CIS Amazon Linux 2023 Server L1 v1.0.0

Audit Details

Name: CIS Amazon Linux 2023 Server L1 v1.0.0

Updated: 8/26/2024

Authority: CIS

Plugin: Unix

Revision: 1.14

Estimated Item Count: 180

File Details

Filename: CIS_Amazon_Linux_2023_v1.0.0_L1_Server.audit

Size: 697 kB

MD5: a9f4a9f3fa5f6cf6a46f0c8f3f9a023f

SHA256: d1c1fe1c461ed290af1d7955736683a68a49b7c8ab9194ce21bfb45fb9a1ba66

Audit Changelog


Revision 1.14 Aug 26, 2024 Functional Update 4.6.6 Ensure root password is set Miscellaneous References updated.
Revision 1.13 Jul 31, 2024 Miscellaneous Variables updated.
Revision 1.12 Jul 19, 2024 Functional Update 4.6.2 Ensure system accounts are secured
Revision 1.11 Jul 9, 2024 Functional Update 4.1.9 Ensure at is restricted to authorized users
Revision 1.10 Jun 17, 2024 Miscellaneous Metadata updated.
Revision 1.9 Jun 6, 2024 Functional Update 1.1.1.3 Ensure mounting of cramfs filesystems is disabled 1.1.1.4 Ensure mounting of freevxfs filesystems is disabled 1.1.1.5 Ensure mounting of jffs2 filesystems is disabled 1.1.1.6 Ensure mounting of hfs filesystems is disabled 1.1.1.7 Ensure mounting of hfsplus filesystems is disabled 1.1.2.1 Ensure /tmp is a separate partition 1.1.2.2 Ensure nodev option set on /tmp partition 1.1.2.3 Ensure noexec option set on /tmp partition 1.1.2.4 Ensure nosuid option set on /tmp partition 1.1.3.2 Ensure nodev option set on /var partition 1.1.3.3 Ensure nosuid option set on /var partition 1.1.4.2 Ensure noexec option set on /var/tmp partition 1.1.4.3 Ensure nosuid option set on /var/tmp partition 1.1.4.4 Ensure nodev option set on /var/tmp partition 1.1.5.2 Ensure nodev option set on /var/log partition 1.1.5.3 Ensure noexec option set on /var/log partition 1.1.5.4 Ensure nosuid option set on /var/log partition 1.1.6.2 Ensure noexec option set on /var/log/audit partition 1.1.6.3 Ensure nodev option set on /var/log/audit partition 1.1.6.4 Ensure nosuid option set on /var/log/audit partition 1.1.7.2 Ensure nodev option set on /home partition 1.1.7.3 Ensure nosuid option set on /home partition 1.1.8.1 Ensure /dev/shm is a separate partition 1.1.8.2 Ensure nodev option set on /dev/shm partition 1.1.8.3 Ensure noexec option set on /dev/shm partition 1.1.8.4 Ensure nosuid option set on /dev/shm partition 1.1.9 Ensure usb-storage is disabled 1.2.1 Ensure GPG keys are configured 1.2.2 Ensure gpgcheck is globally activated 1.2.3 Ensure package manager repositories are configured 1.3.1 Ensure AIDE is installed 1.3.2 Ensure filesystem integrity is regularly checked 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools 1.5.1 Ensure address space layout randomization (ASLR) is enabled 1.5.2 Ensure ptrace_scope is restricted 1.5.3 Ensure core dump storage is disabled 1.5.4 Ensure core dump backtraces are disabled 1.6.1.1 Ensure SELinux is installed 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration 1.6.1.3 Ensure SELinux policy is configured 1.6.1.4 Ensure the SELinux mode is not disabled 1.6.1.6 Ensure no unconfined services exist 1.6.1.7 Ensure SETroubleshoot is not installed 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed 1.7.1 Ensure message of the day is configured properly 1.7.2 Ensure local login warning banner is configured properly 1.7.3 Ensure remote login warning banner is configured properly 1.7.4 Ensure permissions on /etc/motd are configured 1.7.5 Ensure permissions on /etc/issue are configured 1.7.6 Ensure permissions on /etc/issue.net are configured 1.8 Ensure updates, patches, and additional security software are installed 1.9 Ensure system-wide crypto policy is not legacy 2.1.1 Ensure time synchronization is in use 2.1.2 Ensure chrony is configured 2.2.10 Ensure Samba is not installed 2.2.11 Ensure HTTP Proxy Server is not installed 2.2.12 Ensure net-snmp is not installed or the snmpd service is not enabled 2.2.13 Ensure telnet-server is not installed 2.2.14 Ensure dnsmasq is not installed 2.2.15 Ensure mail transfer agent is configured for local-only mode 2.2.18 Ensure rsync-daemon is not installed or the rsyncd service is masked 2.2.2 Ensure avahi is not installed 2.2.3 Ensure a print server is not installed 2.2.4 Ensure a dhcp server is not installed 2.2.5 Ensure a dns server is not installed 2.2.6 Ensure an ftp server is not installed 2.2.7 Ensure a tftp server is not installed 2.2.8 Ensure a web server is not installed 2.2.9 Ensure IMAP and POP3 server is not installed 2.3.1 Ensure telnet client is not installed 2.3.2 Ensure LDAP client is not installed 2.3.3 Ensure FTP client is not installed 2.4 Ensure nonessential services listening on the system are removed or masked 3.1.1 Ensure IPv6 status is identified 3.2.1 Ensure IP forwarding is disabled 3.2.2 Ensure packet redirect sending is disabled 3.3.1 Ensure source routed packets are not accepted 3.3.2 Ensure ICMP redirects are not accepted 3.3.3 Ensure secure ICMP redirects are not accepted 3.3.4 Ensure suspicious packets are logged 3.3.5 Ensure broadcast ICMP requests are ignored 3.3.6 Ensure bogus ICMP responses are ignored 3.3.7 Ensure Reverse Path Filtering is enabled 3.3.8 Ensure TCP SYN Cookies is enabled 3.3.9 Ensure IPv6 router advertisements are not accepted 4.1.1 Ensure cron daemon is installed and enabled 4.1.2 Ensure permissions on /etc/crontab are configured 4.1.3 Ensure permissions on /etc/cron.hourly are configured 4.1.4 Ensure permissions on /etc/cron.daily are configured 4.1.5 Ensure permissions on /etc/cron.weekly are configured 4.1.6 Ensure permissions on /etc/cron.monthly are configured 4.1.7 Ensure permissions on /etc/cron.d are configured 4.1.8 Ensure cron is restricted to authorized users 4.1.9 Ensure at is restricted to authorized users 4.2.1 Ensure permissions on /etc/ssh/sshd_config are configured 4.2.10 Ensure SSH PermitUserEnvironment is disabled 4.2.11 Ensure SSH IgnoreRhosts is enabled 4.2.14 Ensure system-wide crypto policy is not over-ridden 4.2.15 Ensure SSH warning banner is configured 4.2.16 Ensure SSH MaxAuthTries is set to 4 or less 4.2.17 Ensure SSH MaxStartups is configured 4.2.18 Ensure SSH MaxSessions is set to 10 or less 4.2.19 Ensure SSH LoginGraceTime is set to one minute or less 4.2.2 Ensure permissions on SSH private host key files are configured 4.2.20 Ensure SSH Idle Timeout Interval is configured 4.2.3 Ensure permissions on SSH public host key files are configured 4.2.4 Ensure SSH access is limited 4.2.5 Ensure SSH LogLevel is appropriate 4.2.6 Ensure SSH PAM is enabled 4.2.7 Ensure SSH root login is disabled 4.2.8 Ensure SSH HostbasedAuthentication is disabled 4.2.9 Ensure SSH PermitEmptyPasswords is disabled 4.3.1 Ensure sudo is installed 4.3.2 Ensure sudo commands use pty 4.3.3 Ensure sudo log file exists 4.3.4 Ensure re-authentication for privilege escalation is not disabled globally 4.3.5 Ensure sudo authentication timeout is configured correctly 4.3.6 Ensure access to the su command is restricted 4.4.1 Ensure custom authselect profile is used 4.4.2 Ensure authselect includes with-faillock 4.5.1 Ensure password creation requirements are configured 4.5.2 Ensure lockout for failed password attempts is configured 4.5.3 Ensure password reuse is limited 4.5.4 Ensure password hashing algorithm is SHA-512 4.6.1.1 Ensure password expiration is 365 days or less 4.6.1.3 Ensure password expiration warning days is 7 or more 4.6.1.4 Ensure inactive password lock is 30 days or less 4.6.1.5 Ensure all users last password change date is in the past 4.6.2 Ensure system accounts are secured 4.6.3 Ensure default user shell timeout is 900 seconds or less 4.6.4 Ensure default group for the root account is GID 0 4.6.5 Ensure default user umask is 027 or more restrictive 4.6.6 Ensure root password is set 5.1.1.1 Ensure rsyslog is installed 5.1.1.2 Ensure rsyslog service is enabled 5.1.1.3 Ensure journald is configured to send logs to rsyslog 5.1.1.4 Ensure rsyslog default file permissions are configured 5.1.1.5 Ensure logging is configured 5.1.1.6 Ensure rsyslog is configured to send logs to a remote log host 5.1.1.7 Ensure rsyslog is not configured to receive logs from a remote client 5.1.2.1.1 Ensure systemd-journal-remote is installed 5.1.2.1.2 Ensure systemd-journal-remote is configured 5.1.2.1.3 Ensure systemd-journal-remote is enabled 5.1.2.1.4 Ensure journald is not configured to receive logs from a remote client 5.1.2.2 Ensure journald service is enabled 5.1.2.3 Ensure journald is configured to compress large log files 5.1.2.4 Ensure journald is configured to write logfiles to persistent disk 5.1.2.5 Ensure journald is not configured to send logs to rsyslog 5.1.2.6 Ensure journald log rotation is configured per site policy 5.1.2.7 Ensure journald default file permissions configured 6.1.1 Ensure permissions on /etc/passwd are configured 6.1.11 Ensure world writable files and directories are secured 6.1.12 Ensure no unowned or ungrouped files or directories exist 6.1.13 Ensure SUID and SGID files are reviewed 6.1.2 Ensure permissions on /etc/passwd are configured 6.1.3 Ensure permissions on /etc/passwd- are configured 6.1.4 Ensure permissions on /etc/group are configured 6.1.5 Ensure permissions on /etc/group- are configured 6.1.6 Ensure permissions on /etc/shadow are configured 6.1.7 Ensure permissions on /etc/shadow- are configured 6.1.8 Ensure permissions on /etc/gshadow are configured 6.1.9 Ensure permissions on /etc/gshadow- are configured 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords 6.2.10 Ensure local interactive user home directories are configured 6.2.2 Ensure /etc/shadow password fields are not empty 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group 6.2.4 Ensure no duplicate UIDs exist 6.2.5 Ensure no duplicate GIDs exist 6.2.6 Ensure no duplicate user names exist 6.2.7 Ensure no duplicate group names exist 6.2.8 Ensure root PATH Integrity 6.2.9 Ensure root is the only UID 0 account Informational Update 1.1.1.3 Ensure mounting of cramfs filesystems is disabled 1.1.1.4 Ensure mounting of freevxfs filesystems is disabled 1.1.1.5 Ensure mounting of jffs2 filesystems is disabled 1.1.1.6 Ensure mounting of hfs filesystems is disabled 1.1.1.7 Ensure mounting of hfsplus filesystems is disabled 1.1.2.1 Ensure /tmp is a separate partition 1.1.2.2 Ensure nodev option set on /tmp partition 1.1.2.3 Ensure noexec option set on /tmp partition 1.1.2.4 Ensure nosuid option set on /tmp partition 1.1.3.2 Ensure nodev option set on /var partition 1.1.3.3 Ensure nosuid option set on /var partition 1.1.4.2 Ensure noexec option set on /var/tmp partition 1.1.4.3 Ensure nosuid option set on /var/tmp partition 1.1.4.4 Ensure nodev option set on /var/tmp partition 1.1.5.2 Ensure nodev option set on /var/log partition 1.1.5.3 Ensure noexec option set on /var/log partition 1.1.5.4 Ensure nosuid option set on /var/log partition 1.1.6.2 Ensure noexec option set on /var/log/audit partition 1.1.6.3 Ensure nodev option set on /var/log/audit partition 1.1.6.4 Ensure nosuid option set on /var/log/audit partition 1.1.7.2 Ensure nodev option set on /home partition 1.1.7.3 Ensure nosuid option set on /home partition 1.1.8.1 Ensure /dev/shm is a separate partition 1.1.8.2 Ensure nodev option set on /dev/shm partition 1.1.8.3 Ensure noexec option set on /dev/shm partition 1.1.8.4 Ensure nosuid option set on /dev/shm partition 1.1.9 Ensure usb-storage is disabled 1.2.1 Ensure GPG keys are configured 1.2.2 Ensure gpgcheck is globally activated 1.2.3 Ensure package manager repositories are configured 1.3.1 Ensure AIDE is installed 1.3.2 Ensure filesystem integrity is regularly checked 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools 1.4.1 Ensure permissions on bootloader config are configured 1.5.1 Ensure address space layout randomization (ASLR) is enabled 1.5.2 Ensure ptrace_scope is restricted 1.5.3 Ensure core dump storage is disabled 1.5.4 Ensure core dump backtraces are disabled 1.6.1.1 Ensure SELinux is installed 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration 1.6.1.3 Ensure SELinux policy is configured 1.6.1.4 Ensure the SELinux mode is not disabled 1.6.1.6 Ensure no unconfined services exist 1.6.1.7 Ensure SETroubleshoot is not installed 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed 1.7.1 Ensure message of the day is configured properly 1.7.2 Ensure local login warning banner is configured properly 1.7.3 Ensure remote login warning banner is configured properly 1.7.4 Ensure permissions on /etc/motd are configured 1.7.5 Ensure permissions on /etc/issue are configured 1.7.6 Ensure permissions on /etc/issue.net are configured 1.8 Ensure updates, patches, and additional security software are installed 1.9 Ensure system-wide crypto policy is not legacy 2.1.1 Ensure time synchronization is in use 2.1.2 Ensure chrony is configured 2.2.10 Ensure Samba is not installed 2.2.11 Ensure HTTP Proxy Server is not installed 2.2.12 Ensure net-snmp is not installed or the snmpd service is not enabled 2.2.13 Ensure telnet-server is not installed 2.2.14 Ensure dnsmasq is not installed 2.2.15 Ensure mail transfer agent is configured for local-only mode 2.2.18 Ensure rsync-daemon is not installed or the rsyncd service is masked 2.2.2 Ensure avahi is not installed 2.2.3 Ensure a print server is not installed 2.2.4 Ensure a dhcp server is not installed 2.2.5 Ensure a dns server is not installed 2.2.6 Ensure an ftp server is not installed 2.2.7 Ensure a tftp server is not installed 2.2.8 Ensure a web server is not installed 2.2.9 Ensure IMAP and POP3 server is not installed 2.3.1 Ensure telnet client is not installed 2.3.2 Ensure LDAP client is not installed 2.3.3 Ensure FTP client is not installed 2.4 Ensure nonessential services listening on the system are removed or masked 3.1.1 Ensure IPv6 status is identified 3.2.1 Ensure IP forwarding is disabled 3.2.2 Ensure packet redirect sending is disabled 3.3.1 Ensure source routed packets are not accepted 3.3.2 Ensure ICMP redirects are not accepted 3.3.3 Ensure secure ICMP redirects are not accepted 3.3.4 Ensure suspicious packets are logged 3.3.5 Ensure broadcast ICMP requests are ignored 3.3.6 Ensure bogus ICMP responses are ignored 3.3.7 Ensure Reverse Path Filtering is enabled 3.3.8 Ensure TCP SYN Cookies is enabled 3.3.9 Ensure IPv6 router advertisements are not accepted 4.1.1 Ensure cron daemon is installed and enabled 4.1.2 Ensure permissions on /etc/crontab are configured 4.1.3 Ensure permissions on /etc/cron.hourly are configured 4.1.4 Ensure permissions on /etc/cron.daily are configured 4.1.5 Ensure permissions on /etc/cron.weekly are configured 4.1.6 Ensure permissions on /etc/cron.monthly are configured 4.1.7 Ensure permissions on /etc/cron.d are configured 4.1.8 Ensure cron is restricted to authorized users 4.1.9 Ensure at is restricted to authorized users 4.2.1 Ensure permissions on /etc/ssh/sshd_config are configured 4.2.10 Ensure SSH PermitUserEnvironment is disabled 4.2.11 Ensure SSH IgnoreRhosts is enabled 4.2.14 Ensure system-wide crypto policy is not over-ridden 4.2.15 Ensure SSH warning banner is configured 4.2.16 Ensure SSH MaxAuthTries is set to 4 or less 4.2.17 Ensure SSH MaxStartups is configured 4.2.18 Ensure SSH MaxSessions is set to 10 or less 4.2.19 Ensure SSH LoginGraceTime is set to one minute or less 4.2.2 Ensure permissions on SSH private host key files are configured 4.2.20 Ensure SSH Idle Timeout Interval is configured 4.2.3 Ensure permissions on SSH public host key files are configured 4.2.4 Ensure SSH access is limited 4.2.5 Ensure SSH LogLevel is appropriate 4.2.6 Ensure SSH PAM is enabled 4.2.7 Ensure SSH root login is disabled 4.2.8 Ensure SSH HostbasedAuthentication is disabled 4.2.9 Ensure SSH PermitEmptyPasswords is disabled 4.3.1 Ensure sudo is installed 4.3.2 Ensure sudo commands use pty 4.3.3 Ensure sudo log file exists 4.3.4 Ensure re-authentication for privilege escalation is not disabled globally 4.3.5 Ensure sudo authentication timeout is configured correctly 4.3.6 Ensure access to the su command is restricted 4.4.1 Ensure custom authselect profile is used 4.4.2 Ensure authselect includes with-faillock 4.5.1 Ensure password creation requirements are configured 4.5.2 Ensure lockout for failed password attempts is configured 4.5.3 Ensure password reuse is limited 4.5.4 Ensure password hashing algorithm is SHA-512 4.6.1.1 Ensure password expiration is 365 days or less 4.6.1.3 Ensure password expiration warning days is 7 or more 4.6.1.4 Ensure inactive password lock is 30 days or less 4.6.1.5 Ensure all users last password change date is in the past 4.6.2 Ensure system accounts are secured 4.6.3 Ensure default user shell timeout is 900 seconds or less 4.6.4 Ensure default group for the root account is GID 0 4.6.5 Ensure default user umask is 027 or more restrictive 4.6.6 Ensure root password is set 5.1.1.1 Ensure rsyslog is installed 5.1.1.2 Ensure rsyslog service is enabled 5.1.1.3 Ensure journald is configured to send logs to rsyslog 5.1.1.4 Ensure rsyslog default file permissions are configured 5.1.1.5 Ensure logging is configured 5.1.1.6 Ensure rsyslog is configured to send logs to a remote log host 5.1.1.7 Ensure rsyslog is not configured to receive logs from a remote client 5.1.2.1.1 Ensure systemd-journal-remote is installed 5.1.2.1.2 Ensure systemd-journal-remote is configured 5.1.2.1.3 Ensure systemd-journal-remote is enabled 5.1.2.1.4 Ensure journald is not configured to receive logs from a remote client 5.1.2.2 Ensure journald service is enabled 5.1.2.3 Ensure journald is configured to compress large log files 5.1.2.4 Ensure journald is configured to write logfiles to persistent disk 5.1.2.5 Ensure journald is not configured to send logs to rsyslog 5.1.2.6 Ensure journald log rotation is configured per site policy 5.1.2.7 Ensure journald default file permissions configured 5.1.3 Ensure all logfiles have appropriate permissions and ownership 5.3 Ensure logrotate is configured 6.1.1 Ensure permissions on /etc/passwd are configured 6.1.11 Ensure world writable files and directories are secured 6.1.12 Ensure no unowned or ungrouped files or directories exist 6.1.13 Ensure SUID and SGID files are reviewed 6.1.2 Ensure permissions on /etc/passwd are configured 6.1.3 Ensure permissions on /etc/passwd- are configured 6.1.4 Ensure permissions on /etc/group are configured 6.1.5 Ensure permissions on /etc/group- are configured 6.1.6 Ensure permissions on /etc/shadow are configured 6.1.7 Ensure permissions on /etc/shadow- are configured 6.1.8 Ensure permissions on /etc/gshadow are configured 6.1.9 Ensure permissions on /etc/gshadow- are configured 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords 6.2.10 Ensure local interactive user home directories are configured 6.2.11 Ensure local interactive user dot files access is configured 6.2.2 Ensure /etc/shadow password fields are not empty 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group 6.2.4 Ensure no duplicate UIDs exist 6.2.5 Ensure no duplicate GIDs exist 6.2.6 Ensure no duplicate user names exist 6.2.7 Ensure no duplicate group names exist 6.2.8 Ensure root PATH Integrity 6.2.9 Ensure root is the only UID 0 account Miscellaneous Metadata updated. References updated. Variables updated. Added 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked 4.6.1.2 Ensure minimum days between password changes is configured Removed 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked 4.6.1.2 Ensure minimum days between password changes is configured
Revision 1.8 Apr 22, 2024 Functional Update 5.1.1.6 Ensure rsyslog is configured to send logs to a remote log host
Revision 1.7 Apr 18, 2024 Functional Update 4.6.1.2 Ensure minimum days between password changes is configured
Revision 1.6 Mar 18, 2024 Functional Update 1.4.1 Ensure permissions on bootloader config are configured 4.2.2 Ensure permissions on SSH private host key files are configured 4.2.3 Ensure permissions on SSH public host key files are configured 5.1.3 Ensure all logfiles have appropriate permissions and ownership 6.2.11 Ensure local interactive user dot files access is configured
Revision 1.5 Feb 5, 2024 Functional Update 4.2.20 Ensure SSH Idle Timeout Interval is configured

Detections

Analytics

CIS Amazon Linux 2023 Server L1 v1.0.0

Audit Details

File Details

Audit Changelog

Revision 1.14

Functional Update

Miscellaneous

Revision 1.13

Miscellaneous

Revision 1.12

Functional Update

Revision 1.11

Functional Update

Revision 1.10

Miscellaneous

Revision 1.9

Functional Update

Informational Update

Miscellaneous

Added

Removed

Revision 1.8

Functional Update

Revision 1.7

Functional Update

Revision 1.6

Functional Update

Revision 1.5

Functional Update

Detections

Analytics

CIS Amazon Linux 2023 Server L1 v1.0.0 Download File

Audit Details

File Details

Audit Changelog

Functional Update

Miscellaneous

Miscellaneous

Functional Update

Functional Update

Miscellaneous

Functional Update

Informational Update

Miscellaneous

Added

Removed

Functional Update

Functional Update

Functional Update

Functional Update

CIS Amazon Linux 2023 Server L1 v1.0.0