@aborruso
Created July 13, 2021 16:21
Export columns: Severity, Date, Finding, Target, Template, Rules Package, ARN, Rule, AWS agent ID, AMI ID, Auto Scaling Group, Hostname, IPv4 Addresses, Asset Type, Confidence, Description, Indicator of Compromise, Numeric Severity, Recommendation, Service, Assessment Run ARN, Rules Package ARN, CVSS2 Score, CVSS2 Vector, CVSS3 Score, CVSS3 Vector, CIS Weight, Last Update
Severity: Informational
Date: 1623439052221
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 1.7.1.3 Ensure remote login warning banner is configured properly, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-TykK9h92
Rule: 1.7.1.3 Ensure remote login warning banner is configured properly
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information:
  \m - machine architecture ( uname -m )
  \r - operating system release ( uname -r )
  \s - operating system name
  \v - operating system version ( uname -v )
Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the "uname -a" command once they have logged in.
Recommendation: Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \m, \r, \s, or \v:
  # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: NOT_SCORED
Last Update: 1623439052221
Severity: High
Date: 1623439054230
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 5.2.8 Ensure SSH root login is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-ZTO7a8qo
Rule: 5.2.8 Ensure SSH root login is disabled
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no.
Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident.
Numeric Severity: 9
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
  PermitRootLogin no
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439054230
Severity: High
Date: 1623439051625
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 5.1.8 Ensure at/cron is restricted to authorized users, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-AewVbsqq
Rule: 5.1.8 Ensure at/cron is restricted to authorized users
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs.
Rationale: On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.
Numeric Severity: 9
Recommendation: Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow:
  # rm /etc/cron.deny
  # rm /etc/at.deny
  # touch /etc/cron.allow
  # touch /etc/at.allow
  # chmod og-rwx /etc/cron.allow
  # chmod og-rwx /etc/at.allow
  # chown root:root /etc/cron.allow
  # chown root:root /etc/at.allow
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439051625
Severity: High
Date: 1623439055983
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 1.6.1.2 Ensure the SELinux state is enforcing, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-wSd2qTga
Rule: 1.6.1.2 Ensure the SELinux state is enforcing
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: Set SELinux to enable when the system is booted.
Rationale: SELinux must be enabled at boot time to ensure that the controls it provides are in effect at all times.
Numeric Severity: 9
Recommendation: Edit the /etc/selinux/config file to set the SELINUX parameter:
  SELINUX=enforcing
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439055983
Severity: High
Date: 1623439052671
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 5.1.7 Ensure permissions on /etc/cron.d are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-s1cd0CzJ
Rule: 5.1.7 Ensure permissions on /etc/cron.d are configured
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Numeric Severity: 9
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.d:
  # chown root:root /etc/cron.d
  # chmod og-rwx /etc/cron.d
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439052671
Severity: High
Date: 1623439054972
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 6.2.8 Ensure users' home directories permissions are 750 or more restrictive, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-BaGCMeq8
Rule: 6.2.8 Ensure users' home directories permissions are 750 or more restrictive
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: While the system administrator can establish secure permissions for users' home directories, the users can easily override these.
Rationale: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.
Numeric Severity: 9
Recommendation: Making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy.
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439054972
Severity: High
Date: 1623439051524
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 1.1.21 Ensure sticky bit is set on all world-writable directories, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-rF83Z7oQ
Rule: 1.1.21 Ensure sticky bit is set on all world-writable directories
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.
Rationale: This feature prevents the ability to delete or rename files in world writable directories (such as /tmp) that are owned by another user.
Numeric Severity: 9
Recommendation: Run the following command to set the sticky bit on all world writable directories:
  # df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439051524
Severity: High
Date: 1623439054435
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-AfiGcBfz
Rule: 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is, the more open unauthenticated connections can exist. Like other session controls in this section, the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access.
Rationale: Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 Minute), set the number based on site policy.
Numeric Severity: 9
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
  LoginGraceTime 60
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439054435
Severity: High
Date: 1623439055460
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 6.2.7 Ensure all users' home directories exist, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-X3BVmxaE
Rule: 6.2.7 Ensure all users' home directories exist
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist.
Rationale: If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have local environment variables set.
Numeric Severity: 9
Recommendation: If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate.
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439055460
Severity: High
Date: 1623439055711
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 6.1.10 Ensure no world writable files exist, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-rgoAxmWn
Rule: 6.1.10 Ensure no world writable files exist
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: Unix-based systems support variable settings to control access to files. World writable files are the least secure. See the chmod(2) man page for more information.
Rationale: Data in world-writable files can be modified and compromised by any user on the system. World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity.
Numeric Severity: 9
Recommendation: Removing write access for the "other" category ( chmod o-w <filename> ) is advisable, but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file.
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439055711
Severity: High
Date: 1623439053204
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-qxNKjNHv
Rule: 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.
Rationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
Numeric Severity: 9
Recommendation: Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host):
  *.* @@loghost.example.com
Run the following command to restart rsyslog:
  # pkill -HUP rsyslogd
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439053204
Severity: High
Date: 1623439052645
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 1.1.12 Ensure separate partition exists for /var/log/audit, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-Ptci9p5n
Rule: 1.1.12 Ensure separate partition exists for /var/log/audit
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: The auditing daemon, auditd, stores log data in the /var/log/audit directory.
Rationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired.
Numeric Severity: 9
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439052645
Severity: High
Date: 1623439055497
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-iQww1qgN
Rule: 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Numeric Severity: 9
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
  install freevxfs /bin/true
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439055497
Severity: High
Date: 1623439053076
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 4.1.15 Ensure changes to system administration scope (sudoers) is collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-86RqnogU
Rule: 4.1.15 Ensure changes to system administration scope (sudoers) is collected
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."
Rationale: Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.
Numeric Severity: 9
Recommendation: Add the following lines to the /etc/audit/audit.rules file:
  -w /etc/sudoers -p wa -k scope
  -w /etc/sudoers.d/ -p wa -k scope
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439053076
Severity: High
Date: 1623439051890
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 4.1.16 Ensure system administrator actions (sudolog) are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-W1Is5MYY
Rule: 4.1.16 Ensure system administrator actions (sudolog) are collected
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.
Rationale: Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.
Numeric Severity: 9
Recommendation: Add the following lines to the /etc/audit/audit.rules file:
  -w /var/log/sudo.log -p wa -k actions
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439051890
Severity: Informational
Date: 1623439056360
Finding: On instance i-01aae074f79eaa71f, TCP port 80 which is associated with 'HTTP' is reachable from a Peered VPC
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: Network Reachability-1.1
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-jw6AmaR3
Rule: Recognized port with no listener reachable from a Peered VPC
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: On this instance, TCP port 80, which is associated with HTTP, is reachable from a Peered VPC with no process listening. The instance i-01aae074f79eaa71f is located in VPC vpc-1033c37e and has an attached ENI eni-09529e193cdc9a8bb which uses network ACL acl-ee33c380. The port is reachable from a Peered VPC through Security Group sg-eb55aaa3 and VPC Peering Connection pcx-0234f99fdab23555c.
Recommendation: You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 80.
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd
Last Update: 1623439056360
Severity: High
Date: 1623439054445
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 4.2.4 Ensure permissions on all logfiles are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-STo4USQi
Rule: 4.2.4 Ensure permissions on all logfiles are configured
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well.
Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
Numeric Severity: 9
Recommendation: Run the following command to set permissions on all existing log files:
  # find -L /var/log -type f -exec chmod g-wx,o-rwx {} +
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439054445
Severity: High
Date: 1623439055112
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 4.1.6 Ensure events that modify the system's network environment are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-cWDffP5h
Rule: 4.1.6 Ensure events that modify the system's network environment are collected
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the system's host name) or setdomainname (set the system's domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files.
Rationale: Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."
Numeric Severity: 9
Recommendation: For 32 bit systems add the following lines to the /etc/audit/audit.rules file:
  -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
  -w /etc/issue -p wa -k system-locale
  -w /etc/issue.net -p wa -k system-locale
  -w /etc/hosts -p wa -k system-locale
  -w /etc/sysconfig/network -p wa -k system-locale
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
  -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
  -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
  -w /etc/issue -p wa -k system-locale
  -w /etc/issue.net -p wa -k system-locale
  -w /etc/hosts -p wa -k system-locale
  -w /etc/sysconfig/network -p wa -k system-locale
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439055112
Severity: High
Date: 1623439051119
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-pdZmllDb
Rule: 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Numeric Severity: 9
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
  install jffs2 /bin/true
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439051119
Severity: High
Date: 1623439053094
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 5.4.1.4 Ensure inactive password lock is 30 days or less, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-KlI6SDaz
Rule: 5.4.1.4 Ensure inactive password lock is 30 days or less
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled.
Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
Numeric Severity: 9
Recommendation: Run the following command to set the default password inactivity period to 30 days:
  # useradd -D -f 30
Modify user parameters for all users with a password set to match:
  # chage --inactive 30 <user>
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439053094
Severity: High
Date: 1623439052984
Finding: Instance i-01aae074f79eaa71f is not compliant with rule 1.6.1.6 Ensure no unconfined daemons exist, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server.
Target: FOD QA Single Server
Template: FOD QA Single Server Quick
Rules Package: CIS Operating System Security Configuration Benchmarks-1.0
ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-poHnKvEQ
Rule: 1.6.1.6 Ensure no unconfined daemons exist
AWS agent ID: i-01aae074f79eaa71f
AMI ID: ami-00ecf57a
Hostname: qahobserver4b100
Asset Type: ec2-instance
Confidence: 10
Description: Daemons that are not defined in SELinux policy will inherit the security context of their parent process.
Rationale: Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t. This could cause the unintended consequence of giving the process more permission than it requires.
Numeric Severity: 9
Recommendation: Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
Service: Inspector
Assessment Run ARN: arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5
Rules Package ARN: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
CIS Weight: SCORED
Last Update: 1623439052984
High 1623439054822 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-IJe2rNjc 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure. Rationale Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy. 9 Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054822
High 1623439053770 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-I0622Yaa 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid >= 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access." Rationale Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. 9 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053770
High 1623439053278 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.4 Ensure events that modify date and time information are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-sLrev47I 4.1.4 Ensure events that modify date and time information are collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (set time, using timeval and timezone structures), stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change". Rationale Unexpected changes in system date and/or time could be a sign of malicious activity on the system. 9 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053278
High 1623439055101 Instance i-01aae074f79eaa71f is not compliant with rule 5.3.1 Ensure password creation requirements are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-6rRm5EzJ 5.3.1 Ensure password creation requirements are configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. retry=3 - Allow 3 tries before sending back a failure. The following options are set in the /etc/security/pwquality.conf file: minlen=14 - password must be 14 characters or more dcredit=-1 - provide at least one digit ucredit=-1 - provide at least one uppercase character ocredit=-1 - provide at least one special character lcredit=-1 - provide at least one lowercase character The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies. Rationale Strong passwords protect systems from being hacked through brute force methods. 9 Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so try_first_pass retry=3 Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055101
Informational 1623439051926 Instance i-01aae074f79eaa71f is not compliant with rule 3.5.2 Ensure SCTP is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-k6O2BF1V 3.5.2 Ensure SCTP is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. Rationale If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install sctp /bin/true Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 NOT_SCORED 1623439051926
High 1623439056319 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.12 Ensure only approved MAC algorithms are used, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-1sCn1Kuc 5.2.12 Ensure only approved MAC algorithms are used i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description This variable limits the types of MAC algorithms that SSH can use during communication. Rationale MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information. 9 Edit the /etc/ssh/sshd_config file to set the parameter in accordance with site policy. The following includes all supported and accepted MACs: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439056319
High 1623439056058 Instance i-01aae074f79eaa71f is not compliant with rule 6.1.12 Ensure no ungrouped files or directories exist, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-iutletVO 6.1.12 Ensure no ungrouped files or directories exist i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Sometimes when administrators delete users or groups from the system they neglect to remove all files owned by those users or groups. Rationale A new user who is assigned the deleted user's user ID or group ID may then end up "owning" these files, and thus have more access on the system than was intended. 9 Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439056058
Informational 1623439056484 On instance i-01aae074f79eaa71f, TCP port 80 which is associated with 'HTTP' is reachable from a Peered VPC FOD QA Single Server FOD QA Single Server Quick Network Reachability-1.1 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-S3yuWnZ7 Recognized port with no listener reachable from a Peered VPC i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 On this instance, TCP port 80, which is associated with HTTP, is reachable from a Peered VPC with no process listening. The instance i-01aae074f79eaa71f is located in VPC vpc-1033c37e and has an attached ENI eni-09529e193cdc9a8bb which uses network ACL acl-ee33c380. The port is reachable from a Peered VPC through Security Group sg-eb55aaa3 and VPC Peering Connection pcx-02fbbf3a349b89e31 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 80 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd 1623439056484
High 1623439052617 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.17 Ensure kernel module loading and unloading is collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-JOMfV01f 4.1.17 Ensure kernel module loading and unloading is collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules". Rationale Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. 9 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit arch=b32 -S init_module -S delete_module -k modules For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit arch=b64 -S init_module -S delete_module -k modules Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052617
High 1623439052445 Instance i-01aae074f79eaa71f is not compliant with rule 3.6.5 Ensure firewall rules exist for all open ports, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-dAvJWeHK 3.6.5 Ensure firewall rules exist for all open ports i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. Rationale Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports. 9 For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections: # iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052445
High 1623439055354 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.10 Ensure SSH PermitUserEnvironment is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-HiC6KJZ9 5.2.10 Ensure SSH PermitUserEnvironment is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The PermitUserEnvironment option allows users to present environment options to the ssh daemon. Rationale Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs) 9 Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055354
High 1623439052547 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.1.2 Ensure system is disabled when audit logs are full, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-QaNHj4uP 4.1.1.2 Ensure system is disabled when audit logs are full i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The auditd daemon can be configured to halt the system when the audit logs are full. Rationale In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. 9 Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052547
High 1623439055296 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.18 Ensure the audit configuration is immutable, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-3y5uNSd3 4.1.18 Ensure the audit configuration is immutable i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Set system audit so that audit rules cannot be modified with auditctl . Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Rationale In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes. 9 Add the following line to the end of the /etc/audit/audit.rules file. -e 2 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055296
High 1623439053184 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.9 Ensure SSH PermitEmptyPasswords is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-dHEGrFhJ 5.2.9 Ensure SSH PermitEmptyPasswords is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings. Rationale Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system. 9 Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053184
Medium 1623439056874 No password complexity mechanism or restrictions are configured on instance i-01aae074f79eaa71f in your assessment target. This allows users to set simple passwords, thereby increasing the chances of unauthorized users gaining access and misusing accounts. FOD QA Single Server FOD QA Single Server Quick Security Best Practices-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-8qeIl6jA Configure Password Complexity i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 This rule helps determine whether a password complexity mechanism is configured on your EC2 instances. 6 If you are using passwords, it is recommended that you configure all EC2 instances in your assessment target to require a level of password complexity. You can do this by using **pam_cracklib.so** "lcredit","ucredit","dcredit", and "ocredit" settings. See man pam_cracklib for more information. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q 1623439056874
Low 1623439056689 On instance i-01aae074f79eaa71f, process 'sshd' is listening on TCP port 22 which is associated with 'SSH' and is reachable from a Peered VPC FOD QA Single Server FOD QA Single Server Quick Network Reachability-1.1 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-sgywZEDR Recognized port with listener reachable from a Peered VPC i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 On this instance, TCP port 22, which is associated with SSH, is reachable from a Peered VPC with a process listening on the port. The process has name ‘sshd’, process id 1702, and uses binary /usr/sbin/sshd. The instance i-01aae074f79eaa71f is located in VPC vpc-1033c37e and has an attached ENI eni-09529e193cdc9a8bb which uses network ACL acl-ee33c380. The port is reachable from a Peered VPC through Security Group sg-eb55aaa3 and VPC Peering Connection pcx-0234f99fdab23555c 3 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 22 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd 1623439056689
Informational 1623439056439 On instance i-01aae074f79eaa71f, TCP port 80 which is associated with 'HTTP' is reachable from a Peered VPC FOD QA Single Server FOD QA Single Server Quick Network Reachability-1.1 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-mE5clYcf Recognized port with no listener reachable from a Peered VPC i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 On this instance, TCP port 80, which is associated with HTTP, is reachable from a Peered VPC with no process listening. The instance i-01aae074f79eaa71f is located in VPC vpc-1033c37e and has an attached ENI eni-09529e193cdc9a8bb which uses network ACL acl-ee33c380. The port is reachable from a Peered VPC through Security Group sg-eb55aaa3 and VPC Peering Connection pcx-29479b40 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 80 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd 1623439056439
High 1623439050926 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.14 Ensure file deletion events by users are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-2xuHqjHU 4.1.14 Ensure file deletion events by users are collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete". Rationale Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 9 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439050926
Informational 1623439056544 Aggregate network exposure: On instance i-01aae074f79eaa71f, ports are reachable from a Peered VPC through ENI eni-09529e193cdc9a8bb and security group sg-eb55aaa3 FOD QA Single Server FOD QA Single Server Quick Network Reachability-1.1 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-oZqsYu05 Network exposure from a Peered VPC i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 On instance i-01aae074f79eaa71f, ENI eni-09529e193cdc9a8bb and security group sg-eb55aaa3 allow access from a Peered VPC to tcp ports [[22 - 22], [80 - 80], [388 - 388], [2021 - 2021], [5901 - 5901], [8080 - 8080]] and udp ports [[53 - 53]]. ENI eni-09529e193cdc9a8bb is located in VPC vpc-1033c37e with access control list acl-ee33c380. These ports are reachable from a Peered VPC through VPC Peering Connection pcx-02fbbf3a349b89e31 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd 1623439056544
High 1623439052420 Instance i-01aae074f79eaa71f is not compliant with rule 3.6.2 Ensure default deny firewall policy, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-qNpFBacu 3.6.2 Ensure default deny firewall policy i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Rationale With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. 9 Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052420
High 1623439053615 Instance i-01aae074f79eaa71f is not compliant with rule 1.3.1 Ensure AIDE is installed, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-0E58sXuY 1.3.1 Ensure AIDE is installed i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system. Rationale By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries. 9 Run the following command to install aide : # yum install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053615
High 1623439051475 Instance i-01aae074f79eaa71f is not compliant with rule 5.1.4 Ensure permissions on /etc/cron.daily are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-73yy6xBt 5.1.4 Ensure permissions on /etc/cron.daily are configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. 9 Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051475
High 1623439055890 Instance i-01aae074f79eaa71f is not compliant with rule 5.3.2 Ensure lockout for failed password attempts is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-8I40lKtd 5.3.2 Ensure lockout for failed password attempts is configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Lock out users after n unsuccessful consecutive login attempts. The first set of changes is made to the PAM configuration files. The second set of changes is applied to the program-specific PAM configuration file and must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure it to work with PAM. Set the lockout number to the policy in effect at your site. Rationale Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. 9 Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files and add the following pam_faillock.so lines around the existing pam_unix.so line, changing that line's control field to [success=1 default=bad] as shown, in both files:
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
On CentOS 7 these two files are normally symlinks to system-auth-ac and password-auth-ac, which authconfig regenerates; edit local copies and point the symlinks at them, otherwise the change is lost the next time authconfig runs.
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055890
High 1623439051240 Instance i-01aae074f79eaa71f is not compliant with rule 1.2.3 Ensure gpgcheck is globally activated, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-coFky3ey 1.2.3 Ensure gpgcheck is globally activated i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The gpgcheck option, found in the [main] section of /etc/yum.conf and in the individual /etc/yum.repos.d/* files, determines whether an RPM package's signature is checked prior to installation. Rationale It is important to ensure that an RPM package's signature is always checked prior to installation, so that the software is known to come from a trusted source. 9 Edit /etc/yum.conf and set gpgcheck=1 in the [main] section. Edit any failing files in /etc/yum.repos.d/* and set every instance of gpgcheck to 1. A repository section that has no gpgcheck line of its own inherits the [main] value, so a section is only acceptable without it when [main] already says 1. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051240
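A check for rule 1.2.3 that reads the yum configuration the way yum resolves it (a repo without its own gpgcheck inherits [main]), added here as an example; it is not part of the Inspector export or the CIS benchmark. It assumes the host's files are /etc/yum.conf and /etc/yum.repos.d/*.repo, passed as arguments, and that repository ids contain no whitespace; the files at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the Inspector export or CIS): audit yum gpgcheck
# settings as rule 1.2.3 describes them. Paths are arguments; on a CentOS 7
# host they would be /etc/yum.conf and /etc/yum.repos.d.

# ini_value FILE SECTION KEY
# Print KEY from [SECTION] of a yum-style INI file. '#' and ';' lines are
# comments, '=' separates key and value, a repeated key keeps its last value,
# and nothing is printed when the key is absent.
ini_value() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s); cur = s; next }
        cur == sec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# ini_sections FILE: print the section names (repo ids) in FILE, one per line.
ini_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s); print s }' "$1"
}

# gpgcheck_audit YUM_CONF REPO_DIR
# Exit 0 when [main] and every repo section end up with gpgcheck=1, else 1.
# A repo section without its own gpgcheck inherits the [main] value, so a
# missing key is only acceptable when [main] already says 1.
gpgcheck_audit() {
    main=$(ini_value "$1" main gpgcheck)
    status=0
    if [ "$main" = "1" ]; then
        echo "ok   $1 [main] gpgcheck=1"
    else
        echo "FAIL $1 [main] gpgcheck=${main:-unset}"
        status=1
    fi
    for f in "$2"/*.repo; do
        [ -e "$f" ] || continue              # no .repo files at all
        for sec in $(ini_sections "$f"); do  # assumption: repo ids have no whitespace
            own=$(ini_value "$f" "$sec" gpgcheck)
            eff=${own:-$main}
            if [ "$eff" = "1" ]; then
                echo "ok   $f [$sec] gpgcheck=${own:-inherited}"
            else
                echo "FAIL $f [$sec] gpgcheck=${own:-unset} effective=${eff:-unset}"
                status=1
            fi
        done
    done
    return $status
}

# Demo on constructed files (sample data, not taken from a real host):
# [main] is correct, one repo relies on inheritance, one vendor repo opts out.
demo=$(mktemp -d)
mkdir "$demo/repos.d"
printf '[main]\ngpgcheck=1\ninstallonly_limit=3\n' > "$demo/yum.conf"
printf '[base]\nname=Base\nbaseurl=http://mirror.example/base\ngpgcheck=1\n\n[updates]\nname=Updates\nbaseurl=http://mirror.example/updates\n' > "$demo/repos.d/CentOS-Base.repo"
printf '[vendor]\nname=Vendor\nbaseurl=http://vendor.example/el7\ngpgcheck=0\n' > "$demo/repos.d/vendor.repo"
gpgcheck_audit "$demo/yum.conf" "$demo/repos.d" || echo "=> rule 1.2.3 fails: set gpgcheck=1 in every flagged section"
```

On the instance, `gpgcheck_audit /etc/yum.conf /etc/yum.repos.d` prints one line per section; each FAIL names the file and section to fix. It does not verify that the gpgkey lines point at keys you trust or that repo_gpgcheck (metadata signing) is on, which are separate questions.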
High 1623439054146 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.9 Ensure session initiation information is collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-rUzMI0T4 4.1.9 Ensure session initiation information is collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. All audit records will be tagged with the identifier "session." The /var/log/btmp file keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "logins." Rationale Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (e.g. a user logging in at a time when they do not normally log in). 9 Add the following lines to the /etc/audit/audit.rules file:
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
On CentOS 7 auditd loads its rules through augenrules, which rebuilds /etc/audit/audit.rules from /etc/audit/rules.d/*.rules at start, so put the lines in a file there (for example /etc/audit/rules.d/50-cis.rules) and run augenrules --load; edits made directly to audit.rules are overwritten.
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054146
High 1623439052353 Instance i-01aae074f79eaa71f is not compliant with rule 2.3.4 Ensure telnet client is not installed, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-7sOkbQLp 2.3.4 Ensure telnet client is not installed i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol. Rationale The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions. 9 Run the following command to uninstall telnet:
# yum remove telnet
Impact: Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit the capability to test and troubleshoot. If they are required, it is advisable to remove the clients after use to prevent accidental or intentional misuse. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052353
Informational 1623439052067 Instance i-01aae074f79eaa71f is not compliant with rule 1.7.1.2 Ensure local login warning banner is configured properly, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-BGz1Owuc 1.7.1.2 Ensure local login warning banner is configured properly i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \m - machine architecture (uname -m), \r - operating system release (uname -r), \s - operating system name, \v - operating system version (uname -v). Rationale Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the "uname -a" command once they have logged in. Edit the /etc/issue file with the appropriate contents according to your site policy, removing any instances of \m, \r, \s, or \v:
# echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 NOT_SCORED 1623439052067
High 1623439055574 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.1.3 Ensure audit logs are not automatically deleted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-zHFO2ULn 4.1.1.3 Ensure audit logs are not automatically deleted i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. Rationale In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. 9 Set the following parameter in /etc/audit/auditd.conf:
max_log_file_action = keep_logs
With keep_logs the audit directory only ever grows, so pair this with the space_left_action and admin_space_left_action settings and ship the logs off the host; otherwise the outcome of a full disk is decided by accident rather than by policy.
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055574
High 1623439053481 Instance i-01aae074f79eaa71f is not compliant with rule 1.4.2 Ensure bootloader password is set, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-HNagObHF 1.4.2 Ensure bootloader password is set i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters. Rationale Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time). 9 Create an encrypted password with grub2-mkpasswd-pbkdf2:
# grub2-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
Your PBKDF2 is <encrypted-password>
Add the following into /etc/grub.d/01_users or a custom /etc/grub.d configuration file:
cat <<EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF
Run the following command to update the grub2 configuration:
# grub2-mkconfig > /boot/grub2/grub.cfg
On a UEFI install the file GRUB actually reads is /boot/efi/EFI/centos/grub.cfg, so check which one the system boots from before regenerating. The password only stops edits to boot entries from the GRUB menu; it does nothing against someone who can boot the machine from other media or detach the volume.
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053481
Informational 1623439054114 Instance i-01aae074f79eaa71f is not compliant with rule 3.5.1 Ensure DCCP is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-KyCq90QG 3.5.1 Ensure DCCP is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. Rationale If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install dccp /bin/true Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 NOT_SCORED 1623439054114
High 1623439052284 Instance i-01aae074f79eaa71f is not compliant with rule 3.2.3 Ensure secure ICMP redirects are not accepted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-y2Kl4UIv 3.2.3 Ensure secure ICMP redirects are not accepted i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. Rationale It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways. 9 Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
# sysctl -w net.ipv4.route.flush=1
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052284
High 1623439053910 Instance i-01aae074f79eaa71f is not compliant with rule 3.1.2 Ensure packet redirect sending is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-pKRnsGHn 3.1.2 Ensure packet redirect sending is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects. Rationale An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system. 9 Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.send_redirects=0
# sysctl -w net.ipv4.conf.default.send_redirects=0
# sysctl -w net.ipv4.route.flush=1
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053910
Informational 1623439051201 Instance i-01aae074f79eaa71f is not compliant with rule 1.7.1.4 Ensure permissions on etcmotd are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-ZfzhWQ4O 1.7.1.4 Ensure permissions on /etc/motd are configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Rationale If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information. Run the following commands to set permissions on /etc/motd:
# chown root:root /etc/motd
# chmod 644 /etc/motd
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 NOT_SCORED 1623439051201
High 1623439052262 Instance i-01aae074f79eaa71f is not compliant with rule 5.1.2 Ensure permissions on etccrontab are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-o6ARgEag 5.1.2 Ensure permissions on /etc/crontab are configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. Rationale This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access. 9 Run the following commands to set ownership and permissions on /etc/crontab:
# chown root:root /etc/crontab
# chmod og-rwx /etc/crontab
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052262
Low 1623439056596 On instance i-01aae074f79eaa71f, process 'sshd' is listening on TCP port 22 which is associated with 'SSH' and is reachable from a Peered VPC FOD QA Single Server FOD QA Single Server Quick Network Reachability-1.1 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-xozUph1t Recognized port with listener reachable from a Peered VPC i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 On this instance, TCP port 22, which is associated with SSH, is reachable from a Peered VPC with a process listening on the port. The process has name ‘sshd’, process id 1702, and uses binary /usr/sbin/sshd. The instance i-01aae074f79eaa71f is located in VPC vpc-1033c37e and has an attached ENI eni-09529e193cdc9a8bb which uses network ACL acl-ee33c380. The port is reachable from a Peered VPC through Security Group sg-eb55aaa3 and VPC Peering Connection pcx-eb34aa82 3 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 22 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd 1623439056596
Medium 1623439056844 Instance i-01aae074f79eaa71f is configured to support password authentication over SSH. Password authentication is susceptible to brute-force attacks and should be disabled in favor of key-based authentication where possible. FOD QA Single Server FOD QA Single Server Quick Security Best Practices-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-AkYpSIDc Disable Password Authentication Over SSH i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 This rule helps determine whether your EC2 instances are configured to support password authentication over the SSH protocol. 6 It is recommended that you disable password authentication over SSH on your EC2 instances and enable support for key-based authentication instead. This significantly reduces the likelihood of a successful brute-force attack. For more information see [https://aws.amazon.com/articles/1233/](https://aws.amazon.com/articles/1233/). If password authentication is supported, it is important to restrict access to the SSH server to trusted IP addresses. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q 1623439056844
High 1623439055799 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.12 Ensure use of privileged commands is collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-Nvog1ETZ 4.1.12 Ensure use of privileged commands is collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands. Rationale Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system. 9 To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows: -F path="$1" - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!=4294967295 - will ignore daemon events (4294967295 is the "unset" login UID of processes that never went through a login). All audit records should be tagged with the identifier "privileged". Run the following command, replacing <partition> with a list of partitions where programs can be executed from on your system:
# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }'
Add all resulting lines to the /etc/audit/audit.rules file (on CentOS 7, to a file under /etc/audit/rules.d/ followed by augenrules --load, since augenrules regenerates audit.rules from that directory). Re-run the find after package updates: a setuid binary installed later is not covered until a rule for it is added.
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055799
High 1623439051312 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.4 Ensure SSH X11 forwarding is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-ZaYQk4Bu 5.2.4 Ensure SSH X11 forwarding is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. Rationale Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. 9 Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051312
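The two SSH findings above (5.2.4 X11Forwarding, and the Security Best Practices password-authentication rule) are usually "fixed" by appending a line to sshd_config, which does nothing when the keyword already appears earlier: sshd takes the first occurrence of a keyword and ignores the rest. The check below resolves the value the way sshd does; it is an added example, not code from Inspector, CIS or OpenSSH. It assumes the host file is /etc/ssh/sshd_config (passed as an argument) and uses sshd's defaults when a keyword is absent (PasswordAuthentication yes, X11Forwarding no); the files in the demo are constructed.

```shell
#!/bin/sh
# Added example (not Inspector's, CIS's or OpenSSH's code): resolve the
# values sshd will use for the two SSH findings. The path is an argument;
# on the host it is /etc/ssh/sshd_config.

# sshd_effective FILE KEYWORD
# Print the global value sshd takes for KEYWORD. sshd_config semantics that
# trip people up: keywords are case-insensitive, the FIRST occurrence wins
# (so appending "X11Forwarding no" below an earlier "yes" changes nothing),
# "Keyword=value" is accepted as well as "Keyword value", and everything
# after the first "Match" line is conditional, so it is not a global value.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                  # drop comments
        NF == 0 { next }
        $1 ~ /=/ || $2 == "=" { sub(/[ \t]*=[ \t]*/, " ") } # Keyword=value form
        tolower($1) == "match" { exit }                     # end of global section
        tolower($1) == key { print $2; exit }               # first occurrence wins
    ' "$1"
}

# sshd_check FILE: exit 0 when password authentication and X11 forwarding
# are both off, 1 otherwise. Absent keywords take sshd's defaults
# (PasswordAuthentication yes, X11Forwarding no), so a missing
# PasswordAuthentication line is a failure.
sshd_check() {
    status=0
    pa=$(sshd_effective "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    x11=$(sshd_effective "$1" X11Forwarding | tr 'A-Z' 'a-z')
    pa=${pa:-yes}
    x11=${x11:-no}
    if [ "$pa" = "no" ]; then
        echo "ok   PasswordAuthentication $pa"
    else
        echo "FAIL PasswordAuthentication $pa"; status=1
    fi
    if [ "$x11" = "no" ]; then
        echo "ok   X11Forwarding $x11"
    else
        echo "FAIL X11Forwarding $x11"; status=1
    fi
    return $status
}

# Demo on constructed files (not a real host's configuration).
demo=$(mktemp -d)
# An admin appended the CIS lines at the end, but the earlier "yes" lines win.
printf '%s\n' 'Port 22' 'X11Forwarding yes' 'PasswordAuthentication yes' \
    '# appended later:' 'X11Forwarding no' 'PasswordAuthentication no' \
    > "$demo/sshd_config.appended"
# Same intent done right: the values appear before any other occurrence, and
# the Match block below them does not change the global setting.
printf '%s\n' 'PasswordAuthentication no' 'X11Forwarding no' 'Port 22' \
    'Match User backup' '  X11Forwarding yes' > "$demo/sshd_config.fixed"

sshd_check "$demo/sshd_config.appended" || echo "=> appended lines are ignored; remove the earlier occurrences instead"
sshd_check "$demo/sshd_config.fixed" && echo "=> on a live host, sshd -T shows the same resolved values"
```

On the instance, `sshd -T` (as root) prints the configuration the running sshd has resolved and is the authoritative check; the script above is for reviewing a file before it is deployed, for example from an image build. Reload sshd after the change, and keep an existing session open while you confirm key-based login still works.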
High 1623439051011 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.14 Ensure nodev option set on home partition, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-bIBkI4oY 1.1.14 Ensure nodev option set on /home partition i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The nodev mount option specifies that the filesystem cannot contain special devices. Rationale Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. 9 Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051011
High 1623439053396 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.11 Ensure separate partition exists for varlog, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-0H1QCz3j 1.1.11 Ensure separate partition exists for /var/log i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The /var/log directory is used by system services to store log data. Rationale There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. 9 For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053396
High 1623439052341 Instance i-01aae074f79eaa71f is not compliant with rule 1.3.2 Ensure filesystem integrity is regularly checked, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-OvcrrcJj 1.3.2 Ensure filesystem integrity is regularly checked i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. Rationale Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion. 9 Run the following command:
# crontab -u root -e
Add the following line to the crontab:
0 5 * * * /usr/sbin/aide --check
cron delivers the job's output by local mail, so on a host without a working mailer a failed check is never seen by anyone; send the output to a log file or to logger(1) so it reaches whatever collects the instance's logs, and alert on a non-zero exit status.
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052341
High 1623439053688 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.2 Ensure separate partition exists for tmp, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-bxt2ssq1 1.1.2 Ensure separate partition exists for /tmp i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. 9 For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition for /tmp if not using tmpfs. Run the following commands to enable systemd /tmp mounting:
systemctl unmask tmp.mount
systemctl enable tmp.mount
Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount:
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid
That path is a symlink to the unit shipped under /usr/lib/systemd/system, which a systemd package update can overwrite; a drop-in created with systemctl edit tmp.mount (or a copy at /etc/systemd/system/tmp.mount) survives updates. Test noexec before rolling it out: installers and package scripts that unpack and run helpers from /tmp will fail with it set.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053688
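The partition findings above (1.1.2 /tmp, 1.1.11 /var/log, 1.1.14 nodev on /home) all reduce to the same question: does the mount point have its own fstab entry, and does that entry carry the required options? The check below answers it from an fstab file; it is an added example, not Inspector's or CIS's code. It assumes the host file is /etc/fstab (passed as an argument) and plain mount-point paths (the \040 octal escapes fstab uses for spaces are not decoded); the fstab in the demo is constructed. When /tmp is provided by the tmp.mount unit rather than fstab, this check reports a FAIL for /tmp that `findmnt /tmp` and `systemctl is-enabled tmp.mount` would contradict, so use those on such hosts.

```shell
#!/bin/sh
# Added example (not from the Inspector export or CIS): check mount points
# and mount options against an fstab file. The path is an argument; on the
# host it is /etc/fstab.

# fstab_options FSTAB MOUNTPOINT
# Print the mount options (4th field) of the entry for MOUNTPOINT, or
# nothing when there is no entry. A later duplicate entry overrides an
# earlier one, which is how mount(8) treats fstab. Assumption: mount points
# contain no escaped spaces (\040), which are not decoded here.
fstab_options() {
    awk -v mp="$2" '
        /^[ \t]*#/ { next }
        NF >= 4 && $2 == mp { opts = $4 }
        END { print opts }
    ' "$1"
}

# fstab_has_option FSTAB MOUNTPOINT OPTION: exit 0 if OPTION is set on the entry.
fstab_has_option() {
    fstab_options "$1" "$2" | tr ',' '\n' | grep -qx -- "$3"
}

# fstab_check FSTAB MOUNTPOINT [OPTION...]
# Exit 0 when MOUNTPOINT has its own entry (i.e. is a separate filesystem)
# and every listed option is present; print one line per check.
fstab_check() {
    fstab=$1; mp=$2; shift 2
    opts=$(fstab_options "$fstab" "$mp")
    if [ -z "$opts" ]; then
        echo "FAIL $mp: no fstab entry (not a separate filesystem)"
        return 1
    fi
    status=0
    for o in "$@"; do
        if fstab_has_option "$fstab" "$mp" "$o"; then
            echo "ok   $mp: $o"
        else
            echo "FAIL $mp: missing $o (options: $opts)"
            status=1
        fi
    done
    return $status
}

# Demo on a constructed fstab (UUIDs made up): /home is its own volume but
# lacks nodev, and there is no separate /tmp or /var/log.
demo=$(mktemp -d)
cat > "$demo/fstab" <<'EOF'
# <device>                                <mount>  <type> <options>                    <dump> <pass>
UUID=0f3b4c2a-1111-2222-3333-444455556666 /        xfs    defaults                     0 0
UUID=7a8b9c0d-1111-2222-3333-444455556666 /home    xfs    defaults                     0 0
tmpfs                                     /dev/shm tmpfs  defaults,nodev,nosuid,noexec 0 0
EOF
fstab_check "$demo/fstab" /home nodev                || echo "=> 1.1.14: add nodev and remount /home"
fstab_check "$demo/fstab" /tmp nodev nosuid noexec   || echo "=> 1.1.2: /tmp is on the root filesystem"
fstab_check "$demo/fstab" /var/log                   || echo "=> 1.1.11: /var/log is on the root filesystem"
```

fstab describes the configured state only; after editing it, `mount -o remount,nodev /home` applies the change and `findmnt -no OPTIONS /home` shows what the kernel actually has, which is what Inspector's agent looks at.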
Informational 1623439054205 Instance i-01aae074f79eaa71f is not compliant with rule 3.3.3 Ensure IPv6 is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-7rOwa40k 3.3.3 Ensure IPv6 is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6. Rationale If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system. Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
options ipv6 disable=1
This is the v2.2.0 wording. On CentOS 7 the IPv6 code is normally built into the kernel rather than loaded as a module (modinfo ipv6 reports "(builtin)"), so a modprobe.d option may have no effect; Red Hat's guidance for RHEL/CentOS 7 is to disable IPv6 with the sysctl net.ipv6.conf.all.disable_ipv6 = 1 (plus the default interface setting) or the kernel parameter ipv6.disable=1, and it warns that the module approach breaks software that expects the IPv6 stack, such as sshd X11 forwarding and rpcbind. Confirm nothing in the VPC or on the instance relies on IPv6 before disabling it.
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 NOT_SCORED 1623439054205
High 1623439055333 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.7 Ensure events that modify the systems Mandatory Access Controls are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-6S2n8lvN 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Monitor SELinux mandatory access controls. The parameter below monitors any write access (addition, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ directory. Rationale Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. 9 Add the following line to the /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055333
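The three auditd findings above (4.1.7 MAC-policy watch, 4.1.9 session files, 4.1.12 privileged commands) share one remediation shape: produce rule lines, then add only the ones an existing rules file lacks, so re-running after a package update does not duplicate rules. The script below does that; it is an added example, not CIS's or Inspector's code. Paths are arguments (on the host: the partitions to scan and a file under /etc/audit/rules.d/), and the setuid files and rules file in the demo are constructed. It reads file names line by line rather than through awk's $1, so a path containing a space survives, which the benchmark's one-liner mishandles.

```shell
#!/bin/sh
# Added example (not CIS's or Inspector's code): generate the auditd rules
# for 4.1.7, 4.1.9 and 4.1.12 and report which ones a rules file lacks.

# gen_privileged_rules DIR...
# Emit one "-a always,exit" rule per setuid/setgid executable found under the
# given filesystems (the 4.1.12 rule). Output is sorted so two runs on the
# same host produce identical text.
gen_privileged_rules() {
    find "$@" -xdev \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r path; do
        printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged"
    done
}

# watch_rules: the fixed -w rules from 4.1.7 and 4.1.9.
watch_rules() {
    printf '%s\n' \
        '-w /etc/selinux/ -p wa -k MAC-policy' \
        '-w /var/run/utmp -p wa -k session' \
        '-w /var/log/wtmp -p wa -k logins' \
        '-w /var/log/btmp -p wa -k logins'
}

# rules_missing RULESFILE
# Read candidate rules on stdin and print those not already in RULESFILE.
# Comparison ignores comments, blank lines and whitespace differences, so
# "-p wa  -k logins" and "-p wa -k logins" count as the same rule. A missing
# RULESFILE means every candidate is missing.
rules_missing() {
    if [ ! -r "$1" ]; then cat; return; fi
    awk '
        function norm(s) {
            sub(/#.*/, "", s); gsub(/[ \t]+/, " ", s)
            sub(/^ /, "", s); sub(/ $/, "", s); return s
        }
        mode == "" { have[norm($0)] = 1; next }        # first file: existing rules
        { n = norm($0); if (n != "" && !(n in have)) print }
    ' "$1" mode=candidate -
}

# Demo with constructed files: two fake setuid/setgid programs, one ordinary
# binary, and a rules file that already holds some of the rules.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/rules.d"
printf '#!/bin/sh\n' > "$demo/bin/passwd"; chmod 4755 "$demo/bin/passwd"  # setuid
printf '#!/bin/sh\n' > "$demo/bin/write";  chmod 2755 "$demo/bin/write"   # setgid
printf '#!/bin/sh\n' > "$demo/bin/ls";     chmod 0755 "$demo/bin/ls"      # must not appear
printf '%s\n' '-w /var/log/wtmp  -p wa -k logins' \
    "-a always,exit -F path=$demo/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" \
    > "$demo/rules.d/50-cis.rules"

echo "Rules still missing from 50-cis.rules:"
{ watch_rules; gen_privileged_rules "$demo/bin"; } | rules_missing "$demo/rules.d/50-cis.rules"
```

On the instance, append the missing lines to /etc/audit/rules.d/50-cis.rules and run `augenrules --load`; `auditctl -l` then lists what the kernel actually holds, which is what to compare against, since a rule that fails to load (for example a -F path= to a file that no longer exists) is skipped with a warning rather than applied.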
High 1623439051718 Instance i-01aae074f79eaa71f is not compliant with rule 3.3.1 Ensure IPv6 router advertisements are not accepted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-sEuOIFe4 3.3.1 Ensure IPv6 router advertisements are not accepted i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description This setting disables the system's ability to accept IPv6 router advertisements. Rationale It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes. 9 Set the following parameters in the /etc/sysctl.conf file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051718
High 1623439054021 Instance i-01aae074f79eaa71f is not compliant with rule 5.4.5 Ensure default user shell timeout is 900 seconds or less, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-Bd6u1RF1 5.4.5 Ensure default user shell timeout is 900 seconds or less i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds. Rationale Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. the user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. 9 Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit the TMOUT parameter as follows: TMOUT=600 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054021
High 1623439054618 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.6 Ensure mounting of squashfs filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-sxrSX0wT 1.1.1.6 Ensure mounting of squashfs filesystems is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image. Rationale Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. 9 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054618
High 1623439052569 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.3 Ensure SSH LogLevel is set to INFO, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-AIY6IYzW 5.2.3 Ensure SSH LogLevel is set to INFO i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The INFO parameter specifies that login and logout activity will be logged. Rationale SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. 9 Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052569
High 1623439051378 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.8 Ensure login and logout events are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-Qf0eXd4x 4.1.8 Ensure login and logout events are collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/lastlog maintains records of the last time a user successfully logged in. The /var/run/faillock directory maintains records of login failures via the pam_faillock module. Rationale Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. 9 Add the following lines to the /etc/audit/audit.rules file: -w /var/log/lastlog -p wa -k logins -w /var/run/faillock/ -p wa -k logins Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051378
High 1623439054335 Instance i-01aae074f79eaa71f is not compliant with rule 3.4.3 Ensure etchosts.deny is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-01lcV2H9 3.4.3 Ensure /etc/hosts.deny is configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file. Rationale The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the system. 9 Run the following command to create /etc/hosts.deny : # echo "ALL: ALL" >> /etc/hosts.deny Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054335
High 1623439051546 Instance i-01aae074f79eaa71f is not compliant with rule 5.3.3 Ensure password reuse is limited, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-wDIZnyee 5.3.3 Ensure password reuse is limited i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. Rationale Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password. Note that these changes only apply to accounts configured on the local system. 9 Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown: password sufficient pam_unix.so remember=5 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051546
High 1623439053515 Instance i-01aae074f79eaa71f is not compliant with rule 5.4.1.2 Ensure minimum days between password changes is 7 or more, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-dK07xbYR 5.4.1.2 Ensure minimum days between password changes is 7 or more i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that the PASS_MIN_DAYS parameter be set to 7 or more days. Rationale By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls. 9 Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 <user> Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053515
High 1623439054794 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.7 Ensure separate partition exists for vartmp, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-f9rjvQFL 1.1.7 Ensure separate partition exists for /var/tmp i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. 9 For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054794
High 1623439055279 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.15 Ensure SSH access is limited, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-H5dp2RJS 5.2.15 Ensure SSH access is limited i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description There are several options available to limit which users and groups can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. AllowGroups The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. DenyUsers The DenyUsers variable gives the system administrator the option of denying specific users the ability to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. DenyGroups The DenyGroups variable gives the system administrator the option of denying specific groups of users the ability to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. Rationale Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system. 9 Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows: AllowUsers <userlist> AllowGroups <grouplist> DenyUsers <userlist> DenyGroups <grouplist> Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055279
Informational 1623439054689 Instance i-01aae074f79eaa71f is not compliant with rule 3.5.4 Ensure TIPC is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-78yjEsO2 3.5.4 Ensure TIPC is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. Rationale If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface. Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install tipc /bin/true Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 NOT_SCORED 1623439054689
High 1623439052117 Instance i-01aae074f79eaa71f is not compliant with rule 3.2.2 Ensure ICMP redirects are not accepted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-bAinPvoc 3.2.2 Ensure ICMP redirects are not accepted i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables. Rationale Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured. 9 Set the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052117
High 1623439051654 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.3 Ensure auditing for processes that start prior to auditd is enabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-zQeY0lcS 4.1.3 Ensure auditing for processes that start prior to auditd is enabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. Rationale Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected. 9 Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1" Run the following command to update the grub2 configuration: # grub2-mkconfig > /boot/grub2/grub.cfg Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051654
Informational 1623439056386 On instance i-01aae074f79eaa71f, TCP port 80 which is associated with 'HTTP' is reachable from a Peered VPC FOD QA Single Server FOD QA Single Server Quick Network Reachability-1.1 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-3GTnXtax Recognized port with no listener reachable from a Peered VPC i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 On this instance, TCP port 80, which is associated with HTTP, is reachable from a Peered VPC with no process listening. The instance i-01aae074f79eaa71f is located in VPC vpc-1033c37e and has an attached ENI eni-09529e193cdc9a8bb which uses network ACL acl-ee33c380. The port is reachable from a Peered VPC through Security Group sg-eb55aaa3 and VPC Peering Connection pcx-eb34aa82 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 80 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd 1623439056386
Low 1623439056708 On instance i-01aae074f79eaa71f, process 'sshd' is listening on TCP port 22 which is associated with 'SSH' and is reachable from a Peered VPC FOD QA Single Server FOD QA Single Server Quick Network Reachability-1.1 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-TN92Q28G Recognized port with listener reachable from a Peered VPC i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 On this instance, TCP port 22, which is associated with SSH, is reachable from a Peered VPC with a process listening on the port. The process has name ‘sshd’, process id 1702, and uses binary /usr/sbin/sshd. The instance i-01aae074f79eaa71f is located in VPC vpc-1033c37e and has an attached ENI eni-09529e193cdc9a8bb which uses network ACL acl-ee33c380. The port is reachable from a Peered VPC through Security Group sg-eb55aaa3 and VPC Peering Connection pcx-02fbbf3a349b89e31 3 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 22 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd 1623439056708
High 1623439051998 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.13 Ensure successful file system mounts are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-EmYg5Fmc 4.1.13 Ensure successful file system mounts are collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user. Rationale It is highly unusual for a non-privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media are beyond the scope of this document. 9 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051998
High 1623439056086 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.6 Ensure SSH IgnoreRhosts is enabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-1CxMERJV 5.2.6 Ensure SSH IgnoreRhosts is enabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. Rationale Setting this parameter forces users to enter a password when authenticating with ssh. 9 Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439056086
High 1623439054756 Instance i-01aae074f79eaa71f is not compliant with rule 5.6 Ensure access to the su command is restricted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-MFRnynGq 5.6 Ensure access to the su command is restricted i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su. Rationale Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program. 9 Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid Create a comma separated list of users in the wheel statement in the /etc/group file: wheel:x:10:root,<user list> Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054756
High 1623439051103 Instance i-01aae074f79eaa71f is not compliant with rule 3.2.4 Ensure suspicious packets are logged, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-v8dMEi5l 3.2.4 Ensure suspicious packets are logged i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description When enabled, this feature logs packets with un-routable source addresses to the kernel log. Rationale Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system. 9 Set the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051103
Low 1623439056728 On instance i-01aae074f79eaa71f, process 'sshd' is listening on TCP port 22 which is associated with 'SSH' and is reachable from a Peered VPC FOD QA Single Server FOD QA Single Server Quick Network Reachability-1.1 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-KNyCJWNY Recognized port with listener reachable from a Peered VPC i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 On this instance, TCP port 22, which is associated with SSH, is reachable from a Peered VPC with a process listening on the port. The process has name ‘sshd’, process id 1702, and uses binary /usr/sbin/sshd. The instance i-01aae074f79eaa71f is located in VPC vpc-1033c37e and has an attached ENI eni-09529e193cdc9a8bb which uses network ACL acl-ee33c380. The port is reachable from a Peered VPC through Security Group sg-eb55aaa3 and VPC Peering Connection pcx-29479b40 3 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 22 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd 1623439056728
High 1623439051848 Instance i-01aae074f79eaa71f is not compliant with rule 5.1.6 Ensure permissions on etccron.monthly are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-KoHbFbza 5.1.6 Ensure permissions on /etc/cron.monthly are configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. 9 Run the following commands to set ownership and permissions on /etc/cron.monthly: # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051848
High 1623439051824 Instance i-01aae074f79eaa71f is not compliant with rule 3.6.3 Ensure loopback traffic is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-NfJmIXhl 3.6.3 Ensure loopback traffic is configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale Loopback traffic is generated between processes on the machine and is typically critical to the operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure. 9 Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051824
High 1623439054883 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.16 Ensure SSH warning banner is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-k7D4ESum 5.2.16 Ensure SSH warning banner is configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed. Rationale Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system. 9 Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054883
High 1623439052901 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.11 Ensure only approved ciphers are used, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-7dFDiVeq 5.2.11 Ensure only approved ciphers are used i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description This variable limits the types of ciphers that SSH can use during communication. Rationale Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBC) method. From that research, new Counter mode algorithms (as described in RFC 4344) were designed that are not vulnerable to these types of attacks, and these algorithms are now recommended for standard use. 9 Edit the /etc/ssh/sshd_config file to set the parameter as follows: Ciphers aes256-ctr,aes192-ctr,aes128-ctr Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052901
High 1623439054549 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.7 Ensure mounting of udf filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-CQhMPwZk 1.1.1.7 Ensure mounting of udf filesystems is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats. Rationale Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. 9 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054549
High 1623439055451 Instance i-01aae074f79eaa71f is not compliant with rule 6.2.9 Ensure users own their home directories, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-BRk6gs5u 6.2.9 Ensure users own their home directories i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The user home directory is space defined for the particular user to set local environment variables and to store personal files. Rationale Since the user is accountable for files stored in the user home directory, the user must be the owner of the directory. 9 Change the ownership of any home directories that are not owned by the defined user to the correct user. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055451
High 1623439055141 Instance i-01aae074f79eaa71f is not compliant with rule 1.5.1 Ensure core dumps are restricted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-iIymXw0c 1.5.1 Ensure core dumps are restricted i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user. Rationale Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core. 9 Add the following line to the /etc/security/limits.conf file or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in the /etc/sysctl.conf file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055141
High 1623439051587 Instance i-01aae074f79eaa71f is not compliant with rule 5.4.4 Ensure default user umask is 027 or more restrictive, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-ot9Um1ca 5.4.4 Ensure default user umask is 027 or more restrictive i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files ( .profile , .bashrc , etc.) in their home directories. Rationale Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. 9 Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051587
High 1623439051791 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.8 Ensure mounting of FAT filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-mG8EVqWp 1.1.1.8 Ensure mounting of FAT filesystems is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The FAT filesystem format is primarily used on older Windows systems and portable USB drives or flash modules. It comes in three types, FAT12, FAT16, and FAT32, all of which are supported by the vfat kernel module. Rationale Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. 9 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install vfat /bin/true Impact: FAT filesystems are often used on portable USB sticks and other flash media that are commonly used to transfer files between workstations; removing VFAT support may prevent the ability to transfer files in this way. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439051791
High 1623439053833 Instance i-01aae074f79eaa71f is not compliant with rule 2.2.1.2 Ensure ntp is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-GG0OWX1i 2.2.1.2 Ensure ntp is configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system. Rationale If ntp is in use on the system, proper configuration is vital to ensuring time synchronization is working properly. 9 Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server lines to /etc/ntp.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ' -u ntp:ntp ': OPTIONS="-u ntp:ntp" Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053833
High 1623439053026 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.1 Ensure mounting of cramfs filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-wMXSsO5u 1.1.1.1 Ensure mounting of cramfs filesystems is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image. Rationale Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it. 9 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053026
High 1623439052293 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.6 Ensure separate partition exists for /var, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-ATcegQWk 1.1.6 Ensure separate partition exists for /var i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. Rationale Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition. 9 For new installations, during installation create a custom partition setup and specify a separate partition for /var . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052293
Medium 1623439056782 Instance i-01aae074f79eaa71f is configured to allow users to log in with root credentials over SSH, without having to use a command authenticated by a public key. This increases the likelihood of a successful brute-force attack. FOD QA Single Server FOD QA Single Server Quick Security Best Practices-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-nMqU62gd Disable root login over SSH i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root. 6 To reduce the likelihood of a successful brute-force attack, we recommend that you configure your EC2 instance to prevent root account logins over SSH. To disable SSH root account logins, set PermitRootLogin to 'no' in /etc/ssh/sshd_config and restart sshd. When logged in as a non-root user, you can use sudo to escalate privileges when necessary. If you want to allow public key authentication with a command associated with the key, you can set PermitRootLogin to 'forced-commands-only'. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q 1623439056782
High 1623439053881 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.7 Ensure SSH HostbasedAuthentication is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-FM7sjM9y 5.2.7 Ensure SSH HostbasedAuthentication is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the use of .rhosts or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2. Rationale Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection. 9 Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053881
High 1623439050896 Instance i-01aae074f79eaa71f is vulnerable to CVE-2019-8912 FOD QA Single Server FOD QA Single Server Quick Common Vulnerabilities and Exposures-1.1 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-gOn3DVI5 CVE-2019-8912 i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr. 9 Use your Operating System's update feature to update package kernel-0:3.10.0-1160.31.1.el7. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8912 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1623439050896
High 1623439054260 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.4 Ensure mounting of hfs filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-YWJlDETK 1.1.1.4 Ensure mounting of hfs filesystems is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems. Rationale Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. 9 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054260
High 1623439053934 Instance i-01aae074f79eaa71f is not compliant with rule 5.4.2 Ensure system accounts are non-login, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-EvOv0zhx 5.4.2 Ensure system accounts are non-login i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description There are a number of accounts provided with CentOS 7 that are used to manage applications and are not intended to provide an interactive shell. Rationale It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default CentOS 7 sets the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to /sbin/nologin . This prevents the account from potentially being used to run any commands. 9 Set the shell for any accounts returned by the audit script to /sbin/nologin : # usermod -s /sbin/nologin <user> The following bash script (#!/bin/bash) will automatically set all user shells required to /sbin/nologin and lock the sync , shutdown , and halt users: for user in $(awk -F: '($3 < 1000) {print $1}' /etc/passwd); do if [ "$user" != "root" ]; then usermod -L "$user"; if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then usermod -s /sbin/nologin "$user"; fi; fi; done Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053934
High 1623439056148 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-xkkWFvcO 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems. Rationale Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. 9 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439056148
High 1623439052838 Instance i-01aae074f79eaa71f is not compliant with rule 3.3.2 Ensure IPv6 redirects are not accepted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-Z0e2BbHg 3.3.2 Ensure IPv6 redirects are not accepted i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic. Rationale It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes. 9 Set the following parameters in the /etc/sysctl.conf file: net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv6.route.flush=1 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052838
High 1623439054596 Instance i-01aae074f79eaa71f is not compliant with rule 4.2.1.3 Ensure rsyslog default file permissions configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-V4lkIHSH 4.2.1.3 Ensure rsyslog default file permissions configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. Rationale It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. 9 Edit the /etc/rsyslog.conf and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439054596
High 1623439052769 Instance i-01aae074f79eaa71f is not compliant with rule 5.4.1.1 Ensure password expiration is 90 days or less, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-3jknpnS2 5.4.1.1 Ensure password expiration is 90 days or less i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days. Rationale The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity. 9 Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs : PASS_MAX_DAYS 90 Modify user parameters for all users with a password set to match: # chage --maxdays 90 <user> Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052769
High 1623439056229 Instance i-01aae074f79eaa71f is not compliant with rule 5.1.3 Ensure permissions on /etc/cron.hourly are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-OObUwIl0 5.1.3 Ensure permissions on /etc/cron.hourly are configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. 9 Run the following commands to set ownership and permissions on /etc/cron.hourly : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439056229
High 1623439055684 Instance i-01aae074f79eaa71f is not compliant with rule 5.2.13 Ensure SSH Idle Timeout Interval is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-N5544o2u 5.2.13 Ensure SSH Idle Timeout Interval is configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When that number of consecutive client alive messages has been sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time. Rationale Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent. 9 Edit the /etc/ssh/sshd_config file to set the parameters as follows: ClientAliveInterval 300 ClientAliveCountMax 0 Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055684
High 1623439055031 Instance i-01aae074f79eaa71f is not compliant with rule 5.1.5 Ensure permissions on /etc/cron.weekly are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-vo3qCB9j 5.1.5 Ensure permissions on /etc/cron.weekly are configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. 9 Run the following commands to set ownership and permissions on /etc/cron.weekly : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055031
High 1623439052752 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.5 Ensure events that modify user/group information are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-Kam0UigS 4.1.5 Ensure events that modify user/group information are collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on the remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file. Rationale Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. 9 Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439052752
High 1623439055672 Instance i-01aae074f79eaa71f is not compliant with rule 1.4.1 Ensure permissions on bootloader config are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-O8nNCaYa 1.4.1 Ensure permissions on bootloader config are configured i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually located at /boot/grub2/grub.cfg and linked as /etc/grub2.conf. Rationale Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them. 9 Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055672
High 1623439055389 Instance i-01aae074f79eaa71f is not compliant with rule 4.1.10 Ensure discretionary access control permission modification events are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-izsLIFRp 4.1.10 Ensure discretionary access control permission modification events are collected i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod." Rationale Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. 9 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055389
Informational 1623439054050 Instance i-01aae074f79eaa71f is not compliant with rule 3.5.3 Ensure RDS is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-2EJ0Imek 3.5.3 Ensure RDS is disabled i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. Rationale If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface. Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install rds /bin/true Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 NOT_SCORED 1623439054050
High 1623439055176 Instance i-01aae074f79eaa71f is not compliant with rule 6.1.11 Ensure no unowned files or directories exist, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-ctjrqgfV 6.1.11 Ensure no unowned files or directories exist i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description Sometimes when administrators delete users from the password file they neglect to remove all files owned by those users from the system. Rationale A new user who is assigned the deleted user's user ID or group ID may then end up "owning" these files, and thus have more access on the system than was intended. 9 Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439055176
High 1623439053305 Instance i-01aae074f79eaa71f is not compliant with rule 1.1.17 Ensure noexec option set on /dev/shm partition, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. FOD QA Single Server FOD QA Single Server Quick CIS Operating System Security Configuration Benchmarks-1.0 arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5/finding/0-iaBbiSBx 1.1.17 Ensure noexec option set on /dev/shm partition i-01aae074f79eaa71f ami-00ecf57a qahobserver4b100 ec2-instance 10 Description The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system. 9 Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm Inspector arn:aws:inspector:us-east-1:133124267079:target/0-2ySrzz0j/template/0-bmzg5uDv/run/0-LTXQE8O5 arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 SCORED 1623439053305