| 2.2.8 Ensure NFS and RPC are not enabled - nfs-server | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 2.3.4 Ensure telnet client is not installed | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 3.1.2 Ensure packet redirect sending is disabled - /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.send_redirects=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.1.2 Ensure packet redirect sending is disabled - sysctl net.ipv4.conf.default.send_redirects=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.1 Ensure source routed packets are not accepted - sysctl net.ipv4.conf.all.accept_source_route=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.1 Ensure source routed packets are not accepted - sysctl net.ipv6.conf.default.accept_source_route=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.2 Ensure ICMP redirects are not accepted - /etc/sysctl.conf /etc/sysctl.d/* net.ipv6.conf.default.accept_redirects=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.2 Ensure ICMP redirects are not accepted - sysctl net.ipv4.conf.all.accept_redirects=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.2 Ensure ICMP redirects are not accepted - sysctl net.ipv4.conf.default.accept_redirects=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.3 Ensure secure ICMP redirects are not accepted - /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.secure_redirects=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.3 Ensure secure ICMP redirects are not accepted - sysctl net.ipv4.conf.all.secure_redirects=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.4 Ensure suspicious packets are logged - sysctl net.ipv4.conf.default.log_martians=1 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | AUDIT AND ACCOUNTABILITY |
| 3.2.6 Ensure bogus ICMP responses are ignored - /etc/sysctl.conf /etc/sysctl.d/* | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.9 Ensure IPv6 router advertisements are not accepted - sysctl net.ipv6.conf.all.accept_ra=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.9 Ensure IPv6 router advertisements are not accepted - sysctl net.ipv6.conf.default.accept_ra=0 | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.3 Ensure /etc/hosts.deny is configured | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.1.2.1 Ensure default deny firewall policy - Chain INPUT | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.1.2.1 Ensure default deny firewall policy - Chain OUTPUT | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.1.2.2 Ensure loopback traffic is configured - OUTPUT | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.1.2.3 Ensure outbound and established connections are configured | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.1.3.1 Ensure IPv6 default deny firewall policy - Chain OUTPUT | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.1.3.2 Ensure IPv6 loopback traffic is configured - OUTPUT | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.1.3.4 Ensure IPv6 firewall rules exist for all open ports | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.2.1 Ensure rsyslog service is enabled | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.2.2 Ensure logging is configured - '*.=warning;*.=err -/var/log/warn' | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | |
| 4.2.2.2 Ensure logging is configured - 'cron.* /var/log/cron' | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | |
| 4.2.2.2 Ensure logging is configured - 'local0,local1.* -/var/log/localmessages' | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | |
| 4.2.2.2 Ensure logging is configured - 'local4,local5.* -/var/log/localmessages' | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | |
| 4.2.2.2 Ensure logging is configured - 'mail.warning -/var/log/mail.warn' | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | |
| 4.2.2.5 Ensure rsyslog is not configured to receive logs from a remote client | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| 4.2.3.1 Ensure syslog-ng service is enabled | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.3.4 Ensure syslog-ng is configured to send logs to a remote log host - log src | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.3.5 Ensure remote syslog-ng messages are only accepted on designated log hosts | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | AUDIT AND ACCOUNTABILITY |
| 5.1.8 Ensure at/cron is restricted to authorized users - cron.allow exist | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 5.2.13 Ensure SSH PermitEmptyPasswords is disabled | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900' | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth [success=1 default=bad] pam_unix.so' | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900' | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 5.4.1.3 Ensure password expiration warning days is 7 or more - users | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.4.1.4 Ensure inactive password lock is 30 days or less - users | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.4.1.5 Ensure all users last password change date is in the past | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 5.6 Ensure access to the su command is restricted - /etc/pam.d/su | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 6.1.13 Audit SUID executables | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | AUDIT AND ACCOUNTABILITY |
| 6.2.6 Ensure root PATH Integrity | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 6.2.7 Ensure all users' home directories exist | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 6.2.10 Ensure users' dot files are not group or world writable | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | ACCESS CONTROL |
| Check chrony installed | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | |
| Check NTP installed | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | |
| New format module load imtcp | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | |
| Old format InputTCPServerRun | CIS Amazon Linux 2 STIG v1.0.0 L1 | Unix | |
