CIS Amazon Linux 2023 Benchmark for Level 2 - Server
Rules and Groups employed by this XCCDF Profile
-
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_response...Rule Unknown Severity -
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre> To make sure that the settin...Rule Medium Severity -
Network Parameters for Hosts Only
If the system is not going to be used as a router, then setting certain kernel parameters ensure that the host will not perform routing of network traffic.Group -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</pre> To make su...Rule Medium Severity -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> To...Rule Medium Severity -
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre> To make sure that the setting is per...Rule Medium Severity -
nftables
<code>If firewalld or iptables are being used in your environment, please follow the guidance in their respective section and pass-over the guidance in this section.</code><br><br> nftables is a su...Group -
Install nftables Package
nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Ne...Rule Medium Severity -
Verify nftables Service is Disabled
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. The <code>nftables</code> service can be dis...Rule Medium Severity -
Ensure a Table Exists for Nftables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families.Rule Medium Severity -
Uncommon Network Protocols
The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code are not frequently discovered, the consequences ca...Group -
Disable DCCP Support
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the <code>dccp</...Rule Medium Severity -
Disable RDS Support
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the syst...Rule Low Severity -
Disable SCTP Support
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection...Rule Medium Severity -
Disable TIPC Support
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the <code>tipc</code> kernel module...Rule Low Severity -
File Permissions and Masks
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. <br> <br> Severa...Group -
Verify Permissions on Important Files and Directories
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...Group -
Verify that All World-Writable Directories Have Sticky Bits Set
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may ...Rule Medium Severity -
Ensure No World-Writable Files Exist
It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor f...Rule Medium Severity -
Ensure All Files Are Owned by a Group
If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or assigned to an appro...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.