Skip to content
Log In

Guide to the Secure Configuration of Amazon Linux 2023

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Uninstall setroubleshoot Package

    The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>se...
    Rule Low Severity
    Show

  • Ensure SELinux Not Disabled in /etc/default/grub

    SELinux can be disabled at boot time by an argument in <code>/etc/default/grub</code>. Remove any instances of <code>selinux=0</code> from the kernel arguments in that file to prevent SELinux from ...
    Rule Medium Severity
    Show

  • Verify Permissions on shadow File

    To properly set the permissions of /etc/shadow, run the command: 
    $ sudo chmod 0000 /etc/shadow
    Rule Medium Severity
    Show

  • Verify File Permissions Within Some Important Directories

    Some directories contain files whose confidentiality or integrity is notably important and may also be susceptible to misconfiguration over time, particularly if unpackaged software is installed. A...
    Group
    Show

  • Add noexec Option to /tmp

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/tmp</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code>...
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.daily

    To properly set the group owner of /etc/cron.daily, run the command: 
    $ sudo chgrp root /etc/cron.daily
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.hourly

    To properly set the group owner of /etc/cron.hourly, run the command: 
    $ sudo chgrp root /etc/cron.hourly
    Rule Medium Severity
    Show

  • Record Information on the Use of Privileged Commands

    At a minimum, the audit system should collect the execution of privileged commands for all users and root.
    Group
    Show

  • Action for auditd to take when disk space is low

    The setting for admin_space_left_action in /etc/audit/auditd.conf
    Value
    Show

  • Maximum audit log file size for auditd

    The setting for max_log_file in /etc/audit/auditd.conf
    Value
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules