TickYouOff

Amazon Linux 2023 STIG Hardening

Difficulty: Medium · 21 items · about 2 hours
Author: testuser · Published 1 month ago

This checklist translates the Amazon Linux 2023 STIG into practical, actionable tasks for system administrators and security teams. Use it to harden Amazon Linux hosts, meet DoD-aligned controls, and prepare systems for audits or scans.

Source: https://ncp.nist.gov/checklist/1313

  1. Apply all available OS updates and security patches — AL2023 pins a host to a release version, so run dnf check-release-update to see newer releases and dnf upgrade --releasever=latest (or a specific release) to take them; a plain dnf upgrade stays within the pinned release. Include kernel updates and reboot when a new kernel has been installed.
  2. Enable and configure automatic security updates — Install dnf-automatic, set upgrade_type = security and apply_updates = yes in /etc/dnf/automatic.conf, and enable dnf-automatic.timer; or use a managed patching solution. Test the schedule on non-production hosts first.
  3. Disable unused services and daemons — Group heading; items 4 to 6 carry it out.
  4. List active services and identify unneeded ones — Use systemctl list-units --type=service --state=running, then systemctl list-unit-files --state=enabled and systemctl list-units --type=socket,timer so that on-demand units are not missed.
  5. Stop and disable identified unused services — Use systemctl disable --now <unit> for services the host's role does not need; record the decision so the next audit does not reopen it.
  6. Mask services that must remain unavailable — systemctl mask links the unit to /dev/null, so no dependency, socket activation or administrator mistake can start it; use it for services a role must never run.
  7. Secure SSH configuration — Group heading; items 8 to 10 carry it out. Check effective values with sshd -T rather than grepping, because drop-ins under /etc/ssh/sshd_config.d/ are included and sshd keeps the first value it reads for each keyword.
  8. Disable root SSH login — Set PermitRootLogin no in /etc/ssh/sshd_config; administrators log in as an unprivileged user and escalate with sudo.
  9. Enforce key-based authentication and disable password auth — Set PasswordAuthentication no and KbdInteractiveAuthentication no (with the latter left at yes, PAM can still prompt for a password over keyboard-interactive), deploy authorized_keys for admins, validate with sshd -t, and keep an existing session open while restarting sshd.
  10. Restrict SSH algorithms and ciphers to an approved list — The Protocol directive is obsolete (OpenSSH has spoken only protocol 2 since 7.4); instead set Ciphers, MACs and KexAlgorithms explicitly, or rely on the system-wide crypto policy (update-crypto-policies), and confirm the effective lists with sshd -T.
  11. Configure a host firewall to restrict inbound traffic — Use firewalld (not installed by default on AL2023) or nftables directly; allow only required ports and sources, and treat EC2 security groups as a complement, not a replacement.
  12. Configure and enable auditd to capture security events — Put rules in /etc/audit/rules.d/*.rules (augenrules compiles them at start), verify with auditctl -l, set space_left_action, disk_full_action and rotation in /etc/audit/auditd.conf, and retain logs per policy.
  13. Configure centralized logging or forward logs to a SIEM — Use rsyslog with TLS forwarding (omfwd) or the CloudWatch agent so logs survive host compromise or termination and meet retention requirements.
  14. Enforce strong password and account policies — Set minlen and character-class rules in /etc/security/pwquality.conf, enable pam_faillock lockout through authselect, and set PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs; login.defs only affects new accounts, so apply chage to existing ones.
  15. Disable or remove unnecessary packages — Use dnf remove for packages the role does not need and review rpm -qa periodically to keep the attack surface small.
  16. Set secure permissions on /etc/passwd and /etc/shadow — /etc/passwd must be root:root 0644; /etc/shadow and /etc/gshadow must be root:root with mode 0000 (the distribution default; nothing looser). Verify with stat -c '%U:%G %a'.
  17. Disable unused kernel modules and apply sysctl hardening — Block unneeded modules with install <module> /bin/false lines in /etc/modprobe.d/, persist sysctl settings in /etc/sysctl.d/ (for example net.ipv4.ip_forward = 0 unless the host routes or runs containers, net.ipv4.conf.all.accept_redirects = 0, net.ipv4.conf.all.send_redirects = 0, net.ipv4.conf.all.rp_filter = 1, kernel.randomize_va_space = 2), apply with sysctl --system and confirm the live values match the files.
  18. Find and review SUID/SGID binaries — Locate them with find / -xdev -type f -perm /6000, keep an approved baseline, and on each review justify or strip (chmod u-s,g-s) anything not on it.
  19. Enable FIPS mode or apply approved crypto policies — Only if policy requires it. On AL2023 install crypto-policies-scripts, run fips-mode-setup --enable, reboot, and verify with fips-mode-setup --check; this changes the system crypto policy, so test applications for compatibility.
  20. Ensure time synchronization is configured and secured — AL2023 ships chrony pointed at the Amazon Time Sync Service (169.254.169.123); restrict the server lines in /etc/chrony.conf to approved sources, check chronyc tracking and chronyc sources, and enable rtcsync if the policy requires it.
  21. Run vulnerability scans and record findings — Install openscap-scanner and scap-security-guide, run oscap xccdf eval with the STIG profile against /usr/share/xml/scap/ssg/content/ssg-al2023-ds.xml (or an authorized scanner), keep the reports, and remediate high-risk findings first.
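As an added example (not part of the NIST checklist or this page's own text), the bash helpers below make the SSH items (8 to 10), the permission item (16), the sysctl item (17) and the SUID/SGID item (18) checkable as read-only, scriptable audits. They assume the AL2023 userland (GNU stat, find, awk, comm; sshd -T available) and root for the live checks; the approved cipher and MAC lists are placeholders to replace with your own policy, and the paths /etc/sysctl.d/99-stig.conf and /etc/security/setid-baseline.txt mentioned in the comments are assumed names. Each helper takes its input as an argument, so it can be dry-run against fixture files.

```shell
#!/usr/bin/env bash
# Read-only audit helpers for the checklist items above. Added example, not code from
# the STIG or the checklist author. Assumes AL2023 userland and root for live checks;
# every helper takes its input as an argument so it can be tried on fixture files.
set -u

# Placeholder allow-lists: replace with the algorithms your policy approves.
: "${APPROVED_CIPHERS:=aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr}"
: "${APPROVED_MACS:=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256}"

# Dump the *effective* sshd settings as lower-cased "key value" lines. sshd -T resolves
# Include drop-ins and the first-value-wins rule, which grepping sshd_config does not.
sshd_effective_config() { sshd -T 2>/dev/null | tr 'A-Z' 'a-z'; }

# sshd_setting FILE KEY -> value of KEY in an sshd -T dump (lower-cased), empty if absent
sshd_setting() {
  awk -v k="$2" 'tolower($1)==k { print tolower($2); exit }' "$1"
}

# sshd_disallowed FILE KEY CSV -> entries of the comma-separated KEY value not in CSV
sshd_disallowed() {
  local v
  v=$(sshd_setting "$1" "$2")
  [ -n "$v" ] || { echo "(unset)"; return 0; }
  echo "$v" | tr ',' '\n' | while read -r item; do
    case ",$3," in *",$item,"*) ;; *) echo "$item" ;; esac
  done
}

# audit_sshd FILE -> prints one line per failed check; exit status is the failure count
audit_sshd() {
  local cfg=$1 fails=0 v key allowed bad
  v=$(sshd_setting "$cfg" permitrootlogin)
  [ "$v" = no ] || { echo "sshd: PermitRootLogin is '${v:-unset}', want no"; fails=$((fails+1)); }
  v=$(sshd_setting "$cfg" passwordauthentication)
  [ "$v" = no ] || { echo "sshd: PasswordAuthentication is '${v:-unset}', want no"; fails=$((fails+1)); }
  for key in ciphers macs; do
    [ "$key" = ciphers ] && allowed=$APPROVED_CIPHERS || allowed=$APPROVED_MACS
    bad=$(sshd_disallowed "$cfg" "$key" "$allowed" | tr '\n' ' ')
    [ -z "$bad" ] || { echo "sshd: $key outside approved list: $bad"; fails=$((fails+1)); }
  done
  return "$fails"
}

# file_mode_within PATH MAXMODE -> success if no permission bit outside octal MAXMODE is
# set, e.g. file_mode_within /etc/shadow 0000 or file_mode_within /etc/passwd 0644
file_mode_within() {
  local mode max
  mode=$(printf '%d' "0$(stat -c '%a' "$1")") || return 2
  max=$(printf '%d' "0$2")
  [ $(( mode & ~max )) -eq 0 ]
}

# file_owned_by PATH USER:GROUP -> success if ownership matches exactly
file_owned_by() { [ "$(stat -c '%U:%G' "$1")" = "$2" ]; }

# sysctl_persisted FILE KEY -> value of the last "KEY = value" line in a sysctl.d file
sysctl_persisted() {
  awk -F'=' -v k="$2" '
    /^[[:space:]]*[#;]/ || NF < 2 { next }
    { key=$1; gsub(/[[:space:]]/, "", key); if (key == k) v=$2 }
    END { gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v }' "$1"
}

# sysctl_matches FILE KEY EXPECTED -> success only if the persisted file AND the running
# kernel both hold EXPECTED; drift between the two is itself a finding
sysctl_matches() {
  [ "$(sysctl_persisted "$1" "$2")" = "$3" ] && [ "$(sysctl -n "$2")" = "$3" ]
}

# list_setid_files DIR -> sorted SUID/SGID regular files under DIR (same filesystem only)
list_setid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# unexpected_setid DIR BASELINE -> set-id files on disk that the approved BASELINE file
# (one path per line) does not list; justify each or strip the bit with chmod u-s,g-s
unexpected_setid() {
  local found
  found=$(mktemp)
  list_setid_files "$1" > "$found"
  LC_ALL=C sort -u "$2" | LC_ALL=C comm -23 "$found" -
  rm -f "$found"
}

# Live use on the host as root (assumed file names):
#   sshd_effective_config > /tmp/sshd.eff && audit_sshd /tmp/sshd.eff
#   file_owned_by /etc/shadow root:root && file_mode_within /etc/shadow 0000
#   sysctl_matches /etc/sysctl.d/99-stig.conf net.ipv4.ip_forward 0
#   unexpected_setid / /etc/security/setid-baseline.txt
```

Source the file and call the helpers from a cron job or your configuration management's audit stage; a non-zero exit from audit_sshd, or any output from unexpected_setid, is a finding to record against the checklist item. sysctl_matches deliberately checks both the persisted file and the running kernel, because a correct file that was never applied (or a live value that a later drop-in overrode) is the drift an auditor will actually catch.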