CIS Amazon Linux 2 STIG v1.0.0 L3

Audit Details

Name: CIS Amazon Linux 2 STIG v1.0.0 L3

Updated: 10/15/2024

Authority: CIS

Plugin: Unix

Revision: 1.22

Estimated Item Count: 168

File Details

Filename: CIS_Amazon_Linux_2_STIG_v1.0.0_L3.audit

Size: 475 kB

MD5: 3039aa2e8586a457ad0d846fc0fcfa22

SHA256: d41d5328e03f32e18e6fc1730f2a48db4b38948ece8f74cae43b436462325982

Audit Items

Description / Categories
1.1.3 Ensure separate file system for /tmp

SYSTEM AND COMMUNICATIONS PROTECTION

1.1.21 Ensure all world-writable directories are group-owned.
1.2.4 Ensure software packages have been digitally signed by a Certificate Authority (CA)

SYSTEM AND INFORMATION INTEGRITY

1.2.5 Ensure the version of the operating system is an active vendor supported release.

SYSTEM AND INFORMATION INTEGRITY

1.3.3 Ensure AIDE is configured to verify ACLs

ACCESS CONTROL

1.3.4 Ensure AIDE is configured to verify XATTRS

ACCESS CONTROL

1.3.5 Ensure AIDE is configured to use FIPS 140-2

ACCESS CONTROL

1.4.3 Ensure boot loader does not allow removable media
1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - password

CONFIGURATION MANAGEMENT

1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - superusers

CONFIGURATION MANAGEMENT

1.5.4 Ensure the Ctrl-Alt-Delete key sequence is disabled.

CONFIGURATION MANAGEMENT

1.5.5 Ensure kernel core dumps are disabled.

CONFIGURATION MANAGEMENT

1.5.6 Ensure NIST FIPS-validated cryptography is configured - enabled

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.6 Ensure NIST FIPS-validated cryptography is configured - grub

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.6 Ensure NIST FIPS-validated cryptography is configured - installed

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.7 Ensure DNS servers are configured - empty resolv

CONFIGURATION MANAGEMENT

1.5.7 Ensure DNS servers are configured - nameserver 1

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.7 Ensure DNS servers are configured - nameserver 2

SYSTEM AND COMMUNICATIONS PROTECTION

1.7.1.7 Ensure the Standard Mandatory DoD Notice and Consent Banner is configured - issue

ACCESS CONTROL

1.7.1.7 Ensure the Standard Mandatory DoD Notice and Consent Banner is configured - sshd_config

ACCESS CONTROL

1.9 Ensure anti-virus is installed and running

SYSTEM AND INFORMATION INTEGRITY

1.10 Ensure required packages for multifactor authentication are installed - esc

IDENTIFICATION AND AUTHENTICATION

1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11

IDENTIFICATION AND AUTHENTICATION

1.11 Ensure host-based intrusion detection tool is used - MFEhiplsm package

SYSTEM AND INFORMATION INTEGRITY

1.11 Ensure host-based intrusion detection tool is used - MFEhiplsm process

SYSTEM AND INFORMATION INTEGRITY

2.1.1 Ensure the rsh package has been removed

CONFIGURATION MANAGEMENT

2.1.2 Ensure the ypserv package has been removed

CONFIGURATION MANAGEMENT

2.1.3 Ensure the TFTP server has not been installed

CONFIGURATION MANAGEMENT

2.1.4 Ensure TFTP daemon is configured to operate in secure mode.

CONFIGURATION MANAGEMENT

2.2.1.4 Ensure NTP 'maxpoll' is set - maxpoll is set.

AUDIT AND ACCOUNTABILITY

2.2.2.1 Ensure the screen package is installed.

ACCESS CONTROL

2.2.2.2 Ensure GNOME Screen Lock is Enabled.

ACCESS CONTROL

2.2.2.3 Ensure GNOME Screensaver period of inactivity is configured.

ACCESS CONTROL

2.2.2.4 Ensure GNOME Idle activation is set.

ACCESS CONTROL

2.2.2.5 Ensure GNOME Lock Delay is configured

ACCESS CONTROL

2.2.2.6 Ensure automatic logon via GUI is not allowed

CONFIGURATION MANAGEMENT

2.2.2.7 Ensure unrestricted logon is not allowed

CONFIGURATION MANAGEMENT

2.2.2.8 Ensure overriding the screensaver lock-delay setting is prevented

ACCESS CONTROL

2.2.2.9 Ensure the session idle-delay setting is enforced

ACCESS CONTROL

2.2.2.10 Ensure screensaver lock-enabled is set.

ACCESS CONTROL

2.2.2.11 Ensure the screensaver idle-activation-enabled setting

ACCESS CONTROL

2.2.24 Ensure default SNMP community strings don't exist

IDENTIFICATION AND AUTHENTICATION

2.2.25 Ensure unrestricted mail relaying is prevented.

CONFIGURATION MANAGEMENT

2.2.26 Ensure ldap_tls_cacert is set for LDAP - config

CONFIGURATION MANAGEMENT

2.2.26 Ensure ldap_tls_cacert is set for LDAP - file

CONFIGURATION MANAGEMENT

2.2.27 Ensure ldap_id_use_start_tls is set for LDAP.

SYSTEM AND COMMUNICATIONS PROTECTION

2.2.28 Ensure ldap_tls_reqcert is set for LDAP

SYSTEM AND COMMUNICATIONS PROTECTION

2.2.29 Ensure nosuid option is set for NFS

ACCESS CONTROL, CONFIGURATION MANAGEMENT

2.2.30 Ensure NFS is configured to use RPCSEC_GSS.

CONFIGURATION MANAGEMENT

2.2.31 Ensure noexec option is configured for NFS.

CONFIGURATION MANAGEMENT
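The items above are titles only. As an added example that is not code from the Tenable audit file, the following POSIX shell script shows how a few of them can be verified by hand: 2.2.29/2.2.31 (nosuid and noexec on NFS mounts), 1.3.3/1.3.4/1.3.5 (AIDE verifying ACLs, extended attributes and a FIPS-approved hash) and 1.5.7 (nameservers in resolv.conf). Each check takes a file path, so it runs here against constructed sample files and, with the paths swapped, against /etc/fstab, /etc/aide.conf and /etc/resolv.conf on an Amazon Linux 2 host. The function names, the sample file contents, and the reading of 1.5.7 as "at least two nameservers, an empty file means the host is not using DNS" are assumptions of this example; the expressions the .audit file actually evaluates are not reproduced.

```shell
#!/bin/sh
# Added example, not part of the Tenable audit file. Hand-rolled checks for
# three of the listed items, written as functions that take a file path.

# 2.2.29 / 2.2.31: every nfs or nfs4 entry must carry both nosuid and noexec.
# Prints each non-compliant mount point; returns 0 if all comply, 1 otherwise.
check_nfs_mount_opts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
        $3 == "nfs" || $3 == "nfs4" {
            n = split($4, opt, ","); has_nosuid = 0; has_noexec = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "nosuid") has_nosuid = 1
                if (opt[i] == "noexec") has_noexec = 1
            }
            if (!has_nosuid || !has_noexec) {
                printf "FAIL: %s lacks%s%s\n", $2, (has_nosuid ? "" : " nosuid"), (has_noexec ? "" : " noexec")
                bad++
            }
        }
        END { if (bad) exit 1; exit 0 }' "$1"
}

# 1.3.3 / 1.3.4 / 1.3.5: at least one uncommented line of aide.conf must
# reference acl, xattrs and sha512 (the FIPS 140-2 approved hash AIDE offers).
check_aide_conf() {
    aide_rc=0
    for kw in acl xattrs sha512; do
        if ! grep -v '^[[:space:]]*#' "$1" | grep -qw "$kw"; then
            echo "FAIL: no active line in $1 references $kw"
            aide_rc=1
        fi
    done
    return $aide_rc
}

# 1.5.7: a host that resolves through DNS must list at least two nameservers.
# Assumption of this example: a file with no nameserver lines is reported
# rather than failed, because it usually means DNS is not in use at all.
check_resolv_conf() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 1; }
    ns_count=$(grep -c '^[[:space:]]*nameserver[[:space:]]' "$1" || true)
    if [ "$ns_count" -eq 0 ]; then
        echo "INFO: $1 has no nameserver entries; confirm DNS is not used"
        return 0
    fi
    if [ "$ns_count" -lt 2 ]; then
        echo "FAIL: $1 lists $ns_count nameserver; at least two are required"
        return 1
    fi
    return 0
}

# Constructed sample files (not captured from a real host), one passing and
# one failing variant per check, written into the directory given as $1.
write_samples() {
    printf '%s\n' 'UUID=0123-abcd / xfs defaults 0 0' \
        'nfs-srv:/export/home /home nfs defaults,nosuid,noexec 0 0' \
        'nfs-srv:/export/data /data nfs4 rw,nosuid,noexec 0 0' > "$1/fstab.good"
    printf '%s\n' '# build share, mounted without noexec' \
        'nfs-srv:/export/build /build nfs defaults,nosuid 0 0' \
        'nfs-srv:/export/scratch /scratch nfs4 rw 0 0' > "$1/fstab.bad"
    printf '%s\n' 'NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512' \
        '/etc NORMAL' > "$1/aide.good"
    printf '%s\n' '# NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+sha512' \
        'NORMAL = p+i+n+u+g+s+m+c+md5' '/etc NORMAL' > "$1/aide.bad"
    printf '%s\n' 'search example.internal' 'nameserver 10.0.0.2' \
        'nameserver 10.0.0.3' > "$1/resolv.good"
    printf '%s\n' 'nameserver 10.0.0.2' > "$1/resolv.bad"
    : > "$1/resolv.empty"
}

# Run every check against the samples and print PASS/FAIL lines.
run_demo() {
    demo_dir=$(mktemp -d) || return 1
    write_samples "$demo_dir"
    for f in fstab.good fstab.bad; do
        check_nfs_mount_opts "$demo_dir/$f" && echo "PASS: $f"
    done
    for f in aide.good aide.bad; do
        check_aide_conf "$demo_dir/$f" && echo "PASS: $f"
    done
    for f in resolv.good resolv.bad resolv.empty; do
        check_resolv_conf "$demo_dir/$f" && echo "PASS: $f"
    done
    rm -rf "$demo_dir"
}

run_demo
```

Before loading the audit file into a scanner, compare its digest with the values under File Details (for example, sha256sum CIS_Amazon_Linux_2_STIG_v1.0.0_L3.audit) and reject the file on a mismatch; a tampered audit file silently changes what "compliant" means.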