CIS Amazon Linux 2 STIG v1.0.0 L3

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Amazon Linux 2 STIG v1.0.0 L3

Updated: 6/24/2025

Authority: CIS

Plugin: Unix

Revision: 1.23

Estimated Item Count: 168

File Details

Filename: CIS_Amazon_Linux_2_STIG_v1.0.0_L3.audit

Size: 405 kB

MD5: fb33514214f934e40d31d5994ca6a017
SHA256: 1f4707d649bdb969e5a79186f2e37c1f1614192eb90656cf475e93aff3b869f6

Audit Items

Description | Categories
1.1.3 Ensure separate file system for /tmp
1.1.21 Ensure all world-writable directories are group-owned.
1.2.4 Ensure software packages have been digitally signed by a Certificate Authority (CA)
1.2.5 Ensure the version of the operating system is an active vendor supported release.
1.3.3 Ensure AIDE is configured to verify ACLs
1.3.4 Ensure AIDE is configured to verify XATTRS
1.3.5 Ensure AIDE is configured to use FIPS 140-2
1.4.3 Ensure boot loader does not allow removable media
1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - password
1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - superusers
1.5.4 Ensure the Ctrl-Alt-Delete key sequence is disabled.
1.5.5 Ensure kernel core dumps are disabled.
1.5.6 Ensure NIST FIPS-validated cryptography is configured - enabled
1.5.6 Ensure NIST FIPS-validated cryptography is configured - grub
1.5.6 Ensure NIST FIPS-validated cryptography is configured - installed
1.5.7 Ensure DNS is servers are configured - empty resolv | SYSTEM AND COMMUNICATIONS PROTECTION
1.5.7 Ensure DNS is servers are configured - nameserver 1 | SYSTEM AND COMMUNICATIONS PROTECTION
1.5.7 Ensure DNS is servers are configured - nameserver 2 | SYSTEM AND COMMUNICATIONS PROTECTION

1.7.1.7 Ensure the Standard Mandatory DoD Notice and Consent Banner are configured - issue
1.7.1.7 Ensure the Standard Mandatory DoD Notice and Consent Banner are configured - sshd_config
1.9 Ensure anti-virus is installed and running
1.10 Ensure required packages for multifactor authentication are installed - esc
1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11
1.11 Ensure host-based intrusion detection tool is used - MFEhiplsm package
1.11 Ensure host-based intrusion detection tool is used - MFEhiplsm process
2.1.1 Ensure the rsh package has been removed
2.1.2 Ensure the ypserv package has been removed
2.1.3 Ensure the TFTP server has not been installed
2.1.4 Ensure TFTP daemon is configured to operate in secure mode.
2.2.1.4 Ensure NTP 'maxpoll' is set - maxpoll is set.
2.2.2.1 Ensure the screen package is installed.
2.2.2.2 Ensure GNOME Screen Lock is Enabled.
2.2.2.3 Ensure GNOME Screensaver period of inactivity is configured.
2.2.2.4 Ensure GNOME Idle activation is set.
2.2.2.5 Ensure GNOME Lock Delay is configured
2.2.2.6 Ensure automatic logon via GUI is not allowed
2.2.2.7 Ensure unrestricted logon is not allowed
2.2.2.8 Ensure overriding the screensaver lock-delay setting is prevented
2.2.2.9 Ensure session idle-delay settings is enforced
2.2.2.10 Ensure screensaver lock-enabled is set.
2.2.2.11 Ensure the screensaver idle-activation-enabled setting
2.2.24 Ensure default SNMP community strings don't exist
2.2.25 Ensure unrestricted mail relaying is prevented.
2.2.26 Ensure ldap_tls_cacert is set for LDAP - config
2.2.26 Ensure ldap_tls_cacert is set for LDAP - file
2.2.27 Ensure ldap_id_use_start_tls is set for LDAP.
2.2.28 Ensure ldap_tls_reqcert is set for LDAP
2.2.29 Ensure nosuid option is set for NFS
2.2.30 Ensure NFS is configured to use RPCSEC_GSS.
2.2.31 Ensure noexec option is configured for NFS.