{
  "format_version": 3,
  "policy": {
    "external_id": "8bdcb1d9698171a10519ddd6296e0f5d",
    "name": "CIS Amazon Linux 2023 Benchmark v1.0.0 - Level 1 Server",
    "version": "1.0.1",
    "description": "Center for Internet Security benchmark — Level 1 server hardening for Amazon Linux 2023. Generated from CIS_Amazon_Linux_2023_Benchmark_v1.0.0.pdf.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "0a54b52519d03e2b9c6db03c73776cf1",
      "name": "1.1.2.1 — Ensure /tmp is a separate partition",
      "description": "Ensure /tmp is a separate partition",
      "rational": "Making /tmp its own file system allows an administrator to set additional mount options \nsuch as the noexec option on the mount, making /tmp useless for an attacker to install \nexecutable code. It would also prevent an attacker from establishing a hard link to a \nsystem setuid program and wait for it to be updated. Once the program was updated, \nthe hard link would be broken and the attacker wo...",
      "remediation": "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at \nboot time. \n\n# systemctl unmask tmp.mount \n\nFor specific configuration requirements of the /tmp mount for your environment, modify \n/etc/fstab. \nExample of using tmpfs with specific mount options: \n\ntmpfs  /tmp  tmpfs  defaults,rw,nosuid,nodev,noexec,relatime,size=2G  0 0 \n\nExample of using a volume or disk with specific mount options. The source location of \nthe volume or disk will vary depending o...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "tmp.mount",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "35f3528120d7978b33e26f597529c73e",
      "name": "1.1.2.2 — Ensure nodev option set on /tmp partition",
      "description": "Ensure nodev option set on /tmp partition",
      "rational": "Since the /tmp filesystem is not intended to support devices, set this option to ensure \nthat users cannot create block or character special devices in /tmp.",
      "remediation": "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp \npartition. \nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ee5e2cf542f30d8fe082da0ea514bd6e",
      "name": "1.1.2.3 — Ensure noexec option set on /tmp partition",
      "description": "Ensure noexec option set on /tmp partition",
      "rational": "Since the /tmp filesystem is only intended for temporary file storage, set this option to \nensure that users cannot run executable binaries from /tmp.",
      "remediation": "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the \n/tmp partition. \nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "noexec"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "bdd6412440d35687f07a9c3de7e9587a",
      "name": "1.1.2.4 — Ensure nosuid option set on /tmp partition",
      "description": "Ensure nosuid option set on /tmp partition",
      "rational": "Since the /tmp filesystem is only intended for temporary file storage, set this option to \nensure that users cannot create setuid files in /tmp.",
      "remediation": "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/tmp partition. \nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e4ac9b880a0dfe9d285a4e5c500a9276",
      "name": "1.1.3.2 — Ensure nodev option set on /var partition",
      "description": "Ensure nodev option set on /var partition",
      "rational": "Since the /var filesystem is not intended to support devices, set this option to ensure \nthat users cannot create block or character special devices in /var.",
      "remediation": "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var \npartition. \nExample: \n\n<device> /var    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var with the configured options: \n\n# mount -o remount /var",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0aae81bc26a78e0de89d287c33fe44e8",
      "name": "1.1.3.3 — Ensure nosuid option set on /var partition",
      "description": "Ensure nosuid option set on /var partition",
      "rational": "Since the /var filesystem is only intended for variable files such as logs, set this option \nto ensure that users cannot create setuid files in /var.",
      "remediation": "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/var partition. \nExample: \n\n<device> /var    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var with the configured options: \n\n# mount -o remount /var",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "47983299567ad8c0750988bf3d407826",
      "name": "1.1.4.1 — Ensure separate partition exists for /var/tmp",
      "description": "Ensure separate partition exists for /var/tmp",
      "rational": "The reasoning for mounting /var/tmp on a separate partition is as follows. \n\nProtection from resource exhaustion \n\nThe default installation only creates a single / partition. Since the /var/tmp directory \nmay contain world-writable files and directories, there is a risk of resource exhaustion. It \nwill essentially have the whole disk available to fill up and impact the system as a whole. \nIn ad...",
      "remediation": "For new installations, during installation create a custom partition setup and specify a \nseparate partition for /var/tmp. \nFor systems that were previously installed, create a new partition and configure \n/etc/fstab as appropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "013d59fc3eaedc6f11e97ea68360be5c",
      "name": "1.1.4.3 — Ensure nosuid option set on /var/tmp partition",
      "description": "Ensure nosuid option set on /var/tmp partition",
      "rational": "Since the /var/tmp filesystem is only intended for temporary file storage, set this option \nto ensure that users cannot create setuid files in /var/tmp.",
      "remediation": "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/var/tmp partition. \nExample: \n\n<device> /var/tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/tmp with the configured options: \n\n# mount -o remount /var/tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6ac53dfd9df0117333c8696841f0827c",
      "name": "1.1.4.4 — Ensure nodev option set on /var/tmp partition",
      "description": "Ensure nodev option set on /var/tmp partition",
      "rational": "Since the /var/tmp filesystem is not intended to support devices, set this option to \nensure that users cannot create block or character special devices in /var/tmp.",
      "remediation": "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/var/tmp partition. \nExample: \n\n<device> /var/tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/tmp with the configured options: \n\n# mount -o remount /var/tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "cd36767702872b8d57e2e32399a89b6f",
      "name": "1.1.5.2 — Ensure nodev option set on /var/log partition",
      "description": "Ensure nodev option set on /var/log partition",
      "rational": "Since the /var/log filesystem is not intended to support devices, set this option to \nensure that users cannot create block or character special devices in /var/log.",
      "remediation": "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/var/log partition. \nExample: \n\n<device> /var/log    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/log with the configured options: \n\n# mount -o remount /var/log",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "8f77f181790a3cc008701d385220e2f7",
      "name": "1.1.5.3 — Ensure noexec option set on /var/log partition",
      "description": "Ensure noexec option set on /var/log partition",
      "rational": "Since the /var/log filesystem is only intended for log files, set this option to ensure that \nusers cannot run executable binaries from /var/log.",
      "remediation": "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the \n/var/log partition. \nExample: \n\n<device> /var/log    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/log with the configured options: \n\n# mount -o remount /var/log",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "noexec"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5cddc14d5021ed1bcc1c0e8adc38974f",
      "name": "1.1.5.4 — Ensure nosuid option set on /var/log partition",
      "description": "Ensure nosuid option set on /var/log partition",
      "rational": "Since the /var/log filesystem is only intended for log files, set this option to ensure that \nusers cannot create setuid files in /var/log.",
      "remediation": "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/var/log partition. \nExample: \n\n<device> /var/log    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var/log with the configured options: \n\n# mount -o remount /var/log",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "8661b5be7bc4e31e99f4ff0f6a4ac384",
      "name": "1.1.7.2 — Ensure nodev option set on /home partition",
      "description": "Ensure nodev option set on /home partition",
      "rational": "Since the /home filesystem is not intended to support devices, set this option to ensure \nthat users cannot create block or character special devices in /home.",
      "remediation": "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/home partition. \nExample: \n\n<device> /home    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /home with the configured options: \n\n# mount -o remount /home",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a2ab31d16cb3811fc9dff7fefd99c621",
      "name": "1.1.7.3 — Ensure nosuid option set on /home partition",
      "description": "Ensure nosuid option set on /home partition",
      "rational": "Since the /home filesystem is only intended for user file storage, set this option to ensure \nthat users cannot create setuid files in /home.",
      "remediation": "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/home partition. \nExample: \n\n<device> /home    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /home with the configured options: \n\n# mount -o remount /home",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5da8b977c87eefd9e8a55b25615e80ab",
      "name": "1.1.8.1 — Ensure /dev/shm is a separate partition",
      "description": "Ensure /dev/shm is a separate partition",
      "rational": "Making /dev/shm its own file system allows an administrator to set additional mount \noptions such as the noexec option on the mount, making /dev/shm useless for an \nattacker to install executable code. It would also prevent an attacker from establishing a \nhard link to a system setuid program and wait for it to be updated. Once the program \nwas updated, the hard link would be broken and the att...",
      "remediation": "For specific configuration requirements of the /dev/shm mount for your environment, \nmodify /etc/fstab. \nExample of using tmpfs with specific mount options: \n\ntmpfs  /dev/shm  tmpfs  defaults,rw,nosuid,nodev,noexec,relatime,size=2G  0 0",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn --kernel",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "015e4371caec2c6cdc20b9651d7474c3",
      "name": "1.1.9 — Ensure usb-storage is disabled",
      "description": "Ensure usb-storage is disabled",
      "rational": "Restricting USB access on the system will decrease the physical attack surface for a \ndevice and diminish the possible vectors to introduce malware.",
      "remediation": "Run the following script to disable usb-storage: \n\n#!/usr/bin/env bash \n\n{ \n   l_mname=\"usb-storage\" # set module name \n   # Check if the module exists on the system \n   if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \n\"\\h*modprobe:\\h+FATAL:\\h+Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" \n]; then \n      # Remediate loadable \n      l_loadable=\"$(modprobe -n -v \"$l_mname\")\" \n      [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \n\"(^\\h*install|\\b$l_mname)\\b\" <...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "eae0939b20e9cec6ac955446ce7a5c23",
      "name": "1.2.2 — Ensure gpgcheck is globally activated",
      "description": "Ensure gpgcheck is globally activated",
      "rational": "It is important to ensure that an RPM's package signature is always checked prior to \ninstallation to ensure that the software is obtained from a trusted source.",
      "remediation": "Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. \nExample: \n\n# sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf \n\nEdit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck \nto 1. \nExample: \n\n# find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec \nsed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/dnf/dnf.conf",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^gpgcheck"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "57de7f28d58b0e57ddf80c41236f47d6",
      "name": "1.3.1 — Ensure AIDE is installed",
      "description": "Ensure AIDE is installed",
      "rational": "By monitoring the filesystem state compromised files can be detected to prevent or limit \nthe exposure of accidental or malicious misconfigurations or modified binaries.",
      "remediation": "Run the following command to install AIDE: \n\n# dnf install aide \n\nConfigure AIDE as appropriate for your environment. Consult the AIDE documentation \nfor options. \nInitialize AIDE: \nRun the following commands: \n\n# aide --init \n# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "aide",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0417c1632b63e4a7c93f71d8b734b551",
      "name": "1.3.2 — Ensure filesystem integrity is regularly checked",
      "description": "Ensure filesystem integrity is regularly checked",
      "rational": "Periodic file checking allows the system administrator to determine on a regular basis if \ncritical files have been changed in an unauthorized fashion.",
      "remediation": "If cron will be used to schedule and run aide check \nRun the following command: \n\n# crontab -u root -e \n\nAdd the following line to the crontab: \n\n0 5 * * * /usr/sbin/aide --check \n\nOR if aidecheck.service and aidecheck.timer will be used to schedule and run aide \ncheck: \nCreate or edit the file /etc/systemd/system/aidecheck.service and add the following \nlines: \n\n[Unit] \nDescription=Aide Check \n\n[Service] \nType=simple \nExecStart=/usr/sbin/aide --check \n\n[Install] \nWantedBy=multi-user.target...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "aidecheck",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6d71512e62a5c5c849866557a0e4832b",
      "name": "1.5.2 — Ensure ptrace_scope is restricted",
      "description": "Ensure ptrace_scope is restricted",
      "rational": "If one application is compromised, it would be possible for an attacker to attach to other \nrunning processes (e.g. Bash, Firefox, SSH sessions, GPG agent, etc) to extract \nadditional credentials and continue to expand the scope of their attack. \n\nEnabling restricted mode will limit the ability of a compromised process to \nPTRACE_ATTACH on other processes running under the same user. With restr...",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in \n.conf: \n\n•  kernel.yama.ptrace_scope = 1 \n\nExample: \n# printf \" \nkernel.yama.ptrace_scope = 1 \n\" >> /etc/sysctl.d/60-kernel_sysctl.conf \n\nRun the following command to set the active kernel parameter: \n\n# sysctl -w kernel.yama.ptrace_scope=1 \n\nNote: If these settings appear in a canonically later file, or later in the same file, these \nsettings will be overwritten",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "be8253778810faa0efc5d94629bceabe",
      "name": "1.5.3 — Ensure core dump storage is disabled",
      "description": "Ensure core dump storage is disabled",
      "rational": "A core dump includes a memory image taken at the time the operating system \nterminates an application. The memory image could contain sensitive data and is \ngenerally useful only for developers trying to debug problems.",
      "remediation": "Edit /etc/systemd/coredump.conf and edit or add the following line: \n\nStorage=none",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/systemd/coredump.conf",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\s*storage\\s*=\\s*none"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ffed4b8cd5f0394aac4d18b71faab151",
      "name": "1.5.4 — Ensure core dump backtraces are disabled",
      "description": "Ensure core dump backtraces are disabled",
      "rational": "A core dump includes a memory image taken at the time the operating system \nterminates an application. The memory image could contain sensitive data and is \ngenerally useful only for developers trying to debug problems, increasing the risk to the \nsystem.",
      "remediation": "Edit or add the following line in /etc/systemd/coredump.conf: \n\nProcessSizeMax=0",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi '^\\h*ProcessSizeMax\\h*=\\h*0\\b' /etc/systemd/coredump.conf || echo",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c6436f18c183b756a8edd28a72051bf8",
      "name": "1.6.1.1 — Ensure SELinux is installed",
      "description": "Ensure SELinux is installed",
      "rational": "Without a Mandatory Access Control system installed only the default Discretionary \nAccess Control system will be available.",
      "remediation": "Run the following command to install SELinux: \n\n# dnf install libselinux",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "libselinux",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "6ebae4b7e1792a8a8ab2a4bb14ce378b",
      "name": "1.6.1.3 — Ensure SELinux policy is configured",
      "description": "Ensure SELinux policy is configured",
      "rational": "Security configuration requirements vary from site to site. Some sites may mandate a \npolicy that is stricter than the default policy, which is perfectly acceptable. This item is \nintended to ensure that at least the default recommendations are met.",
      "remediation": "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: \n\nSELINUXTYPE=targeted",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/selinux/config",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\s*SELINUXTYPE=(targeted|mls)\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ff1beb9d2d2d598edccef0d4f90d683c",
      "name": "1.6.1.4 — Ensure the SELinux mode is not disabled",
      "description": "Ensure the SELinux mode is not disabled",
      "rational": "Running SELinux in disabled mode is strongly discouraged; not only does the system \navoid enforcing the SELinux policy, it also avoids labeling any persistent objects such \nas files, making it difficult to enable SELinux in the future.",
      "remediation": "Run one of the following commands to set SELinux's running mode: \nTo set SELinux mode to Enforcing: \n\n# setenforce 1 \n\nOR \nTo set SELinux mode to Permissive: \n\n# setenforce 0 \n\nEdit the /etc/selinux/config file to set the SELINUX parameter: \nFor Enforcing mode: \n\nSELINUX=enforcing \n\nOR \nFor Permissive mode: \n\nSELINUX=permissive",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/selinux/config",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\s*SELINUX=(enforcing|permissive)"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "971145a933b26ad4c0a6d5c1b63936a0",
      "name": "1.6.1.7 — Ensure SETroubleshoot is not installed",
      "description": "Ensure SETroubleshoot is not installed",
      "rational": "The SETroubleshoot service is an unnecessary daemon to have running on a server, \nespecially if X Windows is disabled.",
      "remediation": "Run the following command to uninstall setroubleshoot: \n\n# dnf remove setroubleshoot",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "setroubleshoot",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ed0dac9cbed92d020ebb557b2a80c5c5",
      "name": "1.9 — Ensure system-wide crypto policy is not legacy",
      "description": "Ensure system-wide crypto policy is not legacy",
      "rational": "If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS \n1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, \nwhile RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. \n\nThese legacy protocols and algorithms can make the system vulnerable to attacks, \nincluding those listed in RFC 7457",
      "remediation": "Run the following command to change the system-wide crypto policy \n\n# update-crypto-policies --set <CRYPTO POLICY> \n\nExample: \n\n# update-crypto-policies --set DEFAULT \n\nRun the following to make the updated system-wide crypto policy active \n\n# update-crypto-policies",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/crypto-policies/config",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\s*LEGACY\\s*(\\s+#.*)?$"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "1c223117cb3e57f22f6697575ee2f10e",
      "name": "2.1.1 — Ensure time synchronization is in use",
      "description": "Ensure time synchronization is in use",
      "rational": "Time synchronization is important to support time sensitive security mechanisms like \nKerberos and also ensures log files have consistent time records across the enterprise, \nwhich aids in forensic investigations.",
      "remediation": "Run the following command to install chrony: \n\n# dnf install chrony",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "chrony",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c57f1ad1c10ceff05d4b3656ca63e803",
      "name": "2.1.2 — Ensure chrony is configured",
      "description": "Ensure chrony is configured",
      "rational": "If chrony is in use on the system proper configuration is vital to ensuring time \nsynchronization is working properly.",
      "remediation": "Add or edit server or pool lines in a file ending in .conf in /etc/chrony.d, as \nappropriate: \nExample: \n\nserver <remote-server>",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pr -- '^\\h*(server|pool)\\h+[^#\\n\\r]+' /etc/chrony.d/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "de56e8d52a1d4f35d800b72584ed1198",
      "name": "2.2.2 — Ensure avahi is not installed",
      "description": "Ensure avahi is not installed",
      "rational": "Automatic discovery of network services is not normally required for system \nfunctionality. It is recommended to remove this package to reduce the potential attack \nsurface.",
      "remediation": "Run the following commands to stop, and remove avahi: \n\n# systemctl stop avahi-daemon.socket avahi-daemon.service \n# dnf remove avahi",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "avahi",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "da81105383c9266e88babdd571a44e70",
      "name": "2.2.3 — Ensure a print server is not installed",
      "description": "Ensure a print server is not installed",
      "rational": "If the system does not need to print jobs or accept print jobs from other systems, it is \nrecommended that CUPS be removed to reduce the potential attack surface. \n\nNote: Removing CUPS will prevent printing from the system",
      "remediation": "Run the following command to remove cups: \n\n# dnf remove cups",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "cups",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c53ebd2a3a4465b39da461b70fc6f40d",
      "name": "2.2.4 — Ensure a dhcp server is not installed",
      "description": "Ensure a dhcp server is not installed",
      "rational": "Unless a system is specifically set up to act as a DHCP server, it is recommended that \nthe dhcp-server package be removed to reduce the potential attack surface.",
      "remediation": "Run the following command to remove dhcp: \n\n# dnf remove dhcp-server",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "dhcp-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "2f844818bd9024e50384e08e084a6c85",
      "name": "2.2.5 — Ensure a dns server is not installed",
      "description": "Ensure a dns server is not installed",
      "rational": "Unless a system is specifically designated to act as a DNS server, it is recommended \nthat the package be removed to reduce the potential attack surface.",
      "remediation": "Run the following command to remove bind: \n\n# dnf remove bind",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "bind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "00c31a25f5a1aa1a8574d13a9baee62a",
      "name": "2.2.6 — Ensure an ftp server is not installed",
      "description": "Ensure an ftp server is not installed",
      "rational": "Unless there is a need to run the system as an FTP server, it is recommended that the \npackage be removed to reduce the potential attack surface.",
      "remediation": "Run the following command to remove vsftpd: \n\n# dnf remove vsftpd",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "vsftpd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "920a49c141e8e7738fc4a2f03cf7b50d",
      "name": "2.2.7 — Ensure a tftp server is not installed",
      "description": "Ensure a tftp server is not installed",
      "rational": "Unless there is a need to run the system as a TFTP server, it is recommended that the \npackage be removed to reduce the potential attack surface. \n\nTFTP does not have built-in encryption, access control or authentication. This makes it \nvery easy for an attacker to exploit TFTP to gain access to files",
      "remediation": "Run the following command to remove tftp-server: \n\n# dnf remove tftp-server",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "tftp-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4502386b569008b378203a58ce7ac98d",
      "name": "2.2.8 — Ensure a web server is not installed",
      "description": "Ensure a web server is not installed",
      "rational": "Unless there is a need to run the system as a web server, it is recommended that the \npackages be removed to reduce the potential attack surface. \n\nNote: Several http servers exist. They should also be audited, and removed, if not \nrequired.",
      "remediation": "Run the following command to remove httpd and nginx: \n\n# dnf remove httpd nginx",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "httpd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "7a62e30b2ebf07cf40996f83ce3a6e9b",
      "name": "2.2.9 — Ensure IMAP and POP3 server is not installed",
      "description": "Ensure IMAP and POP3 server is not installed",
      "rational": "Unless POP3 and/or IMAP servers are to be provided by this system, it is \nrecommended that the package be removed to reduce the potential attack surface. \n\nNote: Several IMAP/POP3 servers exist and can use other service names. These \nshould also be audited and the packages removed if not required.",
      "remediation": "Run the following command to remove dovecot and cyrus-imapd: \n\n# dnf remove dovecot cyrus-imapd",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "dovecot",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "8620e5b3bc2f4c2af49c0c0edc193a11",
      "name": "2.2.10 — Ensure Samba is not installed",
      "description": "Ensure Samba is not installed",
      "rational": "If there is no need to mount directories and file systems to Windows systems, then this \npackage can be removed to reduce the potential attack surface.",
      "remediation": "Run the following command to remove samba: \n\n# dnf remove samba",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "samba",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5f16d43a35961537b613987bc7a77e6c",
      "name": "2.2.11 — Ensure HTTP Proxy Server is not installed",
      "description": "Ensure HTTP Proxy Server is not installed",
      "rational": "Unless a system is specifically set up to act as a proxy server, it is recommended that \nthe squid package be removed to reduce the potential attack surface. \n\nNote: Several HTTP proxy servers exist. These should be checked and removed unless \nrequired.",
      "remediation": "Run the following command to remove the squid package: \n\n# dnf remove squid",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "squid",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d50881134e643ce69d3049c832404242",
      "name": "2.2.13 — Ensure telnet-server is not installed",
      "description": "Ensure telnet-server is not installed",
      "rational": "The telnet protocol is insecure and unencrypted. The use of an unencrypted \ntransmission medium could allow a user who can sniff network traffic to \nsteal credentials. The ssh package provides an encrypted session and stronger \nsecurity.",
      "remediation": "Run the following command to remove the telnet-server package: \n\n# dnf remove telnet-server",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "telnet-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f0d1a979069a7caa7bf19af632b81f08",
      "name": "2.2.14 — Ensure dnsmasq is not installed",
      "description": "Ensure dnsmasq is not installed",
      "rational": "Unless a system is specifically designated to act as a DNS caching, DNS forwarding \nand/or DHCP server, it is recommended that the package be removed to reduce the \npotential attack surface.",
      "remediation": "Run the following command to remove dnsmasq: \n\n# dnf remove dnsmasq",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "dnsmasq",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "850953e2053be71ed1bf40734bed9a0d",
      "name": "2.3.1 — Ensure telnet client is not installed",
      "description": "Ensure telnet client is not installed",
      "rational": "The telnet protocol is insecure and unencrypted. The use of an unencrypted \ntransmission medium could allow an unauthorized user to steal credentials. The ssh \npackage provides an encrypted session and stronger security and is included in most \nLinux distributions.",
      "remediation": "Run the following command to remove the telnet package: \n\n# dnf remove telnet",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "telnet",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "b24389c0ca4697bc4cdff57d0c7031e6",
      "name": "2.3.2 — Ensure LDAP client is not installed",
      "description": "Ensure LDAP client is not installed",
      "rational": "If the system will not need to act as an LDAP client, it is recommended that the software \nbe removed to reduce the potential attack surface.",
      "remediation": "Run the following command to remove the openldap-clients package: \n\n# dnf remove openldap-clients",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "openldap-clients",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "8ff42334b29ee0f6173ec87af05b7d9c",
      "name": "2.3.3 — Ensure FTP client is not installed",
      "description": "Ensure FTP client is not installed",
      "rational": "FTP does not protect the confidentiality of data or authentication credentials. It is \nrecommended SFTP be used if file transfer is required. Unless there is a need to run \nthe system as an FTP server (for example, to allow anonymous downloads), it is \nrecommended that the package be removed to reduce the potential attack surface.",
      "remediation": "Run the following command to remove ftp: \n\n# dnf remove ftp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ftp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "352c5be6e4d1c78413457f5b79e11169",
      "name": "3.2.1 — Ensure IP forwarding is disabled",
      "description": "Ensure IP forwarding is disabled",
      "rational": "Setting net.ipv4.ip_forward and net.ipv6.conf.all.forwarding to 0 ensures that a \nsystem with multiple interfaces (for example, a hard proxy), will never be able to forward \npackets, and therefore, never serve as a router.",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in \n.conf: \n\n•  net.ipv4.ip_forward = 0 \n\nExample: \n# printf \" \nnet.ipv4.ip_forward = 0 \n\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following command to set the active kernel parameters: \n\n# { \n   sysctl -w net.ipv4.ip_forward=0 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\n-IF- IPv6 is enabled on the system: \nSet the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in \n.conf: \n\n•...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "f656fe9085037bf2d9ccb454d74e9da4",
      "name": "3.2.2 — Ensure packet redirect sending is disabled",
      "description": "Ensure packet redirect sending is disabled",
      "rational": "An attacker could use a compromised host to send invalid ICMP redirects to other \nrouter devices in an attempt to corrupt routing and have users access a system set up \nby the attacker as opposed to a valid system.",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in \n.conf: \n\n•  net.ipv4.conf.all.send_redirects = 0 \n•  net.ipv4.conf.default.send_redirects = 0 \n\nExample: \n# printf \" \nnet.ipv4.conf.all.send_redirects = 0 \nnet.ipv4.conf.default.send_redirects = 0 \n\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following command to set the active kernel parameters: \n\n# { \n   sysctl -w net.ipv4.conf.all.send_redirects=0 \n   sysctl -w net.ipv4.conf.default.send_redirect...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "76b332cb053c25e38cac5a08df0415a5",
      "name": "3.3.2 — Ensure ICMP redirects are not accepted",
      "description": "Ensure ICMP redirects are not accepted",
      "rational": "ICMP redirect messages are packets that convey routing information and tell your host \n(acting as a router) to send packets via an alternate path. It is a way of allowing an \noutside routing device to update your system routing tables. By setting \nnet.ipv4.conf.all.accept_redirects, net.ipv4.conf.default.accept_redirects, \nnet.ipv6.conf.all.accept_redirects, and net.ipv6.conf.default.accept_red...",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in \n.conf: \n\n•  net.ipv4.conf.all.accept_redirects = 0 \n•  net.ipv4.conf.default.accept_redirects = 0 \n\nExample: \n# printf \" \nnet.ipv4.conf.all.accept_redirects = 0 \nnet.ipv4.conf.default.accept_redirects = 0 \n\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following command to set the active kernel parameters: \n\n# { \n   sysctl -w net.ipv4.conf.all.accept_redirects=0 \n   sysctl -w net.ipv4.conf.default.acc...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "0c0d0460c5b1acd3a661bc439df2cc01",
      "name": "3.3.4 — Ensure suspicious packets are logged",
      "description": "Ensure suspicious packets are logged",
      "rational": "Setting net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians \nto 1 enables this feature. Logging these packets allows an administrator to investigate \nthe possibility that an attacker is sending spoofed packets to their system.",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in \n.conf: \n\n•  net.ipv4.conf.all.log_martians = 1 \n•  net.ipv4.conf.default.log_martians = 1 \n\nExample: \n# printf \" \nnet.ipv4.conf.all.log_martians = 1 \nnet.ipv4.conf.default.log_martians = 1 \n\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following command to set the active kernel parameters: \n\n# { \n   sysctl -w net.ipv4.conf.all.log_martians=1 \n   sysctl -w net.ipv4.conf.default.log_martians=1 \n   sysc...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ba3dc6fa65adc60e20bb0c089b44e840",
      "name": "3.3.5 — Ensure broadcast ICMP requests are ignored",
      "description": "Ensure broadcast ICMP requests are ignored",
      "rational": "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations \nfor your network could be used to trick your host into starting (or participating) in a \nSmurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP \nbroadcast messages with a spoofed source address. All hosts receiving this message \nand responding would send echo-reply messages back to the...",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in \n.conf: \n\n•  net.ipv4.icmp_echo_ignore_broadcasts = 1 \n\nExample: \n# printf \" \nnet.ipv4.icmp_echo_ignore_broadcasts = 1 \n\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following command to set the active kernel parameters: \n\n# { \n   sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\nNote: If these settings appear in a canonically later file, or later in the same file...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d68bd615c41de6925cd2efc370dfee28",
      "name": "3.3.6 — Ensure bogus ICMP responses are ignored",
      "description": "Ensure bogus ICMP responses are ignored",
      "rational": "Some routers (and some attackers) will send responses that violate RFC-1122 and \nattempt to fill up a log file system with many useless error messages.",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in \n.conf: \n\n•  net.ipv4.icmp_ignore_bogus_error_responses = 1 \n\nExample: \n# printf \" \nnet.ipv4.icmp_ignore_bogus_error_responses = 1 \n\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following command to set the active kernel parameters: \n\n# { \n   sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\nNote: If these settings appear in a canonically later file, or late...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "9c0629193df072ee994d2023afb278c2",
      "name": "3.3.7 — Ensure Reverse Path Filtering is enabled",
      "description": "Ensure Reverse Path Filtering is enabled",
      "rational": "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 is a \ngood way to deter attackers from sending your system bogus packets that cannot be \nresponded to. One instance where this feature breaks down is if asymmetrical routing is \nemployed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on \nyour system. If you are using asymmetrical routing on you...",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in \n.conf: \n\n•  net.ipv4.conf.all.rp_filter = 1 \n•  net.ipv4.conf.default.rp_filter = 1 \n\nExample: \n# printf \" \nnet.ipv4.conf.all.rp_filter = 1 \nnet.ipv4.conf.default.rp_filter = 1 \n\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following commands to set the active kernel parameters: \n\n# { \n   sysctl -w net.ipv4.conf.all.rp_filter=1 \n   sysctl -w net.ipv4.conf.default.rp_filter=1 \n   sysctl -w net.ipv4.ro...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "7977cff980db753443d719be5df3cbff",
      "name": "3.3.8 — Ensure TCP SYN Cookies is enabled",
      "description": "Ensure TCP SYN Cookies is enabled",
      "rational": "Attackers use SYN flood attacks to perform a denial of service attack on a system by \nsending many SYN packets without completing the three way handshake. This will \nquickly use up slots in the kernel's half-open connection queue and prevent legitimate \nconnections from succeeding. Setting net.ipv4.tcp_syncookies to 1 enables SYN \ncookies, allowing the system to keep accepting valid connectio...",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in \n.conf: \n\n•  net.ipv4.tcp_syncookies = 1 \n\nExample: \n# printf \" \nnet.ipv4.tcp_syncookies = 1 \n\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following command to set the active kernel parameters: \n\n# { \n   sysctl -w net.ipv4.tcp_syncookies=1 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\nNote: If these settings appear in a canonically later file, or later in the same file, these \nsettings will be overwritten.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "5b9d68adb75e0aafb75316d7c640e09b",
      "name": "4.1.1 — Ensure cron daemon is installed and enabled",
      "description": "Ensure cron daemon is installed and enabled",
      "rational": "While there may not be user jobs that need to be run on the system, the system does \nhave maintenance jobs that may include security monitoring that have to run, and cron \nis used to execute them.",
      "remediation": "-- IF -- Cron is being used to execute batch jobs on the system: \nRun the following command to install and enable cron: \n\n# dnf install cronie \n# systemctl --now enable crond",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "cronie",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "2e4ed0aff89c9ab388b7dd0167731fa1",
      "name": "4.1.8 — Ensure cron is restricted to authorized users",
      "description": "Ensure cron is restricted to authorized users",
      "rational": "On many systems, only the system administrator is authorized to schedule cron jobs. \nUsing the cron.allow file to control who can run cron jobs enforces this policy. It is \neasier to manage an allow list than a deny list. In a deny list, you could potentially add a \nuser ID to the system and forget to add it to the deny files.",
      "remediation": "-- IF -- Cron is being used to execute batch jobs on the system: \nRun the following script to remove /etc/cron.deny, create /etc/cron.allow, and set the \nfile mode on /etc/cron.allow: \n\n#!/usr/bin/env bash \n\n{ \n   if rpm -q cronie >/dev/null; then \n      [ -e /etc/cron.deny ] && rm -f /etc/cron.deny \n      [ ! -e /etc/cron.allow ] && touch /etc/cron.allow \n      chown root:root /etc/cron.allow \n      chmod u-x,go-rwx /etc/cron.allow \n   else \n      echo \"cron is not installed on the system\"...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "cronie",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "98933633af0cd7b740f723b7a1f96445",
      "name": "4.1.9 — Ensure at is restricted to authorized users",
      "description": "Ensure at is restricted to authorized users",
      "rational": "On many systems, only the system administrator is authorized to schedule at jobs. \nUsing the at.allow file to control who can run at jobs enforces this policy. It is easier to \nmanage an allow list than a deny list. In a deny list, you could potentially add a user ID \nto the system and forget to add it to the deny files.",
      "remediation": "Run the following script to remove /etc/at.deny, create /etc/at.allow, and set the file \nmode for /etc/at.allow: \n\n#!/usr/bin/env bash \n\n{ \n   if rpm -q at >/dev/null; then \n      [ -e /etc/at.deny ] && rm -f /etc/at.deny \n      [ ! -e /etc/at.allow ] && touch /etc/at.allow \n      chown root:root /etc/at.allow \n      chmod u-x,go-rwx /etc/at.allow \n   else \n      echo \"at is not installed on the system\" \n   fi \n} \n\nOR Run the following command to remove at: \n\n# dnf remove at",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "at",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c547c5a5aa69c6e6d6fb8e7079a4c760",
      "name": "4.2.4 — Ensure SSH access is limited",
      "description": "Ensure SSH access is limited",
      "rational": "Restricting which users can remotely access the system via SSH will help ensure that \nonly authorized users access the system.",
      "remediation": "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file and set one or more of the parameters as follows: \n\nAllowUsers <userlist> \n\n-OR- \n\nAllowGroups <grouplist> \n\n-OR- \n\nDenyUsers <userlist> \n\n-OR- \n\nDenyGroups <grouplist>",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(grep $(hostname)",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "1ca9e24e2da0159a57a9e80870e06c39",
      "name": "4.2.5 — Ensure SSH LogLevel is appropriate",
      "description": "Ensure SSH LogLevel is appropriate",
      "rational": "SSH provides several logging levels with varying amounts of verbosity. DEBUG is \nspecifically not recommended other than strictly for debugging SSH communications \nsince it provides so much data that it is difficult to identify important security information.",
      "remediation": "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file and set the LogLevel parameter as follows: \n\nLogLevel VERBOSE \n\nOR \n\nLogLevel INFO \n\nRun the following command to comment out any LogLevel parameter entries in files \nending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file that include any setting other than VERBOSE or INFO: \n\n# grep -Pi '^\\h*LogLevel\\b' /etc/ssh/sshd_config \n/etc/ssh/sshd_confi...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(grep $(hostname)",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "e17001e6c39e826e8dfb91652f969234",
      "name": "4.2.6 — Ensure SSH PAM is enabled",
      "description": "Ensure SSH PAM is enabled",
      "rational": "When usePAM is set to yes, PAM runs through account and session types properly. \nThis is important if you want to restrict access to services based on IP, time or other \nfactors of the account. Additionally, you can make sure users inherit certain \nenvironment variables on login or disallow access to the server.",
      "remediation": "Edit or create a file in the directory /etc/ssh/sshd_config.d/ ending in *.conf or the \n/etc/ssh/sshd_config file and set the parameter as follows: \n\nUsePAM yes \n\nRun the following command to comment out any UsePAM parameter entries in files \nending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file that include any setting other than yes \n\n# grep -Pi '^\\h*UsePAM\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf \n| grep -Evi 'yes' | while read -r l_out; d...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(grep $(hostname)",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c62142dee70aeccd46602de3c29c8b85",
      "name": "4.2.7 — Ensure SSH root login is disabled",
      "description": "Ensure SSH root login is disabled",
      "rational": "Disallowing root logins over SSH requires system admins to authenticate using their \nown individual account, then escalating to root via sudo or su. This in turn limits the \nopportunity for repudiation and provides a clear audit trail in the event of a security \nincident.",
      "remediation": "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file and set the PermitRootLogin parameter as follows: \n\nPermitRootLogin no \n\nRun the following command to comment out any PermitRootLogin parameter entries in \nfiles ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file that include any setting other than no \n\n# grep -Pi '^\\h*PermitRootLogin\\b' /etc/ssh/sshd_config \n/etc/ssh/sshd_config.d/*.conf |...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/ssh/sshd_config",
          "selement": "CONTENT",
          "condition": "NOT CONTAINS",
          "sinput": "^\\h*PermitRootLogin\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "7dd051ba29c3cc544b0ee4a9d690b790",
      "name": "4.2.11 — Ensure SSH IgnoreRhosts is enabled",
      "description": "Ensure SSH IgnoreRhosts is enabled",
      "rational": "Setting this parameter forces users to enter a password when authenticating with ssh.",
      "remediation": "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file and set the IgnoreRhosts parameter as follows: \n\nIgnoreRhosts yes \n\nRun the following command to comment out any IgnoreRhosts parameter entries in files \nending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file that include any setting other than yes \n\n# grep -Pi '^\\h*IgnoreRhosts\\b' /etc/ssh/sshd_config \n/etc/ssh/sshd_config.d/*.conf | grep -Evi...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/ssh/sshd_config",
          "selement": "CONTENT",
          "condition": "NOT CONTAINS",
          "sinput": "^\\h*ignorerhosts\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "c3b5e0ca8617c69b42347c1dfa25d854",
      "name": "4.2.13 — Ensure SSH AllowTcpForwarding is disabled",
      "description": "Ensure SSH AllowTcpForwarding is disabled",
      "rational": "Leaving port forwarding enabled can expose the organization to security risks and backdoors. \n\nSSH connections are protected with strong encryption. This makes their contents \ninvisible to most deployed network monitoring and traffic filtering solutions. This \ninvisibility carries considerable risk potential if it is used for malicious purposes such as \ndata exfiltration. Cybercriminals or ma...",
      "remediation": "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file and set the AllowTcpForwarding parameter as follows: \n\nAllowTcpForwarding no \n\nRun the following command to comment out any AllowTcpForwarding parameter entries \nin files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file that include any setting other than no: \n\n# grep -Pi '^\\h*AllowTcpForwarding\\b' /etc/ssh/sshd_config \n/etc/ssh/sshd_conf...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/ssh/sshd_config",
          "selement": "CONTENT",
          "condition": "NOT CONTAINS",
          "sinput": "^\\h*AllowTcpForwarding\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "d0506f2d17dbb9abc7d2e848677c953a",
      "name": "4.2.15 — Ensure SSH warning banner is configured",
      "description": "Ensure SSH warning banner is configured",
      "rational": "Banners are used to warn connecting users of the particular site's policy regarding \nconnection. Presenting a warning message prior to the normal user login may assist the \nprosecution of trespassers on the computer system.",
      "remediation": "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file and set the Banner parameter as follows: \n\nBanner /etc/issue.net",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(grep $(hostname)",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "743efbcd30ff7ae33243375750e9033d",
      "name": "4.2.16 — Ensure SSH MaxAuthTries is set to 4 or less",
      "description": "Ensure SSH MaxAuthTries is set to 4 or less",
      "rational": "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful \nbrute force attacks to the SSH server. While the recommended setting is 4, set the \nnumber based on site policy.",
      "remediation": "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file and set the MaxAuthTries parameter as follows: \n\nMaxAuthTries 4 \n\nRun the following command to comment out any MaxAuthTries parameter entries in files \nending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file that include any setting greater than 4: \n\n# grep -Pi '^\\h*maxauthtries\\h+([5-9]|[1-9][0-9]+)' /etc/ssh/sshd_config \n/etc/ssh/sshd_config.d...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/ssh/sshd_config",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\h*maxauthtries\\h+([5-9]|[1-9][0-9]+)"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "2ea172957f1f123ea973c912b8dd319f",
      "name": "4.2.17 — Ensure SSH MaxStartups is configured",
      "description": "Ensure SSH MaxStartups is configured",
      "rational": "To protect a system from denial of service due to a large number of pending \nauthentication connection attempts, use the rate limiting function of MaxStartups to \nprotect availability of sshd logins and prevent overwhelming the daemon.",
      "remediation": "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file and set the MaxStartups parameter as follows: \n\nMaxStartups 10:30:60 \n\nRun the following command to comment out any MaxStartups parameter entries in files \nending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file that include any setting greater than 10:30:60: \n\n# grep -Pi '^\\s*maxstartups\\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-\n9]+))|(([0-9]...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(grep $(hostname)",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "9a7c930200e53bbc14db7115ad63b89e",
      "name": "4.2.18 — Ensure SSH MaxSessions is set to 10 or less",
      "description": "Ensure SSH MaxSessions is set to 10 or less",
      "rational": "To protect a system from denial of service due to a large number of concurrent \nsessions, use the rate limiting function of MaxSessions to protect availability of sshd \nlogins and prevent overwhelming the daemon.",
      "remediation": "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file and set the MaxSessions parameter as follows: \n\nMaxSessions 10 \n\nRun the following command to comment out any MaxSessions parameter entries in files \nending in *.conf in the /etc/ssh/sshd_config.d/ directory or the \n/etc/ssh/sshd_config file that include any setting greater than 10 \n\n# grep -Pi '^\\s*MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' \n/etc/ssh/sshd_config /etc/ssh...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(grep $(hostname)",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a22c5bf2561091c617d378cd10442aa9",
      "name": "4.3.1 — Ensure sudo is installed",
      "description": "Ensure sudo is installed",
      "rational": "sudo supports a plug-in architecture for security policies and input/output logging. Third \nparties can develop and distribute their own policy and I/O logging plug-ins to work \nseamlessly with the sudo front end. The default security policy is sudoers, which is \nconfigured via the file /etc/sudoers and any entries in /etc/sudoers.d. \n\nThe security policy determines what privileges, if any, a u...",
      "remediation": "Run the following command to install sudo \n\n# dnf install sudo",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "sudo",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "98044225479db2a09d647755047ca93c",
      "name": "4.3.2 — Ensure sudo commands use pty",
      "description": "Ensure sudo commands use pty",
      "rational": "Attackers can run a malicious program using sudo which would fork a background \nprocess that remains even when the main program has finished executing.",
      "remediation": "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f \n<PATH_TO_FILE> and add the following line: \n\nDefaults use_pty \n\nNote: \n\n•  sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or \n\ncontain a . character to avoid causing problems with package manager or editor \ntemporary/backup files. \n\n•  Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will be \n\nparsed before /etc/sudoers.d/10_second. \n\n•  Be aware that be...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -rPi '^\\h*Defaults\\h+([^#\\n\\r]+,)?use_pty(,\\h*\\h+\\h*)*\\h*(#.*)?$'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "dbb2b5fcc8041df7fb9e1b0d17b56f64",
      "name": "4.3.3 — Ensure sudo log file exists",
      "description": "Ensure sudo log file exists",
      "rational": "A sudo log file simplifies auditing of sudo commands",
      "remediation": "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH \nTO FILE> and add the following line: \n\nDefaults  logfile=\"<PATH TO CUSTOM LOG FILE>\" \n\nExample \n\nDefaults logfile=\"/var/log/sudo.log\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -rPsi",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "60859b13aa15b3c2e88b486acba472a9",
      "name": "4.3.6 — Ensure access to the su command is restricted",
      "description": "Ensure access to the su command is restricted",
      "rational": "Restricting the use of su, and using sudo in its place, provides system administrators \nbetter control of the escalation of user privileges to execute privileged commands. The \nsudo utility also provides a better logging and audit mechanism, as it can log each \ncommand executed via sudo, whereas su can only record that a user executed the su \nprogram.",
      "remediation": "Create an empty group that will be specified for use of the su command. The group \nshould be named according to site policy. \nExample: \n\n# groupadd sugroup \n\nAdd the following line to the /etc/pam.d/su file, specifying the empty group: \n\nauth required pam_wheel.so use_uid group=sugroup",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/group",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "<group_name>"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "822548181b95755eddf6cbfd32cc6f07",
      "name": "4.4.2 — Ensure authselect includes with-faillock",
      "description": "Ensure authselect includes with-faillock",
      "rational": "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute \nforce password attacks against your systems.",
      "remediation": "Run the following commands to include the with-faillock option to the current \nauthselect profile: \n\n# authselect enable-feature with-faillock \n# authselect apply-changes",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep pam_faillock.so /etc/pam.d/password-auth /etc/pam.d/system-auth",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "62dba3759ce378d4ec602767f0cb63d1",
      "name": "4.5.3 — Ensure password reuse is limited",
      "description": "Ensure password reuse is limited",
      "rational": "Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will \nbe able to guess the password. \n\nNote: These changes only apply to accounts configured on the local system.",
      "remediation": "Set remembered password history to conform to site policy. \nRun the following script to add or modify the pam_pwhistory.so and pam_unix.so lines to \ninclude the remember option: \n\n#!/usr/bin/env bash \n\n{ \n  file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep \n'custom/')/system-auth\" \n  if ! grep -Pq -- \n'^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\\nr]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then \n    if grep -Pq -- \n'^\\h*password\\h+(...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "ddf8a22b8ca3859c61aaa1aec8c031dc",
      "name": "4.6.2 — Ensure system accounts are secured",
      "description": "Ensure system accounts are secured",
      "rational": "It is important to make sure that accounts that are not being used by regular users are \nprevented from being used to provide an interactive shell. By default, most distributions \nset the password field for these accounts to an invalid string, but it is also recommended \nthat the shell field in the password file be set to the nologin shell. This prevents the \naccount from potentially being used...",
      "remediation": "System accounts \n\nSet the shell for any accounts returned by the audit to nologin: \n\n# usermod -s $(command -v nologin) <user> \n\nDisabled accounts \n\nLock any non root accounts returned by the audit: \n\n# usermod -L <user> \n\nLarge scale changes \n\nThe following command will set all system accounts to nologin: \n\n# awk -F: '($1!~/^(root|halt|sync|shutdown|nfsnobody)$/ && ($3<'\"$(awk \n'/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"' || $3 == 65534)) { print $1 }' \n/etc/passwd | while read user; do user...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($1!~/^(root|halt|sync|shutdown|nfsnobody)$/ && ($3<'\"$(awk",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "4a0925fb980983739eee522fbe91e818",
      "name": "5.1.2.2 — Ensure journald service is enabled",
      "description": "Ensure journald service is enabled",
      "rational": "If the systemd-journald service is not enabled to start on boot, the system will not \ncapture logging events.",
      "remediation": "By default the systemd-journald service does not have an [Install] section and thus \ncannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other \nunit files. As such, if the status of systemd-journald is not static, investigate why.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "systemd-journald",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a7d17f2b7427d68fb3877da4256e217f",
      "name": "6.2.4 — Ensure no duplicate UIDs exist",
      "description": "Ensure no duplicate UIDs exist",
      "rational": "Users must be assigned unique UIDs for accountability and to ensure appropriate \naccess protections.",
      "remediation": "Based on the results of the audit script, establish unique UIDs and review all files owned \nby the shared UIDs to determine which UID they are supposed to belong to.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/bin/bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a259caae3bc191ea0d166eeeea830423",
      "name": "6.2.5 — Ensure no duplicate GIDs exist",
      "description": "Ensure no duplicate GIDs exist",
      "rational": "User groups must be assigned unique GIDs for accountability and to ensure appropriate \naccess protections.",
      "remediation": "Based on the results of the audit script, establish unique GIDs and review all files \nowned by the shared GID to determine which group they are supposed to belong to.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/bin/bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "a63741b965f2b694be97060c5f0da1be",
      "name": "6.2.6 — Ensure no duplicate user names exist",
      "description": "Ensure no duplicate user names exist",
      "rational": "If a user is assigned a duplicate user name, it will create and have access to files with the first UID for that username in /etc/passwd. For example, if \"test4\" has a UID of 1000 and a subsequent \"test4\" entry has a UID of 2000, logging in as \"test4\" will use UID 1000. Effectively, the UID is shared, which is a security problem.",
      "remediation": "Based on the results of the audit script, establish unique user names for the users. File \nownerships will automatically reflect the change as long as the users have unique UIDs.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/bin/bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "65e50951b748bee9d9b3af2ea733d7bb",
      "name": "6.2.7 — Ensure no duplicate group names exist",
      "description": "Ensure no duplicate group names exist",
      "rational": "If a group is assigned a duplicate group name, it will create and have access to files with the first GID for that group in /etc/group. Effectively, the GID is shared, which is a security problem.",
      "remediation": "Based on the results of the audit script, establish unique names for the user groups. File \ngroup ownerships will automatically reflect the change as long as the groups have \nunique GIDs.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/bin/bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "17196660a9590a27ba4db21733fbf409",
      "name": "6.2.8 — Ensure root PATH Integrity",
      "description": "Ensure root PATH Integrity",
      "rational": "Including the current working directory (.) or other writable directory in root's executable \npath makes it likely that an attacker can gain superuser access by forcing an \nadministrator operating as root to execute a Trojan horse program.",
      "remediation": "Correct or justify any items discovered in the Audit step.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/bin/bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    },
    {
      "external_id": "75dcc25e30cd0e2d51f9d67b08094ba0",
      "name": "6.2.9 — Ensure root is the only UID 0 account",
      "description": "Ensure root is the only UID 0 account",
      "rational": "This access must be limited to only the default root account and only from the system \nconsole. Administrative access must be through an unprivileged account using an \napproved mechanism as noted in Item 5.6 Ensure access to the su command is \nrestricted.",
      "remediation": "Remove any users other than root with UID 0 or assign them a new UID if appropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($3 == 0) { print $1 }' /etc/passwd",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Amazon"
        }
      ]
    }
  ]
}
