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.rp_filter\\s*=\\s*[0,2,3]/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nnet.ipv4....",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.all.rp_filter",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "34e267cafbaa428ad6b59a4aa8226d45",
      "name": "3.3.1.13 — Ensure net.ipv4.conf.default.rp_filter is configured",
      "description": "Ensure net.ipv4.conf.default.rp_filter is configured",
      "rational": "Setting net.ipv4.conf.default.rp_filter to 1 is a good way to deter attackers \nfrom sending your system bogus packets that cannot be responded to. One instance \nwhere this feature breaks down is if asymmetrical routing is employed. This would occur \nwhen using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using \nasymmetrical routing on your system, you will not be able t...",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.default.rp_filter lines returned by the audit procedure that \nare not net.ipv4.conf.default.rp_filter = 1: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.rp_filter\\s*=\\s*[0,2,3]/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.rp_filter\\s*=\\s*[0,2,3]/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following l...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.default.rp_filter",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "813872163a8bf922fdf93e22eb8d4fe1",
      "name": "3.3.1.14 — Ensure net.ipv4.conf.all.accept_source_route is configured",
      "description": "Ensure net.ipv4.conf.all.accept_source_route is configured",
      "rational": "Setting net.ipv4.conf.all.accept_source_route to 0 disables the system from \naccepting source routed packets. Assume this system was capable of routing packets to \nInternet routable addresses on one interface and private addresses on another \ninterface. Assume that the private addresses were not routable to the Internet routable \naddresses and vice versa. Under normal routing circumstances, an...",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.all.accept_source_route lines returned by the audit \nprocedure that are not net.ipv4.conf.all.accept_source_route = 0: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.accept_source_route\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.accept_source_route\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.all.accept_source_route",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6f29c7d3533b6ed2d76443407d2aba4b",
      "name": "3.3.1.15 — Ensure net.ipv4.conf.default.accept_source_route is configured",
      "description": "Ensure net.ipv4.conf.default.accept_source_route is configured",
      "rational": "Setting net.ipv4.conf.default.accept_source_route to 0 disables the system \nfrom accepting source routed packets. Assume this system was capable of routing \npackets to Internet routable addresses on one interface and private addresses on \nanother interface. Assume that the private addresses were not routable to the Internet \nroutable addresses and vice versa. Under normal routing circumstances,...",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.default.accept_source_route lines returned by the audit \nprocedure that are not net.ipv4.conf.default.accept_source_route = 0: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.accept_source_route\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.accept_source_route\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and e...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.default.accept_source_route",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b8de2c00d0e518a970abea1f8a5025a0",
      "name": "3.3.1.16 — Ensure net.ipv4.conf.all.log_martians is configured",
      "description": "Ensure net.ipv4.conf.all.log_martians is configured",
      "rational": "Setting net.ipv4.conf.all.log_martians to 1 enables this feature. Logging these \npackets allows an administrator to investigate the possibility that an attacker is sending \nspoofed packets to their system.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.all.log_martians lines returned by the audit procedure that \nare not net.ipv4.conf.all.log_martians = 1: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.log_martians\\s*=\\s*0/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.all.log_martians\\s*=\\s*0/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nnet.ipv4....",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.all.log_martians",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "da3c35f94a9e5e7c6d09a5d3eab6d93b",
      "name": "3.3.1.17 — Ensure net.ipv4.conf.default.log_martians is configured",
      "description": "Ensure net.ipv4.conf.default.log_martians is configured",
      "rational": "Setting net.ipv4.conf.default.log_martians to 1 enables this feature. Logging \nthese packets allows an administrator to investigate the possibility that an attacker is \nsending spoofed packets to their system.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv4.conf.default.log_martians lines returned by the audit procedure \nthat are not net.ipv4.conf.default.log_martians = 1: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.log_martians\\s*=\\s*0/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.conf.default.log_martians\\s*=\\s*0/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following l...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.default.log_martians",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0297c20f6f08fedbe4b5c5017d0013eb",
      "name": "3.3.1.18 — Ensure net.ipv4.tcp_syncookies is configured",
      "description": "Ensure net.ipv4.tcp_syncookies is configured",
      "rational": "Attackers use SYN flood attacks to perform a denial of service attack on a system by \nsending many SYN packets without completing the three-way handshake. This will \nquickly use up slots in the kernel's half-open connection queue and prevent legitimate \nconnections from succeeding. Setting net.ipv4.tcp_syncookies to 1 enables SYN \ncookies, allowing the system to keep accepting valid connectio...",
      "remediation": "1.  Run the following command to comment out net.ipv4.tcp_syncookies lines \nreturned by the audit procedure that are not net.ipv4.tcp_syncookies = 1: \n\n# sed -ri '/^\\s*net.ipv4.tcp_syncookies\\s*=\\s*0/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv4.tcp_syncookies\\s*=\\s*0/s/^/#/g' /etc/sysctl.d/99-\nsysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nnet.ipv4.tcp_syncookies = 1 \n\nExample:...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.tcp_syncookies",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "605ec92742c132e9b71eecaa58adaddf",
      "name": "3.3.2.1 — Ensure net.ipv6.conf.all.forwarding is configured",
      "description": "Ensure net.ipv6.conf.all.forwarding is configured",
      "rational": "Routing protocol daemons are typically used on routers to exchange network topology \ninformation with other routers. If this software is used when not required, system \nnetwork information may be unnecessarily transmitted across the network. \n\nSetting net.ipv6.conf.all.forwarding to 0 ensures that a system with multiple \ninterfaces (for example, a hard proxy), will not be able to forward IPv6 p...",
      "remediation": "1.  Run the following command to comment out net.ipv6.conf.all.forwarding \n\nlines returned by the audit procedure that are not \nnet.ipv6.conf.all.forwarding = 0: \n\n# sed -ri '/^\\s*net.ipv6.conf.all.forwarding\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv6.conf.all.forwarding\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nnet.ipv6.conf.all...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv6.conf.all.forwarding",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "79167f8775fdbe44bccd4ec41f9d024c",
      "name": "3.3.2.2 — Ensure net.ipv6.conf.default.forwarding is configured",
      "description": "Ensure net.ipv6.conf.default.forwarding is configured",
      "rational": "Routing protocol daemons are typically used on routers to exchange network topology \ninformation with other routers. If this software is used when not required, system \nnetwork information may be unnecessarily transmitted across the network.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv6.conf.default.forwarding lines returned by the audit procedure \nthat are not net.ipv6.conf.default.forwarding = 0: \n\n# sed -ri '/^\\s*net.ipv6.conf.default.forwarding\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv6.conf.default.forwarding\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nn...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv6.conf.default.forwarding",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "62ad645fddd75e930665bdccb135284c",
      "name": "3.3.2.3 — Ensure net.ipv6.conf.all.accept_redirects is configured",
      "description": "Ensure net.ipv6.conf.all.accept_redirects is configured",
      "rational": "ICMP redirect messages are packets that convey routing information and tell your host \n(acting as a router) to send packets via an alternate path. It is a way of allowing an \noutside routing device to update your system routing tables. \n\nBy setting net.ipv6.conf.all.accept_redirects to 0, the system will not accept \nany IPv6 ICMP redirect messages, and therefore, won't allow outsiders to update...",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv6.conf.all.accept_redirects lines returned by the audit procedure \nthat are not net.ipv6.conf.all.accept_redirects = 0: \n\n# sed -ri '/^\\s*net.ipv6.conf.all.accept_redirects\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv6.conf.all.accept_redirects\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following l...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv6.conf.all.accept_redirects",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "98133afaea3613778a8c31eb01126032",
      "name": "3.3.2.4 — Ensure net.ipv6.conf.default.accept_redirects is configured",
      "description": "Ensure net.ipv6.conf.default.accept_redirects is configured",
      "rational": "ICMP redirect messages are packets that convey routing information and tell your host \n(acting as a router) to send packets via an alternate path. It is a way of allowing an \noutside routing device to update your system routing tables. \n\nBy setting net.ipv6.conf.default.accept_redirects to 0, the system will not \naccept IPv6 ICMP redirect messages on a newly added network interface.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv6.conf.default.accept_redirects lines returned by the audit \nprocedure that are not net.ipv6.conf.default.accept_redirects = 0: \n\n# sed -ri '^\\s*net.ipv6.conf.default.accept_redirects\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv6.conf.default.accept_redirects\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv6.conf.default.accept_redirects",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "026ba0549e155f60769491d3d49e3683",
      "name": "3.3.2.5 — Ensure net.ipv6.conf.all.accept_source_route is configured",
      "description": "Ensure net.ipv6.conf.all.accept_source_route is configured",
      "rational": "Setting net.ipv6.conf.all.accept_source_route to 0 disables the system from \naccepting source routed packets. Assume this system was capable of routing packets to \nInternet routable addresses on one interface and private addresses on another \ninterface. Assume that the private addresses were not routable to the Internet routable \naddresses and vice versa. Under normal routing circumstances, an...",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv6.conf.all.accept_source_route lines returned by the audit \nprocedure that are not net.ipv6.conf.all.accept_source_route = 0: \n\n# sed -ri '^\\s*net.ipv6.conf.all.accept_source_route\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv6.conf.all.accept_source_route\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv6.conf.all.accept_source_route",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "36bd72ed8ec43fbd3f4bd784f8e613f7",
      "name": "3.3.2.6 — Ensure net.ipv6.conf.default.accept_source_route is configured",
      "description": "Ensure net.ipv6.conf.default.accept_source_route is configured",
      "rational": "Setting net.ipv6.conf.default.accept_source_route to 0 disables the system \nfrom accepting source routed packets. Assume this system was capable of routing \npackets to Internet routable addresses on one interface and private addresses on \nanother interface. Assume that the private addresses were not routable to the Internet \nroutable addresses and vice versa. Under normal routing circumstances,...",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv6.conf.default.accept_source_route lines returned by the audit \nprocedure that are not net.ipv6.conf.default.accept_source_route = 0: \n\n# sed -ri '^\\s*net.ipv6.conf.default.accept_source_route\\s*=\\s*1/s/^/#/g' \\ \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv6.conf.default.accept_source_route\\s*=\\s*1/s/^/#/g' \\ \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf a...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv6.conf.default.accept_source_route",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "65768dd586ae865f1d3204dd6a890715",
      "name": "3.3.2.7 — Ensure net.ipv6.conf.all.accept_ra is configured",
      "description": "Ensure net.ipv6.conf.all.accept_ra is configured",
      "rational": "It is recommended that systems do not accept router advertisements as they could be \ntricked into routing traffic to compromised machines. Setting hard routes within the \nsystem (usually a single default route to a trusted router) protects the system from bad \nroutes.",
      "remediation": "1.  Run the following command to comment out net.ipv6.conf.all.accept_ra \n\nlines returned by the audit procedure that are not \nnet.ipv6.conf.all.accept_ra = 0: \n\n# sed -ri '^\\s*net.ipv6.conf.all.accept_ra\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv6.conf.all.accept_ra\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nnet.ipv6.conf.all.acc...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv6.conf.all.accept_ra",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "cf73c59870ae3d6b46bb13ddd585cd38",
      "name": "3.3.2.8 — Ensure net.ipv6.conf.default.accept_ra is configured",
      "description": "Ensure net.ipv6.conf.default.accept_ra is configured",
      "rational": "It is recommended that systems do not accept router advertisements as they could be \ntricked into routing traffic to compromised machines. Setting hard routes within the \nsystem (usually a single default route to a trusted router) protects the system from bad \nroutes.",
      "remediation": "1.  Run the following command to comment out \n\nnet.ipv6.conf.default.accept_ra lines returned by the audit procedure that \nare not net.ipv6.conf.default.accept_ra = 0: \n\n# sed -ri '^\\s*net.ipv6.conf.default.accept_ra\\s*=\\s*1/s/^/#/g' \n\"path/to/file/in/audit/filename\" \n\nExample: \n\n# sed -ri '/^\\s*net.ipv6.conf.default.accept_ra\\s*=\\s*1/s/^/#/g' \n/etc/sysctl.d/99-sysctl.conf \n\n2.  Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or \n\nadd the following line: \n\nnet.i...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv6.conf.default.accept_ra",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ab9f9d58beb3712b3134429c4628b20d",
      "name": "5.1.1.1 — Ensure cron daemon is enabled and active",
      "description": "Ensure cron daemon is enabled and active",
      "rational": "While there may not be user jobs that need to be run on the system, the system does \nhave maintenance jobs that may include security monitoring that have to run, and cron \nis used to execute them. \n\nNote: IF systemd timers are configured and used for scheduled tasks, this \nrecommendation may be skipped",
      "remediation": "Run the following commands to unmask, enable, and start crond: \n\n# systemctl unmask crond \n# systemctl --now enable crond",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "crond",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "48f4a40beb69bf7460700082647ccc3c",
      "name": "5.1.1.2 — Ensure access to /etc/crontab is configured",
      "description": "Ensure access to /etc/crontab is configured",
      "rational": "This file contains information on what system jobs are run by cron. Write access to \nthese files could provide unprivileged users with the ability to elevate their privileges. \nRead access to these files could provide users with the ability to gain insight on system \njobs that run on the system and could provide them a way to gain unauthorized \nprivileged access.",
      "remediation": "Run the following commands to set ownership and permissions on /etc/crontab: \n\n# chown root:root /etc/crontab \n# chmod og-rwx /etc/crontab",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/crontab",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "75f80143466a558f31569cc3a739508b",
      "name": "5.1.1.3 — Ensure access to /etc/cron.hourly is configured",
      "description": "Ensure access to /etc/cron.hourly is configured",
      "rational": "Granting write access to this directory for non-privileged users could provide them the \nmeans for gaining unauthorized elevated privileges. Granting read access to this \ndirectory could give an unprivileged user insight in how to gain elevated privileges or \ncircumvent auditing controls.",
      "remediation": "Run the following commands to set ownership and permissions on the \n/etc/cron.hourly directory: \n\n# chown root:root /etc/cron.hourly/ \n# chmod og-rwx /etc/cron.hourly/",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/cron.hourly/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "7d78142af081d8aedd7a77ff4bfc56a4",
      "name": "5.1.1.4 — Ensure access to /etc/cron.daily is configured",
      "description": "Ensure access to /etc/cron.daily is configured",
      "rational": "Granting write access to this directory for non-privileged users could provide them the \nmeans for gaining unauthorized elevated privileges. Granting read access to this \ndirectory could give an unprivileged user insight in how to gain elevated privileges or \ncircumvent auditing controls.",
      "remediation": "Run the following commands to set ownership and permissions on the \n/etc/cron.daily directory: \n\n# chown root:root /etc/cron.daily/ \n# chmod og-rwx /etc/cron.daily/",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/cron.daily/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "76b4ef2c4089c18e9f9c28b45aeb4382",
      "name": "5.1.1.5 — Ensure access to /etc/cron.weekly is configured",
      "description": "Ensure access to /etc/cron.weekly is configured",
      "rational": "Granting write access to this directory for non-privileged users could provide them the \nmeans for gaining unauthorized elevated privileges. Granting read access to this \ndirectory could give an unprivileged user insight in how to gain elevated privileges or \ncircumvent auditing controls.",
      "remediation": "Run the following commands to set ownership and permissions on the \n/etc/cron.weekly directory: \n\n# chown root:root /etc/cron.weekly/ \n# chmod og-rwx /etc/cron.weekly/",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/cron.weekly/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b1122ef8b666ee6848cba6a504affef2",
      "name": "5.1.1.6 — Ensure access to /etc/cron.monthly is configured",
      "description": "Ensure access to /etc/cron.monthly is configured",
      "rational": "Granting write access to this directory for non-privileged users could provide them the \nmeans for gaining unauthorized elevated privileges. Granting read access to this \ndirectory could give an unprivileged user insight in how to gain elevated privileges or \ncircumvent auditing controls.",
      "remediation": "Run the following commands to set ownership and permissions on the \n/etc/cron.monthly directory: \n\n# chown root:root /etc/cron.monthly/ \n# chmod og-rwx /etc/cron.monthly/",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/cron.monthly/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "faa69ef5b8be7ae149661b7792786bde",
      "name": "5.1.1.7 — Ensure access to /etc/cron.d is configured",
      "description": "Ensure access to /etc/cron.d is configured",
      "rational": "Granting write access to this directory for non-privileged users could provide them the \nmeans for gaining unauthorized elevated privileges. Granting read access to this \ndirectory could give an unprivileged user insight in how to gain elevated privileges or \ncircumvent auditing controls.",
      "remediation": "Run the following commands to set ownership and permissions on the /etc/cron.d \ndirectory: \n\n# chown root:root /etc/cron.d/ \n# chmod og-rwx /etc/cron.d/",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/cron.d/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4b3ee30db6c3692ca00381e2cbdda7d5",
      "name": "5.1.1.8 — Ensure access to crontab is configured",
      "description": "Ensure access to crontab is configured",
      "rational": "On many systems, only the system administrator is authorized to schedule cron jobs. \nUsing the cron.allow file to control who can run cron jobs enforces this policy. It is \neasier to manage an allow list than a deny list. In a deny list, you could potentially add a \nuser ID to the system and forget to add it to the deny files.",
      "remediation": "- IF - cron is installed on the system: \n\nRun the following script to: \n\n•  Create /etc/cron.allow if it doesn't exist \n•  Change owner to user root \n•  Change group owner to group root - OR - group crontab if it exists \n•  Change mode to 640 or more restrictive \n\n#!/usr/bin/env bash \n\n{ \n   [ ! -e \"/etc/cron.allow\" ] && touch /etc/cron.allow \n   chmod u-x,g-wx,o-rwx /etc/cron.allow \n   if grep -Pq -- '^\\h*crontab\\:' /etc/group; then \n      chown root:crontab /etc/cron.allow \n   e...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/cron.allow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e449f5df302c2f49620611f3b4794572",
      "name": "5.1.2.1 — Ensure access to at is configured",
      "description": "Ensure access to at is configured",
      "rational": "On many systems, only the system administrator is authorized to schedule at jobs. \nUsing the at.allow file to control who can run at jobs enforces this policy. It is easier \nto manage an allow list than a deny list. In a deny list, you could potentially add a user \nID to the system and forget to add it to the deny files.",
      "remediation": "- IF - at is installed on the system: \n\nRun the following script to: \n\n•  /etc/at.allow: \n\no  Create the file if it doesn't exist \no  Change owner or user root \no \n\nIf group daemon exists, change to group daemon, else change group to \nroot \n\no  Change mode to 640 or more restrictive \n\n• \n\n- IF - /etc/at.deny exists: \n\no  Change owner or user root \no \n\nIf group daemon exists, change to group daemon, else change group to \nroot \n\no  Change mode to 640 or more restrictive \n\n#!/usr/bin/env bash...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/at.allow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4936e67cdc21de5745ed6dc8f86151cd",
      "name": "5.2.1 — Ensure access to /etc/ssh/sshd_config is configured",
      "description": "Ensure access to /etc/ssh/sshd_config is configured",
      "rational": "Configuration specifications for sshd need to be protected from unauthorized changes \nby non-privileged users.",
      "remediation": "Run the following command to update access to /etc/ssh/sshd_config as mode \n0600 or more restrictive, owner as the user root and the group owner as the group \nroot: \n\n# chown root:root /etc/ssh/sshd_config \n# chmod u-x,go-rwx /etc/ssh/sshd_config",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'File: \"%n\" Mode: \"%#a\"  Owner: \"%U\" Group: \"%G\"'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "99614e1ed412bcb5ac52afff7c5851a8",
      "name": "5.2.2 — Ensure access to SSH private host key files is configured",
      "description": "Ensure access to SSH private host key files is configured",
      "rational": "If an unauthorized user obtains the private SSH host key file, the host could be \nimpersonated.",
      "remediation": "Update the access to the private keys being used by the open SSH server. \n\n•  Mode 0640, owned by the user root and group owned by the \n\ngroup ssh_keys. \n\n- OR - \n\n•  Mode 0600, owned by the user root and group owned by the \n\ngroup root. \n\nRun the following script to update the access on the private keys used by the open SSH \nserver: \n\n#!/usr/bin/env bash \n\n{ \n   l_sshd_cmd=\"$(readlink -e /usr/sbin/sshd || readlink -e /sbin/sshd)\" \n   l_keygen=\"$(readlink -e /usr/bin/ssh-keygen || readlink -e...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e42b6a756a048c24609e610a5e491f34",
      "name": "5.2.3 — Ensure access to SSH public host key files is configured",
      "description": "Ensure access to SSH public host key files is configured",
      "rational": "If a public host key file is modified by an unauthorized user, the SSH service may be \ncompromised.",
      "remediation": "Update the access to the public keys being used by the open SSH server. \n\n•  mode to 0644. \n•  owner to the user root. \n•  group owner to the group root. \n\nRun the following script to update the access on the public keys used by the open SSH \nserver: \n\n#!/usr/bin/env bash \n\n{ \n   l_sshd_cmd=\"$(readlink -e /usr/sbin/sshd || readlink -e /sbin/sshd)\" \n   l_keygen=\"$(readlink -e /usr/bin/ssh-keygen || readlink -e /bin/ssh-\nkeygen)\" \n   while IFS= read -r l_file; do  \n      if \"$l_keygen\" -lf &>/d...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "fa19ddda5a99dfc642122ff000f81a81",
      "name": "5.2.4 — Ensure sshd access is configured",
      "description": "Ensure sshd access is configured",
      "rational": "Restricting which users can remotely access the system via SSH will help ensure that \nonly authorized users access the system.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set one or more of the parameters above any \nMatch set statements as follows: \n\nAllowUsers <userlist> \n - AND/OR - \nAllowGroups <grouplist> \n\nNote: It is easier to manage an allow list than a deny list. In a deny list, \nyou could potentially add a user or group and forget to add it to the deny \nlist.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- '^\\h*(allow|deny)(users|groups)\\h+\\H+'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "48bb02cfdeab4c085189a1f0b3e41a43",
      "name": "5.2.5 — Ensure sshd Banner is configured",
      "description": "Ensure sshd Banner is configured",
      "rational": "Banners are used to warn connecting users of the particular site's policy regarding \nconnection. Presenting a warning message prior to the normal user login may assist the \nprosecution of trespassers on the computer system. \n\nNot having a properly configured SSH banner, or leaving it at the default value, can \nexpose an organization to legal and compliance risks by failing to provide users with...",
      "remediation": "1.  Edit the /etc/ssh/sshd_config file to set the Banner parameter above any \n\nMatch entries as follows: \n\nBanner /etc/issue.net \n\n2.  Edit the file being called by the Banner argument with the appropriate contents \n\naccording to your site policy, remove any instances of \\m , \\r , \\s , \\v or \nreferences to the OS platform \n\nExample: \n\n# printf '%s\\n' \"Authorized users only. All activity may be monitored and \nreported.\" > \"$(sshd -T | awk '$1 == \"banner\" {print $2}')\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- '^banner\\h+\\/\\H+'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6de507978552d23a0158c2cf020bf778",
      "name": "5.2.6 — Ensure sshd Ciphers are configured",
      "description": "Ensure sshd Ciphers are configured",
      "rational": "Weak ciphers that are used for authentication to the cryptographic module cannot be \nrelied upon to provide confidentiality or integrity, and system data may be compromised.",
      "remediation": "1.  Edit the /etc/ssh/sshd_config file and add/modify the Ciphers line to contain a \n\ncomma separated allow list of the site approved (strong) Ciphers. \n\nExample: \n\nCiphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-\nctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com \n\n2.  If CVE-2023-48795 has not been reviewed and addressed, also remove \n\nchacha20-poly1305@openssh.com from the comma separated allow list.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5fac2c3fa18731742e637486b044466e",
      "name": "5.2.7 — Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured",
      "description": "Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured",
      "rational": "In order to prevent resource exhaustion, appropriate values should be set for both \nClientAliveInterval and ClientAliveCountMax. Specifically, looking at the source \ncode, ClientAliveCountMax must be greater than zero in order to utilize the ability of \nSSH to drop idle connections. If connections are allowed to stay open indefinitely, this \ncan potentially be used as a DDOS attack or simple re...",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the ClientAliveInterval and \nClientAliveCountMax parameters to a value greater than 0, and follows local site \npolicy above any Match entries. \n\nExample: \n\nClientAliveInterval 15 \nClientAliveCountMax 3",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- '(clientaliveinterval|clientalivecountmax)'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "98d6782883d3723960a81df41554b5c0",
      "name": "5.2.10 — Ensure sshd HostbasedAuthentication is disabled",
      "description": "Ensure sshd HostbasedAuthentication is disabled",
      "rational": "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, \ndisabling the ability to use .rhosts files in SSH provides an additional layer of \nprotection.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the HostbasedAuthentication parameter \nto no above any Match entries as follows: \n\nHostbasedAuthentication no",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep hostbasedauthentication",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f1435ccf891233e812f2623ac3454b8b",
      "name": "5.2.11 — Ensure sshd IgnoreRhosts is enabled",
      "description": "Ensure sshd IgnoreRhosts is enabled",
      "rational": "Setting this parameter forces users to enter a password when authenticating with SSH.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the IgnoreRhosts parameter to yes as \nfollows: \n\nIgnoreRhosts yes",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep ignorerhosts",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "1d3cfa0a16b3b71b9187356fc9b08a04",
      "name": "5.2.12 — Ensure sshd KexAlgorithms is configured",
      "description": "Ensure sshd KexAlgorithms is configured",
      "rational": "Key exchange methods that are considered weak should be removed. A key exchange \nmethod may be weak because too few bits are used, or the hashing algorithm is \nconsidered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks.",
      "remediation": "Edit the /etc/ssh/sshd_config file and add/modify the KexAlgorithms line to contain \na comma separated allow list of the site approved (strong) KexAlgorithms: \n\nExample: \n\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-\nnistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-\nsha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-\nhellman-group14-sha256",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "1379af7cd0f888e652cf5c2493510081",
      "name": "5.2.13 — Ensure sshd LoginGraceTime is configured",
      "description": "Ensure sshd LoginGraceTime is configured",
      "rational": "Setting the LoginGraceTime parameter to a low number will minimize the risk of \nsuccessful brute force attacks against the SSH server. It will also limit the number of \nconcurrent unauthenticated connections. While the recommended setting is 60 seconds \n(1 minute), set the number based on site policy.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the LoginGraceTime parameter to 60 \nseconds or less as follows: \n\nLoginGraceTime 60",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep logingracetime",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "444c933539407405a623ea10075def7f",
      "name": "5.2.14 — Ensure sshd LogLevel is configured",
      "description": "Ensure sshd LogLevel is configured",
      "rational": "The INFO level is the basic level that only records login activity of SSH users. In many \nsituations, such as Incident Response, it is important to determine when a particular \nuser was active on a system. The logout record can eliminate those users who \ndisconnected, which helps narrow the field. \n\nThe VERBOSE level specifies that login and logout activity as well as the key fingerprint \nfor a...",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the LogLevel parameter to VERBOSE or \nINFO above any Match entries as follows: \n\nLogLevel VERBOSE \n   - OR - \nLogLevel INFO",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep loglevel",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "052a91051bcfd45d6cf4bda3a3b7786b",
      "name": "5.2.15 — Ensure sshd MACs are configured",
      "description": "Ensure sshd MACs are configured",
      "rational": "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase \nexploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal \nof attention as a weak spot that can be exploited with expanded computing power. An \nattacker that breaks the algorithm could take advantage of a MiTM position to decrypt \nthe SSH tunnel and capture credentials and information.",
      "remediation": "1.  Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a \n\ncomma separated allow list of the site approved (strong) MACs: \n\nExample: \n\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-\netm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 \n\n2.  - IF - CVE-2023-48795 has not been reviewed and addressed, the following etm \nMACs should be added to the exclude list: hmac-sha1-etm@openssh.com,hmac-\nsha2-256-etm@openssh.com,hmac-sha2-512-etm@opens...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5b91ded18da40cf803e66283e140b9c4",
      "name": "5.2.16 — Ensure sshd MaxAuthTries is configured",
      "description": "Ensure sshd MaxAuthTries is configured",
      "rational": "Setting the MaxAuthTries parameter to a low number will minimize the risk of \nsuccessful brute force attacks to the SSH server. While the recommended setting is 4, \nset the number based on site policy.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the MaxAuthTries parameter to 4 or less \nabove any Match entries as follows: \n\nMaxAuthTries 4",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep maxauthtries",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e8cdd9254bc1c139ee204dce557d92b9",
      "name": "5.2.17 — Ensure sshd MaxSessions is configured",
      "description": "Ensure sshd MaxSessions is configured",
      "rational": "To protect a system from denial of service due to a large number of concurrent \nsessions, use the rate limiting function of MaxSessions to protect availability of sshd \nlogins and prevent overwhelming the daemon.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the MaxSessions parameter to 10 or less \nabove any Match entries as follows: \n\nMaxSessions 10",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep maxsessions",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "2f2e1ad2cc1eaf7e85c7b0b983805587",
      "name": "5.2.18 — Ensure sshd MaxStartups is configured",
      "description": "Ensure sshd MaxStartups is configured",
      "rational": "To protect a system from denial of service due to a large number of pending \nauthentication connection attempts, use the rate limiting function of MaxStartups to \nprotect availability of sshd logins and prevent overwhelming the daemon.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the MaxStartups parameter to 10:30:60 or \nmore restrictive as follows: \n\nMaxStartups 10:30:60",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | awk '$1 ~ /^\\s*maxstartups/{split($2, a, \":\");{if(a[1] > 10 ||",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a85a7b4cae6de8f9cdd85f2ed29b53b4",
      "name": "5.2.19 — Ensure sshd PermitEmptyPasswords is disabled",
      "description": "Ensure sshd PermitEmptyPasswords is disabled",
      "rational": "Disallowing remote shell access to accounts that have an empty password reduces the \nprobability of unauthorized access to the system.",
      "remediation": "Edit /etc/ssh/sshd_config and set the PermitEmptyPasswords parameter to no \nabove any Match entries as follows: \n\nPermitEmptyPasswords no",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep permitemptypasswords",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e124e69f3187bd14b7c96e35fed646a1",
      "name": "5.2.20 — Ensure sshd PermitRootLogin is disabled",
      "description": "Ensure sshd PermitRootLogin is disabled",
      "rational": "Disallowing root logins over SSH requires system admins to authenticate using their \nown individual account, then escalating to root. This limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the PermitRootLogin parameter to no \nabove any Match entries as follows: \n\nPermitRootLogin no",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep permitrootlogin",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "7f114215c703b3fce51c3c02114fe929",
      "name": "5.2.21 — Ensure sshd PermitUserEnvironment is disabled",
      "description": "Ensure sshd PermitUserEnvironment is disabled",
      "rational": "Permitting users the ability to set environment variables through the SSH daemon could \npotentially allow users to bypass security controls (e.g. setting an execution path that \nhas SSH executing trojaned programs).",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the PermitUserEnvironment parameter to \nno as follows: \n\nPermitUserEnvironment no",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep permituserenvironment",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "27e00dfb06924c4c9ca62a3fbca90a64",
      "name": "5.2.22 — Ensure sshd UsePAM is enabled",
      "description": "Ensure sshd UsePAM is enabled",
      "rational": "When UsePAM is set to yes, PAM runs through account and session types properly. This \nis important if you want to restrict access to services based on IP, time or other \nfactors of the account. Additionally, you can make sure users inherit certain \nenvironment variables on login or disallow access to the server.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the UsePAM parameter to yes as follows: \n\nUsePAM yes",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep usepam",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "315eba4e1e91c26c64a1f48493b460e0",
      "name": "5.3.1 — Ensure sudo is installed",
      "description": "Ensure sudo is installed",
      "rational": "sudo supports a plug-in architecture for security policies and input/output logging. Third \nparties can develop and distribute their own policy and I/O logging plug-ins to work \nseamlessly with the sudo front end. The default security policy is sudoers, which is \nconfigured via the file /etc/sudoers and any entries in /etc/sudoers.d. \n\nThe security policy determines what privileges, if any, a u...",
      "remediation": "Run the following command to install sudo \n\n# yum install sudo",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "sudo",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e8be35430e2860a5d2aeaba6ced8468f",
      "name": "5.3.2 — Ensure sudo commands use pty",
      "description": "Ensure sudo commands use pty",
      "rational": "Attackers can run a malicious program using sudo which would fork a background \nprocess that remains even when the main program has finished executing.",
      "remediation": "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f \n<PATH_TO_FILE> and add the following line: \n\nDefaults use_pty \n\nNote: \n\n•  sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or \ncontain a . character to avoid causing problems with package manager or editor \ntemporary/backup files. \n\n•  Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will \n\nbe parsed before /etc/sudoers.d/10_second. \n\n•  Be aware that bec...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -rPi '^\\h*Defaults\\h+([^#\\n\\r]+,)?use_pty(,\\h*\\h+\\h*)*\\h*(#.*)?$'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b6f5b492b32e615dd37965127fd1a234",
      "name": "5.3.3 — Ensure sudo log file exists",
      "description": "Ensure sudo log file exists",
      "rational": "Defining a dedicated log file for sudo simplifies auditing of sudo commands and creation \nof auditd rules for sudo.",
      "remediation": "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH \nTO FILE> and add the following line: \n\nDefaults  logfile=\"<PATH TO CUSTOM LOG FILE>\" \n\nExample \n\nDefaults logfile=\"/var/log/sudo.log\" \n\nNote: \n\n•  sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or \ncontain a . character to avoid causing problems with package manager or editor \ntemporary/backup files. \n\n•  Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_fi...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -rPsi",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "9a8383923bc0a64780e31683ac61deea",
      "name": "5.3.5 — Ensure re-authentication for privilege escalation is not disabled globally",
      "description": "Ensure re-authentication for privilege escalation is not disabled globally",
      "rational": "Without re-authentication, users may access resources or perform tasks for which they \ndo not have authorization. \n\nWhen operating systems provide the capability to escalate a functional capability, it is \ncritical the user re-authenticate.",
      "remediation": "Configure the operating system to require users to reauthenticate for privilege \nescalation. \n\nBased on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit \nthe relevant sudoers file. \n\nRemove any occurrences of !authenticate tags in the file(s).",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -r \"^[^#].*\\!authenticate\" /etc/sudoers*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "75e4b6ba9c83d278b1d2ca1be02f9c5f",
      "name": "5.3.6 — Ensure sudo authentication timeout is configured correctly",
      "description": "Ensure sudo authentication timeout is configured correctly",
      "rational": "Setting a timeout value reduces the window of opportunity for unauthorized privileged \naccess to another user.",
      "remediation": "If the currently configured timeout is larger than 15 minutes, edit the file listed in the \naudit section with visudo -f <PATH TO FILE> and modify the entry \ntimestamp_timeout= to 15 minutes or less as per your site policy. The value is in \nminutes. This particular entry may appear on its own, or on the same line as \nenv_reset. See the following two examples: \n\nDefaults    env_reset, timestamp_timeout=15 \nDefaults    timestamp_timeout=15 \nDefaults    env_reset",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -roP \"timestamp_timeout=\\K[0-9]*\" /etc/sudoers*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "3c3f19253b4e0223aa906da40ea7aa9b",
      "name": "5.3.7 — Ensure access to the su command is restricted",
      "description": "Ensure access to the su command is restricted",
      "rational": "Restricting the use of su, and using sudo in its place, provides system administrators \nbetter control of the escalation of user privileges to execute privileged commands. The \nsudo utility also provides a better logging and audit mechanism, as it can log each \ncommand executed via sudo, whereas su can only record that a user executed the su \nprogram.",
      "remediation": "Create an empty group that will be specified for use of the su command. The group \nshould be named according to site policy. \n\nExample: \n\n# groupadd sugroup \n\nAdd the following line to the /etc/pam.d/su file, specifying the empty group: \n\nauth required pam_wheel.so use_uid group=sugroup",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/group",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "<group_name>"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "345a004a4ccf5a6483dc1316828b552a",
      "name": "5.4.1.1 — Ensure latest version of pam is installed",
      "description": "Ensure latest version of pam is installed",
      "rational": "To ensure the system has full functionality and access to the options covered by this \nBenchmark, pam-1.3.1-25 or later is required.",
      "remediation": "- IF - the version of PAM on the system is less than version pam-1.1.8-23: \n\nRun the following command to update to the latest version of PAM: \n\n# yum upgrade pam",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "pam",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "52d2d395e6383cc6a7a3f8eaaf16326c",
      "name": "5.4.1.2 — Ensure libpwquality is installed",
      "description": "Ensure libpwquality is installed",
      "rational": "Strong passwords reduce the risk of systems being hacked through brute force \nmethods.",
      "remediation": "Run the following command to install libpwquality: \n\n# yum install libpwquality",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "libpwquality",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "81a154125dc095d51d484530a6ddf317",
      "name": "5.4.2.1.1 — Ensure pam_faillock module is enabled",
      "description": "Ensure pam_faillock module is enabled",
      "rational": "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute \nforce password attacks against your systems.",
      "remediation": "Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nAdd the following lines to the auth section: \n\nauth        required      pam_faillock.so preauth silent audit deny=5 \nunlock_time=900 even_deny_root \nauth        [default=die] pam_faillock.so authfail audit deny=5 \nunlock_time=900 even_deny_root \n\nThe auth sections should look similar to the following example: \n\nWARNING: The ordering of the lines in the auth section is important. The preauth line \nneeds to be below the line au...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P -- '\\bpam_faillock.so\\b' /etc/pam.d/{password,system}-auth",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0043dd6c895a42fc56419374796dad16",
      "name": "5.4.2.1.2 — Ensure password failed attempts lockout is configured",
      "description": "Ensure password failed attempts lockout is configured",
      "rational": "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute \nforce password attacks against your systems.",
      "remediation": "Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nAdd the following lines to the auth section: \n\nauth        required      pam_faillock.so preauth silent audit deny=5 \nunlock_time=900 even_deny_root \nauth        required      pam_faillock.so authfail audit deny=5 \nunlock_time=900 even_deny_root \n\nThe auth sections should look similar to the following example: \n\nExample: \n\nauth        required      pam_env.so \nauth        required      pam_faillock.so preauth silent audit d...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f5f0379bce86971be22cf7ffdd18c5ec",
      "name": "5.4.2.1.3 — Ensure password unlock time is configured",
      "description": "Ensure password unlock time is configured",
      "rational": "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute \nforce password attacks against your systems.",
      "remediation": "Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nAdd the following lines to the auth section: \n\nauth        required      pam_faillock.so preauth silent audit deny=5 \nunlock_time=900 even_deny_root \nauth        required      pam_faillock.so authfail audit deny=5 \nunlock_time=900 even_deny_root \n\nThe auth sections should look similar to the following example: \n\nExample: \n\nauth        required      pam_en...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0c3e48d31ea5dc55dcc04604c03fdd40",
      "name": "5.4.2.2.1 — Ensure pam_pwquality module is enabled",
      "description": "Ensure pam_pwquality module is enabled",
      "rational": "Use of unique, complex passwords helps to increase the time and resources required \nto compromise the password.",
      "remediation": "Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nAdd the following line to the password section: \n\npassword   requisite   pam_pwquality.so try_first_pass local_users_only \n\nExample password section: \n\npassword    requisite     pam_pwquality.so try_first_pass local_users_only \nretry=3 #<- added pam_pwquality.so line \npassword    required      pam_pwhistory.so remember=24 enforce_for_root \ntry_first_pass use_authtok \npassword    sufficient    pam_unix.so sha512 shadow try_f...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P -- '\\bpam_pwquality\\.so\\b' /etc/pam.d/{password,system}-auth",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "69959325d6638d2e585f4a5e2379d00f",
      "name": "5.4.2.2.2 — Ensure password number of changed characters is configured",
      "description": "Ensure password number of changed characters is configured",
      "rational": "Use of a complex password helps to increase the time and resources required to \ncompromise the password. Password complexity, or strength, is a measure of the \neffectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determines how long it takes to crack \na password. The more complex the password, the greater the...",
      "remediation": "Edit or add the following line in /etc/security/pwquality.conf to a value of 2 or \nmore that meets local site policy: \n\ndifok = 2 \n\nExample: \n\n# sed -ri 's/^\\s*difok\\s*=/# &/' /etc/security/pwquality.conf \n# printf '\\n%s' \"difok = 2\" >> /etc/security/pwquality.conf \n\nRun the following script to remove setting difok on the pam_pwquality.so module in \nthe PAM files: \n\n#!/usr/bin/env bash \n\n{ \n   for l_pam_file in system-auth password-auth; do \n     sed -ri \n's/(^\\s*password\\s+(requisite|required...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*difok\\h*=\\h*([2-9]|[1-9][0-9]+)\\b'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "347ce98e624ef612f7bbf951ce8e00f6",
      "name": "5.4.2.2.3 — Ensure password length is configured",
      "description": "Ensure password length is configured",
      "rational": "Strong passwords protect systems from being hacked through brute force methods.",
      "remediation": "Edit the file /etc/security/pwquality.conf and add or modify the following line to \nset password length of 14 or more characters. Ensure that password length conforms to \nlocal site policy: \n\nminlen = 14 \n\nRun the following script to remove setting minlen on the pam_pwquality.so module in \nthe PAM files: \n\n#!/usr/bin/env bash \n\n{ \n   for l_pam_file in system-auth password-auth; do \n     sed -ri \n's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwquality\\.so.*)(\\s+\nminlen\\s*=\\s*[0-9]+)...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*minlen\\h*=\\h*(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})\\b'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "fc5b5c3fb162032309f46d8d35690ed5",
      "name": "5.4.2.2.4 — Ensure password complexity is configured",
      "description": "Ensure password complexity is configured",
      "rational": "Strong passwords protect systems from being hacked through brute force methods.",
      "remediation": "Edit /etc/security/pwquality.conf and add or modify the following line to set: \n\nminclass = 4 \n\n--AND/OR-- \n\ndcredit = <N> \nucredit = <N> \nocredit = <N> \nlcredit = <N> \n\nExample: \n\n# printf '\\n%s' \"minclass = 4\" >> /etc/security/pwquality.conf \n\n--AND/OR-- \n\n# printf '%s\\n' \"dcredit = -1\" \"ucredit = -1\" \"ocredit = -1\" \"lcredit = -1\" \n>> /etc/security/pwquality.conf \n\nRun the following script to remove setting minclass, dcredit, ucredit, lcredit, and \nocredit on the pam_pwquality.so module in...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*(minclass|[dulo]credit)\\b' /etc/security/pwquality.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "835952ee4cd2d49f2f3b448b731ad238",
      "name": "5.4.2.2.5 — Ensure password same consecutive characters is configured",
      "description": "Ensure password same consecutive characters is configured",
      "rational": "Use of a complex password helps to increase the time and resources required to \ncompromise the password. Password complexity, or strength, is a measure of the \neffectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determines how long it takes to crack \na password. The more complex the password, the greater the...",
      "remediation": "Edit /etc/security/pwquality.conf and add or modify the following line to set \nmaxrepeat to 3 or less and not 0. Ensure setting conforms to local site policy: \n\nmaxrepeat = 3 \n\nRun the following script to remove setting maxrepeat on the pam_pwquality.so \nmodule in the PAM files: \n\n#!/usr/bin/env bash \n\n{ \n   for l_pam_file in system-auth password-auth; do \n     sed -ri \n's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwquality\\.so.*)(\\s+\nmaxrepeat\\s*=\\s*\\S+)(.*$)/\\1\\4/' /etc/pam.d/\"$...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*maxrepeat\\h*=\\h*[1-3]\\b' /etc/security/pwquality.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6a433bd943947d3ff179d0666a4d6df3",
      "name": "5.4.2.2.6 — Ensure password dictionary check is enabled",
      "description": "Ensure password dictionary check is enabled",
      "rational": "If the operating system allows the user to select passwords based on dictionary words, \nthis increases the chances of password compromise by increasing the opportunity for \nsuccessful guesses, and brute-force attacks.",
      "remediation": "Edit /etc/security/pwquality.conf and comment out or remove any instance of \ndictcheck = 0: \n\nExample: \n\n# sed -ri 's/^\\s*dictcheck\\s*=/# &/' /etc/security/pwquality.conf \n\nRun the following script to remove setting dictcheck on the pam_pwquality.so \nmodule in the PAM files: \n\n#!/usr/bin/env bash \n\n{ \n   for l_pam_file in system-auth password-auth; do \n     sed -ri \n's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwquality\\.so.*)(\\s+\ndictcheck\\s*=\\s*\\S+)(.*$)/\\1\\4/' /etc/pam.d/\"$l_pa...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*dictcheck\\h*=\\h*0\\b' /etc/security/pwquality.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f9d9e4a1053f7034b8d2cf09692e7b27",
      "name": "5.4.2.3.1 — Ensure pam_pwhistory module is enabled",
      "description": "Ensure pam_pwhistory module is enabled",
      "rational": "Requiring users not to reuse their passwords makes it less likely that an attacker will be \nable to guess the password or use a compromised password.",
      "remediation": "Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nAdd the following line to the password section: \n\npassword   required   pam_pwhistory.so remember=24 enforce_for_root \ntry_first_pass use_authtok \n\nExample password section: \n\npassword    requisite     pam_pwquality.so try_first_pass local_users_only \nretry=3 \npassword    required      pam_pwhistory.so remember=24 enforce_for_root \ntry_first_pass use_authtok \npassword    sufficient    pam_unix.so sha512 shadow try_first_pas...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P -- '\\bpam_pwhistory\\.so\\b' /etc/pam.d/{password,system}-auth",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "bba12874c57cc058c6edb10cd4ea1bad",
      "name": "5.4.2.3.2 — Ensure password history remember is configured",
      "description": "Ensure password history remember is configured",
      "rational": "Requiring users not to reuse their passwords makes it less likely that an attacker will be \nable to guess the password or use a compromised password. \n\nNote: These changes only apply to accounts configured on the local system.",
      "remediation": "Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nAdd the following line to the password section: \n\npassword    required      pam_pwhistory.so remember=24 enforce_for_root \ntry_first_pass use_authtok \n\nExample password section: \n\npassword    requisite     pam_pwquality.so try_first_pass local_users_only \nretry=3 \npassword    required      pam_pwhistory.so remember=24 enforce_for_root \ntry_first_pass use_authtok \npassword    sufficient    pam_unix.so sha512 shadow try_first...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a7527555444f208554c358aaccb71232",
      "name": "5.4.2.3.3 — Ensure password history is enforced for the root user",
      "description": "Ensure password history is enforced for the root user",
      "rational": "Requiring users not to reuse their passwords makes it less likely that an attacker will be \nable to guess the password or use a compromised password. \n\nNote: These changes only apply to accounts configured on the local system.",
      "remediation": "Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nAdd the following line to the password section: \n\npassword    required      pam_pwhistory.so remember=24 enforce_for_root \ntry_first_pass use_authtok \n\nExample password section: \n\npassword    requisite     pam_pwquality.so try_first_pass local_users_only \nretry=3 #<- added pam_pwquality.so line \npassword    required      pam_pwhistory.so remember=24 enforce_for_root \ntry_first_pass use_authtok \npassword    sufficient    pam...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a5570d6d46b0ee7a5540c5403a842dd4",
      "name": "5.4.2.3.4 — Ensure pam_pwhistory includes use_authtok",
      "description": "Ensure pam_pwhistory includes use_authtok",
      "rational": "use_authtok allows multiple pam modules to confirm a new password before it is \naccepted.",
      "remediation": "Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nAdd the following line to the password section: \n\npassword    required      pam_pwhistory.so remember=24 enforce_for_root \ntry_first_pass use_authtok \n\nExample password section: \n\npassword    requisite     pam_pwquality.so try_first_pass local_users_only \nretry=3 #<- added pam_pwquality.so line \npassword    required      pam_pwhistory.so remember=24 enforce_for_root \ntry_first_pass use_authtok \npassword    sufficient    pam...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0097e7aa819dd0b0b2ccf9c498ffd683",
      "name": "5.4.2.4.1 — Ensure pam_unix does not include nullok",
      "description": "Ensure pam_unix does not include nullok",
      "rational": "Using a strong password is essential to helping protect personal and sensitive \ninformation from unauthorized access",
      "remediation": "Run the following command to remove the nullok option from all lines in the \n/etc/pam.d/password-auth and /etc/pam.d/system-auth files: \n\n# sed -ri 's/^(.*)(\\s+nullok\\s*)(.*$)/\\1 \\3/' /etc/pam.d/{password,system}-\nauth",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Ps -- '^\\h*([^#\\n\\r]+)\\h+pam_unix\\.so\\b'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "3b310b028bab9f53cccaeff549b0f77b",
      "name": "5.4.2.4.2 — Ensure pam_unix does not include remember",
      "description": "Ensure pam_unix does not include remember",
      "rational": "The remember=n argument should be removed to ensure a strong password hashing \nalgorithm is being used. A stronger hash provides additional protection to the system by \nincreasing the level of effort needed for an attacker to successfully determine local \nusers' old passwords stored in /etc/security/opasswd.",
      "remediation": "Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nEdit the following lines and remove the remember= option: \n\nauth        sufficient   pam_unix.so try_first_pass \naccount     required     pam_unix.so \npassword    sufficient   pam_unix.so sha512 shadow try_first_pass use_authtok \nsession     required     pam_unix.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/pam.d/{password,system}-auth",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\h*password\\h+([^#\\n\\r]+\\h+)?pam_unix\\.so\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "3c4725aec61d0226c3dd7617db3b803a",
      "name": "5.4.2.4.3 — Ensure pam_unix includes a strong password hashing algorithm",
      "description": "Ensure pam_unix includes a strong password hashing algorithm",
      "rational": "The SHA-512 algorithm provides a stronger hash than other algorithms used by Linux \nfor password hash generation. A stronger hash provides additional protection to the \nsystem by increasing the level of effort needed for an attacker to successfully determine \nlocal user passwords. \n\nNote: These changes only apply to the local system.",
      "remediation": "Note: This only affects local users and passwords created after updating \nthe files to use sha512. If it is determined that the password algorithm \nbeing used is not sha512, once it is changed, it is recommended that all \nuser IDs be immediately expired and forced to change their passwords on \nnext login. \n\nEdit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nEdit the following lines and: \n\n•  Add the sha512 argument \n•  Remove all md5, bigcrypt, sha256, and blowfish argumen...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "2b0b212124d65f7d0dc545cdde52f353",
      "name": "5.4.2.4.4 — Ensure pam_unix includes use_authtok",
      "description": "Ensure pam_unix includes use_authtok",
      "rational": "use_authtok allows multiple pam modules to confirm a new password before it is \naccepted.",
      "remediation": "Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth: \n\nEdit the following line and add the use_authtok argument: \n\npassword   sufficient   pam_unix.so sha512 shadow try_first_pass use_authtok",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "1d216d8ec925cdcc0a3420bc6285b28d",
      "name": "5.5.1.1 — Ensure password expiration is configured",
      "description": "Ensure password expiration is configured",
      "rational": "The window of opportunity for an attacker to leverage compromised credentials or \nsuccessfully compromise credentials via an online brute force attack is limited by the \nage of the password. Therefore, reducing the maximum age of a password also reduces \nan attacker's window of opportunity. \n\nWe recommend a yearly password change. This is primarily because for all their good \nintentions users w...",
      "remediation": "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : \n\nPASS_MAX_DAYS 365 \n\nModify user parameters for all users with a password set to match: \n\n# chage --maxdays 365 <user> \n\nEdit /etc/login.defs and set PASS_MAX_DAYS to a value greater than 0 that follows \nlocal site policy: \n\nExample: \n\nPASS_MAX_DAYS 365 \n\nRun the following command to modify user parameters for all users with a password set \nto a maximum age no greater than 365 or less than 1 that follows local sit...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*PASS_MAX_DAYS\\h+\\d+\\b' /etc/login.defs",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "22e63c2276af0c00b77fbe61bee0b1d1",
      "name": "5.5.1.2 — Ensure minimum password days is configured",
      "description": "Ensure minimum password days is configured",
      "rational": "Users may have favorite passwords that they like to use because they are easy to \nremember and they believe that their password choice is secure from compromise. \nUnfortunately, passwords are compromised and if an attacker is targeting a specific \nindividual user account, with foreknowledge of data about that user, reuse of old, \npotentially compromised passwords, may cause a security breach....",
      "remediation": "Edit /etc/login.defs and set PASS_MIN_DAYS to a value greater than 0 that follows \nlocal site policy: \n\nExample: \n\nPASS_MIN_DAYS 1 \n\nRun the following command to modify user parameters for all users with a password set \nto a minimum days greater than zero that follows local site policy: \n\n# chage --mindays <N> <user> \n\nExample: \n\n# awk -F: '($2~/^\\$.+\\$/) {if($4 < 1)system (\"chage --mindays 1 \" $1)}' \n/etc/shadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*PASS_MIN_DAYS\\h+\\d+\\b' /etc/login.defs",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a150e06931d41161d7aaa0ee1ad493de",
      "name": "5.5.1.3 — Ensure password expiration warning days is configured",
      "description": "Ensure password expiration warning days is configured",
      "rational": "Providing an advance warning that a password will be expiring gives users time to think \nof a secure password. Users caught unaware may choose a simple password or write it \ndown where it may be discovered.",
      "remediation": "Edit /etc/login.defs and set PASS_WARN_AGE to a value of 7 or more that follows \nlocal site policy: \n\nExample: \n\nPASS_WARN_AGE 7 \n\nRun the following command to modify user parameters for all users with a password set \nto a minimum warning to 7 or more days that follows local site policy: \n\n# chage --warndays <N> <user> \n\nExample: \n\n# awk -F: '($2~/^\\$.+\\$/) {if($6 < 7)system (\"chage --warndays 7 \" $1)}' \n/etc/shadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*PASS_WARN_AGE\\h+\\d+\\b' /etc/login.defs",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b3153aa88832894fafa17ab292043e90",
      "name": "5.5.1.4 — Ensure strong password hashing algorithm is configured",
      "description": "Ensure strong password hashing algorithm is configured",
      "rational": "The SHA-512 and yescrypt algorithms provide a stronger hash than other algorithms \nused by Linux for password hash generation. A stronger hash provides additional \nprotection to the system by increasing the level of effort needed for an attacker to \nsuccessfully determine local group passwords.",
      "remediation": "Edit /etc/login.defs and set the ENCRYPT_METHOD to SHA512 or YESCRYPT: \n\nENCRYPT_METHOD <HASHING_ALGORITHM> \n\nExample: \n\nENCRYPT_METHOD YESCRYPT \n\nNote: \n\n•  This only affects local groups' passwords created after updating the file to use \nsha512 or yescrypt. \n•  If it is determined that the password algorithm being used is not sha512 or \nyescrypt, once it is changed, it is recommended that all group passwords be \nupdated to use the stronger hashing algorithm. \n•  It is recommended that th...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*ENCRYPT_METHOD\\h+(SHA512|YESCRYPT)\\b' /etc/login.defs",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "57d7ad094a92f54ece41b52a4568a31c",
      "name": "5.5.1.5 — Ensure inactive password lock is configured",
      "description": "Ensure inactive password lock is configured",
      "rational": "Inactive accounts pose a threat to system security since the users are not logging in to \nnotice failed login attempts or other anomalies.",
      "remediation": "Run the following command to set the default password inactivity period to 45 days or \nless that meets local site policy: \n\n# useradd -D -f <N> \n\nExample: \n\n# useradd -D -f 45 \n\nRun the following command to modify user parameters for all users with a password set \nto an inactive age of 45 days or less that follows local site policy: \n\n# chage --inactive <N> <user> \n\nExample: \n\n# awk -F: '($2~/^\\$.+\\$/) {if($7 > 45 || $7 < 0)system (\"chage --inactive 45 \n\" $1)}' /etc/shadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "useradd -D | grep INACTIVE",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "29240b8fc9db192be4ae806faadc5d18",
      "name": "5.5.1.6 — Ensure all users last password change date is in the past",
      "description": "Ensure all users last password change date is in the past",
      "rational": "If a user's recorded password change date is in the future, then they could bypass any \nset password expiration.",
      "remediation": "Investigate any users with a password change date in the future and correct them. \nLocking the account, expiring the password, or resetting the password manually may be \nappropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d8ecd4a73b3e80bdfafd63f5a32f21be",
      "name": "5.5.2.1 — Ensure root is the only UID 0 account",
      "description": "Ensure root is the only UID 0 account",
      "rational": "This access must be limited to only the default root account and only from the system \nconsole. Administrative access must be through an unprivileged account using an \napproved mechanism as noted in Item 5.6 Ensure access to the su command is \nrestricted.",
      "remediation": "Run the following command to change the root account UID to 0: \n\n# usermod -u 0 root \n\nModify any users other than root with UID 0 and assign them a new UID.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($3 == 0) { print $1 }' /etc/passwd",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6563ddbff5de58e3188b1a146ad20866",
      "name": "5.5.2.2 — Ensure root is the only GID 0 account",
      "description": "Ensure root is the only GID 0 account",
      "rational": "Using GID 0 for the root account helps prevent root-owned files from accidentally \nbecoming accessible to non-privileged users.",
      "remediation": "Run the following command to set the root user's GID to 0: \n\n# usermod -g 0 root \n\nRun the following command to set the root group's GID to 0: \n\n# groupmod -g 0 root \n\nRemove any users other than the root user with GID 0 or assign them a new GID if \nappropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "248e2ea8254a2ced6d4bb66926bf6268",
      "name": "5.5.2.3 — Ensure group root is the only GID 0 group",
      "description": "Ensure group root is the only GID 0 group",
      "rational": "Using GID 0 for the root group helps prevent root group owned files from accidentally \nbecoming accessible to non-privileged users.",
      "remediation": "Run the following command to set the root group's GID to 0: \n\n# groupmod -g 0 root \n\nRemove any groups other than the root group with GID 0 or assign them a new GID if \nappropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '$3==\"0\"{print $1\":\"$3}' /etc/group",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "032a35428ef199e7c892841f9e3bfd91",
      "name": "5.5.2.4 — Ensure root account access is controlled",
      "description": "Ensure root account access is controlled",
      "rational": "Access to root should be secured at all times.",
      "remediation": "Run the following command to set a password for the root user: \n\n# passwd root \n\n- OR - \n\nRun the following command to lock the root user account: \n\n# usermod -L root",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "passwd -S root | awk '$2 ~ /^(P|L)/ {print \"User: \\\"\" $1 \"\\\" Password is",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f43fc96d68f10d30e19de680eecca60e",
      "name": "5.5.2.5 — Ensure root path integrity",
      "description": "Ensure root path integrity",
      "rational": "Including the current working directory (.) or other writable directory in root's \nexecutable path makes it likely that an attacker can gain superuser access by forcing an \nadministrator operating as root to execute a Trojan horse program. \n\nPage 584",
      "remediation": "Correct or justify any: \n\n•  Locations that are not directories \n•  Empty directories (::) \n•  Trailing (:) \n•  Current working directory (.) \n•  Non root owned directories \n•  Directories that less restrictive than mode 0755",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "88af0cef038f60782fef70050566f5bb",
      "name": "5.5.2.6 — Ensure root user umask is configured",
      "description": "Ensure root user umask is configured",
      "rational": "Setting a secure value for umask ensures that users make a conscious choice about \ntheir file permissions. A permissive umask value could result in directories or files with \nexcessive permissions that can be read and/or written to by unauthorized users.",
      "remediation": "Edit /root/.bash_profile and /root/.bashrc and either: \n\n• \n\nremove, comment out, or update any line with umask. \n\n- OR - \n\n•  update any line that includes umask to a value of 0027 or more restrictive. \n\nExample: \n\numask 027 \n\nNote: the Recommendation \"Ensure default user umask is configured\" includes \nguidance to set the default umask",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*umask\\h+((\\d{1,2}(\\d[^7]|[^2-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "bb0440d68c1ce5b268cd4d28deae3cba",
      "name": "5.5.2.7 — Ensure system accounts do not have a valid login shell",
      "description": "Ensure system accounts do not have a valid login shell",
      "rational": "It is important to make sure that accounts that are not being used by regular users are \nprevented from being used to provide an interactive shell. By default, most distributions \nset the password field for these accounts to an invalid string, but it is also recommended \nthat the shell field in the password file be set to the nologin shell. This prevents the \naccount from potentially being used...",
      "remediation": "Run the following command to set the shell for any service accounts returned by the \naudit to nologin: \n\n# usermod -s $(command -v nologin) <user> \n\nExample script: \n\n#!/usr/bin/env bash \n\n{ \n   l_valid_shells=\"^($(awk -F\\/ '($NF != \"nologin\" && $NF != \"false\") \n{print}' /etc/shells | sed -rn '/^\\//{s,/,\\\\\\\\/,g;p}' | paste -s -d '|' - \n))$\" \n   awk -v pat=\"$l_valid_shells\" -F: \n'($1!~/^(root|halt|sync|shutdown|nfsnobody)$/ && ($3<'\"$(awk \n'/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"' || $3 ==...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "34d120dcd2743488097621e62d172d6e",
      "name": "5.5.2.8 — Ensure accounts without a valid login shell are locked",
      "description": "Ensure accounts without a valid login shell are locked",
      "rational": "It is important to make sure that accounts that are not intended for interactive use are \nprevented from being used interactively. By default, most distributions set the password \nfield for these accounts to an invalid string, but it is also recommended that these \naccounts are locked. This prevents these accounts from potentially being used to run \nany commands.",
      "remediation": "Run the following command to lock any non-root accounts without a valid login shell \nreturned by the audit: \n\n# usermod -L <user> \n\nExample script:: \n\n#!/usr/bin/env bash \n\n{ \n   l_valid_shells=\"^($(awk -F\\/ '($NF != \"nologin\" && $NF != \"false\") \n{print}' /etc/shells | sed -rn '/^\\//{s,/,\\\\\\\\/,g;p}' | paste -s -d '|' - \n))$\" \n   while IFS= read -r l_user; do \n      passwd -S \"$l_user\" | awk '$2 !~ /^L/ {system (\"usermod -L \" $1)}' \n   done < <(awk -v pat=\"$l_valid_shells\" -F: '($1 != \"root\" &...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "fa6a935d53f51d84a67059c293655f59",
      "name": "5.5.3.2 — Ensure default user shell timeout is configured",
      "description": "Ensure default user shell timeout is configured",
      "rational": "Setting a timeout value reduces the window of opportunity for unauthorized user access \nto another user's shell session that has been left unattended. It also ends the inactive \nsession and releases the resources associated with that session.",
      "remediation": "Review /etc/bashrc, /etc/profile, and all files ending in *.sh in the \n/etc/profile.d/ directory and remove or edit all TMOUT=_n_ entries to follow local site \npolicy. TMOUT should not exceed 900 or be equal to 0. \n\nConfigure TMOUT in one of the following files: \n\n•  A file in the /etc/profile.d/ directory ending in .sh \n•  /etc/profile \n•  /etc/bashrc \n\nExample command to set TMOUT to 900 seconds in a file in /etc/profile.d/: \n\n# printf '%s\\n' \"# Set TMOUT to 900 seconds\" \"typeset -xr TMOUT=...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ea295f9081d9434af7edaf17c08f48b9",
      "name": "5.5.3.3 — Ensure default user umask is configured",
      "description": "Ensure default user umask is configured",
      "rational": "Setting a secure default value for umask ensures that users make a conscious choice \nabout their file permissions. A permissive umask value could result in directories or files \nwith excessive permissions that can be read and/or written to by unauthorized users. \n\nSatisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227",
      "remediation": "1.  Run the following script to comment out all occurrences of umask that are less \nrestrictive than 027 in files ending in *.sh in the /etc/profile.d/ directory: \n\n#!/usr/bin/env bash \n\n{ \n   while IFS= read -r -d $'\\0' l_file; do \n      sed -ri '/^\\s*umask\\s+0?(0[01][0-7]|0[0-7][^7]|[^0][0-7][0-\n7])(\\s*|\\s+.*)$/s/^/# /' \"$l_file\" \n   done < <(find /etc/profile.d/ -type f -name '*.sh' -print0) \n} \n\n2.  Create or edit a file in /etc/profile.d/ ending in *.sh and add or modify the \n\nfollowing...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*umask\\b' /etc/profile.d/*.sh",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "86829d0741d26de1cd0a595de19f7a88",
      "name": "6.1.1.1 — Ensure journald service is active",
      "description": "Ensure journald service is active",
      "rational": "If the systemd-journald service is not enabled to start on boot, the system will not \ncapture logging events.",
      "remediation": "Run the following commands to unmask, enable, and start systemd-\njournald.service \n\n# systemctl unmask systemd-journald.service \n# systemctl --now enable systemd-journald.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "systemd-journald",
          "selement": "ACTIVE",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a9af7e4fc4df34b88a8e706f521df733",
      "name": "6.1.1.2 — Ensure systemd-journal-remote service is not in use",
      "description": "Ensure systemd-journal-remote service is not in use",
      "rational": "If a client is configured to also receive data, thus turning it into a server, the client \nsystem is acting outside it's operational boundary.",
      "remediation": "Run the following commands to stop and mask systemd-journal-remote.socket and \nsystemd-journal-remote.service: \n\n# systemctl stop systemd-journal-remote.socket systemd-journal-remote.service \n# systemctl mask systemd-journal-remote.socket systemd-journal-remote.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "systemctl show systemd-journal-remote.socket systemd-journal-remote.service",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5e23fac8044cd50d68406956c44155c6",
      "name": "6.1.1.3 — Ensure journald Compress is configured",
      "description": "Ensure journald Compress is configured",
      "rational": "Uncompressed large files may unexpectedly fill a filesystem leading to resource \nunavailability. Compressing logs prior to write can prevent sudden, unexpected \nfilesystem impacts.",
      "remediation": "Note: Drop-in configuration files have higher precedence and override the main \nconfiguration file. Files in the *.conf.d/ configuration subdirectories are sorted by their \nfilename in lexicographic order, regardless of in which of the subdirectories they reside. \nWhen multiple files specify the same option, for options which accept just a single value, \nthe entry in the file sorted last takes precedence, and for options which accept a list of \nvalues, entries are collected as they occur in t...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6acc61c9e3dccd9ed2def553285827d7",
      "name": "6.1.1.4 — Ensure journald Storage is configured",
      "description": "Ensure journald Storage is configured",
      "rational": "Writing log data to disk will provide the ability to forensically reconstruct events which \nmay have impacted the operations or security of a system even after a system crash or \nreboot.",
      "remediation": "Note: Drop-in configuration files have higher precedence and override the main \nconfiguration file. Files in the *.conf.d/ configuration subdirectories are sorted by their \nfilename in lexicographic order, regardless of in which of the subdirectories they reside. \nWhen multiple files specify the same option, for options which accept just a single value, \nthe entry in the file sorted last takes precedence, and for options which accept a list of \nvalues, entries are collected as they occur in t...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "71326a2a87486b9f4aa5a5bce47e7e34",
      "name": "6.1.1.5 — Ensure journald ForwardToSyslog is configured",
      "description": "Ensure journald ForwardToSyslog is configured",
      "rational": "rsyslog is the recommended method for capturing logs. All system logs should be sent \nto it for further processing. \n\nPage 619",
      "remediation": "Note: Drop-in configuration files have higher precedence and override the main \nconfiguration file. Files in the *.conf.d/ configuration subdirectories are sorted by their \nfilename in lexicographic order, regardless of in which of the subdirectories they reside. \nWhen multiple files specify the same option, for options which accept just a single value, \nthe entry in the file sorted last takes precedence, and for options which accept a list of \nvalues, entries are collected as they occur in t...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4ffc5f320c99cd7a40de50a938ae36dc",
      "name": "6.1.1.6 — Ensure journald log file rotation is configured",
      "description": "Ensure journald log file rotation is configured",
      "rational": "By keeping the log files smaller and more manageable, a system administrator can \neasily archive these files to another system and spend less time looking through \ninordinately large log files. \n\nPage 623",
      "remediation": "1.  Edit /etc/systemd/journald.conf or a file ending in .conf the \n\n/etc/systemd/journald.conf.d/ directory. Set the following parameters in \nthe [Journal] section to ensure logs are rotated according to site policy. The \nsettings should be carefully understood as there are specific edge cases and \nprioritization of parameters. \n\nExample Configuration: \n\n[Journal] \nSystemMaxUse=1G \nSystemKeepFree=500M \nRuntimeMaxUse=200M \nRuntimeKeepFree=50M \nMaxFileSec=1month \n\n2.  - IF - The same option was...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "240149db29b048a650e85fb66504239e",
      "name": "6.1.1.7 — Ensure journald log file access is configured",
      "description": "Ensure journald log file access is configured",
      "rational": "It is important to ensure that log files have the correct permissions to ensure that \nsensitive data is archived and protected. \n\nPage 627",
      "remediation": "If the default configuration is not appropriate for the site specific requirements, copy \n/usr/lib/tmpfiles.d/systemd.conf to /etc/tmpfiles.d/systemd.conf and \nmodify as required. Requirements is either 0640 or site policy if that is less restrictive.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b8e689dc238b4b92194acabfa5893588",
      "name": "6.1.2.1 — Ensure rsyslog is installed",
      "description": "Ensure rsyslog is installed",
      "rational": "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) \ntransmission of logs, the option to log to database formats, and the encryption of log \ndata en route to a central logging server) justify installing and configuring the package.",
      "remediation": "Run the following command to install rsyslog: \n\n# yum install rsyslog",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rsyslog",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5b6009bdbc2acd52e14287a5b0ce2ca3",
      "name": "6.1.2.2 — Ensure rsyslog service is enabled and active",
      "description": "Ensure rsyslog service is enabled and active",
      "rational": "If the rsyslog service is not enabled to start on boot, the system will not capture \nlogging events. \n\nNote: This recommendation only applies if rsyslog is the chosen method for client side \nlogging. Do not apply this recommendation if journald is used.",
      "remediation": "- IF - rsyslog is being used for logging on the system: \n\nRun the following commands to unmask, enable, and start rsyslog.service: \n\n# systemctl unmask rsyslog.service \n# systemctl enable rsyslog.service \n# systemctl start rsyslog.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "rsyslog",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "85856ebcd6ec3ccc41e18ce40fe40207",
      "name": "6.1.2.3 — Ensure rsyslog log file creation mode is configured",
      "description": "Ensure rsyslog log file creation mode is configured",
      "rational": "It is important to ensure that log files have the correct permissions to ensure that \nsensitive data is archived and protected.",
      "remediation": "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set \n$FileCreateMode to 0640 or more restrictive: \n\n$FileCreateMode 0640 \n\nRestart the service: \n\n# systemctl restart rsyslog",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/rsyslog.conf",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\h*\\$FileCreateMode\\h+0[0,2,4,6][0,2,4]0\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "526963e9ba190ad614b116d10fa561fb",
      "name": "6.1.2.4 — Ensure rsyslog logging is configured",
      "description": "Ensure rsyslog logging is configured",
      "rational": "A great deal of important security-related information is sent via rsyslog (e.g., \nsuccessful and failed su attempts, failed login attempts, root login attempts, etc.).",
      "remediation": "Edit the following lines in the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files \nas appropriate for your environment. \n\nNote: The below configuration is shown for example purposes only. Due care should be \ngiven to how the organization wishes to store log data. \n\n*.emerg                                  :omusrmsg:* \nauth,authpriv.*                          /var/log/secure \nmail.*                                  -/var/log/mail \nmail.info                               -/var/log/mail.info \nma...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "ls -l /var/log/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "690710e2d58ada7a9eafb90908506f95",
      "name": "6.1.2.5 — Ensure rsyslog is configured to send logs to a remote log",
      "description": "Ensure rsyslog is configured to send logs to a remote log",
      "rational": "Storing log data on a remote host protects log integrity from local attacks. If an attacker \ngains root access on the local system, they could tamper with or remove log data that is \nstored on the local system.",
      "remediation": "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following \nline (where loghost.example.com is the name of your central log host). The target \ndirective may either be a fully qualified domain name or an IP address. \n\nExample: \n\n*.* action(type=\"omfwd\" target=\"loghost.example.com\" port=\"514\" \nprotocol=\"tcp\" \n           action.resumeRetryCount=\"100\" \n           queue.type=\"LinkedList\" queue.size=\"1000\") \n\nRun the following command to reload rsyslog.service: \n\n# systemctl r...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep \"^*.*[^I][^I]*@@\" /etc/rsyslog.conf /etc/rsyslog.d/*.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "57240a7d64226a59dbd6e1e08be20ac4",
      "name": "6.1.2.6 — Ensure rsyslog is not configured to receive logs from a",
      "description": "Ensure rsyslog is not configured to receive logs from a",
      "rational": "If a client is configured to also receive data, thus turning it into a server, the client \nsystem is acting outside its operational boundary.",
      "remediation": "Should there be any active log server configuration found in the auditing section, modify \nthose files and remove the specific lines highlighted by the audit. Verify none of the \nfollowing entries are present in any of /etc/rsyslog.conf or \n/etc/rsyslog.d/*.conf. \n\nadvanced format \n\nmodule(load=\"imtcp\") \ninput(type=\"imtcp\" port=\"514\") \n\ndeprecated legacy format \n\n$ModLoad imtcp \n$InputTCPServerRun \n\nRestart the service: \n\n# systemctl restart rsyslog",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*module\\(load=\\\"?imtcp\\\"?\\)' /etc/rsyslog.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "7180f6d8d9d6ad1246a86af697d07e83",
      "name": "6.1.3.1 — Ensure access to all logfiles has been configured",
      "description": "Ensure access to all logfiles has been configured",
      "rational": "It is important that log files have the correct permissions to ensure that sensitive data is \nprotected and that only the appropriate users / groups have access to them.",
      "remediation": "Run the following script to update permissions and ownership on files in /var/log. \n\nAlthough the script is not destructive, ensure that the output is captured in the event that \nthe remediation causes issues. \n\nPage 648 \n\n\f#!/usr/bin/env bash \n\n{ \n   a_output2=() \n   f_file_test_fix() \n   { \n      a_out2=() \n      maxperm=\"$( printf '%o' $(( 0777 & ~$perm_mask)) )\" \n      if [ $(( $l_mode & $perm_mask )) -gt 0 ]; then \n         a_out2+=(\"   o Mode: \\\"$l_mode\\\" should be \\\"$maxperm\\\" or more...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "df973683754cbb1a05567967e2bfdea1",
      "name": "6.3.1 — Ensure AIDE is installed",
      "description": "Ensure AIDE is installed",
      "rational": "By monitoring the filesystem state compromised files can be detected to prevent or limit \nthe exposure of accidental or malicious misconfigurations or modified binaries.",
      "remediation": "Run the following command to install aide: \n\n# yum install aide \n\nConfigure aide as appropriate for your environment. Consult the aide documentation \nfor options. \n\nInitialize aide: \n\nRun the following commands: \n\n# aide --init \n# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz \n\nPage 776",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "aide",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "775d6748c7d88005c40280fe49a04b9f",
      "name": "6.3.2 — Ensure filesystem integrity is regularly checked",
      "description": "Ensure filesystem integrity is regularly checked",
      "rational": "Periodic file checking allows the system administrator to determine on a regular basis if \ncritical files have been changed in an unauthorized fashion. \n\nSatisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-\n000447-GPOS-00201",
      "remediation": "- IF - cron will be used to schedule and run aide check \n\nRun the following command: \n\n# crontab -u root -e \n\nAdd the following line to the crontab: \n\n0 5 * * * /usr/sbin/aide --check \n\n- OR - \n\n- IF - aidecheck.service and aidecheck.timer will be used to schedule and run aide \ncheck: \n\nCreate or edit the file /etc/systemd/system/aidecheck.service and add the \nfollowing lines: \n\n[Unit] \nDescription=Aide Check \n\n[Service] \nType=simple \nExecStart=/usr/sbin/aide --check \n\n[Install] \nWantedBy=mul...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "aidecheck",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "103c37d98f9ee33bc18cb99a4f98ca6d",
      "name": "6.3.3 — Ensure cryptographic mechanisms are used to protect the integrity of audit tools",
      "description": "Ensure cryptographic mechanisms are used to protect the integrity of audit tools",
      "rational": "Protecting the integrity of the tools used for auditing purposes is a critical step toward \nensuring the integrity of audit information. Audit information includes all information \n(e.g., audit records, audit settings, and audit reports) needed to successfully audit \ninformation system activity. \n\nAttackers may replace the audit tools or inject code into the existing tools with the \npurpose of...",
      "remediation": "Run the following command to determine the absolute path to the non-symlinked \nversion on the audit tools: \n\n# readlink -e /sbin \n\nThe output will be either /usr/sbin - OR - /sbin. Ensure the correct path is used. \n\nEdit /etc/aide.conf and add or update the following selection lines replacing <PATH> \nwith the correct path returned in the command above: \n\n# Audit Tools  \n<PATH>/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512  \n<PATH>/auditd p+i+n+u+g+s+b+acl+xattrs+sha512  \n<PATH>/ausearch p+i+n+u+g+...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "printf '%s\\n' \"\" \"$(readlink -e /sbin || readlink -e /usr/sbin)\" \"\"",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b851e4c7e53cb7640062683299a0b5a5",
      "name": "7.1.1 — Ensure access to /etc/passwd is configured",
      "description": "Ensure access to /etc/passwd is configured",
      "rational": "It is critical to ensure that the /etc/passwd file is protected from unauthorized write \naccess. Although it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/passwd: \n\n# chmod u-x,go-wx /etc/passwd \n# chown root:root /etc/passwd",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/passwd",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "682aa6d4a6b6bd62ec3d7b067926b303",
      "name": "7.1.2 — Ensure access to /etc/passwd- is configured",
      "description": "Ensure access to /etc/passwd- is configured",
      "rational": "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/passwd-: \n\n# chmod u-x,go-wx /etc/passwd- \n# chown root:root /etc/passwd-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/passwd-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c85ab404165c5d0c68f380734c149e4e",
      "name": "7.1.3 — Ensure access to /etc/group is configured",
      "description": "Ensure access to /etc/group is configured",
      "rational": "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/group: \n\n# chmod u-x,go-wx /etc/group \n# chown root:root /etc/group",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/group",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "450377e07ff8c85c37995cca143b6528",
      "name": "7.1.4 — Ensure access to /etc/group- is configured",
      "description": "Ensure access to /etc/group- is configured",
      "rational": "It is critical to ensure that the /etc/group- file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/group-: \n\n# chmod u-x,go-wx /etc/group- \n# chown root:root /etc/group-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/group-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "300ec4f7a00393b03f3ca4509ecb6ae4",
      "name": "7.1.5 — Ensure access to /etc/shadow is configured",
      "description": "Ensure access to /etc/shadow is configured",
      "rational": "If attackers can gain read access to the /etc/shadow file, they can easily run a \npassword cracking program against the hashed password to break it. Other security \ninformation that is stored in the /etc/shadow file (such as expiration) could also be \nuseful to subvert the user accounts.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/shadow: \n\n# chown root:root /etc/shadow \n# chmod 0000 /etc/shadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/shadow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d7ad70d995eff8b3f2b2c530e3e15c17",
      "name": "7.1.6 — Ensure access to /etc/shadow- is configured",
      "description": "Ensure access to /etc/shadow- is configured",
      "rational": "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/shadow-: \n\n# chown root:root /etc/shadow- \n# chmod 0000 /etc/shadow-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/shadow-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e88d93c56129c0ebfa8192234382c93b",
      "name": "7.1.7 — Ensure access to /etc/gshadow is configured",
      "description": "Ensure access to /etc/gshadow is configured",
      "rational": "If attackers can gain read access to the /etc/gshadow file, they can easily run a \npassword cracking program against the hashed password to break it. Other security \ninformation that is stored in the /etc/gshadow file (such as group administrators) could \nalso be useful to subvert the group.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/gshadow: \n\n# chown root:root /etc/gshadow \n# chmod 0000 /etc/gshadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/gshadow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c0fd6033b1f598a643e788af81b271c6",
      "name": "7.1.8 — Ensure access to /etc/gshadow- is configured",
      "description": "Ensure access to /etc/gshadow- is configured",
      "rational": "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized \naccess. Although it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/gshadow-: \n\n# chown root:root /etc/gshadow- \n# chmod 0000 /etc/gshadow-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/gshadow-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "7724158041f86cd8efdb8121f8b77300",
      "name": "7.1.9 — Ensure access to /etc/shells is configured",
      "description": "Ensure access to /etc/shells is configured",
      "rational": "It is critical to ensure that the /etc/shells file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/shells: \n\n# chmod u-x,go-wx /etc/shells \n# chown root:root /etc/shells",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/shells",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4455c89cf9820ccf631d891dbf575669",
      "name": "7.1.10 — Ensure access to /etc/security/opasswd is configured",
      "description": "Ensure access to /etc/security/opasswd is configured",
      "rational": "It is critical to ensure that /etc/security/opasswd is protected from unauthorized \naccess. Although it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/security/opasswd and /etc/security/opasswd.old if they exist: \n\n# [ -e \"/etc/security/opasswd\" ] && chmod u-x,go-rwx /etc/security/opasswd \n# [ -e \"/etc/security/opasswd\" ] && chown root:root /etc/security/opasswd \n# [ -e \"/etc/security/opasswd.old\" ] && chmod u-x,go-rwx /etc/security/opasswd.old \n# [ -e \"/etc/security/opasswd.old\" ] && chown root:root /etc/security/opasswd.old",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "[ -e \"/etc/security/opasswd\" ] && stat -Lc '%n Access: (%#a/%A)  Uid: (",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "92b08ce2b7851d77ec1b1a565e9a6d9f",
      "name": "7.1.11 — Ensure world writable files and directories are secured",
      "description": "Ensure world writable files and directories are secured",
      "rational": "Data in world-writable files can be modified and compromised by any user on the \nsystem. World writable files may also indicate an incorrectly written script or program \nthat could potentially be the cause of a larger compromise to the system's integrity. \n\nThis feature prevents the ability to delete or rename files in world writable directories \n(such as /tmp) that are owned by another user....",
      "remediation": "•  World Writable Files: \n\no  It is recommended that write access is removed from other with the \ncommand ( chmod o-w <filename> ), but always consult relevant vendor \ndocumentation to avoid breaking any application dependencies on a given \nfile. \n\n•  World Writable Directories: \n\no  Set the sticky bit on all world writable directories with the command ( chmod a+t <directory_name> ) \n\nRun the following script to: \n\n•  Remove other write permission from any world writable files \n•  Add the...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "66109dccdb700fc8aa825adaa47742d2",
      "name": "7.1.12 — Ensure no files or directories without an owner and a group",
      "description": "Ensure no files or directories without an owner and a group",
      "rational": "A new user or group who is assigned a deleted user's user ID or group ID may then end \nup \"owning\" a deleted user or group's files, and thus have more access on the system \nthan was intended.",
      "remediation": "Remove or set ownership and group ownership of these files and/or directories to an \nactive user on the system as appropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "7e6a2dfdacedcb1deb54b92c35d28f1c",
      "name": "7.1.13 — Ensure SUID and SGID files are reviewed",
      "description": "Ensure SUID and SGID files are reviewed",
      "rational": "There are valid reasons for SUID and SGID programs, but it is important to identify and \nreview such programs to ensure they are legitimate. Review the files returned by the \naction in the audit section and check to see if system binaries have a different \nchecksum than what from the package. This is an indication that the binary may have \nbeen replaced.",
      "remediation": "Ensure that no rogue SUID or SGID programs have been introduced into the system. \nReview the files returned by the action in the Audit section and confirm the integrity of \nthese binaries.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn -Dkerno",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "98bcb18e3f6326de309354b9f07346fb",
      "name": "7.2.1 — Ensure accounts in /etc/passwd use shadowed passwords",
      "description": "Ensure accounts in /etc/passwd use shadowed passwords",
      "rational": "The /etc/passwd file also contains information like user ID's and group ID's that are \nused by many system programs. Therefore, the /etc/passwd file must remain world \nreadable. In spite of encoding the password with a randomly-generated one-way hash \nfunction, an attacker could still break the system if they got access to the /etc/passwd \nfile. This can be mitigated by using shadowed passwords...",
      "remediation": "Run the following command to set accounts to use shadowed passwords and migrate \npasswords in /etc/passwd to /etc/shadow: \n\n# pwconv \n\nInvestigate to determine if the account is logged in and what it is being used for, to \ndetermine if it needs to be forced off.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($2 != \"x\" ) { print \"User: \\\"\" $1 \"\\\" is not set to shadowed",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "507edebbde1e9eb8f9290deb3b5081f2",
      "name": "7.2.2 — Ensure /etc/shadow password fields are not empty",
      "description": "Ensure /etc/shadow password fields are not empty",
      "rational": "All accounts must have passwords or be locked to prevent the account from being used \nby an unauthorized user.",
      "remediation": "If any accounts in the /etc/shadow file do not have a password, run the following \ncommand to lock the account until it can be determined why it does not have a \npassword: \n\n# passwd -l <username> \n\nAlso, check to see if the account is logged in and investigate what it is being used for to \ndetermine if it needs to be forced off.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($2 == \"\" ) { print $1 \" does not have a password \"}' /etc/shadow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b9c7507deebd00ace16a788a19f05985",
      "name": "7.2.3 — Ensure all groups in /etc/passwd exist in /etc/group",
      "description": "Ensure all groups in /etc/passwd exist in /etc/group",
      "rational": "Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to \nsystem security since group permissions are not properly managed.",
      "remediation": "Analyze the output of the Audit step above and perform the appropriate action to correct \nany discrepancies found.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b81472e7edff918de4922936d3792256",
      "name": "7.2.4 — Ensure no duplicate UIDs exist",
      "description": "Ensure no duplicate UIDs exist",
      "rational": "Users must be assigned unique UIDs for accountability and to ensure appropriate \naccess protections. \n\nSatisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020",
      "remediation": "Based on the results of the audit script, establish unique UIDs and review all files owned \nby the shared UIDs to determine which UID they are supposed to belong to.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "80b12f5d8e9c75e135f4d3a1f69eb6b6",
      "name": "7.2.5 — Ensure no duplicate GIDs exist",
      "description": "Ensure no duplicate GIDs exist",
      "rational": "User groups must be assigned unique GIDs for accountability and to ensure appropriate \naccess protections.",
      "remediation": "Based on the results of the audit script, establish unique GIDs and review all files \nowned by the shared GID to determine which group they are supposed to belong to.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "dc9f9a2dac30b2361638e71c745629fc",
      "name": "7.2.6 — Ensure no duplicate user names exist",
      "description": "Ensure no duplicate user names exist",
      "rational": "If a user is assigned a duplicate user name, it will create and have access to files with \nthe first UID for that username in /etc/passwd. For example, if \"test4\" has a UID of \n1000 and a subsequent \"test4\" entry has a UID of 2000, logging in as \"test4\" will use \nUID 1000. Effectively, the UID is shared, which is a security problem.",
      "remediation": "Based on the results of the audit script, establish unique user names for the users. File \nownerships will automatically reflect the change as long as the users have unique UIDs.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "250ae13dfe840c7a2856d6d5e2f3f611",
      "name": "7.2.7 — Ensure no duplicate group names exist",
      "description": "Ensure no duplicate group names exist",
      "rational": "If a group is assigned a duplicate group name, it will create and have access to files \nwith the first GID for that group in /etc/group. Effectively, the GID is shared, which is \na security problem.",
      "remediation": "Based on the results of the audit script, establish unique names for the user groups. File \ngroup ownerships will automatically reflect the change as long as the groups have \nunique GIDs.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "850d28c2c0c89ee5d794078c74361989",
      "name": "7.2.8 — Ensure local interactive user home directories are configured",
      "description": "Ensure local interactive user home directories are configured",
      "rational": "Since the user is accountable for files stored in the user home directory, the user must \nbe the owner of the directory. Group or world-writable user home directories may enable \nmalicious users to steal or modify other users' data or to gain another user's system \nprivileges. If the user's home directory does not exist or is unassigned, the user will be \nplaced in \"/\" and will not be able to w...",
      "remediation": "If a local interactive users' home directory is undefined and/or doesn't exist, follow local \nsite policy and perform one of the following: \n\n•  Lock the user account \n•  Remove the user from the system \n•  Create a directory for the user. If undefined, edit /etc/passwd and add the \nabsolute path to the directory to the last field of the user. \n\nRun the following script to: \n\n•  Remove excessive permissions from local interactive users home directories \n•  Update the home directory's owner...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4f416f727de1b06fde2b470d564c16d3",
      "name": "7.2.9 — Ensure local interactive user dot files access is configured",
      "description": "Ensure local interactive user dot files access is configured",
      "rational": "User configuration files with excessive or incorrect access may enable malicious users \nto steal or modify other users' data or to gain another user's system privileges.",
      "remediation": "Making global modifications to users' files without alerting the user community can result \nin unexpected outages and unhappy users. Therefore, it is recommended that a \nmonitoring policy be established to report user dot file permissions and determine the \naction to be taken in accordance with site policy. \n\nThe following script will: \n\n•  remove excessive permissions on dot files within interactive users' home \ndirectories \n\n•  change ownership of dot files within interactive users' home d...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    }
  ]
}
