CIS Amazon Linux 2023 Benchmark for Level 1 - Server
Rules and Groups employed by this XCCDF Profile
-
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>login</code> consult <code>/etc/login.defs</code> ...Group -
Set Password Maximum Age
To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Set Password Minimum Age
To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Set Existing Passwords Maximum Age
Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"></xccdf-1.2:sub>-day maximum password lifeti...Rule Medium Severity -
Set Existing Passwords Minimum Age
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:$ sudo chage -m 1 USERRule Medium Severity -
Set Existing Passwords Warning Age
To configure how many days prior to password expiration that a warning will be issued to users, run the command: <pre>$ sudo chage --warndays <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_valu...Rule Medium Severity -
Set Password Warning Age
To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_WARN_AGE <...Rule Medium Severity -
Set existing passwords a period of inactivity before they been locked
Configure user accounts that have been inactive for over a given period of time to be automatically disabled by running the following command: <pre>$ sudo chage --inactive 30<i>USER</i> </...Rule Medium Severity -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be readable only by processes running with root credent...Group -
Verify All Account Password Hashes are Shadowed
If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of this misconfiguration should be investigated. The a...Rule Medium Severity -
Ensure all users last password change date is in the past
All users should have a password change date in the past.Rule Medium Severity -
All GIDs referenced in /etc/passwd must be defined in /etc/group
Add a group to the system for each GID referenced without a corresponding group.Rule Low Severity -
Ensure There Are No Accounts With Blank or Null Passwords
Check the "/etc/shadow" file for blank passwords with the following command: <pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</pre> If the command returns any results, this is a finding. Configure ...Rule High Severity -
Verify No .forward Files Exist
The.forwardfile specifies an email address to forward the user's mail to.Rule Medium Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use <code>su</code> or <cod...Group -
Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. <br> If the account is asso...Rule High Severity -
Verify Root Has A Primary GID 0
Therootuser should have a primary group of 0.Rule High Severity -
Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
Ensure that the group <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_pam_wheel_group_for_su" use="legacy"></xccdf-1.2:sub></code> referenced by <code>var_pam_wheel_group_for_su<...Rule Medium Severity -
Ensure Authentication Required for Single User Mode
Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.Rule Medium Severity -
Ensure that System Accounts Are Locked
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. An attacker should not be able to log into these accounts. <br> <br> S...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.