| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-273994 | | Amazon Linux 2023 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used fo... |
| V-273996 | | Amazon Linux 2023 must check the GPG signature of locally installed software packages before installation. | Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software ha... |
| V-273997 | | Amazon Linux 2023 must check the GPG signature of software packages originating from external software repositories before installation. | Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software ha... |
| V-273998 | | Amazon Linux 2023 must have GPG signature verification enabled for all software repositories. | Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software ha... |
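
The three rows above correspond to three dnf settings: `localpkg_gpgcheck` for packages installed from a local .rpm file (V-273996), `gpgcheck` under `[main]` in /etc/dnf/dnf.conf for packages pulled from repositories (V-273997), and `gpgcheck` in each repository section under /etc/yum.repos.d (V-273998), where a section that omits the key inherits the `[main]` value, so a single `gpgcheck=0` in one .repo file is enough to fail the third. The checker below is an added example, not part of the STIG or of Amazon's tooling: it reads the files as one ini stream, applies that inheritance rule, and skips sections with `enabled=0`. The row-to-setting mapping and the dnf 4 inheritance behaviour are assumptions noted in the comments; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not STIG or Amazon code): report dnf settings that do not enforce
# GPG signature checks. Assumptions: dnf 4 semantics, where a repo section without
# its own gpgcheck inherits [main]; a disabled repo (enabled=0) is skipped.

dnf_gpg_violations() {
  # stdin: ini text (dnf.conf followed by the .repo files);
  # prints one line per violation and exits 1 if there were any
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { bad = 0 }
    /^[ \t]*[#;]/ { next }                                  # comment line
    /^[ \t]*\[[^]]+\][ \t]*$/ {                              # [section]
      sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); secs[++n] = sec; next }
    index($0, "=") && sec != "" {                            # key = value inside a section
      k = trim(substr($0, 1, index($0, "=") - 1))
      v = trim(substr($0, index($0, "=") + 1))
      val[sec "," k] = v }
    END {
      mg = val["main,gpgcheck"]
      if (mg != "1") { print "main: gpgcheck=" (mg == "" ? "(unset)" : mg) " (want 1)"; bad = 1 }
      ml = val["main,localpkg_gpgcheck"]
      if (ml != "1") { print "main: localpkg_gpgcheck=" (ml == "" ? "(unset)" : ml) " (want 1)"; bad = 1 }
      for (i = 1; i <= n; i++) {
        s = secs[i]
        if (s == "main") continue
        if (((s ",enabled") in val) && val[s ",enabled"] == "0") continue    # disabled repo
        eff = ((s ",gpgcheck") in val) ? val[s ",gpgcheck"] : mg             # inherit from [main]
        if (eff != "1") { print s ": effective gpgcheck=" (eff == "" ? "(unset)" : eff) " (want 1)"; bad = 1 }
      }
      exit bad
    }'
}

# Constructed sample: [main] does not verify locally supplied .rpm files and one
# third-party repo has switched signature checks off.
SAMPLE_DNF_CONF='[main]
gpgcheck=1
localpkg_gpgcheck=0

[amazonlinux]
name=Amazon Linux 2023 repository
gpgcheck=1

[thirdparty]
name=constructed third-party repo
gpgcheck=0'

if [ "${1:-}" = "--live" ]; then
  # real files; each .repo file ends with a newline, so concatenation is safe
  cat /etc/dnf/dnf.conf /etc/yum.repos.d/*.repo | dnf_gpg_violations && echo "dnf signature checks: OK"
else
  printf '%s\n' "$SAMPLE_DNF_CONF" | dnf_gpg_violations || echo "(the sample is expected to produce two findings)"
fi
```

With `--live` the script reads the host's real files; without it, it runs on the constructed sample. Because a repo section inherits `gpgcheck` from `[main]`, the check reports the *effective* value per repository rather than only grepping for `gpgcheck=0`.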
| V-273999 | | Amazon Linux 2023 must be a vendor-supported release. | An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release... |
| V-274007 | | Amazon Linux 2023 must not have the vsftpd package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-274038 | | Amazon Linux 2023 must have SSH installed. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-274039 | | Amazon Linux 2023 must implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to pr... |
| V-274040 | | Amazon Linux 2023 must have the crypto-policies package installed. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-274042 | | Amazon Linux 2023 server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-274043 | | Amazon Linux 2023 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-274046 | | Amazon Linux 2023 must force a frequent session key renegotiation for SSH connections to the server. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-274052 | | Amazon Linux 2023 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing s... |
| V-274057 | | Amazon Linux 2023 must enable FIPS mode. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Amazon Linux 2023 must implement crypto... |
| V-274058 | | Amazon Linux 2023 crypto policy must not be overridden. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-274153 | | Amazon Linux 2023 must use a Linux Security Module configured to enforce limits on system services. | An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Sec... |
| V-283440 | | Amazon Linux 2023 must implement DOD-approved encryption in the bind package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for pr... |
| V-283441 | | Amazon Linux 2023 must enable FIPS mode. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cry... |
| V-283442 | | The Amazon Linux 2023 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access... |
| V-283443 | | The Amazon Linux 2023 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access... |
| V-283452 | | Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant systemwide cryptographic policy. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-273995 | | Amazon Linux 2023 must ensure cryptographic verification of vendor software packages. | Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofi... |
| V-274000 | | Amazon Linux 2023 systemd-journald service must be enabled. | Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure s... |
| V-274001 | | Amazon Linux 2023 must restrict access to the kernel message buffer. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-274002 | | Amazon Linux 2023 must prevent kernel profiling by nonprivileged users. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-274003 | | Amazon Linux 2023 must restrict exposed kernel pointer addresses access. | Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain function pointers. If a write vuln... |
| V-274004 | | Amazon Linux 2023 must disable access to network bpf system call from nonprivileged processes. | Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the ... |
| V-274005 | | Amazon Linux 2023 must restrict usage of ptrace to descendant processes. | Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive inf... |
| V-274006 | | Amazon Linux 2023 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attem... |
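
The six rows above (V-274001 to V-274006) are all single kernel tunables: `kernel.dmesg_restrict`, `kernel.perf_event_paranoid`, `kernel.kptr_restrict`, `kernel.unprivileged_bpf_disabled`, `kernel.yama.ptrace_scope` and `kernel.randomize_va_space`. The practical trap is that the running value (`sysctl -a`) and the persisted value (files under sysctl.d) can disagree, and that among the persisted files the last definition wins. The checker below is an added example, not STIG check text and not Amazon tooling; it reads `key = value` lines from either source and applies last-one-wins. The required values are the ones the RHEL 9 STIG uses for the same controls and are an assumption for Amazon Linux 2023, as is treating a stricter (numerically higher) value as passing, since the STIG check text compares for the exact value. The sample input is constructed.

```shell
#!/bin/sh
# Added example (not STIG or Amazon code): compare kernel hardening sysctls against
# required minimums. Assumptions: the values below (RHEL 9 STIG values) apply to
# AL2023, and "higher than required" is acceptable for all six keys.

sysctl_violations() {
  # stdin: "key = value" lines, e.g. from `sysctl -a` or concatenated sysctl.d files;
  # the last line seen for a key wins, as it does when sysctl --system applies files
  awk -v want="kernel.dmesg_restrict=1 kernel.perf_event_paranoid=2 kernel.kptr_restrict=1 kernel.unprivileged_bpf_disabled=1 kernel.yama.ptrace_scope=1 kernel.randomize_va_space=2" '
    BEGIN { bad = 0; n = split(want, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); req[kv[1]] = kv[2]; order[i] = kv[1] } }
    /^[ \t]*[#;]/ || !/=/ { next }
    { k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
      if (k in req) cur[k] = v }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in cur)) { print k ": not set (want >= " req[k] ")"; bad = 1 }
        else if (cur[k] + 0 < req[k] + 0) { print k ": is " cur[k] " (want >= " req[k] ")"; bad = 1 }
      }
      exit bad
    }'
}

# Constructed sample: two keys too low, and a later line that re-enables
# unprivileged bpf (the last definition is the effective one).
SAMPLE_SYSCTL='kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 2
kernel.kptr_restrict = 0
kernel.unprivileged_bpf_disabled = 1
kernel.yama.ptrace_scope = 0
kernel.randomize_va_space = 2
# a later file sets it back: last one wins
kernel.unprivileged_bpf_disabled = 0'

if [ "${1:-}" = "--live" ]; then
  echo "running kernel:"
  sysctl -a 2>/dev/null | sysctl_violations && echo "  OK"
  # persisted values; this concatenation approximates the sysctl --system order
  # (directory-by-directory, later files override earlier ones)
  echo "persisted configuration:"
  cat /usr/lib/sysctl.d/*.conf /etc/sysctl.d/*.conf /etc/sysctl.conf 2>/dev/null | sysctl_violations && echo "  OK"
else
  printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_violations || echo "(the sample is expected to produce three findings)"
fi
```

A key that is absent, such as `kernel.yama.ptrace_scope` on a kernel without the Yama LSM, is reported as "not set" rather than silently passed. Note the check on the running kernel and the check on the persisted files should both be clean; a compliant sysctl.d file that was never applied, or a `sysctl -w` that is not persisted, fails one but not the other.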
| V-274008 | | Amazon Linux 2023 must not have the sendmail package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-274009 | | Amazon Linux 2023 must not have the nfs-utils package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-274010 | | Amazon Linux 2023 must not have the telnet-server package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-274011 | | Amazon Linux 2023 must not have the gssproxy package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-274012 | | Amazon Linux 2023 must have the sudo package installed. | The "sudo" program is designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is... |
| V-274013 | | Amazon Linux 2023 must not be configured to bypass password requirements for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the cap... |
| V-274014 | | Amazon Linux 2023 must require reauthentication when using the "sudo" command. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.... |
| V-274015 | | Amazon Linux 2023 must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.... |
| V-274016 | | Amazon Linux 2023 must require users to provide a password for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.... |
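
The four sudo rows above (V-274013 to V-274016) come down to settings in two places: in sudoers, no `NOPASSWD` tag, no `!authenticate` option, and a `timestamp_timeout` that is set explicitly, once, to a non-negative number (a negative value makes the cached credential never expire; with no setting at all sudo caches for 5 minutes by default); and in /etc/pam.d/sudo, no `pam_succeed_if` line that lets a matching user skip the password prompt. The checker below is an added example, not STIG check text and not Amazon tooling. It reads sudoers as text, so run `visudo -c` first and concatenate /etc/sudoers with /etc/sudoers.d/* yourself, because it does not follow include directives; the PAM check mirrors the RHEL 9 STIG's test for the same control and is an assumption for Amazon Linux 2023. The sample files are constructed.

```shell
#!/bin/sh
# Added example (not STIG or Amazon code): find sudo settings that let a user
# escalate without (re)authenticating. Assumptions: sudoers is supplied as text
# with includes already concatenated; timestamp_timeout must be set explicitly,
# once, and be non-negative; pam_succeed_if in /etc/pam.d/sudo is a finding.

sudoers_violations() {
  # stdin: sudoers text, e.g. `cat /etc/sudoers /etc/sudoers.d/*`
  awk '
    BEGIN { bad = 0; nv = 0 }
    { line = $0; sub(/#([^0-9].*)?$/, "", line) }     # strip comments; "#1000" is a UID, not a comment
    line ~ /NOPASSWD/ { print "NOPASSWD tag: " line; bad = 1 }
    line ~ /![ \t]*authenticate/ { print "!authenticate option: " line; bad = 1 }
    line ~ /timestamp_timeout[ \t]*=/ {
      v = line; sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "", v); sub(/[ \t,].*$/, "", v)
      if (!(v in seen)) { seen[v] = 1; vals[++nv] = v } }
    END {
      if (nv == 0) { print "timestamp_timeout not set (sudo caches credentials for 5 minutes by default)"; bad = 1 }
      else if (nv > 1) { print "conflicting timestamp_timeout values"; bad = 1 }
      else if (vals[1] + 0 < 0) { print "timestamp_timeout=" vals[1] " never expires"; bad = 1 }
      exit bad
    }'
}

pam_sudo_violations() {
  # stdin: /etc/pam.d/sudo; an uncommented pam_succeed_if line bypasses the password
  awk 'BEGIN { bad = 0 }
       !/^[ \t]*#/ && /pam_succeed_if/ { print "pam_succeed_if in sudo stack: " $0; bad = 1 }
       END { exit bad }'
}

# Constructed samples
SAMPLE_SUDOERS='## constructed sample, not a real sudoers file
Defaults timestamp_timeout=0
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
deploy ALL=(ALL) ALL  # NOPASSWD only appears in this comment
Defaults:ops !authenticate'

SAMPLE_PAM_SUDO='#%PAM-1.0
auth       sufficient   pam_succeed_if.so uid = 0
auth       include      system-auth'

if [ "${1:-}" = "--live" ]; then
  rc=0
  cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | sudoers_violations || rc=1
  pam_sudo_violations < /etc/pam.d/sudo || rc=1
  [ "$rc" -eq 0 ] && echo "sudo reauthentication checks: OK"
else
  printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_violations || echo "(two sudoers findings expected for the sample)"
  printf '%s\n' "$SAMPLE_PAM_SUDO" | pam_sudo_violations || echo "(one PAM finding expected for the sample)"
fi
```

Reading the files needs root in `--live` mode. The comment stripping keeps `#1000`-style UID references, which sudoers treats as identifiers rather than comments, so a `NOPASSWD` that only appears in a comment is not reported but one in a real rule is.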
| V-274017 | | Amazon Linux 2023 must have the audit package installed. | Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond... |
| V-274018 | | Amazon Linux 2023 must produce audit records containing information to establish what type of events occurred. | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage o... |
| V-274019 | | Amazon Linux 2023 audispd-plugins package must be installed. | The "audispd-plugins" package provides plugins for the real-time interface to the audit subsystem, "audispd". These plugins can, for example, relay ev... |
| V-274020 | | Amazon Linux 2023 must have the rsyslog package installed. | Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond to... |
| V-274021 | | Amazon Linux 2023 must monitor remote access methods. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-274022 | | Amazon Linux 2023 must have the chrony package installed. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-274023 | | Amazon Linux 2023 chronyd service must be enabled. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-274024 | | Amazon Linux 2023 must have the Advanced Intrusion Detection Environment (AIDE) package installed. | If security functions are not verified, they may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware,... |
| V-274025 | | Amazon Linux 2023 must routinely check the baseline configuration for unauthorized changes and notify the system administrator (SA) when anomalies in the operation of any security functions are discovered. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to Amazon Linux 20... |
| V-274026 | | Amazon Linux 2023 must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-274027 | | Amazon Linux 2023 must have the firewalld package installed. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-274028 | | Amazon Linux 2023 must have the firewalld service active. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-274030 | | Amazon Linux 2023 must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-274031 | | Amazon Linux 2023 must have the s-nail package installed. | The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated perso... |
| V-274032 | | Amazon Linux 2023 must have the libreswan package installed. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide co... |
| V-274033 | | Amazon Linux 2023 must have the policycoreutils package installed. | An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Sec... |
| V-274034 | | Amazon Linux 2023 must have the pcsc-lite package installed. | The pcsc-lite package must be installed if it is to be available for multifactor authentication using smart cards.... |
| V-274035 | | Amazon Linux 2023 must have the packages required for encrypting off-loaded audit logs installed. | Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentia... |
| V-274036 | | Amazon Linux 2023 must have the opensc package installed. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. The DOD has mandated the use of the Common Access... |
| V-274037 | | Amazon Linux 2023 must have the openssl-pkcs11 package installed. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires us... |
| V-274044 | | Amazon Linux 2023 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the ... |
| V-274045 | | Amazon Linux 2023 SSH daemon must not allow Kerberos authentication. | Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled thr... |
| V-274047 | | Amazon Linux 2023 SSHD must accept public key authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires u... |
| V-274048 | | Amazon Linux 2023 SSHD must not allow blank passwords. | If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords must neve... |
| V-274049 | | Amazon Linux 2023 must not permit direct logons to the root account using remote access via SSH. | To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. Additiona... |
| V-274050 | | Amazon Linux 2023 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-274051 | | Amazon Linux 2023 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
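
The SSH server rows on this page (V-274042, V-274043, V-274046 and V-274052 earlier, and V-274044, V-274045, V-274047 to V-274051 just above, plus the V-274066 banner) are all visible in one place: the output of `sshd -T`, which prints the effective value of every keyword after defaults and the crypto-policy include files are applied (it needs root, and prints the global settings unless `-C user=...` is given to evaluate Match blocks). The checker below is an added example, not STIG check text and not Amazon tooling. Assumptions: the cipher allow-list is the AES-CTR/GCM set and the MAC allow-list the HMAC-SHA2 set of the FIPS crypto policy, `RekeyLimit` is at most 1G and 1h with neither value 0, and the idle limit is 600 seconds. The RHEL 9 STIG checks `ClientAliveInterval` and `ClientAliveCountMax` separately; this check tests their product, because interval times count is the time sshd actually waits before dropping an unresponsive session, and either value being 0 disables termination entirely. The sample output is constructed.

```shell
#!/bin/sh
# Added example (not STIG or Amazon code): evaluate `sshd -T` output against the SSH
# server findings. Assumptions: FIPS-policy cipher/MAC allow-lists, RekeyLimit <= 1G 1h,
# idle limit 600 s measured as ClientAliveInterval * ClientAliveCountMax.

sshd_violations() {
  # stdin: `sshd -T` output, one lowercase keyword per line followed by its value(s)
  awk -v ok_ciphers="aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr" \
      -v ok_macs="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" '
    function fail(msg) { print msg; bad = 1 }
    function want(k, v) { if (cfg[k] != v) fail(k " " (cfg[k] == "" ? "(unset)" : cfg[k]) " (want " v ")") }
    BEGIN { bad = 0
            n = split(ok_ciphers, a, ","); for (i = 1; i <= n; i++) okc[a[i]] = 1
            n = split(ok_macs, a, ",");    for (i = 1; i <= n; i++) okm[a[i]] = 1 }
    NF >= 2 { cfg[$1] = $2; arg2[$1] = $3 }
    END {
      if (!("ciphers" in cfg)) fail("ciphers (unset)")
      n = split(cfg["ciphers"], a, ","); for (i = 1; i <= n; i++) if (!(a[i] in okc)) fail("cipher " a[i] " offered (not in FIPS allow-list)")
      if (!("macs" in cfg)) fail("macs (unset)")
      n = split(cfg["macs"], a, ",");    for (i = 1; i <= n; i++) if (!(a[i] in okm)) fail("mac " a[i] " offered (not in FIPS allow-list)")
      rd = cfg["rekeylimit"] + 0; rt = arg2["rekeylimit"] + 0        # bytes and seconds; 0 means never
      if (rd < 1 || rd > 1073741824 || rt < 1 || rt > 3600) fail("rekeylimit " cfg["rekeylimit"] " " arg2["rekeylimit"] " (want at most 1G 1h, neither 0)")
      want("usepam", "yes"); want("gssapiauthentication", "no"); want("kerberosauthentication", "no")
      want("pubkeyauthentication", "yes"); want("permitemptypasswords", "no"); want("permitrootlogin", "no")
      iv = cfg["clientaliveinterval"] + 0; cm = cfg["clientalivecountmax"] + 0
      if (iv < 1 || cm < 1) fail("clientaliveinterval " iv " / clientalivecountmax " cm ": unresponsive sessions are never dropped")
      else if (iv * cm > 600) fail("clientaliveinterval*clientalivecountmax = " iv * cm "s (want <= 600)")
      if (cfg["banner"] == "" || cfg["banner"] == "none") fail("banner none (want the consent banner file)")
      exit bad
    }'
}

# Constructed `sshd -T` excerpt with one weak cipher, one weak MAC, rekeying off,
# root login on, an idle limit of 30 minutes in effect, and no banner.
SAMPLE_SSHD_T='ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512
rekeylimit 0 0
usepam yes
gssapiauthentication no
kerberosauthentication no
pubkeyauthentication yes
permitemptypasswords no
permitrootlogin yes
clientaliveinterval 600
clientalivecountmax 3
banner none'

if [ "${1:-}" = "--live" ]; then
  sshd -T | sshd_violations && echo "sshd checks: OK"
else
  printf '%s\n' "$SAMPLE_SSHD_T" | sshd_violations || echo "(six findings expected for the sample)"
fi
```

Checking `sshd -T` rather than grepping sshd_config matters on Amazon Linux 2023 because the cipher and MAC lists usually come from the crypto-policy include file, not from sshd_config itself, and a stray `Ciphers` line in a later include can silently widen them.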
| V-274059 | | Amazon Linux 2023 must enable certificate-based smart card authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires us... |
| V-274060 | | Amazon Linux 2023 must map the authenticated identity to the user or group account for PKI-based authentication. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will n... |
| V-274061 | | Amazon Linux 2023 must implement certificate status checking for multifactor authentication. | Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the... |
| V-274062 | | Amazon Linux 2023 must prohibit the use of cached authenticators after one day. | If cached authentication information is out-of-date, the validity of the authentication information may be questionable.... |
| V-274063 | | Amazon Linux 2023, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-274064 | | Amazon Linux 2023, for PKI-based authentication, must enforce authorized access to the corresponding private key. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-274065 | | Amazon Linux 2023 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system. | Display of a standardized and approved use notification before granting access to Amazon Linux 2023 ensures privacy and security notification verbiage... |
| V-274066 | | Amazon Linux 2023 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and securit... |
| V-274067 | | Amazon Linux 2023 must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | To ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems must be able to allocate audit reco... |
| V-274069 | | Amazon Linux 2023 must label all off-loaded audit logs before sending them to the central log server. | Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much mo... |
| V-274070 | | Amazon Linux 2023 must take appropriate action when the internal event queue is full. | The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one loc... |
| V-274071 | | Amazon Linux 2023 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-274072 | | Amazon Linux 2023 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-274073 | | Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. | If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.... |
| V-274074 | | Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. | If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.... |
| V-274075 | | Amazon Linux 2023 must immediately notify the system administrator (SA) and information system security officer (ISSO), at a minimum, of an audit processing failure event. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-274076 | | Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog. | The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in f... |
| V-274077 | | Amazon Linux 2023 must authenticate the remote logging server for off-loading audit logs via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.... |
| V-274078 | | Amazon Linux 2023 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.... |
| V-274079 | | Amazon Linux 2023 must encrypt via the gtls driver the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-274081 | | Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes... |
| V-274082 | | Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. | The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes... |
| V-274083 | | Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-274084 | | Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-274085 | | Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-274086 | | Amazon Linux 2023 must audit uses of the "execve" system call. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-274087 | | Amazon Linux 2023 must audit all uses of the chmod, fchmod, and fchmodat system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274088 | | Amazon Linux 2023 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274089 | | Amazon Linux 2023 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274090 | | Amazon Linux 2023 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274091 | | Amazon Linux 2023 must audit all uses of the init_module and finit_module system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274092 | | Amazon Linux 2023 must audit all uses of the create_module system call. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274093 | | Amazon Linux 2023 must audit all uses of the kmod command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274094 | | Amazon Linux 2023 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274095 | | Amazon Linux 2023 must audit all uses of the chcon command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274096 | | Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274097 | | Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274098 | | Amazon Linux 2023 must audit all uses of the init command. | Misuse of the init command may cause availability issues for the system.... |
| V-274099 | | Amazon Linux 2023 must audit all uses of the reboot command. | Misuse of the reboot command may cause availability issues for the system.... |
| V-274100 | | Amazon Linux 2023 must audit all uses of the shutdown command. | Misuse of the shutdown command may cause availability issues for the system.... |
| V-274101 | | Amazon Linux 2023 audit tools must have a mode of "0755" or less permissive. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-274102 | | Amazon Linux 2023 audit tools must be owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-274103 | | Amazon Linux 2023 audit tools must be group-owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-274104 | | Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-274105 | | Amazon Linux 2023 must audit all successful/unsuccessful uses of the chage command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-274107 | | Amazon Linux 2023 must off-load audit records onto a different system in the event the audit storage volume is full. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-274108 | | Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-274109 | | Amazon Linux 2023 audit log directory must be owned by root to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-274110 | | Amazon Linux 2023 audit logs file must have mode "0600" or less permissive to prevent unauthorized access to the audit log. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-274111 | | Amazon Linux 2023 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-274112 | | Amazon Linux 2023 must audit all uses of the sudo command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-274113 | | Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) (SAs) to any modifications. Any unexpected u... |
| V-274114 | | Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) (SAs) to any modifications. Any unexpected u... |
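
The audit-rule rows (V-274081 to V-274100, V-274104, V-274105, V-274112 to V-274114) describe two kinds of auditd rules: file watches (`-w PATH -p wa`) on the account databases and sudoers, and syscall rules (`-a always,exit -F arch=... -S ...`), with privileged commands such as sudo, chage, kmod, chcon, init, reboot and shutdown covered by execute watches (`-p x`). The checker below is an added example, not STIG check text and not Amazon tooling: it parses either `auditctl -l` (what the kernel currently enforces) or the persisted /etc/audit/rules.d/*.rules files, and reports required paths without a watch, watches missing a permission letter, and syscalls not covered for an architecture. Assumptions: the required syscalls must be covered for both `b64` and `b32` as in the RHEL 9 STIG rules; `/etc/opasswd` in the V-274085 title is read as pam_pwhistory's /etc/security/opasswd; the command paths are the AL2023 locations (`/usr/bin`, `/usr/sbin`); both the `-w PATH -p x` and the `-F path=PATH -F perm=x` forms of an execute watch are accepted. The sample rule set is constructed.

```shell
#!/bin/sh
# Added example (not STIG or Amazon code): report audit rules required by the
# account/privilege rows that are missing from a rule listing.
# Assumptions: b64 and b32 coverage both required; /etc/security/opasswd is the
# real path behind the "/etc/opasswd" rule title; watch paths are normalised
# without a trailing slash.

audit_rule_gaps() {
  # stdin: rules as printed by `auditctl -l` or as written in /etc/audit/rules.d/*.rules
  awk -v watches="/etc/sudoers:wa /etc/sudoers.d:wa /etc/passwd:wa /etc/shadow:wa /etc/group:wa /etc/gshadow:wa /etc/security/opasswd:wa /var/log/faillock:wa /var/log/lastlog:wa /usr/bin/sudo:x /usr/bin/chage:x /usr/bin/kmod:x /usr/bin/chcon:x /usr/sbin/init:x /usr/sbin/reboot:x /usr/sbin/shutdown:x" \
      -v syscalls="execve chmod fchmod fchmodat chown fchown fchownat lchown setxattr fsetxattr lsetxattr removexattr fremovexattr lremovexattr truncate ftruncate creat open openat open_by_handle_at init_module finit_module create_module rename unlink rmdir renameat unlinkat" '
    BEGIN { bad = 0 }
    /^[ \t]*(#|$)/ { next }
    { path = ""; perm = ""; arch = ""; sc = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-w") path = $(i + 1)
        else if ($i == "-p") perm = $(i + 1)
        else if ($i == "-S") sc = $(i + 1)
        else if ($i == "-F") { f = $(i + 1)
          if (f ~ /^path=/) path = substr(f, 6)
          else if (f ~ /^perm=/) perm = substr(f, 6)
          else if (f ~ /^arch=/) arch = substr(f, 6) } }
      sub(/\/$/, "", path)                                    # "/etc/sudoers.d/" == "/etc/sudoers.d"
      if (path != "") seenp[path] = seenp[path] perm           # accumulate permission letters per path
      if (sc != "" && arch != "") { n = split(sc, a, ","); for (j = 1; j <= n; j++) seens[arch ":" a[j]] = 1 } }
    END {
      nw = split(watches, w, " ")
      for (i = 1; i <= nw; i++) {
        split(w[i], pp, ":"); p = pp[1]; need = pp[2]
        if (!(p in seenp)) { print "no watch on " p; bad = 1; continue }
        for (j = 1; j <= length(need); j++) { c = substr(need, j, 1)
          if (index(seenp[p], c) == 0) { print "watch on " p " lacks permission " c; bad = 1 } } }
      ns = split(syscalls, s, " ")
      for (i = 1; i <= ns; i++) {
        if (!(("b64:" s[i]) in seens)) { print "syscall " s[i] " not audited for arch b64"; bad = 1 }
        if (!(("b32:" s[i]) in seens)) { print "syscall " s[i] " not audited for arch b32"; bad = 1 } }
      exit bad
    }'
}

# Constructed rule set: almost complete, but lastlog is only watched for writes
# and the module-loading syscalls are only covered for 64-bit callers.
SAMPLE_AUDIT_RULES='-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /var/log/faillock -p wa -k logins
-w /var/log/lastlog -p w -k logins
-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k modules
-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_mod
-w /usr/sbin/init -p x -k power
-w /usr/sbin/reboot -p x -k power
-w /usr/sbin/shutdown -p x -k power
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k execpriv
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k execpriv
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown,setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown,setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S init_module,finit_module,create_module -F auid>=1000 -F auid!=-1 -k module_chng
-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=-1 -k delete'

if [ "${1:-}" = "--live" ]; then
  echo "loaded rules:";    auditctl -l | audit_rule_gaps && echo "  OK"
  echo "persisted rules:"; cat /etc/audit/rules.d/*.rules | audit_rule_gaps && echo "  OK"
else
  printf '%s\n' "$SAMPLE_AUDIT_RULES" | audit_rule_gaps || echo "(four gaps expected for the sample)"
fi
```

Run both the loaded and the persisted check: a rules.d file that was edited but never applied with `augenrules --load` passes the second and fails the first, and a rule added with `auditctl` on the command line does the opposite. The checker looks only at paths, permissions, architectures and syscalls; it does not validate the `-F auid` filters or keys.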
| V-274115 | | Amazon Linux 2023 must produce audit records containing information to establish the identity of any individual or process associated with the event. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, sec... |
| V-274116 | | Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-274117 | | Amazon Linux 2023 must ensure the audit log directory be owned by root to prevent unauthorized read access. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-274119 | | Amazon Linux 2023 library directories must be group-owned by root or a system account. | If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appr... |
| V-274120 | | Amazon Linux 2023 library directories must have mode "755" or less permissive. | If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appr... |
| V-274121 | | Amazon Linux 2023 library files must have mode "755" or less permissive. | If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appr... |
| V-274122 | | Amazon Linux 2023 library files must be owned by root. | If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appr... |
| V-274123 | | Amazon Linux 2023 library files must be group-owned by root or a system account. | If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appr... |
| V-274124 | | Amazon Linux 2023 library directories must be owned by root. | If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appr... |
| V-274125 | | Amazon Linux 2023 must ensure the /var/log directory have mode "0755" or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-274126 | | Amazon Linux 2023 must ensure the /var/log directory be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-274127 | | Amazon Linux 2023 must ensure the /var/log directory be group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-274128 | | Amazon Linux 2023 must ensure the /var/log/messages file have mode "0640" or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-274129 | | Amazon Linux 2023 must ensure the /var/log/messages file be group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-274130 | | Amazon Linux 2023 must ensure the /var/log/messages file be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-274131 | | Amazon Linux 2023 system commands must be owned by root. | If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appr... |
| V-274132 | | Amazon Linux 2023 system commands must be group-owned by root or a system account. | If Amazon Linux 2023 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appr... |
| V-274133 | | Amazon Linux 2023 must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-274134 | | Amazon Linux 2023 must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-274135 | | Amazon Linux 2023 must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-274136 | | Amazon Linux 2023 must require the change of at least 50 percent of the total number of characters when passwords are changed. | If Amazon Linux 2023 allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by incr... |
| V-274137 | | Amazon Linux 2023 must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-274138 | | Amazon Linux 2023 must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure o... |
| V-274139 | | Amazon Linux 2023 must enforce password complexity rules for the root account. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-274140 | | Amazon Linux 2023 must prevent the use of dictionary words for passwords. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-274142 | | Amazon Linux 2023 must automatically exit interactive command shell user sessions after 15 minutes of inactivity. | Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to ... |
| V-274143 | | Amazon Linux 2023 must enforce 24 hours/1 day as the minimum password lifetime. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-274144 | | Amazon Linux 2023 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.... |
| V-274145 | | Amazon Linux 2023 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. Satisfies: SRG-OS-0... |
| V-274146 | | Amazon Linux 2023 must automatically remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To ... |
| V-274147 | | Amazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-274148 | | Amazon Linux 2023 must be able to enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If Amazon Linux 2023 does not li... |
| V-274149 | | Amazon Linux 2023 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-274150 | | Amazon Linux 2023 must automatically expire temporary accounts within 72 hours. | Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware confi... |
| V-274151 | | Amazon Linux 2023 must restrict the use of the "su" command. | The "su" program allows running commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to ... |
| V-274152 | | Amazon Linux 2023 must enable the SELinux targeted policy. | Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exp... |
| V-274154 | | Amazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-274155 | | Amazon Linux 2023 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-274156 | | Amazon Linux 2023 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-274157 | | Amazon Linux 2023 must maintain an account lock until the locked account is released by an administrator. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-274158 | | Amazon Linux 2023 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-274159 | | Amazon Linux 2023 must ensure all interactive users have a primary group that exists. | If a user is assigned the group identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the u... |
| V-274160 | | Amazon Linux 2023 must ensure all interactive users have unique User IDs (UIDs). | To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and co... |
| V-274161 | | Amazon Linux 2023 must ensure the password complexity module is enabled in the password-auth file. | Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.... |
| V-274162 | | Amazon Linux 2023 password-auth must be configured to use a sufficient number of hashing rounds. | Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidenti... |
| V-274163 | | Amazon Linux 2023 system-auth must be configured to use a sufficient number of hashing rounds. | Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentia... |
| V-274164 | | Amazon Linux 2023 must ensure a sticky bit be set on all public directories. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-274165 | | Amazon Linux 2023 must ensure all world-writable directories be owned by root, sys, bin, or an application user. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-274166 | | Amazon Linux 2023 must terminate idle user sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-274167 | | Amazon Linux 2023 must enable auditing of processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-274168 | | Amazon Linux 2023 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-274169 | | Amazon Linux 2023 must enable discretionary access control on hardlinks. | By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hard... |
| V-274170 | | Amazon Linux 2023 must enable kernel parameters to enforce discretionary access control on symlinks. | By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable director... |
| V-274173 | | Amazon Linux 2023 debug-shell systemd service must be disabled. | The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabl... |
| V-274175 | | Amazon Linux 2023 must synchronize internal information system clocks to the authoritative time source at least every 24 hours. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-274177 | | Amazon Linux 2023 must prevent the loading of a new kernel for later execution. | Changes to any software components can have significant effects on the overall security of Amazon Linux 2023. This requirement ensures the software ha... |
| V-274178 | | Amazon Linux 2023 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-274179 | | Amazon Linux 2023 must mount /dev/shm with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-274180 | | Amazon Linux 2023 must mount /dev/shm with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-274181 | | Amazon Linux 2023 must ensure the pcscd service is active. | The information system ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentic... |
| V-274182 | | Amazon Linux 2023 file system automount function must be disabled unless required. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but ... |
| V-274183 | | Amazon Linux 2023 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures are configured on impacted network interfaces. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-274184 | | Amazon Linux 2023 must implement nonexecutable data to protect its memory from unauthorized code execution. | The no-execute (NX) feature uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes a... |
| V-274185 | | Amazon Linux 2023 must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some a... |
| V-274186 | | Amazon Linux 2023 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | If the pam_faillock.so module is not loaded, the system will not correctly lockout accounts to prevent password guessing attacks.... |
| V-274187 | | Amazon Linux 2023 audit system must protect logon user identifiers (UIDs) from unauthorized change. | If modification of login UIDs is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. Satisfies: SR... |
| V-274068 | | Amazon Linux 2023 must use a separate file system for the system audit data path. | Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files and helps ensure that auditing cann... |
| V-274080 | | Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog. | The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in f... |
| V-274141 | | Amazon Linux 2023 must limit the number of concurrent sessions to ten for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the numbe... |