diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml
new file mode 100644
index 000000000000..4c0a0ef29672
--- /dev/null
+++ b/controls/cis_al2023.yml
@@ -0,0 +1,2140 @@ +--- +policy: 'CIS Benchmark for Amazon Linux 2023' +title: 'CIS Benchmark for Amazon Linux 2023' +id: cis_al2023 +version: '1.0.0' +source: https://www.cisecurity.org/benchmark/amazon_linux +levels: + - id: l1_server + - id: l2_server + inherits_from: + - l1_server +reference_type: cis +product: al2023 + +controls: + - id: 1.1.1.1 + title: Ensure mounting of squashfs filesystems is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_squashfs_disabled + + - id: 1.1.1.2 + title: Ensure mounting of udf filesystems is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_udf_disabled + + - id: 1.1.1.3 + title: Ensure mounting of cramfs filesystems is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - kernel_module_cramfs_disabled + + - id: 1.1.1.4 + title: Ensure mounting of freevxfs filesystems is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - kernel_module_freevxfs_disabled + + - id: 1.1.1.5 + title: Ensure mounting of jffs2 filesystems is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - kernel_module_jffs2_disabled + + - id: 1.1.1.6 + title: Ensure mounting of hfs filesystems is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - kernel_module_hfs_disabled + + - id: 1.1.1.7 + title: Ensure mounting of hfsplus filesystems is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - kernel_module_hfsplus_disabled + + - id: 1.1.2.1 + title: Ensure /tmp is a separate partition (Automated) + levels: + - l1_server + status: automated + rules: + - partition_for_tmp + + - id: 1.1.2.2 + title: Ensure nodev option set on /tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_tmp_nodev + + - id: 1.1.2.3 + title: Ensure noexec option set on /tmp partition (Automated) + levels: + - l1_server + status: automated 
+ rules: + - mount_option_tmp_noexec + + - id: 1.1.2.4 + title: Ensure nosuid option set on /tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_tmp_nosuid + + - id: 1.1.3.1 + title: Ensure separate partition exists for /var (Automated) + levels: + - l2_server + status: automated + rules: + - partition_for_var + + - id: 1.1.3.2 + title: Ensure nodev option set on /var partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_nodev + + - id: 1.1.3.3 + title: Ensure nosuid option set on /var partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_nosuid + + - id: 1.1.4.1 + title: Ensure separate partition exists for /var/tmp (Automated) + levels: + - l2_server + status: automated + rules: + - partition_for_var_tmp + + - id: 1.1.4.2 + title: Ensure noexec option set on /var/tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_tmp_noexec + + - id: 1.1.4.3 + title: Ensure nosuid option set on /var/tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_tmp_nosuid + + - id: 1.1.4.4 + title: Ensure nodev option set on /var/tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_tmp_nodev + + - id: 1.1.5.1 + title: Ensure separate partition exists for /var/log (Automated) + levels: + - l2_server + status: automated + rules: + - partition_for_var_log + + - id: 1.1.5.2 + title: Ensure nodev option set on /var/log partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_nodev + + - id: 1.1.5.3 + title: Ensure noexec option set on /var/log partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_noexec + + - id: 1.1.5.4 + title: Ensure nosuid option set on /var/log partition (Automated) + levels: + - l1_server + status: automated + rules: + 
- mount_option_var_log_nosuid + + - id: 1.1.6.1 + title: Ensure separate partition exists for /var/log/audit (Automated) + levels: + - l2_server + status: automated + rules: + - partition_for_var_log_audit + + - id: 1.1.6.2 + title: Ensure noexec option set on /var/log/audit partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_audit_noexec + + - id: 1.1.6.3 + title: Ensure nodev option set on /var/log/audit partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_audit_nodev + + - id: 1.1.6.4 + title: Ensure nosuid option set on /var/log/audit partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_audit_nosuid + + - id: 1.1.7.1 + title: Ensure separate partition exists for /home (Automated) + levels: + - l2_server + status: automated + rules: + - partition_for_home + + - id: 1.1.7.2 + title: Ensure nodev option set on /home partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_home_nodev + + - id: 1.1.7.3 + title: Ensure nosuid option set on /home partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_home_nosuid + + - id: 1.1.8.1 + title: Ensure /dev/shm is a separate partition (Automated) + levels: + - l1_server + status: automated + rules: + - partition_for_dev_shm + + - id: 1.1.8.2 + title: Ensure nodev option set on /dev/shm partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_dev_shm_nodev + + - id: 1.1.8.3 + title: Ensure noexec option set on /dev/shm partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_dev_shm_noexec + + - id: 1.1.8.4 + title: Ensure nosuid option set on /dev/shm partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_dev_shm_nosuid + + - id: 1.1.9 + title: Disable USB Storage (Automated) + levels: + - l1_server + status: 
automated + rules: + - kernel_module_usb-storage_disabled + + - id: 1.2.1 + title: Ensure GPG keys are configured (Manual) + levels: + - l1_server + status: manual + related_rules: + - ensure_redhat_gpgkey_installed + + - id: 1.2.2 + title: Ensure gpgcheck is globally activated (Automated) + levels: + - l1_server + status: automated + rules: + - ensure_gpgcheck_globally_activated + + - id: 1.2.3 + title: Ensure package manager repositories are configured (Manual) + levels: + - l1_server + status: manual + + - id: 1.2.4 + title: Ensure repo_gpgcheck is globally activated (Manual) + levels: + - l2_server + status: manual + + - id: 1.3.1 + title: Ensure AIDE is installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_aide_installed + - aide_build_database + + - id: 1.3.2 + title: Ensure filesystem integrity is regularly checked (Automated) + levels: + - l1_server + status: automated + rules: + - aide_periodic_cron_checking + + - id: 1.3.3 + title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) + levels: + - l1_server + status: automated + rules: + - aide_check_audit_tools + related_rules: + - aide_use_fips_hashes + + - id: 1.4.1 + title: Ensure permissions on bootloader config are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_grub2_cfg + - file_owner_grub2_cfg + - file_permissions_grub2_cfg + - file_groupowner_user_cfg + - file_owner_user_cfg + - file_permissions_user_cfg + related_rules: + - file_groupowner_efi_grub2_cfg + - file_owner_efi_grub2_cfg + - file_permissions_efi_grub2_cfg + - file_groupowner_efi_user_cfg + - file_owner_efi_user_cfg + - file_permissions_efi_user_cfg + + - id: 1.5.1 + title: Ensure address space layout randomization (ASLR) is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_kernel_randomize_va_space + + - id: 1.5.2 + title: Ensure ptrace_scope is restricted (Automated) + levels: + - 
l1_server + status: automated + rules: + - sysctl_kernel_yama_ptrace_scope + + - id: 1.5.3 + title: Ensure core dump storage is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - coredump_disable_storage + + - id: 1.5.4 + title: Ensure core dump backtraces are disabled (Automated) + levels: + - l1_server + status: automated + rules: + - coredump_disable_backtraces + + - id: 1.6.1.1 + title: Ensure SELinux is installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_libselinux_installed + + - id: 1.6.1.2 + title: Ensure SELinux is not disabled in bootloader configuration (Automated) + levels: + - l1_server + status: automated + rules: + - grub2_enable_selinux + + - id: 1.6.1.3 + title: Ensure SELinux policy is configured (Automated) + levels: + - l1_server + status: automated + rules: + - var_selinux_policy_name=targeted + - selinux_policytype + + - id: 1.6.1.4 + title: Ensure the SELinux mode is not disabled (Automated) + levels: + - l1_server + status: automated + rules: + - selinux_not_disabled + + - id: 1.6.1.5 + title: Ensure the SELinux mode is enforcing (Automated) + levels: + - l2_server + status: automated + rules: + - var_selinux_state=enforcing + - selinux_state + + - id: 1.6.1.6 + title: Ensure no unconfined services exist (Automated) + levels: + - l1_server + status: automated + rules: + - selinux_confinement_of_daemons + + - id: 1.6.1.7 + title: Ensure SETroubleshoot is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_setroubleshoot_removed + + - id: 1.6.1.8 + title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_mcstrans_removed + + - id: 1.7.1 + title: Ensure message of the day is configured properly (Automated) + levels: + - l1_server + status: automated + rules: + - banner_etc_motd + - motd_banner_text=cis_banners + + - id: 1.7.2 + title: Ensure local login 
warning banner is configured properly (Automated) + levels: + - l1_server + status: automated + rules: + - banner_etc_issue + - login_banner_text=cis_banners + + - id: 1.7.3 + title: Ensure remote login warning banner is configured properly (Automated) + levels: + - l1_server + status: automated + rules: + - banner_etc_issue_net + - remote_login_banner_text=cis_banners + + - id: 1.7.4 + title: Ensure permissions on /etc/motd are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_etc_motd + - file_owner_etc_motd + - file_permissions_etc_motd + + - id: 1.7.5 + title: Ensure permissions on /etc/issue are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_etc_issue + - file_owner_etc_issue + - file_permissions_etc_issue + + - id: 1.7.6 + title: Ensure permissions on /etc/issue.net are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_etc_issue_net + - file_owner_etc_issue_net + - file_permissions_etc_issue_net + + - id: 1.8 + title: Ensure updates, patches, and additional security software are installed (Manual) + levels: + - l1_server + status: manual + related_rules: + - security_patches_up_to_date + + - id: "1.9" + title: Ensure system-wide crypto policy is not legacy (Automated) + levels: + - l1_server + status: automated + rules: + - configure_crypto_policy + - var_system_crypto_policy=default_policy + + - id: 2.1.1 + title: Ensure time synchronization is in use (Automated) + levels: + - l1_server + status: automated + related_rules: + - package_chrony_installed + + - id: 2.1.2 + title: Ensure chrony is configured (Automated) + levels: + - l1_server + status: automated + rules: + - chronyd_specify_remote_server + - chronyd_run_as_chrony_user + - var_multiple_time_servers=amazon + + - id: 2.2.1 + title: Ensure xorg-x11-server-common is not installed (Automated) + levels: + - l2_server + status: automated + rules: + - 
package_xorg-x11-server-common_removed + + - id: 2.2.2 + title: Ensure avahi is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_avahi_removed + related_rules: + - service_avahi-daemon_disabled + + - id: 2.2.3 + title: Ensure a print server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_cups_removed + related_rules: + - service_cups_disabled + + - id: 2.2.4 + title: Ensure a dhcp server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_dhcp_removed + + - id: 2.2.5 + title: Ensure a dns server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_bind_removed + + - id: 2.2.6 + title: Ensure an ftp server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_vsftpd_removed + + - id: 2.2.7 + title: Ensure a tftp server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_tftp-server_removed + + - id: 2.2.8 + title: Ensure a web server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_httpd_removed + - package_nginx_removed + + - id: 2.2.9 + title: Ensure IMAP and POP3 server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_dovecot_removed + - package_cyrus-imapd_removed + + - id: 2.2.10 + title: Ensure Samba is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_samba_removed + + - id: 2.2.11 + title: Ensure HTTP Proxy Server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_squid_removed + + - id: 2.2.12 + title: Ensure net-snmp is not installed or the snmpd service is not enabled (Automated) + levels: + - l1_server + status: automated + rules: + - package_net-snmp_removed + + - id: 2.2.13 + title: Ensure telnet-server is not installed (Automated) + 
levels: + - l1_server + status: automated + rules: + - package_telnet-server_removed + + - id: 2.2.14 + title: Ensure dnsmasq is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_dnsmasq_removed + + - id: 2.2.15 + title: Ensure mail transfer agent is configured for local-only mode (Automated) + levels: + - l1_server + status: automated + rules: + - postfix_network_listening_disabled + - var_postfix_inet_interfaces=loopback-only + - has_nonlocal_mta + + - id: 2.2.16 + title: Ensure nfs-utils is not installed or the nfs-server service is masked (Automated) + levels: + - l1_server + status: automated + rules: + - service_nfs_disabled + related_rules: + - package_nfs-utils_removed + # The nfs-utils package is required for systems with GUI or by some libvirt packages + + - id: 2.2.17 + title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated) + levels: + - l1_server + status: automated + rules: + - service_rpcbind_disabled + related_rules: + - package_rpcbind_removed + + - id: 2.2.18 + title: Ensure rsync-daemon is not installed or the rsyncd service is masked (Automated) + levels: + - l1_server + status: automated + rules: + - package_rsync_removed + related_rules: + - service_rsyncd_disabled + + - id: 2.3.1 + title: Ensure telnet client is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_telnet_removed + + - id: 2.3.2 + title: Ensure LDAP client is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_openldap-clients_removed + + - id: 2.3.3 + title: Ensure FTP client is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_ftp_removed + + - id: 2.4 + title: Ensure nonessential services listening on the system are removed or masked (Manual) + levels: + - l1_server + status: manual + + - id: 3.1.1 + title: Ensure IPv6 status is identified (Manual) + levels: + - l1_server + status: manual 
+ + - id: 3.1.2 + title: Ensure DCCP is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_dccp_disabled + + - id: 3.1.3 + title: Ensure SCTP is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_sctp_disabled + + - id: 3.1.4 + title: Ensure RDS is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_rds_disabled + + - id: 3.1.5 + title: Ensure TIPC is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_tipc_disabled + + - id: 3.2.1 + title: Ensure IP forwarding is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_forwarding + - sysctl_net_ipv6_conf_all_forwarding_value=disabled + + - id: 3.2.2 + title: Ensure packet redirect sending is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_send_redirects + + - id: 3.3.1 + title: Ensure source routed packets are not accepted (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled + + - id: 3.3.2 + title: Ensure ICMP redirects are not accepted (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_default_accept_redirects + - 
sysctl_net_ipv4_conf_default_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled + + - id: 3.3.3 + title: Ensure secure ICMP redirects are not accepted (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled + - sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled + + - id: 3.3.4 + title: Ensure suspicious packets are logged (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_all_log_martians_value=enabled + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_default_log_martians_value=enabled + + - id: 3.3.5 + title: Ensure broadcast ICMP requests are ignored (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled + + - id: 3.3.6 + title: Ensure bogus ICMP responses are ignored (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled + + - id: 3.3.7 + title: Ensure Reverse Path Filtering is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_all_rp_filter_value=enabled + - sysctl_net_ipv4_conf_default_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter_value=enabled + + - id: 3.3.8 + title: Ensure TCP SYN Cookies is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_tcp_syncookies_value=enabled + 
+ - id: 3.3.9 + title: Ensure IPv6 router advertisements are not accepted (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_all_accept_ra_value=disabled + - sysctl_net_ipv6_conf_default_accept_ra + - sysctl_net_ipv6_conf_default_accept_ra_value=disabled + + - id: 3.4.1.1 + title: Ensure nftables is installed (Automated) + levels: + - l2_server + status: automated + rules: + - package_nftables_installed + + - id: 3.4.1.2 + title: Ensure a single firewall configuration utility is in use (Automated) + levels: + - l2_server + status: automated + rules: + - service_firewalld_enabled + - package_firewalld_installed + - service_nftables_disabled + + - id: 3.4.2.1 + title: Ensure firewalld default zone is set (Automated) + levels: + - l2_server + status: automated + rules: + - set_firewalld_default_zone + + - id: 3.4.2.2 + title: Ensure at least one nftables table exists (Automated) + levels: + - l2_server + status: supported + rules: + - set_nftables_table + - var_nftables_family=inet + - var_nftables_table=firewalld + + - id: 3.4.2.3 + title: Ensure nftables base chains exist (Automated) + levels: + - l2_server + status: supported + related_rules: + - set_nftables_base_chain + - var_nftables_table=firewalld + - var_nftables_family=inet + - var_nftables_base_chain_names=chain_names + - var_nftables_base_chain_types=chain_types + - var_nftables_base_chain_hooks=chain_hooks + - var_nftables_base_chain_priorities=chain_priorities + - var_nftables_base_chain_policies=chain_policies + + - id: 3.4.2.4 + title: Ensure host based firewall loopback traffic is configured (Automated) + levels: + - l2_server + status: automated + rules: + - firewalld_loopback_traffic_trusted + - firewalld_loopback_traffic_restricted + + - id: 3.4.2.5 + title: Ensure firewalld drops unnecessary services and ports (Manual) + levels: + - l2_server + status: manual + related_rules: + - configure_firewalld_ports + + - id: 
3.4.2.6 + title: Ensure nftables established connections are configured (Manual) + levels: + - l2_server + status: manual + + - id: 3.4.2.7 + title: Ensure nftables default deny firewall policy (Automated) + levels: + - l2_server + status: supported + related_rules: + - nftables_ensure_default_deny_policy + + - id: 4.1.1 + title: Ensure cron daemon is installed and enabled (Automated) + levels: + - l1_server + status: automated + rules: + - service_crond_enabled + + - id: 4.1.2 + title: Ensure permissions on /etc/crontab are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + + - id: 4.1.3 + title: Ensure permissions on /etc/cron.hourly are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly + + - id: 4.1.4 + title: Ensure permissions on /etc/cron.daily are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily + + - id: 4.1.5 + title: Ensure permissions on /etc/cron.weekly are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly + + - id: 4.1.6 + title: Ensure permissions on /etc/cron.monthly are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly + + - id: 4.1.7 + title: Ensure permissions on /etc/cron.d are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d + + - id: 4.1.8 + title: Ensure cron is restricted to authorized users (Automated) + levels: + - l1_server + status: automated + rules: + - 
file_cron_deny_not_exist + - file_cron_allow_exists + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_permissions_cron_allow + + - id: 4.1.9 + title: Ensure at is restricted to authorized users (Automated) + levels: + - l1_server + status: automated + rules: + - file_at_deny_not_exist + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow + + - id: 4.2.1 + title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config + + - id: 4.2.2 + title: Ensure permissions on SSH private host key files are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_permissions_sshd_private_key + - file_ownership_sshd_private_key + - file_groupownership_sshd_private_key + + - id: 4.2.3 + title: Ensure permissions on SSH public host key files are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_permissions_sshd_pub_key + - file_ownership_sshd_pub_key + - file_groupownership_sshd_pub_key + + - id: 4.2.4 + title: Ensure SSH access is limited (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_limit_user_access + + - id: 4.2.5 + title: Ensure SSH LogLevel is appropriate (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_set_loglevel_verbose + related_rules: + - sshd_set_loglevel_info + + - id: 4.2.6 + title: Ensure SSH PAM is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_enable_pam + + - id: 4.2.7 + title: Ensure SSH root login is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_disable_root_login + + - id: 4.2.8 + title: Ensure SSH HostbasedAuthentication is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - disable_host_auth + + - id: 4.2.9 + title: Ensure SSH PermitEmptyPasswords 
is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_disable_empty_passwords + + - id: 4.2.10 + title: Ensure SSH PermitUserEnvironment is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_do_not_permit_user_env + + - id: 4.2.11 + title: Ensure SSH IgnoreRhosts is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_disable_rhosts + + - id: 4.2.12 + title: Ensure SSH X11 forwarding is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - sshd_disable_x11_forwarding + + - id: 4.2.13 + title: Ensure SSH AllowTcpForwarding is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - sshd_disable_tcp_forwarding + + - id: 4.2.14 + title: Ensure system-wide crypto policy is not over-ridden (Automated) + levels: + - l1_server + status: automated + rules: + - configure_ssh_crypto_policy + + - id: 4.2.15 + title: Ensure SSH warning banner is configured (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_enable_warning_banner_net + related_rules: + - sshd_enable_warning_banner + + - id: 4.2.16 + title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries + + - id: 4.2.17 + title: Ensure SSH MaxStartups is configured (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 + + - id: 4.2.18 + title: Ensure SSH MaxSessions is set to 10 or less (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_set_max_sessions + - var_sshd_max_sessions=10 + + - id: 4.2.19 + title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_set_login_grace_time + - var_sshd_set_login_grace_time=60 + + - id: 4.2.20 + title: Ensure SSH Idle Timeout Interval is 
configured (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_idle_timeout_value=15_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=0 + + - id: 4.3.1 + title: Ensure sudo is installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_sudo_installed + + - id: 4.3.2 + title: Ensure sudo commands use pty (Automated) + levels: + - l1_server + status: automated + rules: + - sudo_add_use_pty + + - id: 4.3.3 + title: Ensure sudo log file exists (Automated) + levels: + - l1_server + status: automated + rules: + - sudo_custom_logfile + + - id: 4.3.4 + title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) + levels: + - l1_server + status: automated + rules: + - sudo_require_reauthentication + + - id: 4.3.5 + title: Ensure sudo authentication timeout is configured correctly (Automated) + levels: + - l1_server + status: automated + rules: + - sudo_require_reauthentication + + - id: 4.3.6 + title: Ensure access to the su command is restricted (Automated) + levels: + - l1_server + status: automated + rules: + - var_pam_wheel_group_for_su=cis + - use_pam_wheel_group_for_su + - ensure_pam_wheel_group_empty + + - id: 4.4.1 + title: Ensure custom authselect profile is used (Manual) + levels: + - l1_server + status: manual + rules: + - no_empty_passwords + + - id: 4.4.2 + title: Ensure authselect includes with-faillock (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_passwords_pam_faillock_deny + + - id: 4.5.1 + title: Ensure password creation requirements are configured (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_password_pam_minclass + - accounts_password_pam_minlen + - accounts_password_pam_retry + - var_password_pam_minclass=4 + - var_password_pam_minlen=14 + + - id: 4.5.2 + title: Ensure lockout for failed password attempts is configured (Automated) + levels: + - l1_server + status: automated 
+ rules: + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=900 + + - id: 4.5.3 + title: Ensure password reuse is limited (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=requisite_or_required + - var_password_pam_remember=5 + + - id: 4.5.4 + title: Ensure password hashing algorithm is SHA-512 (Automated) + levels: + - l1_server + status: automated + rules: + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 + + - id: 4.6.1.1 + title: Ensure password expiration is 365 days or less (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_maximum_age_login_defs + - var_accounts_maximum_age_login_defs=365 + - accounts_password_set_max_life_existing + + - id: 4.6.1.2 + title: Ensure minimum days between password changes is configured (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_minimum_age_login_defs + - var_accounts_minimum_age_login_defs=1 + - accounts_password_set_min_life_existing + + - id: 4.6.1.3 + title: Ensure password expiration warning days is 7 or more (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + - accounts_password_set_warn_age_existing + + - id: 4.6.1.4 + title: Ensure inactive password lock is 30 days or less (Automated) + levels: + - l1_server + status: automated + rules: + - account_disable_post_pw_expiration + - var_account_disable_post_pw_expiration=30 + - accounts_set_post_pw_existing + + - id: 4.6.1.5 + title: Ensure all users last password change date 
is in the past (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_password_last_change_is_in_past
+
+ - id: 4.6.2
+ title: Ensure system accounts are secured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - no_password_auth_for_systemaccounts
+ - no_shelllogin_for_systemaccounts
+
+ - id: 4.6.3
+ title: Ensure default user shell timeout is 900 seconds or less (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=15_min
+
+ - id: 4.6.4
+ title: Ensure default group for the root account is GID 0 (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_root_gid_zero
+
+ - id: 4.6.5
+ title: Ensure default user umask is 027 or more restrictive (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_login_defs
+ - accounts_umask_etc_profile
+ - var_accounts_user_umask=027
+
+ - id: 4.6.6
+ title: Ensure root password is set (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.1.1
+ title: Ensure rsyslog is installed (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.1.2
+ title: Ensure rsyslog service is enabled (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.1.3
+ title: Ensure journald is configured to send logs to rsyslog (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.1.4
+ title: Ensure rsyslog default file permissions are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - rsyslog_filecreatemode
+
+ - id: 5.1.1.5
+ title: Ensure logging is configured (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.1.6
+ title: Ensure rsyslog is configured to send logs to a remote log host (Manual)
+ levels:
+ - l1_server
+ status: manual
+ related_rules:
+ - rsyslog_remote_loghost
+
+ - id: 5.1.1.7
+ title: Ensure rsyslog is not configured to receive logs from a remote client (Automated)
+ levels:
+ -
l1_server
+ status: automated
+ rules:
+ - rsyslog_nolisten
+
+ - id: 5.1.2.1.1
+ title: Ensure systemd-journal-remote is installed (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.2.1.2
+ title: Ensure systemd-journal-remote is configured (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.2.1.3
+ title: Ensure systemd-journal-remote is enabled (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.2.1.4
+ title: Ensure journald is not configured to receive logs from a remote client (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - socket_systemd-journal-remote_disabled
+
+ - id: 5.1.2.2
+ title: Ensure journald service is enabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - service_systemd-journald_enabled
+
+ - id: 5.1.2.3
+ title: Ensure journald is configured to compress large log files (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - journald_compress
+
+ - id: 5.1.2.4
+ title: Ensure journald is configured to write logfiles to persistent disk (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - journald_storage
+
+ - id: 5.1.2.5
+ title: Ensure journald is not configured to send logs to rsyslog (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.2.6
+ title: Ensure journald log rotation is configured per site policy (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.2.7
+ title: Ensure journald default file permissions configured (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.2.1.1
+ title: Ensure auditd is installed (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - package_audit_installed
+
+ - id: 5.2.1.2
+ title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - grub2_audit_argument
+
+ - id: 5.2.1.3
+ title: Ensure audit_backlog_limit is sufficient (Automated)
+ levels:
+ - l2_server
+ status:
automated
+ rules:
+ - grub2_audit_backlog_limit_argument
+
+ - id: 5.2.1.4
+ title: Ensure auditd service is enabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - service_auditd_enabled
+
+ - id: 5.2.2.1
+ title: Ensure audit log storage size is configured (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - auditd_data_retention_max_log_file
+ - var_auditd_max_log_file=6
+
+ - id: 5.2.2.2
+ title: Ensure audit logs are not automatically deleted (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - auditd_data_retention_max_log_file_action
+ - var_auditd_max_log_file_action=keep_logs
+
+ - id: 5.2.2.3
+ title: Ensure system is disabled when audit logs are full (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - auditd_data_retention_action_mail_acct
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_space_left_action
+ - var_auditd_action_mail_acct=root
+ - var_auditd_admin_space_left_action=halt
+ - var_auditd_space_left_action=email
+
+ - id: 5.2.3.1
+ title: Ensure changes to system administration scope (sudoers) is collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_sysadmin_actions
+
+ - id: 5.2.3.2
+ title: Ensure actions as another user are always logged (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_suid_auid_privilege_function
+
+ - id: 5.2.3.3
+ title: Ensure events that modify the sudo log file are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_sudo_log_events
+
+ - id: 5.2.3.4
+ title: Ensure events that modify date and time information are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_clock_settime
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+
+ - id: 5.2.3.5
+ title: Ensure events that modify the system's network
environment are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_networkconfig_modification
+
+ - id: 5.2.3.6
+ title: Ensure use of privileged commands are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_privileged_commands
+
+ - id: 5.2.3.7
+ title: Ensure unsuccessful file access attempts are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+
+ - id: 5.2.3.8
+ title: Ensure events that modify user/group information are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+
+ - id: 5.2.3.9
+ title: Ensure discretionary access control permission modification events are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+
+ - id: 5.2.3.10
+ title: Ensure successful file system mounts are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ -
audit_rules_media_export
+
+ - id: 5.2.3.11
+ title: Ensure session initiation information is collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_session_events
+
+ - id: 5.2.3.12
+ title: Ensure login and logout events are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - var_accounts_passwords_pam_faillock_dir=run
+
+ - id: 5.2.3.13
+ title: Ensure file deletion events by users are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+
+ - id: 5.2.3.14
+ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification_usr_share
+
+ - id: 5.2.3.15
+ title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_execution_chcon
+
+ - id: 5.2.3.16
+ title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_execution_setfacl
+
+ - id: 5.2.3.17
+ title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_execution_chacl
+
+ - id: 5.2.3.18
+ title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_privileged_commands_usermod
+
+ - id: 5.2.3.19
+ title: Ensure kernel module loading unloading and modification is collected (Automated)
+ levels:
+
- l2_server
+ status: automated
+ rules:
+ - audit_rules_kernel_module_loading_create
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_kernel_module_loading_query
+ - audit_rules_privileged_commands_kmod
+
+ - id: 5.2.3.20
+ title: Ensure the audit configuration is immutable (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_immutable
+
+ - id: 5.2.3.21
+ title: Ensure the running and on disk configuration is the same (Manual)
+ levels:
+ - l2_server
+ status: manual
+
+ - id: 5.2.4.1
+ title: Ensure audit log files are mode 0640 or less permissive (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_permissions_var_log_audit
+
+ - id: 5.2.4.2
+ title: Ensure only authorized users own audit log files (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_ownership_var_log_audit_stig
+
+ - id: 5.2.4.3
+ title: Ensure only authorized groups are assigned ownership of audit log files (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_group_ownership_var_log_audit
+
+ - id: 5.2.4.4
+ title: Ensure the audit log directory is 0750 or more restrictive (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - directory_permissions_var_log_audit
+
+ - id: 5.2.4.5
+ title: Ensure audit configuration files are 640 or more restrictive (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_permissions_audit_configuration
+
+ - id: 5.2.4.6
+ title: Ensure audit configuration files are owned by root (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_ownership_audit_configuration
+
+ - id: 5.2.4.7
+ title: Ensure audit configuration files belong to group root (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_groupownership_audit_configuration
+
+ - id: 5.2.4.8
+ title: Ensure audit tools are 755 or more restrictive
(Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_permissions_audit_binaries
+
+ - id: 5.2.4.9
+ title: Ensure audit tools are owned by root (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_ownership_audit_binaries
+
+ - id: 5.2.4.10
+ title: Ensure audit tools belong to group root (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_groupownership_audit_binaries
+
+ - id: 5.3
+ title: Ensure logrotate is configured (Manual)
+ levels:
+ - l1_server
+ status: manual
+ related_rules:
+ - ensure_logrotate_activated
+ - package_logrotate_installed
+ - timer_logrotate_enabled
+
+ - id: 6.1.1
+ title: Ensure permissions on /etc/passwd are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_passwd
+ - file_owner_etc_passwd
+ - file_permissions_etc_passwd
+
+ - id: 6.1.2
+ title: Ensure permissions on /etc/passwd are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_passwd
+ - file_owner_etc_passwd
+ - file_permissions_etc_passwd
+
+ - id: 6.1.3
+ title: Ensure permissions on /etc/passwd- are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_passwd
+ - file_owner_backup_etc_passwd
+ - file_permissions_backup_etc_passwd
+
+ - id: 6.1.4
+ title: Ensure permissions on /etc/group are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_group
+ - file_owner_etc_group
+ - file_permissions_etc_group
+
+ - id: 6.1.5
+ title: Ensure permissions on /etc/group- are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_group
+ - file_owner_backup_etc_group
+ - file_permissions_backup_etc_group
+
+ - id: 6.1.6
+ title: Ensure permissions on /etc/shadow are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_owner_etc_shadow
+ -
file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+
+ - id: 6.1.7
+ title: Ensure permissions on /etc/shadow- are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_shadow
+ - file_owner_backup_etc_shadow
+ - file_permissions_backup_etc_shadow
+
+ - id: 6.1.8
+ title: Ensure permissions on /etc/gshadow are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_gshadow
+ - file_owner_etc_gshadow
+ - file_permissions_etc_gshadow
+
+ - id: 6.1.9
+ title: Ensure permissions on /etc/gshadow- are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_gshadow
+ - file_owner_backup_etc_gshadow
+ - file_permissions_backup_etc_gshadow
+
+ - id: 6.1.10
+ title: Audit system file permissions (Manual)
+ levels:
+ - l2_server
+ status: manual
+ related_rules:
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+
+ - id: 6.1.11
+ title: Ensure world writable files and directories are secured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_permissions_unauthorized_world_writable
+ - dir_perms_world_writable_sticky_bits
+
+ - id: 6.1.12
+ title: Ensure no unowned or ungrouped files or directories exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - no_files_unowned_by_user
+ - file_permissions_ungroupowned
+
+ - id: 6.1.13
+ title: Ensure SUID and SGID files are reviewed (Manual)
+ levels:
+ - l1_server
+ status: manual
+ related_rules:
+ - file_permissions_unauthorized_suid
+
+ - id: 6.2.1
+ title: Ensure accounts in /etc/passwd use shadowed passwords (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_password_all_shadowed
+
+ - id: 6.2.2
+ title: Ensure /etc/shadow password fields are not empty (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - no_empty_passwords_etc_shadow
+
+ - id: 6.2.3
+ title: Ensure all groups in
/etc/passwd exist in /etc/group (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - gid_passwd_group_same
+
+ - id: 6.2.4
+ title: Ensure no duplicate UIDs exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - account_unique_id
+
+ - id: 6.2.5
+ title: Ensure no duplicate GIDs exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - group_unique_id
+
+ - id: 6.2.6
+ title: Ensure no duplicate user names exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - account_unique_name
+
+ - id: 6.2.7
+ title: Ensure no duplicate group names exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - group_unique_name
+
+ - id: 6.2.8
+ title: Ensure root PATH Integrity (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_root_path_dirs_no_write
+ - root_path_no_dot
+
+ - id: 6.2.9
+ title: Ensure root is the only UID 0 account (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_no_uid_except_zero
+
+ - id: 6.2.10
+ title: Ensure local interactive user home directories are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_user_interactive_home_directory_exists
+ - file_ownership_home_directories
+ - file_groupownership_home_directories
+ - file_permissions_home_directories
+
+ - id: 6.2.11
+ title: Ensure local interactive user dot files access is configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - no_netrc_files
+ - no_forward_files
+ - no_rsh_trust_files
+ - accounts_user_dot_no_world_writable_programs
diff --git a/linux_os/guide/services/ntp/var_multiple_time_servers.var b/linux_os/guide/services/ntp/var_multiple_time_servers.var
index fb3ce1c21223..6940424d0fe8 100644
--- a/linux_os/guide/services/ntp/var_multiple_time_servers.var
+++ b/linux_os/guide/services/ntp/var_multiple_time_servers.var
@@ -17,3 +17,4 @@ options:
 ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
 suse: "0.suse.pool.ntp.org,1.suse.pool.ntp.org,2.suse.pool.ntp.org,3.suse.pool.ntp.org"
 alinux: "0.ntp.cloud.aliyuncs.com,1.ntp.aliyun.com,2.ntp1.aliyun.com,3.ntp1.cloud.aliyuncs.com"
+ amazon: "0.amazon.pool.ntp.org,1.amazon.pool.ntp.org,2.amazon.pool.ntp.org,3.amazon.pool.ntp.org"
diff --git a/products/al2023/product.yml b/products/al2023/product.yml
index b7d744f1ce33..912db967894f 100644
--- a/products/al2023/product.yml
+++ b/products/al2023/product.yml
@@ -18,7 +18,7 @@ pkg_manager: "dnf"
 init_system: "systemd"
 reference_uris:
- cis: 'https://benchmarks.cisecurity.org/tools2/linux/CIS_Amazon Linux 2023_Benchmark_v1.0.pdf'
+ cis: 'https://www.cisecurity.org/benchmark/amazon_linux/'
 # EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
 #grub2_boot_path: "/boot/grub2" This is defined elsewhere now.
diff --git a/products/al2023/profiles/cis_server_l1.profile b/products/al2023/profiles/cis_server_l1.profile
new file mode 100644
index 000000000000..d4149ece6b4a
--- /dev/null
+++ b/products/al2023/profiles/cis_server_l1.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+
+reference: https://www.cisecurity.org/benchmark/amazon_linux/
+
+title: 'CIS Amazon Linux 2023 Benchmark for Level 1 - Server'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 1 - Server"
+ configuration from the Center for Internet Security® Amazon
+ Linux 2023 Benchmark™, v1.0.0, released 2023-06-26.
+
+ This profile includes Center for Internet Security®
+ Amazon Linux 2023 CIS Benchmarks™ content.
+
+selections:
+ - cis_al2023:all:l1_server
diff --git a/products/al2023/profiles/cis_server_l2.profile b/products/al2023/profiles/cis_server_l2.profile
new file mode 100644
index 000000000000..3d3fbc504897
--- /dev/null
+++ b/products/al2023/profiles/cis_server_l2.profile
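Review bot: The added option is keyed `amazon`, while the product this commit wires up is `al2023`; the neighbouring keys (`ol`, `suse`, `alinux`) look like product identifiers, so if option selection for this variable is driven by product id the new `al2023` profiles will not pick this value up and will silently fall back to the default pool. Either key it `al2023: "0.amazon.pool.ntp.org,..."` or confirm that a profile or the controls file selects `var_multiple_time_servers=amazon` explicitly. To my knowledge AL2023 images ship chrony pointed at the Amazon Time Sync Service (169.254.169.123) ahead of the vendor pool, so a remediation using this value may replace an in-VPC time source with public pool hosts; a short comment above the option stating that trade-off would help whoever tunes it later.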
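Review bot: `version: 1.0.0` under `metadata` in the new cis_server_l1.profile is a plain scalar, whereas controls/cis_al2023.yml in the same commit writes the same value quoted as `version: '1.0.0'`. Three-component `1.0.0` does parse as a string, but quoting it here as well keeps the new files consistent and protects a future two-component bump (e.g. `1.1`) from being read as a float by generic YAML tooling. The same applies to products/al2023/profiles/cis_server_l2.profile. Suggested line: `  version: '1.0.0'`.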
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+
+reference: https://www.cisecurity.org/benchmark/amazon_linux/
+
+title: 'CIS Amazon Linux 2023 Benchmark for Level 2 - Server'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 2 - Server"
+ configuration from the Center for Internet Security® Amazon
+ Linux 2023 Benchmark™, v1.0.0, released 2023-06-26.
+
+ This profile includes Center for Internet Security®
+ Amazon Linux 2023 CIS Benchmarks™ content.
+
+selections:
+ - cis_al2023:all:l2_server