Amazon Linux 2023 STIG V1R2

This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

STIG ID         Title
AZLX-23-000100  Amazon Linux 2023 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
AZLX-23-000110  Amazon Linux 2023 must ensure cryptographic verification of vendor software packages.
AZLX-23-000115  Amazon Linux 2023 must check the GPG signature of locally installed software packages before installation.
AZLX-23-000120  Amazon Linux 2023 must check the GPG signature of software packages originating from external software repositories before installation.
AZLX-23-000125  Amazon Linux 2023 must have GPG signature verification enabled for all software repositories.
AZLX-23-000130  Amazon Linux 2023 must be a vendor-supported release.
AZLX-23-000135  Amazon Linux 2023 systemd-journald service must be enabled.
AZLX-23-000200  Amazon Linux 2023 must restrict access to the kernel message buffer.
AZLX-23-000205  Amazon Linux 2023 must prevent kernel profiling by nonprivileged users.
AZLX-23-000210  Amazon Linux 2023 must restrict exposed kernel pointer addresses access.
AZLX-23-000215  Amazon Linux 2023 must disable access to network bpf system call from nonprivileged processes.
AZLX-23-000220  Amazon Linux 2023 must restrict usage of ptrace to descendant processes.
AZLX-23-000225  Amazon Linux 2023 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
AZLX-23-000300  Amazon Linux 2023 must not have the vsftpd package installed.
AZLX-23-000305  Amazon Linux 2023 must not have the sendmail package installed.
AZLX-23-000310  Amazon Linux 2023 must not have the nfs-utils package installed.
AZLX-23-000315  Amazon Linux 2023 must not have the telnet-server package installed.
AZLX-23-000320  Amazon Linux 2023 must not have the gssproxy package installed.
AZLX-23-001000  Amazon Linux 2023 must have the sudo package installed.
AZLX-23-001005  Amazon Linux 2023 must not be configured to bypass password requirements for privilege escalation.
AZLX-23-001010  Amazon Linux 2023 must require reauthentication when using the "sudo" command.
AZLX-23-001015  Amazon Linux 2023 must require users to reauthenticate for privilege escalation.
AZLX-23-001020  Amazon Linux 2023 must require users to provide a password for privilege escalation.
AZLX-23-001025  Amazon Linux 2023 must have the audit package installed.
AZLX-23-001030  Amazon Linux 2023 must produce audit records containing information to establish what type of events occurred.
AZLX-23-001035  Amazon Linux 2023 audispd-plugins package must be installed.
AZLX-23-001040  Amazon Linux 2023 must have the rsyslog package installed.
AZLX-23-001045  Amazon Linux 2023 must monitor remote access methods.
AZLX-23-001050  Amazon Linux 2023 must have the chrony package installed.
AZLX-23-001055  Amazon Linux 2023 chronyd service must be enabled.
AZLX-23-001060  Amazon Linux 2023 must have the Advanced Intrusion Detection Environment (AIDE) package installed.
AZLX-23-001065  Amazon Linux 2023 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.
AZLX-23-001070  Amazon Linux 2023 must use cryptographic mechanisms to protect the integrity of audit tools.
AZLX-23-001075  Amazon Linux 2023 must have the firewalld package installed.
AZLX-23-001080  Amazon Linux 2023 must have the firewalld service active.
AZLX-23-001085  Amazon Linux 2023 must be configured to disable nonessential capabilities.
AZLX-23-001090  Amazon Linux 2023 must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
AZLX-23-001095  Amazon Linux 2023 must have the s-nail package installed.
AZLX-23-001105  Amazon Linux 2023 must have the libreswan package installed.
AZLX-23-001110  Amazon Linux 2023 must have the policycoreutils package installed.
AZLX-23-001115  Amazon Linux 2023 must have the pcsc-lite package installed.
AZLX-23-001120  Amazon Linux 2023 must have the packages required for encrypting off-loaded audit logs installed.
AZLX-23-001125  Amazon Linux 2023 must have the opensc package installed.
AZLX-23-001130  Amazon Linux 2023 must have the openssl-pkcs11 package installed.
AZLX-23-001180  Amazon Linux 2023 must have SSH installed.
AZLX-23-001185  Amazon Linux 2023 must implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
AZLX-23-001195  Amazon Linux 2023 must have the crypto-policies package installed.
AZLX-23-001200  Amazon Linux 2023 SSH server must be configured to use systemwide crypto policies.
AZLX-23-001205  Amazon Linux 2023 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
AZLX-23-001210  Amazon Linux 2023 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
AZLX-23-001215  Amazon Linux 2023 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
AZLX-23-001220  Amazon Linux 2023 SSH daemon must not allow Kerberos authentication.
AZLX-23-001225  Amazon Linux 2023 must force a frequent session key renegotiation for SSH connections to the server.
AZLX-23-001230  Amazon Linux 2023 SSHD must accept public key authentication.
AZLX-23-001235  Amazon Linux 2023 SSHD must not allow blank passwords.
AZLX-23-001240  Amazon Linux 2023 must not permit direct logons to the root account using remote access via SSH.
AZLX-23-001245  Amazon Linux 2023 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
AZLX-23-001250  Amazon Linux 2023 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
AZLX-23-001255  Amazon Linux 2023 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
AZLX-23-001260  Amazon Linux 2023 must implement DOD-approved encryption in the OpenSSL package.
AZLX-23-001265  Amazon Linux 2023 must implement DOD-approved TLS encryption in the OpenSSL package.
AZLX-23-001270  Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant systemwide cryptographic policy.
AZLX-23-001275  Amazon Linux 2023 must implement DOD-approved encryption to protect the confidentiality of remote access sessions.
AZLX-23-001280  Amazon Linux 2023 must enable FIPS mode.
AZLX-23-001285  Amazon Linux 2023 crypto policy must not be overridden.
AZLX-23-001290  Amazon Linux 2023 must enable certificate-based smart card authentication.
AZLX-23-001295  Amazon Linux 2023 must map the authenticated identity to the user or group account for PKI-based authentication.
AZLX-23-001300  Amazon Linux 2023 must implement certificate status checking for multifactor authentication.
AZLX-23-001305  Amazon Linux 2023 must prohibit the use of cached authenticators after one day.
AZLX-23-001310  Amazon Linux 2023, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
AZLX-23-001315  Amazon Linux 2023, for PKI-based authentication, must enforce authorized access to the corresponding private key.
AZLX-23-002000  Amazon Linux 2023 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.
AZLX-23-002005  Amazon Linux 2023 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH logon.
AZLX-23-002015  Amazon Linux 2023 must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
AZLX-23-002020  Amazon Linux 2023 must use a separate file system for the system audit data path.
AZLX-23-002025  Amazon Linux 2023 must label all off-loaded audit logs before sending them to the central log server.
AZLX-23-002030  Amazon Linux 2023 must take appropriate action when the internal event queue is full.
AZLX-23-002035  Amazon Linux 2023 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
AZLX-23-002040  Amazon Linux 2023 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.
AZLX-23-002045  Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.
AZLX-23-002050  Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
AZLX-23-002055  Amazon Linux 2023 must immediately notify the system administrator (SA) and information system security officer (ISSO), at a minimum, of an audit processing failure event.
AZLX-23-002060  Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog.
AZLX-23-002065  Amazon Linux 2023 must authenticate the remote logging server for off-loading audit logs via rsyslog.
AZLX-23-002070  Amazon Linux 2023 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.
AZLX-23-002075  Amazon Linux 2023 must encrypt via the gtls driver the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.
AZLX-23-002080  Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog.
AZLX-23-002085  Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
AZLX-23-002090  Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.
AZLX-23-002095  Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
AZLX-23-002100  Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
AZLX-23-002105  Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
AZLX-23-002110  Amazon Linux 2023 must audit uses of the "execve" system call.
AZLX-23-002115  Amazon Linux 2023 must audit all uses of the chmod, fchmod, and fchmodat system calls.
AZLX-23-002120  Amazon Linux 2023 must audit all uses of the chown, fchown, fchownat, and lchown system calls.
AZLX-23-002125  Amazon Linux 2023 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
AZLX-23-002130  Amazon Linux 2023 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
AZLX-23-002135  Amazon Linux 2023 must audit all uses of the init_module and finit_module system calls.
AZLX-23-002140  Amazon Linux 2023 must audit all uses of the create_module system call.
AZLX-23-002145  Amazon Linux 2023 must audit all uses of the kmod command.
AZLX-23-002150  Amazon Linux 2023 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.
AZLX-23-002155  Amazon Linux 2023 must audit all uses of the chcon command.
AZLX-23-002160  Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.
AZLX-23-002165  Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.
AZLX-23-002175  Amazon Linux 2023 must audit all uses of the init command.
AZLX-23-002180  Amazon Linux 2023 must audit all uses of the reboot command.
AZLX-23-002185  Amazon Linux 2023 must audit all uses of the shutdown command.
AZLX-23-002190  Amazon Linux 2023 audit tools must have a mode of "0755" or less permissive.
AZLX-23-002195  Amazon Linux 2023 audit tools must be owned by root.
AZLX-23-002200  Amazon Linux 2023 audit tools must be group-owned by root.
AZLX-23-002205  Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
AZLX-23-002210  Amazon Linux 2023 must audit all successful/unsuccessful uses of the chage command.
AZLX-23-002215  Amazon Linux 2023 must alert the information system security officer (ISSO) and system administrator (SA), at a minimum, in the event of an audit processing failure.
AZLX-23-002220  Amazon Linux 2023 must off-load audit records onto a different system in the event the audit storage volume is full.
AZLX-23-002225  Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.
AZLX-23-002230  Amazon Linux 2023 audit log directory must be owned by root to prevent unauthorized read access.
AZLX-23-002235  Amazon Linux 2023 audit logs file must have mode "0600" or less permissive to prevent unauthorized access to the audit log.
AZLX-23-002240  Amazon Linux 2023 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
AZLX-23-002245  Amazon Linux 2023 must audit all uses of the sudo command.
AZLX-23-002250  Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
AZLX-23-002255  Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
AZLX-23-002260  Amazon Linux 2023 must produce audit records containing information to establish the identity of any individual or process associated with the event.
AZLX-23-002265  Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.
AZLX-23-002270  Amazon Linux 2023 must ensure the audit log directory be owned by root to prevent unauthorized read access.
AZLX-23-002275  Amazon Linux 2023 audit logs file must have mode "0600" or less permissive to prevent unauthorized access to the audit log.
AZLX-23-002280  Amazon Linux 2023 library directories must be group-owned by root or a system account.
AZLX-23-002285  Amazon Linux 2023 library directories must have mode "755" or less permissive.
AZLX-23-002290  Amazon Linux 2023 library files must have mode "755" or less permissive.
AZLX-23-002295  Amazon Linux 2023 library files must be owned by root.
AZLX-23-002300  Amazon Linux 2023 library files must be group-owned by root or a system account.
AZLX-23-002305  Amazon Linux 2023 library directories must be owned by root.
AZLX-23-002315  Amazon Linux 2023 must ensure the /var/log directory have mode "0755" or less permissive.
AZLX-23-002320  Amazon Linux 2023 must ensure the /var/log directory be owned by root.
AZLX-23-002325  Amazon Linux 2023 must ensure the /var/log directory be group-owned by root.
AZLX-23-002330  Amazon Linux 2023 must ensure the /var/log/messages file have mode "0640" or less permissive.
AZLX-23-002335  Amazon Linux 2023 must ensure the /var/log/messages file be group-owned by root.
AZLX-23-002340  Amazon Linux 2023 must ensure the /var/log/messages file be owned by root.
AZLX-23-002345  Amazon Linux 2023 system commands must be owned by root.
AZLX-23-002350  Amazon Linux 2023 system commands must be group-owned by root or a system account.
AZLX-23-002355  Amazon Linux 2023 must enforce password complexity by requiring that at least one uppercase character be used.
AZLX-23-002360  Amazon Linux 2023 must enforce password complexity by requiring that at least one lowercase character be used.
AZLX-23-002365  Amazon Linux 2023 must enforce password complexity by requiring that at least one numeric character be used.
AZLX-23-002370  Amazon Linux 2023 must require the change of at least 50 percent of the total number of characters when passwords are changed.
AZLX-23-002375  Amazon Linux 2023 must enforce a minimum 15-character password length.
AZLX-23-002380  Amazon Linux 2023 must enforce password complexity by requiring that at least one special character be used.
AZLX-23-002385  Amazon Linux 2023 must enforce password complexity rules for the root account.
AZLX-23-002390  Amazon Linux 2023 must prevent the use of dictionary words for passwords.
AZLX-23-002395  Amazon Linux 2023 must limit the number of concurrent sessions to ten for all accounts and/or account types.
AZLX-23-002396  Amazon Linux 2023 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.
AZLX-23-002400  Amazon Linux 2023 must enforce 24 hours/1 day as the minimum password lifetime.
AZLX-23-002405  Amazon Linux 2023 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
AZLX-23-002410  Amazon Linux 2023 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
AZLX-23-002415  Amazon Linux 2023 must automatically remove or disable temporary user accounts after 72 hours.
AZLX-23-002420  Amazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur.
AZLX-23-002425  Amazon Linux 2023 must be able to enforce a 60-day maximum password lifetime restriction.
AZLX-23-002430  Amazon Linux 2023 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
AZLX-23-002435  Amazon Linux 2023 must automatically expire temporary accounts within 72 hours.
AZLX-23-002440  Amazon Linux 2023 must restrict the use of the "su" command.
AZLX-23-002445  Amazon Linux 2023 must enable the SELinux targeted policy.
AZLX-23-002450  Amazon Linux 2023 must use a Linux Security Module configured to enforce limits on system services.
AZLX-23-002455  Amazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur.
AZLX-23-002460  Amazon Linux 2023 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
AZLX-23-002465  Amazon Linux 2023 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
AZLX-23-002470  Amazon Linux 2023 must maintain an account lock until the locked account is released by an administrator.
AZLX-23-002475  Amazon Linux 2023 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.
AZLX-23-002480  Amazon Linux 2023 must ensure all interactive users have a primary group that exists.
AZLX-23-002485  Amazon Linux 2023 must ensure all interactive users have unique User IDs (UIDs).
AZLX-23-002489  Amazon Linux 2023 must ensure the password complexity module is enabled in the password-auth file.
AZLX-23-002490  Amazon Linux 2023 password-auth must be configured to use a sufficient number of hashing rounds.
AZLX-23-002495  Amazon Linux 2023 system-auth must be configured to use a sufficient number of hashing rounds.
AZLX-23-002500  Amazon Linux 2023 must ensure a sticky bit be set on all public directories.
AZLX-23-002505  Amazon Linux 2023 must ensure all world-writable directories be owned by root, sys, bin, or an application user.
AZLX-23-002510  Amazon Linux 2023 must terminate idle user sessions.
AZLX-23-002515  Amazon Linux 2023 must enable auditing of processes that start prior to the audit daemon.
AZLX-23-002520  Amazon Linux 2023 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
AZLX-23-002535  Amazon Linux 2023 must enable discretionary access control on hardlinks.
AZLX-23-002540  Amazon Linux 2023 must enable kernel parameters to enforce discretionary access control on symlinks.
AZLX-23-002555  Amazon Linux 2023 debug-shell systemd service must be disabled.
AZLX-23-002560  Amazon Linux 2023 chrony must be configured with a maximum interval of 24 hours between requests sent to a USNO server or a time server designated for the appropriate DOD network.
AZLX-23-002565  Amazon Linux 2023 must synchronize internal information system clocks to the authoritative time source at least every 24 hours.
AZLX-23-002570  Amazon Linux 2023 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.
AZLX-23-002575  Amazon Linux 2023 must prevent the loading of a new kernel for later execution.
AZLX-23-002580  Amazon Linux 2023 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
AZLX-23-002585  Amazon Linux 2023 must mount /dev/shm with the nodev option.
AZLX-23-002590  Amazon Linux 2023 must mount /dev/shm with the nosuid option.
AZLX-23-002595  Amazon Linux 2023 must ensure the pcscd service is active.
AZLX-23-002600  Amazon Linux 2023 file system automount function must be disabled unless required.
AZLX-23-002605  Amazon Linux 2023 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures are configured on impacted network interfaces.
AZLX-23-002610  Amazon Linux 2023 must implement nonexecutable data to protect its memory from unauthorized code execution.
AZLX-23-002615  Amazon Linux 2023 must remove all software components after updated versions have been installed.
AZLX-23-002620  Amazon Linux 2023 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
AZLX-23-005000  Amazon Linux 2023 audit system must protect logon user identifiers (UIDs) from unauthorized change.
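The six kernel-hardening requirements AZLX-23-000200 through AZLX-23-000225 all come down to sysctl values, which makes them the easiest group on this list to audit in one pass. The script below is an added example, not check text from the STIG or from DISA: the sysctl key and value for each requirement (kernel.dmesg_restrict=1, kernel.perf_event_paranoid=2, kernel.kptr_restrict=1, kernel.unprivileged_bpf_disabled=1, kernel.yama.ptrace_scope=1, kernel.randomize_va_space=2) is an assumption derived from the requirement titles and the usual Linux hardening settings behind them, so confirm each pair against the STIG's own check procedure before relying on it. The sample sysctl output embedded at the bottom is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not check text from the STIG: audit the runtime sysctl values
# that back AZLX-23-000200 through AZLX-23-000225. The key/value pairs below are
# an assumption derived from the requirement titles (the usual Linux hardening
# settings for each), so confirm them against the STIG's own check procedure.
#
# Usage on a live host:   sysctl -a 2>/dev/null | audit_kernel_params

# expected settings, one per line: "sysctl_key expected_value STIG-ID"
EXPECTED='kernel.dmesg_restrict 1 AZLX-23-000200
kernel.perf_event_paranoid 2 AZLX-23-000205
kernel.kptr_restrict 1 AZLX-23-000210
kernel.unprivileged_bpf_disabled 1 AZLX-23-000215
kernel.yama.ptrace_scope 1 AZLX-23-000220
kernel.randomize_va_space 2 AZLX-23-000225'

# audit_kernel_params: reads "key = value" lines (the format of `sysctl -a`)
# on stdin, prints one PASS/FAIL line per expected key, and returns 1 if any
# key is missing or has the wrong value, 0 otherwise.
audit_kernel_params() {
    input=$(cat)
    failures=0
    # a here-document keeps the loop in the current shell, so $failures survives
    while read -r key want id; do
        [ -z "$key" ] && continue
        # escape the dots so they match literally in the sed pattern
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(printf '%s\n' "$input" | sed -n "s/^${pat}[[:space:]]*=[[:space:]]*//p" | head -n 1)
        if [ -z "$have" ]; then
            printf 'FAIL %s %s is not set (expected %s)\n' "$id" "$key" "$want"
            failures=$((failures + 1))
        elif [ "$have" != "$want" ]; then
            printf 'FAIL %s %s = %s (expected %s)\n' "$id" "$key" "$have" "$want"
            failures=$((failures + 1))
        else
            printf 'PASS %s %s = %s\n' "$id" "$key" "$have"
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sample of `sysctl -a` output (not from a real host): ASLR is
# weakened and ptrace_scope is absent, so the audit must report two failures.
SAMPLE_SYSCTL='kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 2
kernel.kptr_restrict = 1
kernel.unprivileged_bpf_disabled = 1
kernel.randomize_va_space = 0
net.ipv4.ip_forward = 0'

printf '%s\n' "$SAMPLE_SYSCTL" | audit_kernel_params || echo "sample host is out of policy"
```

A missing key is reported as a failure rather than skipped: on a kernel built without Yama, kernel.yama.ptrace_scope does not exist at all, and the requirement cannot be met by that kernel, so silently passing would hide the finding. The script inspects only the running kernel; a value set with `sysctl -w` and never written to a file under /etc/sysctl.d reverts at the next boot, so a complete check also confirms that the persisted configuration carries the same value and that no later file overrides it.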