Guide to the Secure Configuration of Amazon Linux 2023
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.
The pam_faillock.so module must be loaded in preauth in /etc/pam.d/password-auth.Rule Medium Severity -
Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.
The pam_faillock.so module must be loaded in preauth in /etc/pam.d/system-auth.Rule Medium Severity -
Limit Password Reuse: password-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code> PAM module. <br> <br> On systems with n...Rule Medium Severity -
Limit Password Reuse: system-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code> PAM module. <br> <br> On systems with n...Rule Medium Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so module requires multiple entries in pam files. Th...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_faillock.so</code>. Ensure that the file <code>/etc/s...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to configure <code>pam_pwquality</code> to require at lea...Group -
minclass
Minimum number of categories of characters that must exist in a passwordValue -
minlen
Minimum number of characters in passwordValue -
retry
Number of retry attempts before erroring outValue -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is consider...Rule Medium Severity -
Verify No .forward Files Exist
The.forwardfile specifies an email address to forward the user's mail to.Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_val...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/system-auth</code> to show <code>retry=<xccdf-1.2:s...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadowis SHA-512. This can be configured in several locations.Group -
Set Password Hashing Algorithm in /etc/login.defs
In <code>/etc/login.defs</code>, add or update the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_password_hashing_algorithm" use="legacy"...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm - password-auth
The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/password-auth</code>, the <code>password</code> section of the file controls which...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</code> section of the file controls which PAM modules ...Rule Medium Severity -
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
Set the mode of the user initialization files to0740with the following command:$ sudo chmod 0740 /home/USER/.INIT_FILERule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.