CIS Amazon Linux 2 STIG v1.0.0 L3

Audit Details

Name: CIS Amazon Linux 2 STIG v1.0.0 L3

Updated: 11/14/2022

Authority: CIS

Plugin: Unix

Revision: 1.10

Estimated Item Count: 168

File Details

Filename: CIS_Amazon_Linux_2_STIG_v1.0.0_L3.audit

Size: 459 kB

MD5: 16e5b3461ed301ab45de0339c4ddd87c
SHA256: e7220ade9ac4fc96150a0f71533fdbeeeb48a94e7cbaa106e15475bb38f9f954

Audit Changelog

Revision 1.10

Nov 14, 2022

Functional Update
  • 4.1.21 Ensure auditing of all privileged functions - setgid 32 bit
  • 4.1.21 Ensure auditing of all privileged functions - setgid 64 bit
  • 4.1.21 Ensure auditing of all privileged functions - setuid 32 bit
  • 4.1.21 Ensure auditing of all privileged functions - setuid 64 bit

Revision 1.9

Oct 18, 2022

Functional Update
  • 1.3.3 Ensure AIDE is configured to verify ACLs
  • 1.3.4 Ensure AIDE is configured to verify XATTRS
  • 1.3.5 Ensure AIDE is configured to use FIPS 140-2
  • 4.5 Ensure system notification is sent out when volume is 75% full
Informational Update
  • 1.1.21 Ensure all world-writable directories are group-owned.
  • 1.3.3 Ensure AIDE is configured to verify ACLs
  • 1.3.4 Ensure AIDE is configured to verify XATTRS
  • 1.3.5 Ensure AIDE is configured to use FIPS 140-2
Miscellaneous
  • References updated.
Added
  • 1.1.3 Ensure separate file system for /tmp
  • 1.10 Ensure required packages for multifactor authentication are installed - esc
  • 1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11
  • 4.1.2.10 Ensure audit ssh-keysign command.
Removed
  • 1.1.3 Ensure seperate file system for /tmp
  • 1.10 Ensure required packages for multifactor atuentication are installed - esc
  • 1.10 Ensure required packages for multifactor atuentication are installed - pam_pkcs11
  • 4.1.2.10 Enusre audit ssh-keysign command.

Revision 1.8

Apr 25, 2022

Miscellaneous
  • References updated.

Revision 1.7

Mar 29, 2022

Miscellaneous
  • Metadata updated.
  • References updated.

Revision 1.6

Mar 1, 2022

Informational Update
  • 6.2.20 Ensure all local interactive user home directories are group-owned
Miscellaneous
  • Metadata updated.
  • References updated.
Added
  • 4.8 Ensure off-load of audit logs - direction
Removed
  • 4.8 Enure off-load of audit logs - direction

Revision 1.5

Jun 17, 2021

Miscellaneous
  • Metadata updated.
  • References updated.

Revision 1.4

Dec 14, 2020

Functional Update
  • 6.2.25 Ensure users' 'dot' files have '0740' or less set.

Revision 1.3

Oct 5, 2020

Functional Update
  • 1.1.3 Ensure seperate file system for /tmp
  • 1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - password
  • 1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - superusers
  • 1.5.6 Ensure NIST FIPS-validated cryptography is configured - grub
  • 1.5.7 Ensure DNS is servers are configured - empty resolv
  • 1.5.7 Ensure DNS is servers are configured - nameserver 1
  • 1.5.7 Ensure DNS is servers are configured - nameserver 2
  • 1.9 Ensure anti-virus is installed and running
  • 2.1.4 Ensure TFTP daemon is configured to operate in secure mode.
  • 2.2.1.4 Ensure NTP 'maxpoll' is set - maxpoll is set.
  • 2.2.2.1 Ensure the screen package is installed.
  • 2.2.2.10 Ensure screensaver lock-enabled is set.
  • 2.2.2.11 Ensure the screensaver idle-activation-enabled setting
  • 2.2.2.2 Ensure GNOME Screen Lock is Enabled.
  • 2.2.2.3 Ensure GNOME Screensaver period of inactivity is configured.
  • 2.2.2.4 Ensure GNOME Idle activation is set.
  • 2.2.2.5 Ensure GNOME Lock Delay is configured
  • 2.2.2.6 Ensure automatic logon via GUI is not allowed
  • 2.2.2.7 Ensure unrestricted logon is not allowed
  • 2.2.2.8 Ensure overriding the screensaver lock-delay setting is prevented
  • 2.2.2.9 Ensure session idle-delay settings is enforced
  • 2.2.25 Ensure unrestricted mail relaying is prevented.
  • 2.2.26 Ensure ldap_tls_cacert is set for LDAP - config
  • 2.2.26 Ensure ldap_tls_cacert is set for LDAP - file
  • 2.2.27 Ensure ldap_id_use_start_tls is set for LDAP.
  • 2.2.28 Ensure ldap_tls_reqcert is set for LDAP
  • 3.7 Ensure IP tunnels are not configured.
  • 4.1.2.14 Ensure audit of the rmdir syscall - 64 bit
  • 4.1.2.15 Ensure audit of unlink syscall - 64 bit
  • 4.1.2.16 Ensure audit unlinkat syscall - 64 bit
  • 4.1.2.17 Ensure audit of the create_module syscall - 64 bit
  • 4.1.2.18 Ensure audit of the finit_module syscall - 64 bit
  • 4.1.2.25 Ensure audit of the mount command and syscall - 64 bit
  • 4.1.21 Ensure auditing of all privileged functions - setgid 64 bit
  • 4.1.21 Ensure auditing of all privileged functions - setuid 64 bit
  • 4.2.2.6 Ensure rsyslog imudp and imrelp aren't loaded.
  • 4.5 Ensure system notification is sent out when volume is 75% full
  • 5.10 Ensure enable smartcard authentication is set to true
Miscellaneous
  • Platform check updated.

Revision 1.2

Sep 30, 2020

Functional Update
  • 5.4.10 Ensure default user umask is 077

Revision 1.1

Sep 29, 2020

Miscellaneous
  • References updated.