CIS Amazon Linux 2 STIG v1.0.0 L3

Audit Details

Name: CIS Amazon Linux 2 STIG v1.0.0 L3

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.8

Estimated Item Count: 168

File Details

Filename: CIS_Amazon_Linux_2_STIG_v1.0.0_L3.audit

Size: 448 kB

MD5: e854881a95c0f4ceb002eb8cab632af7
SHA256: 24f725d282621eacc6c75e40f26745cef1480ef515f9b6c2d26f30172f6bae01

Audit Items

Description / Categories
1.1.3 Ensure separate file system for /tmp

CONFIGURATION MANAGEMENT

1.1.21 Ensure all world-writable directories are group-owned.

CONFIGURATION MANAGEMENT

1.2.4 Ensure software packages have been digitally signed by a Certificate Authority (CA)

SYSTEM AND INFORMATION INTEGRITY

1.2.5 Ensure the version of the operating system is an active vendor supported release.

SYSTEM AND INFORMATION INTEGRITY

1.3.3 Ensure AIDE is configured to verify ACLs

SYSTEM AND INFORMATION INTEGRITY

1.3.4 Ensure AIDE is configured to verify XATTRS

SYSTEM AND INFORMATION INTEGRITY

1.3.5 Ensure AIDE is configured to use FIPS 140-2

SYSTEM AND COMMUNICATIONS PROTECTION

1.4.3 Ensure boot loader does not allow removable media

SYSTEM AND INFORMATION INTEGRITY

1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - password

ACCESS CONTROL

1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - superusers
1.5.4 Ensure the Ctrl-Alt-Delete key sequence is disabled.
1.5.5 Ensure kernel core dumps are disabled.

CONFIGURATION MANAGEMENT

1.5.6 Ensure NIST FIPS-validated cryptography is configured - enabled

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.6 Ensure NIST FIPS-validated cryptography is configured - grub
1.5.6 Ensure NIST FIPS-validated cryptography is configured - installed
1.5.7 Ensure DNS servers are configured - empty resolv

CONFIGURATION MANAGEMENT

1.5.7 Ensure DNS servers are configured - nameserver 1

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.7 Ensure DNS servers are configured - nameserver 2

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.1.7 Ensure the Standard Mandatory DoD Notice and Consent Banner is configured - issue

ACCESS CONTROL

1.7.1.7 Ensure the Standard Mandatory DoD Notice and Consent Banner is configured - sshd_config

ACCESS CONTROL

1.9 Ensure anti-virus is installed and running
1.10 Ensure required packages for multifactor authentication are installed - esc
1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11
1.11 Ensure host-based intrusion detection tool is used - MFEhiplsm package
1.11 Ensure host-based intrusion detection tool is used - MFEhiplsm process
2.1.1 Ensure the rsh package has been removed
2.1.2 Ensure the ypserv package has been removed
2.1.3 Ensure the TFTP server has not been installed
2.1.4 Ensure TFTP daemon is configured to operate in secure mode.

ACCESS CONTROL

2.2.1.4 Ensure NTP 'maxpoll' is set - maxpoll is set.

AUDIT AND ACCOUNTABILITY

2.2.2.1 Ensure the screen package is installed.
2.2.2.2 Ensure GNOME Screen Lock is Enabled.

ACCESS CONTROL

2.2.2.3 Ensure GNOME Screensaver period of inactivity is configured.

ACCESS CONTROL

2.2.2.4 Ensure GNOME Idle activation is set.

ACCESS CONTROL

2.2.2.5 Ensure GNOME Lock Delay is configured

ACCESS CONTROL

2.2.2.6 Ensure automatic logon via GUI is not allowed

CONFIGURATION MANAGEMENT

2.2.2.7 Ensure unrestricted logon is not allowed

CONFIGURATION MANAGEMENT

2.2.2.8 Ensure overriding the screensaver lock-delay setting is prevented

ACCESS CONTROL

2.2.2.9 Ensure session idle-delay setting is enforced

ACCESS CONTROL

2.2.2.10 Ensure screensaver lock-enabled is set.

ACCESS CONTROL

2.2.2.11 Ensure the screensaver idle-activation-enabled setting

ACCESS CONTROL

2.2.24 Ensure default SNMP community strings don't exist

IDENTIFICATION AND AUTHENTICATION

2.2.25 Ensure unrestricted mail relaying is prevented.

CONFIGURATION MANAGEMENT

2.2.26 Ensure ldap_tls_cacert is set for LDAP - config

SYSTEM AND COMMUNICATIONS PROTECTION

2.2.26 Ensure ldap_tls_cacert is set for LDAP - file
2.2.27 Ensure ldap_id_use_start_tls is set for LDAP.

SYSTEM AND COMMUNICATIONS PROTECTION

2.2.28 Ensure ldap_tls_reqcert is set for LDAP

SYSTEM AND COMMUNICATIONS PROTECTION

2.2.29 Ensure nosuid option is set for NFS

ACCESS CONTROL, CONFIGURATION MANAGEMENT

2.2.30 Ensure NFS is configured to use RPCSEC_GSS.
2.2.31 Ensure noexec option is configured for NFS.

CONFIGURATION MANAGEMENT