Skip to content
Log In

CIS Amazon Linux 2023 Benchmark for Level 2 - Server

Rules and Groups employed by this XCCDF Profile

  • Web Server

    The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br> <br> <ul> <li>The HTTP port is commo...
    Group
    Show

  • Disable Apache if Possible

    If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.
    Group
    Show

  • Uninstall httpd Package

    The httpd package can be removed with the following command: 
    $ sudo dnf remove httpd
    Rule Unknown Severity
    Show

  • Disable NGINX if Possible

    If NGINX was installed and activated, but the system does not need to act as a web server, then it should be removed from the system.
    Group
    Show

  • Uninstall nginx Package

    The nginx package can be removed with the following command: 
    $ sudo dnf remove nginx
    Rule Unknown Severity
    Show

  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovecot.org</a> contains more detailed information abou...
    Group
    Show

  • Disable Cyrus IMAP

    If the system does not need to operate as an IMAP or POP3 server, the Cyrus IMAP software should be removed.
    Group
    Show

  • Uninstall cyrus-imapd Package

    The cyrus-imapd package can be removed with the following command: 
    $ sudo dnf remove cyrus-imapd
    Rule Unknown Severity
    Show

  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group
    Show

  • Uninstall dovecot Package

    The dovecot package can be removed with the following command: 
    $ sudo dnf remove dovecot
    Rule Unknown Severity
    Show

  • LDAP

    LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Amazon Linux 2023 includes software that enables a system to act as both an LDAP ...
    Group
    Show

  • Configure OpenLDAP Clients

    This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate configuration files. Amazon Linux 2023 provides an a...
    Group
    Show

  • Ensure LDAP client is not installed

    The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>openldap-clients</code> package can be removed wit...
    Rule Low Severity
    Show

  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...
    Group
    Show

  • Ensure Mail Transfer Agent is not Listening on any non-loopback Address

    Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be ...
    Rule Medium Severity
    Show

  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
    Show

  • Disable Postfix Network Listening

    Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces = <xccdf-1.2:sub idref="xccdf_org.ssgproject.conten...
    Rule Medium Severity
    Show

  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...
    Group
    Show

  • Disable All NFS Services if Possible

    If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.
    Group
    Show

  • Disable Services Used Only by NFS

    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br> <br> All of these daemons run with elevated privileges, and many listen for network connections. I...
    Group
    Show

  • Disable rpcbind Service

    The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they e...
    Rule Low Severity
    Show

  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
    Show

  • Disable NFS Server Daemons

    There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems designated as NFS servers. Ensure that these daemons...
    Group
    Show

  • Disable Network File System (nfs)

    The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server then this service ...
    Rule Unknown Severity
    Show

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...
    Group
    Show

  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...
    Rule Medium Severity
    Show

  • Ensure that chronyd is running under chrony user account

    chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More informati...
    Rule Medium Severity
    Show

  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...
    Group
    Show

  • Uninstall rsync Package

    The rsyncd service can be used to synchronize files between systems over network links. The <code>rsync</code> package can be removed with the following command: <pre> $ sudo dnf remove rsync</pre>...
    Rule Medium Severity
    Show

  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
    Show

  • Remove Rsh Trust Files

    The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To re...
    Rule High Severity
    Show

  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use tel...
    Group
    Show

  • Uninstall telnet-server Package

    The telnet-server package can be removed with the following command: 
    $ sudo dnf remove telnet-server
    Rule High Severity
    Show

  • Remove telnet Clients

    The telnet client allows users to start connections to other systems via the telnet protocol.
    Rule Low Severity
    Show

  • TFTP Server

    TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking oper...
    Group
    Show

  • Uninstall tftp-server Package

    The tftp-server package can be removed with the following command: 
     $ sudo dnf remove tftp-server
    Rule High Severity
    Show

  • Print Support

    The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print jobs from other systems, process them, and send t...
    Group
    Show

  • Uninstall CUPS Package

    The cups package can be removed with the following command: 
    $ sudo dnf remove cups
    Rule Unknown Severity
    Show

  • Proxy Server

    A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the system ac...
    Group
    Show

  • Disable Squid if Possible

    If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.
    Group
    Show

  • Uninstall squid Package

    The squid package can be removed with the following command: 
     $ sudo dnf remove squid
    Rule Unknown Severity
    Show

  • Samba(SMB) Microsoft Windows File Sharing Server

    When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two software packages that provide Samba support. The firs...
    Group
    Show

  • Disable Samba if Possible

    Even after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to provide Microsoft Windows file and print sharing fun...
    Group
    Show

  • Uninstall Samba Package

    The samba package can be removed with the following command: 
     $ sudo dnf remove samba
    Rule Unknown Severity
    Show

  • SNMP Server

    The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintex...
    Group
    Show

  • Disable SNMP Server if Possible

    The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled an...
    Group
    Show

  • Uninstall net-snmp Package

    The net-snmp package provides the snmpd service. The net-snmp package can be removed with the following command: 
    $ sudo dnf remove net-snmp
    Rule Unknown Severity
    Show

  • Disable snmpd Service

    The snmpd service can be disabled with the following command: 
    $ sudo systemctl mask --now snmpd.service
    Rule Low Severity
    Show

  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...
    Group
    Show

  • Verify Group Who Owns SSH Server config file

    To properly set the group owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chgrp root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules