CIS Amazon Linux 2 STIG v1.0.0 L3

Audit Details

Name: CIS Amazon Linux 2 STIG v1.0.0 L3

Updated: 10/3/2023

Authority: CIS

Plugin: Unix

Revision: 1.17

Estimated Item Count: 168

File Details

Filename: CIS_Amazon_Linux_2_STIG_v1.0.0_L3.audit

Size: 471 kB

MD5: 67debedae73a38cc7bae01b46c1a6d16
SHA256: 2a80a309de37959bd2598ac95c4bb47be5351f9034e21284019960b1072f6ba9

Audit Items

Description / Categories
1.1.3 Ensure separate file system for /tmp

SYSTEM AND COMMUNICATIONS PROTECTION

1.1.21 Ensure all world-writable directories are group-owned.

CONFIGURATION MANAGEMENT

1.2.4 Ensure software packages have been digitally signed by a Certificate Authority (CA)

SYSTEM AND INFORMATION INTEGRITY

1.2.5 Ensure the version of the operating system is an active vendor supported release.

SYSTEM AND INFORMATION INTEGRITY

1.3.3 Ensure AIDE is configured to verify ACLs

ACCESS CONTROL

1.3.4 Ensure AIDE is configured to verify XATTRS

ACCESS CONTROL

1.3.5 Ensure AIDE is configured to use FIPS 140-2

ACCESS CONTROL

1.4.3 Ensure boot loader does not allow removable media

SYSTEM AND INFORMATION INTEGRITY

1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - password

CONFIGURATION MANAGEMENT

1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - superusers

CONFIGURATION MANAGEMENT

1.5.4 Ensure the Ctrl-Alt-Delete key sequence is disabled.

CONFIGURATION MANAGEMENT

1.5.5 Ensure kernel core dumps are disabled.

CONFIGURATION MANAGEMENT

1.5.6 Ensure NIST FIPS-validated cryptography is configured - enabled

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.6 Ensure NIST FIPS-validated cryptography is configured - grub

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.6 Ensure NIST FIPS-validated cryptography is configured - installed

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.7 Ensure DNS is servers are configured - empty resolv

CONFIGURATION MANAGEMENT

1.5.7 Ensure DNS is servers are configured - nameserver 1

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.7 Ensure DNS is servers are configured - nameserver 2

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.1.7 Ensure the Standard Mandatory DoD Notice and Consent Banner are configured - issue

ACCESS CONTROL

1.7.1.7 Ensure the Standard Mandatory DoD Notice and Consent Banner are configured - sshd_config

ACCESS CONTROL

1.9 Ensure anti-virus is installed and running

SYSTEM AND INFORMATION INTEGRITY

1.10 Ensure required packages for multifactor authentication are installed - esc

IDENTIFICATION AND AUTHENTICATION

1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11

IDENTIFICATION AND AUTHENTICATION

1.11 Ensure host-based intrusion detection tool is used - MFEhiplsm package

SYSTEM AND INFORMATION INTEGRITY

1.11 Ensure host-based intrusion detection tool is used - MFEhiplsm process

SYSTEM AND INFORMATION INTEGRITY

2.1.1 Ensure the rsh package has been removed

CONFIGURATION MANAGEMENT

2.1.2 Ensure the ypserv package has been removed

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

2.1.3 Ensure the TFTP server has not been installed

SYSTEM AND INFORMATION INTEGRITY

2.1.4 Ensure TFTP daemon is configured to operate in secure mode.

SYSTEM AND INFORMATION INTEGRITY

2.2.1.4 Ensure NTP 'maxpoll' is set - maxpoll is set.

AUDIT AND ACCOUNTABILITY

2.2.2.1 Ensure the screen package is installed.

ACCESS CONTROL

2.2.2.2 Ensure GNOME Screen Lock is Enabled.

ACCESS CONTROL

2.2.2.3 Ensure GNOME Screensaver period of inactivity is configured.

ACCESS CONTROL

2.2.2.4 Ensure GNOME Idle activation is set.

ACCESS CONTROL

2.2.2.5 Ensure GNOME Lock Delay is configured

ACCESS CONTROL

2.2.2.6 Ensure automatic logon via GUI is not allowed

CONFIGURATION MANAGEMENT

2.2.2.7 Ensure unrestricted logon is not allowed

CONFIGURATION MANAGEMENT

2.2.2.8 Ensure overriding the screensaver lock-delay setting is prevented

ACCESS CONTROL

2.2.2.9 Ensure session idle-delay settings is enforced

ACCESS CONTROL

2.2.2.10 Ensure screensaver lock-enabled is set.

ACCESS CONTROL

2.2.2.11 Ensure the screensaver idle-activation-enabled setting

ACCESS CONTROL

2.2.24 Ensure default SNMP community strings don't exist

IDENTIFICATION AND AUTHENTICATION

2.2.25 Ensure unrestricted mail relaying is prevented.

CONFIGURATION MANAGEMENT

2.2.26 Ensure ldap_tls_cacert is set for LDAP - config

SYSTEM AND INFORMATION INTEGRITY

2.2.26 Ensure ldap_tls_cacert is set for LDAP - file

SYSTEM AND INFORMATION INTEGRITY

2.2.27 Ensure ldap_id_use_start_tls is set for LDAP.

SYSTEM AND COMMUNICATIONS PROTECTION

2.2.28 Ensure ldap_tls_reqcert is set for LDAP

SYSTEM AND COMMUNICATIONS PROTECTION

2.2.29 Ensure nosuid option is set for NFS

ACCESS CONTROL, CONFIGURATION MANAGEMENT

2.2.30 Ensure NFS is configured to use RPCSEC_GSS.

SYSTEM AND INFORMATION INTEGRITY

2.2.31 Ensure noexec option is configured for NFS.

CONFIGURATION MANAGEMENT