Guide to the Secure Configuration of Amazon Linux 2023

• GnuTLS library
• OpenSSL library
• NSS library
• OpenJDK
• Libkrb5
• BIND
• OpenSSH

$ sudo dnf install sudo

gpgcheck=1

$ sudo chgrp root /etc/issue

$ sudo chgrp root /etc/issue.net

$ sudo chgrp root /etc/motd

$ sudo chown root /etc/issue 

$ sudo chown root /etc/issue.net 

$ sudo chown root /etc/motd 

$ sudo chmod 0644 /etc/issue

$ sudo chmod 0644 /etc/issue.net

$ sudo chmod 0644 /etc/motd

$ sudo chage -I NUM_DAYS USER
        

$ sudo chage -M 180 -m 7 -W 7 USER

typeset -xr TMOUT=
        

declare -xr TMOUT=
        

/etc/passwd

$ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
        

$ sudo chown USER /home/USER/.*

$ sudo mkdir /home/USER
        

$ sudo chgrp USER_GROUP /home/USER
        

$ sudo chown USER /home/USER
        

$ sudo chmod 0740 /home/USER/.INIT_FILE
        

$ sudo chmod 0750 /home/USER
        

# echo $PATH

$ sudo chgrp root /boot/grub2/grub.cfg

$ sudo chgrp root /boot/grub2/user.cfg

$ sudo chown root /boot/grub2/grub.cfg 

$ sudo chown root /boot/grub2/user.cfg 

$ sudo chmod 600 /boot/grub2/grub.cfg

$ sudo chmod 600 /boot/grub2/user.cfg

$ ls -l LOGFILE
        

$ sudo chgrp root LOGFILE
        

$ ls -l LOGFILE
        

$ sudo chown root LOGFILE
        

$ ls -l LOGFILE
        

$ sudo chmod 640 LOGFILE
        

$ sudo systemctl enable systemd-journald.service

$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
        

module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")

*.* @
        

*.* @@
        

*.* :omrelp:
        

• drop
  

  Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

• block
  

  Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.

• public
  

  For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

• external
  

  For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

• dmz
  

  For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.

• work
  

  For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

• home
  

  For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

• internal
  

  For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

• trusted
  

  All network connections are accepted.

# firewall-cmd --zone=public --list-all

# firewall-cmd --zone=public --list-all
public
  interfaces:
  services: mdns dhcpv6-client ssh
  ports:
  forward-ports:
  icmp-blocks: source-quench

# firewall-cmd --get-service

# firewall-cmd --get-service
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp
high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd
ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn
pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind
samba samba-client smtp ssh telnet tftp tftp-client transmission-client
vnc-server wbem-https

# firewall-cmd --get-service --permanent

$ sudo dnf install nftables

systemctl disable nftables

install dccp /bin/false

install rds /bin/false

install sctp /bin/false

install tipc /bin/false

$ sudo chmod +t DIR
        

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

install cramfs /bin/false

install freevxfs /bin/false

install hfs /bin/false

install hfsplus /bin/false

install jffs2 /bin/false

install squashfs /bin/false

install udf /bin/false

install usb-storage /bin/false

$ sudo sysctl -w kernel.yama.ptrace_scope=1

kernel.yama.ptrace_scope = 1

$ sudo chgrp root /etc/at.allow

$ sudo chgrp root /etc/cron.allow

$ sudo chown root /etc/at.allow 

$ sudo chown root /etc/cron.allow 

$ sudo chmod 0640 /etc/at.allow

$ sudo chmod 0640 /etc/cron.allow

$ sudo dnf remove dhcp

$ sudo dnf remove bind

 $ sudo dnf remove vsftpd

$ sudo dnf remove httpd

$ sudo dnf remove nginx

$ sudo dnf remove cyrus-imapd

$ sudo dnf remove dovecot

$ sudo dnf remove openldap-clients

inet_interfaces = 
        

$ sudo rm /etc/hosts.equiv

$ rm ~/.rhosts

$ sudo dnf remove telnet-server

 $ sudo dnf remove tftp-server

 $ sudo dnf remove squid

 $ sudo dnf remove samba

$ sudo dnf remove net-snmp

$ sudo systemctl mask --now snmpd.service

ClientAliveInterval 
        

HostbasedAuthentication no

PermitEmptyPasswords no

IgnoreRhosts yes

PermitRootLogin no

AllowTcpForwarding no

X11Forwarding no

PermitUserEnvironment no

UsePAM yes

Banner /etc/issue.net

LogLevel VERBOSE

MaxAuthTries 
        

MaxSessions 
        

MaxStartups 
        

$ sudo dnf groupremove "X Window System"

$ sudo dnf remove xorg-x11-server-common

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod