
Purpose

This document serves as a reference for tracking approved compliance deviations for the Amazon Linux 2023 non-EKS AMI in QNET Cloud.

Audit Policy

Policy Name: CIS Amazon 2023 Benchmark v1.0.0 - 26-06-2023
STIG Version: Amazon Linux 2023 Server CIS L1/L2 v1.0.0
URL: https://www.tenable.com/audits/CIS_Amazon_Linux_2023_v1.0.0_L1_Server
Last Compliance Reviewed Date:
Last Updated in Tenable:

Table

Columns of the deviation table:
Plug-In / Finding ID
Risk/Severity Level
Systems Impacted (all instances, web instances only, etc.)
CIS or DISA Title
Overview of the Risk (from Tenable scan)
Operational/Business Impact (describe the impact to the business if the check is not turned off)
Technical Issues (describe the technical issues that are caused by this control being in place)
Mitigating/Compensating Controls (describe what additional steps, processes or features have been put in place to provide the same security level)
ISSO Approval & Date

One entry per row follows; each cell is given after its column name.
Plug-In / Finding ID: 1012926
Risk/Severity Level: High
Systems Impacted: All Instances
CIS or DISA Title: 5.1.1.6 Ensure rsyslog is configured to send logs to a remote log host
Overview of the Risk:
Information:
RSyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management.
Rationale:
Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
Steps to Remediate
Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address.
*.* action(type='omfwd' target='192.168.2.100' port='514' protocol='tcp' action.resumeRetryCount='100' queue.type='LinkedList' queue.size='1000')
Run the following command to reload the rsyslogd configuration:
# systemctl restart rsyslog
Operational/Business Impact: In our build job, we have configured the Splunk client to capture the logs, and the logs are captured under the /var/log/splunkcontrol.log directory. We use the Splunk client to forward the logs to the Splunk log server.
Technical Issues: We use the Splunk client to send logs to the Splunk log server.
Mitigating/Compensating Controls: No compensating control; Splunk is utilized.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

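Whether a host forwards logs off-box is the point of this control, and the accepted deviation above relies on the Splunk forwarder rather than rsyslog. The following shell script is an added example, not from the register, CIS, Tenable or rsyslog: it lists the remote targets an rsyslog configuration forwards to, handling both the RainerScript omfwd action quoted in the remediation text and the legacy "@@host:port" shorthand, and skipping commented-out lines. The config tree it reads is constructed in a temporary directory; loghost.example.com and 192.0.2.10 are placeholder targets.

```shell
#!/bin/sh
# Added example (not from the register, CIS, Tenable or rsyslog): enumerate remote
# forwarding targets in an rsyslog config tree. Everything read is constructed below.

make_sample_rsyslog_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/rsyslog.d"
  cat > "$dir/rsyslog.conf" <<'EOF'
# constructed: local rules only, plus a commented-out forward that must be ignored
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
# *.* @@disabled.example.com:514
EOF
  cat > "$dir/rsyslog.d/10-remote.conf" <<'EOF'
# constructed: the CIS-style action with a placeholder target
*.* action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp" action.resumeRetryCount="100" queue.type="LinkedList" queue.size="1000")
EOF
  cat > "$dir/rsyslog.d/20-legacy.conf" <<'EOF'
# constructed: legacy shorthand, still accepted by rsyslog
auth.* @@192.0.2.10:514
EOF
  echo "$dir"
}

# Print every forwarding target in DIR/rsyslog.conf and DIR/rsyslog.d/*.conf,
# one per line, de-duplicated. Comment lines are skipped.
rsyslog_remote_targets() {
  for f in "$1/rsyslog.conf" "$1"/rsyslog.d/*.conf; do
    [ -f "$f" ] || continue
    awk -v q="'" '
      /^[ \t]*#/ { next }
      # RainerScript form: action(type="omfwd" ... target="host" ...)
      $0 ~ ("type=[\"" q "]omfwd[\"" q "]") && match($0, "target=[\"" q "][^\"" q "]+[\"" q "]") {
        print substr($0, RSTART + 8, RLENGTH - 9); next
      }
      # legacy form: selector @host or @@host[:port]
      /[ \t]@@?[^ \t]/ { sub(/.*[ \t]@@?/, ""); sub(/[ \t:;].*$/, ""); print }
    ' "$f"
  done | sort -u
}

# Exit status 0 when at least one remote target is configured (the intent of 5.1.1.6).
rsyslog_forwards_remotely() {
  [ -n "$(rsyslog_remote_targets "$1")" ]
}

tree=$(make_sample_rsyslog_tree)
echo "forwarding targets:"
rsyslog_remote_targets "$tree"
rm -rf "$tree"
```

Run against a real host by pointing rsyslog_remote_targets at /etc; an empty result means nothing leaves the box through rsyslog, which is exactly the case this row documents, so the Splunk forwarder's own configuration has to be checked instead.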
Plug-In / Finding ID: 1007851
Risk/Severity Level: Medium
Systems Impacted: All Instances
CIS or DISA Title: 1.2.1 Ensure GPG keys are configured
Overview of the Risk:
Information: The RPM Package Manager implements GPG key signing to verify package integrity during and after installation.

Rationale:

It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system. To this end, verify that GPG keys are configured correctly for your system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Result: WARNING

Actual Value: All of the following must pass to satisfy this requirement:

-------------------------
WARNING - Manual Review Required - List all GPG key URLs
The command '/usr/bin/grep -r gpgkey /etc/yum.repos.d/* /etc/dnf/dnf.conf' returned :

/etc/yum.repos.d/amazonlinux.repo:gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
/etc/yum.repos.d/amazonlinux.repo:gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
/etc/yum.repos.d/amazonlinux.repo:gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
/etc/yum.repos.d/kernel-livepatch.repo:gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
/etc/yum.repos.d/kernel-livepatch.repo:gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
/etc/yum.repos.d/newrelic-infra.repo:gpgkey=https://download.newrelic.com/infrastructure_agent/keys/newrelic_rpm_key_current.gpg

-------------------------
WARNING - Manual Review Required - List installed GPG keys
The command 'for RPM_PACKAGE in $(rpm -q gpg-pubkey); do echo "RPM: ${RPM_PACKAGE}"; RPM_SUMMARY=$(rpm -q --queryformat "%{SUMMARY}" "${RPM_PACKAGE}"); RPM_PACKAGER=$(rpm -q --queryformat "%{PACKAGER}" "${RPM_PACKAGE}"); RPM_DATE=$(date +%Y-%m-%d -d "1970-1-1+$((0x$(rpm -q --queryformat "%{RELEASE}" "${RPM_PACKAGE}") ))sec"); RPM_KEY_ID=$(rpm -q --queryformat "%{VERSION}" "${RPM_PACKAGE}"); echo "Packager: ${RPM_PACKAGER}" && echo "Summary: ${RPM_SUMMARY}" && echo "Creation date: ${RPM_DATE}" && echo "Key ID: ${RPM_KEY_ID}" && echo ""; done' returned :

RPM: gpg-pubkey-d832c631-6515c85e
Packager: Amazon Linux <amazon-linux@amazon.com>
Summary: Amazon Linux <amazon-linux@amazon.com> public key
Creation date: 2023-09-28
Key ID: d832c631

RPM: gpg-pubkey-798bc818-649dd305
Packager: CrowdStrike, Inc. (falcon-sensor installer key) <support@crowdstrike.com>
Summary: CrowdStrike, Inc. (falcon-sensor installer key) <support@crowdstrike.com> public key
Creation date: 2023-06-29
Key ID: 798bc818

RPM: gpg-pubkey-8ecce87c-5810f0da
Packager: infrastructure-eng <infrastructure-eng@newrelic.com>
Summary: infrastructure-eng <infrastructure-eng@newrelic.com> public key
Creation date: 2016-10-26
Key ID: 8ecce87c

-------------------------
WARNING - Manual Review Required - Query locally available GPG keys
The command 'for PACKAGE in $(find /etc/pki/rpm-gpg/ -type f -exec rpm -qf {} \; | sort -u); do rpm -q --queryformat "%{NAME}-%{VERSION} %{PACKAGER} %{SUMMARY}\n" "${PACKAGE}"; done' returned :

system-release-2023.4.20240416 Amazon Linux Amazon Linux release files

Policy Value: WARNING

Solution: Update your package manager GPG keys in accordance with site policy.
Operational/Business Impact: No changes necessary.
Technical Issues: The required settings have already been configured. Nessus expects manual review of the configuration.
Mitigating/Compensating Controls: No mitigation necessary, as the repository is configured as expected.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012542
Risk/Severity Level: Medium
Systems Impacted: All Instances
CIS or DISA Title: 1.2.3 Ensure package manager repositories are configured
Overview of the Risk:
Information: Systems need to have the respective package manager repositories configured to ensure that the system is able to receive the latest patches and updates.

Rationale:

If a system's package repositories are misconfigured, important patches may not be identified or a rogue repository could introduce compromised software.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Result: WARNING

Actual Value: The command '/usr/bin/dnf repolist' returned :

repo id repo name
amazonlinux Amazon Linux 2023 repository
kernel-livepatch Amazon Linux 2023 Kernel Livepatch repository
newrelic-infra New Relic Infrastructure

Policy Value: cmd: /usr/bin/dnf repolist
expect: Manual Review Required
system: Linux

Solution: Configure your package manager repositories according to site policy.
Operational/Business Impact: No changes necessary.
Technical Issues: The required settings have already been configured for the amazonlinux, kernel-livepatch and newrelic-infra repositories. Nessus expects manual review of the configuration.
Mitigating/Compensating Controls: No mitigation necessary, as the repositories are configured as expected.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012879
Risk/Severity Level: High
Systems Impacted: All Instances
CIS or DISA Title: 1.2.4 Ensure repo_gpgcheck is globally activated
Overview of the Risk:
Information: The repo_gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, will perform a GPG signature check on the repodata.

Rationale:
It is important to ensure that the repository data signature is always checked prior to installation to ensure that the software is not tampered with in any way.

Impact:
Not all repositories, notably RedHat, support repo_gpgcheck. Take care to set this value to false (default) for particular repositories that do not support it. If enabled on repositories that do not support repo_gpgcheck installation of packages will fail.

Policy:
FAILED

Output
All of the following must pass to satisfy this requirement:

-------------------------
PASSED - Global configuration
Compliant file(s):
/etc/dnf/dnf.conf - regex '^[\s]*repo_gpgcheck[\s]*=' found - expect '^[\s]*repo_gpgcheck[\s]*=[\s]*1[\s]*$' found in the following lines:
9: repo_gpgcheck=1

-------------------------
FAILED - Per repository configuration
The command script with multiple lines returned :

/etc/yum.repos.d/amazonlinux.repo
/etc/yum.repos.d/kernel-livepatch.repo
Fail
Operational/Business Impact: By default, repo_gpgcheck is disabled on the repositories provided with the base AMI from AWS. Enabling repo_gpgcheck on the default repos prevented the host from downloading and receiving updates. This is a known issue, tracked in the outstanding issues for AL2023: https://github.com/amazonlinux/amazon-linux-2023/issues/336
Technical Issues: The required settings have already been configured. As per AWS, the default repos do not have metadata signing enabled at this time. The packages themselves are signed, and communication with the repos is done via HTTPS.
Mitigating/Compensating Controls: GPG check is enabled on the other repos and in the dnf config:

cat /etc/dnf/dnf.conf
[main]
gpgcheck=True
installonly_limit=3
clean_requirements_on_remove=True
best=False
skip_if_unavailable=True
repo_gpgcheck=1

ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

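The deviation above rests on the distinction between package signing (gpgcheck) and metadata signing (repo_gpgcheck), and on a repo-level value overriding the global one in dnf.conf. The following shell script is an added example, not from the register, AWS, CIS or Tenable: it parses a dnf.conf and the .repo files, applies the global default to every repository that does not set its own value, and lists the repositories where either check is effectively off. The files it reads are constructed in a temporary directory to mirror the values quoted in this row; it never touches the real /etc/dnf or /etc/yum.repos.d.

```shell
#!/bin/sh
# Added example (not from the register, AWS, CIS or Tenable): report which repositories
# skip package or metadata signature checks once the global dnf.conf default is applied.
# Everything read is constructed here to mirror this row of the register.

# Build the scratch tree (dnf/dnf.conf + yum.repos.d/*.repo) and print its path.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/dnf" "$dir/yum.repos.d"
  printf '[main]\ngpgcheck=True\nrepo_gpgcheck=1\n' > "$dir/dnf/dnf.conf"
  # constructed: AWS default repo, packages signed but metadata signing off
  printf '[amazonlinux]\nname=Amazon Linux 2023 repository\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=0\n' \
    > "$dir/yum.repos.d/amazonlinux.repo"
  # constructed: third-party repo that inherits the global repo_gpgcheck=1
  printf '[newrelic-infra]\nname=New Relic Infrastructure\nenabled=1\ngpgcheck=1\n' \
    > "$dir/yum.repos.d/newrelic-infra.repo"
  echo "$dir"
}

# Raw value of KEY ($1) in dnf.conf ($2); prints nothing when the key is absent.
global_value() {
  awk -F= -v k="$1" '$1 ~ ("^[ \t]*" k "[ \t]*$") { gsub(/[ \t]/, "", $2); print $2 }' "$2"
}

# One line "repo gpgcheck repo_gpgcheck" (each 0 or 1) per [section] of FILE ($1).
# $2/$3 are the global gpgcheck/repo_gpgcheck values; a repo-level key overrides them,
# and an unset key (global or local) counts as off.
repo_settings() {
  awk -v g_gpg="$2" -v g_rgpg="$3" '
    function on(v) { v = tolower(v); return (v == "1" || v == "true" || v == "yes") ? 1 : 0 }
    function flush() { if (repo != "") printf "%s %d %d\n", repo, gpg, rgpg }
    /^\[.*\]$/ { flush(); repo = substr($0, 2, length($0) - 2); gpg = on(g_gpg); rgpg = on(g_rgpg) }
    /^[ \t]*gpgcheck[ \t]*=/      { sub(/^[^=]*=[ \t]*/, ""); gpg  = on($0) }
    /^[ \t]*repo_gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); rgpg = on($0) }
    END { flush() }' "$1"
}

# Space-separated repos under ROOT ($1) whose SETTING ($2: gpgcheck or repo_gpgcheck) is off.
repos_with_setting_off() {
  root=$1
  if [ "$2" = gpgcheck ]; then col=2; else col=3; fi
  g_gpg=$(global_value gpgcheck "$root/dnf/dnf.conf")
  g_rgpg=$(global_value repo_gpgcheck "$root/dnf/dnf.conf")
  for f in "$root"/yum.repos.d/*.repo; do
    repo_settings "$f" "$g_gpg" "$g_rgpg"
  done | awk -v c="$col" '$c == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

tree=$(make_sample_tree)
echo "package signature check off:  [$(repos_with_setting_off "$tree" gpgcheck)]"
echo "metadata signature check off: [$(repos_with_setting_off "$tree" repo_gpgcheck)]"
rm -rf "$tree"
```

On the sample tree the first list is empty and the second is amazonlinux, which is the situation the row describes: the global repo_gpgcheck=1 that Tenable reports as PASSED does not reach a repository that sets repo_gpgcheck=0 itself, so the per-repository view is the one worth reviewing.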
Plug-In / Finding ID: 1009609
Risk/Severity Level: High
Systems Impacted: All Instances
CIS or DISA Title: 1.6.1.6 Ensure no unconfined services exist
Overview of the Risk:
Information: Unconfined processes run in unconfined domains

Rationale:

For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them

Result: FAILED

Actual Value: The command '/usr/bin/ps -eZ | /usr/bin/grep unconfined_service_t | /usr/bin/awk -F: '{ print $NF } END {if (NR == 0) print "none"}'' returned :

00 systemd-inhibit
02 amazon-cloudwat
00 newrelic-infra-
00 acpid
02 newrelic-infra
00 amazon-ssm-agen
00 ds_agent
00 ssm-agent-worke
00 falcond
27 falcon-sensor-b
47 ds_agent
00 ds_am
24 ds_am
01 splunkd
00 splunkd

Policy Value: cmd: /usr/bin/ps -eZ | /usr/bin/grep unconfined_service_t | /usr/bin/awk -F: '{ print $NF } END {if (NR == 0) print "none"}'
expect: none
system: Linux

Solution: Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
Operational/Business Impact: All the processes in question are related to the cloud environment.
Technical Issues: The agents listed in the report are all valid running daemons, and there are no SELinux policies provided by the vendors. Trend Micro and CrowdStrike must not be confined, in order to maintain the functionality of the agents.
Mitigating/Compensating Controls: No mitigation necessary; the processes listed are all legitimate.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012581
Risk/Severity Level: High
Systems Impacted: All Instances
CIS or DISA Title: 2.1.2 Ensure chrony is configured
Overview of the Risk:
Information: chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server.

Rationale:

If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

Result: FAILED

Actual Value: The file "/etc/chrony.conf" does not contain "^[\s]*(server|pool)[\s]+10.0.0.2"

Policy Value: expect: ^[\s]*(server|pool)[\s]+10.0.0.2
file: /etc/chrony.conf
regex: ^[\s]*(server|pool)[\s]+10.0.0.2
system: Linux

Solution: Add or edit server or pool lines to file ending in .conf in the /etc/chrony.d as appropriate:
Example:

server <remote-server>
Operational/Business Impact: The check is looking for specific IP addresses for the time servers.
Technical Issues: The chrony source settings are configured as recommended by AWS, and the config pulls all sources from the /run/chrony.d/*.sources files:

$ cat /run/chrony.d/link-local-ipv4.sources
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html
server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4

Mitigating/Compensating Controls: None.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

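The scanner's regex runs over /etc/chrony.conf alone, while the actual source on these hosts is declared in a file under a sourcedir, which is why the check fails although time is synchronised. The following shell script is an added example, not from the register, AWS, CIS, Tenable or chrony: it enumerates the server/pool addresses chrony would use by reading the main file and then every *.sources file in each sourcedir, and contrasts that with the main-file-only regex. The config tree is constructed in a temporary directory; the assumption that chrony.conf reaches /run/chrony.d through a sourcedir directive is taken from the register's description, and 10.0.0.2 is only the scanner's expected address.

```shell
#!/bin/sh
# Added example (not from the register, AWS, CIS, Tenable or chrony): list the time
# sources chrony will use, following sourcedir directives. Config is constructed below.

make_sample_chrony_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/run/chrony.d" "$dir/etc/chrony.d"
  # constructed main file: no server/pool lines, sources delegated to sourcedir
  # (assumed layout; paths are absolute because chrony resolves them itself)
  cat > "$dir/chrony.conf" <<EOF
driftfile /var/lib/chrony/drift
sourcedir $dir/run/chrony.d
sourcedir $dir/etc/chrony.d
EOF
  # constructed copy of the .sources file quoted in the register
  cat > "$dir/run/chrony.d/link-local-ipv4.sources" <<'EOF'
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html
server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
EOF
  echo "$dir"
}

# Print server/pool addresses declared in FILE ($1); comments and other directives ignored.
sources_in_file() {
  awk '/^[ \t]*(server|pool)[ \t]+/ { print $2 }' "$1"
}

# Print every address chrony would use: the main file plus *.sources in each sourcedir.
chrony_sources() {
  conf=$1
  sources_in_file "$conf"
  for d in $(awk '/^[ \t]*sourcedir[ \t]+/ { print $2 }' "$conf"); do
    for f in "$d"/*.sources; do
      if [ -f "$f" ]; then sources_in_file "$f"; fi
    done
  done
}

# What the scan did: a regex over the main file only (ADDR in $2 is used as a pattern).
naive_has_source() { grep -Eq "^[[:space:]]*(server|pool)[[:space:]]+$2" "$1"; }

# What a reviewer should do: consult the expanded source list for an exact match.
chrony_has_source() { chrony_sources "$1" | grep -qx "$2"; }

tree=$(make_sample_chrony_tree)
echo "expanded sources: $(chrony_sources "$tree/chrony.conf" | tr '\n' ' ')"
rm -rf "$tree"
```

On a live host, chrony_sources /etc/chrony.conf gives the list to compare with site policy; chronyc sources would show the same servers from the running daemon's point of view, which is a useful second check when the files and the process might disagree.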
Plug-In / Finding ID: 1012628
Risk/Severity Level: Medium
Systems Impacted: All Instances
CIS or DISA Title: 2.4 Ensure nonessential services listening on the system are removed or masked
Overview of the Risk:
Information: A network port is identified by its number, the associated IP address, and the type of the communication protocol such as TCP or UDP.

A listening port is a network port on which an application or process listens on, acting as a communication endpoint.

Each listening port can be open or closed (filtered) using a firewall. In general terms, an open port is a network port that accepts incoming packets from remote locations.

Rationale:

Services listening on the system pose a potential risk as an attack vector. These services should be reviewed, and if not required, the service should be stopped, and the package containing the service should be removed. If required packages have a dependency, the service should be stopped and masked to reduce the attack surface of the system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Result: WARNING

Actual Value: The command '/usr/sbin/ss -plntu' returned :


Policy Value: cmd: /usr/sbin/ss -plntu
expect: Manual Review Required
system: Linux
Operational/Business Impact: No changes necessary.
Technical Issues: The services identified are legitimate. Nessus expects manual review of the configuration.
Mitigating/Compensating Controls: None.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012631
Risk/Severity Level: Medium
Systems Impacted: All Instances
CIS or DISA Title: 3.1.1 Ensure IPv6 status is identified
Overview of the Risk:
Information: Internet Protocol Version 6 (IPv6) is the most recent version of Internet Protocol (IP). It's designed to supply IP addressing and additional security to support the predicted growth of connected devices. IPv6 is based on 128-bit addressing and can support 340 undecillion addresses, which is 340 followed by 36 zeroes.

Features of IPv6
Hierarchical addressing and routing infrastructure
Stateful and Stateless configuration
Support for quality of service (QoS)
An ideal protocol for neighboring node interaction

Impact:

IETF RFC 4038 recommends that applications are built with an assumption of dual stack.
When enabled, IPv6 will require additional configuration to reduce risk to the system.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Result: WARNING

Actual Value: Non-compliant file(s):
/sys/module/ipv6/parameters/disable - regex '.*' found - expect 'Manual Review Required' not found in the following lines:
1: 0

Policy Value: expect: Manual Review Required
file: /sys/module/ipv6/parameters/disable
regex: .*
system: Linux

Solution: Enable or disable IPv6 in accordance with system requirements and local site policy

Default Value:

IPv6 is enabled
Operational/Business Impact: No changes necessary.
Technical Issues: The required settings have already been configured for IPv6, which is enabled by default on the AMI from AWS Marketplace. Nessus expects IPv6 to be set to disabled if it is not implemented.
Mitigating/Compensating Controls: No mitigation necessary, as IPv6 is enabled.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012566
Risk/Severity Level: Medium
Systems Impacted: All Instances
CIS or DISA Title: 3.4.2.5 Ensure firewalld drops unnecessary services and ports
Overview of the Risk:
Information: Services and ports can be accepted or explicitly rejected or dropped by a zone.

For every zone, you can set a default behavior that handles incoming traffic that is not further specified. Such behavior is defined by setting the target of the zone. There are three options - default, ACCEPT, REJECT, and DROP.

ACCEPT - you accept all incoming packets except those disabled by a specific rule.

REJECT - you disable all incoming packets except those that you have allowed in specific rules and the source machine is informed about the rejection.

DROP - you disable all incoming packets except those that you have allowed in specific rules and no information sent to the source machine.

Rationale:

To reduce the attack surface of a system, all services and ports should be blocked unless required

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Result: WARNING

Actual Value: The command 'systemctl is-enabled firewalld.service | /usr/bin/grep -q 'enabled' && /usr/bin/firewall-cmd --list-all --zone="$(firewall-cmd --list-all | /usr/bin/awk '/\(active\)/ { print $1 }')" | /usr/bin/grep -P -- '^\h*(services:|ports:)'' returned :

Failed to get unit file state for firewalld.service: No such file or directory

Policy Value: cmd: systemctl is-enabled firewalld.service | /usr/bin/grep -q 'enabled' && /usr/bin/firewall-cmd --list-all --zone="$(firewall-cmd --list-all | /usr/bin/awk '/\(active\)/ { print $1 }')" | /usr/bin/grep -P -- '^\h*(services:|ports:)'
expect: Manual Review Required
system: Linux
Operational/Business Impact: Nessus expects rules to exist for firewalld when firewalld is installed and enabled.
Technical Issues: nftables is implemented to manage the inet (IPv4, IPv6) inbound, outbound and forward rules in place of firewalld. As firewalld is not installed, this finding is not applicable.
Mitigating/Compensating Controls: We use AWS Security Groups to manage inbound and outbound rules. Additionally, the recommended rules have already been configured for nftables.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012567
Risk/Severity Level: Medium
Systems Impacted: All Instances
CIS or DISA Title: 3.4.2.6 Ensure nftables established connections are configured
Overview of the Risk:
Information: Configure the firewall rules for new outbound and established connections

Rationale:

If rules are not in place for established connections, all packets will be dropped by the default policy preventing network usage.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Result: WARNING

Actual Value: The command 'systemctl is-enabled nftables.service | /usr/bin/grep -q 'enabled' && /usr/sbin/nft list ruleset | /usr/bin/awk '/hook input/,/}/' | /usr/bin/grep 'ct state'' returned :
ip protocol tcp ct state established accept
ip protocol udp ct state established accept
ip protocol icmp ct state established accept

Policy Value: cmd: systemctl is-enabled nftables.service | /usr/bin/grep -q 'enabled' && /usr/sbin/nft list ruleset | /usr/bin/awk '/hook input/,/}/' | /usr/bin/grep 'ct state'
expect: Manual Review Required
system: Linux

Solution: If NFTables utility is in use on your system:
Configure nftables in accordance with site policy. The following commands will implement a policy to allow all established connections:

# systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol tcp ct state established accept
# systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol udp ct state established accept
# systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol icmp ct state established accept
Operational/Business Impact: No changes necessary.
Technical Issues: The required settings have already been configured. Nessus expects manual review of the configuration.
Mitigating/Compensating Controls: No mitigation necessary, as the nftables rules are configured as expected.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012885
Risk/Severity Level: High
Systems Impacted: All Instances
CIS or DISA Title: 4.2.4 Ensure SSH access is limited
Overview of the Risk:
Information: There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged:

AllowUsers
AllowGroups
DenyUsers
DenyGroups

Rationale:

Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system.

Result: FAILED

Actual Value: All of the following must pass to satisfy this requirement:

-------------------------
FAILED - sshd output
The command script with multiple lines returned :

port 22:
Fail

-------------------------
FAILED - sshd_config
No matching files were found
Less than 1 matches of regex found

Policy Value: FAILED

Solution: Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set one or more of the parameters as follows:
Operational/Business Impact: sshd_config does not support defining restricted Active Directory users and groups; these are instead defined in the sudoers file.
Technical Issues: This configuration item is a local method to control user access to a host based on the SSH client. It is a list of users that are permitted or denied based on their user account. QNET does not use local accounts or local access to provide user authentication to a server. QNET uses realmd/SSSD to integrate with Active Directory. All access control mechanisms are configured inside Active Directory.
Mitigating/Compensating Controls: We do not perform this at the SSH level. We authenticate at the host level through AD.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012779
Risk/Severity Level: High
Systems Impacted: All Instances
CIS or DISA Title: 4.6.6 Ensure root password is set
Overview of the Risk:
Information: There are a number of methods to access the root account directly. Without a password set any user would be able to gain access and thus control over the entire system.

Rationale:

Access to root should be secured at all times.

Impact:

If there are any automated processes that relies on access to the root account without authentication, they will fail after remediation.

Result: FAILED

Actual Value: The command '/usr/bin/passwd -S root' returned :

root LK 2009-12-22 -1 -1 -1 -1 (Alternate authentication scheme in use.)

Policy Value: cmd: /usr/bin/passwd -S root
expect: Password set
system: Linux

Solution: Set the root password with:

# passwd root
Operational/Business Impact: Implementing a root password presents significant challenges in maintaining the password securely and retrieving it when required for one or more instances.
Technical Issues: At this time, there is no automation in place to support root password rotation and sharing it securely with server POCs.
Mitigating/Compensating Controls: Root login is disabled via the ssh config, and sudo is granted for elevated access.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012829
Risk/Severity Level: High
Systems Impacted: All Instances
CIS or DISA Title: 5.1.3 Ensure all logfiles have appropriate permissions and ownership
Overview of the Risk:
Information: Log files contain information from many services on the local system, or in the event of a centralized log server, others system's logs as well. In general log files are found in /var/log/, although application can be configured to store logs elsewhere. Should your application store its logs in another location, ensure to run the same test on that location.

Rationale:

It is important that log files have the correct permissions to ensure that sensitive data is protected and that only the appropriate users / groups have access to them.

Result: FAILED

Actual Value: The command script with multiple lines returned :

- Start check - logfiles have appropriate permissions and ownership

- Audit Results:
** Fail **

- File: "/var/log/chrony/statistics.log" mode: "644"

- File: "/var/log/chrony/tracking.log" mode: "644"

- File: "/var/log/chrony/measurements.log" mode: "644"

- File: "/var/log/splunkforwarder.log" mode: "644"

- File: "/var/log/splunkforwarder.log" ownership: "splunk splunk"

- File: "/var/log/launch.txt" mode: "644"

- End check - logfiles have appropriate permissions and ownership

Policy Value: cmd: multiple line script
dont_echo_cmd: NO
expect: \*\* Pass \*\*
system: Linux

Solution: Run the following script to update permissions and ownership on files in /var/log.
Although the script is not destructive, ensure that the output of the audit procedure is captured in the event that the remediation causes issues.
Operational/Business Impact: Splunk log collection requires custom FACLs. Some logs require group or world read access for command functionality. Others are reset to system defaults when log rotation occurs.
Technical Issues: The manner in which the AWS AMI is configured does not allow us to do anything but change the permissions on the files after the server is booted. Since the configuration of the logging subsystem is set inside the Marketplace AMI, the settings will always revert when a new AMI is built. We modify the permissions at each new server launch.
Mitigating/Compensating Controls: No compensating control; Splunk is utilized.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

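The scan flags mode 644 because world-readable log files expose their contents to every local account; the tension in this row is that a collector such as the Splunk forwarder still needs read access. The following shell script is an added example, not from the register, CIS or Tenable, and not the benchmark's own remediation script: it finds log files that are world-readable, world-writable or group-writable and strips those bits, leaving group read alone so that a collector can be granted access through a group or an ACL (the register's own getfacl output under 6.1.10 shows group:splunk:r-- for exactly that purpose). The directory tree is constructed in a temporary location with the modes the scan reported, so it never touches /var/log.

```shell
#!/bin/sh
# Added example (not from the register, CIS or Tenable): audit and tighten log file
# modes. The tree is constructed here with the modes reported in the scan above.

make_sample_logdir() {
  d=$(mktemp -d)
  mkdir -p "$d/chrony"
  for f in chrony/statistics.log chrony/tracking.log chrony/measurements.log \
           splunkforwarder.log launch.txt; do
    : > "$d/$f"; chmod 644 "$d/$f"          # constructed: world-readable, as in the scan
  done
  : > "$d/messages"; chmod 640 "$d/messages"  # constructed: group-readable only
  : > "$d/secure";   chmod 600 "$d/secure"    # constructed: owner only
  echo "$d"
}

# Relative paths under DIR ($1) of regular files that are world-readable (o+r),
# world-writable (o+w) or group-writable (g+w), sorted.
loose_log_files() {
  find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -020 \) | sed "s|^$1/||" | sort
}

# Remove the offending bits from every file loose_log_files would report.
# Group read is deliberately kept: grant a log collector access via a group or an
# ACL (setfacl -m g:splunk:r) rather than through "other".
restrict_log_files() {
  find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -020 \) -exec chmod o-rwx,g-w {} +
}

logs=$(make_sample_logdir)
echo "before:"; loose_log_files "$logs"
restrict_log_files "$logs"
echo "after: $(loose_log_files "$logs" | wc -l | tr -d ' ') loose file(s)"
rm -rf "$logs"
```

Because the AMI re-applies its defaults on rebuild and logrotate recreates files, the same find-based check is worth running periodically rather than once at launch; a non-empty result after the launch-time fix is the signal that a rotation or package update has reset a mode.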
Plug-In / Finding ID: 1012573
Risk/Severity Level: High
Systems Impacted: All Instances
CIS or DISA Title: 5.2.2.2 Ensure audit logs are not automatically deleted
Overview of the Risk:
Information: The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs.

Rationale:
In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.

Result: FAILED

Actual Value: Non-compliant file(s):
/etc/audit/auditd.conf - regex '^[\s]*max_log_file_action[\s]*=' found - expect '^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$' not found in the following lines:
17: max_log_file_action = ROTATE

Policy Value: expect: ^[\s]*max_log_file_action[\s]*=[\s]*[Kk][Ee][Ee][Pp]_[Ll][Oo][Gg][Ss][\s]*$
file: /etc/audit/auditd.conf
regex: ^[\s]*max_log_file_action[\s]*=
system: Linux

Solution: Set the following parameter in /etc/audit/auditd.conf:
max_log_file_action = keep_logs
Operational/Business Impact: QNET uses the Splunk client to send logs to the Splunk log server before deletion.

$ grep max_log_file /etc/audit/auditd.conf
max_log_file = 32
max_log_file_action = ROTATE

Technical Issues: This control suggests retaining all log files and never deleting them. We use centralized Splunk logging and do not keep local log files on each server permanently.
Mitigating/Compensating Controls: No compensating control; Splunk is utilized.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012882
Risk/Severity Level: High
Systems Impacted: All Instances
CIS or DISA Title: 5.2.2.3 Ensure system is disabled when audit logs are full
Overview of the Risk:
Information: The auditd daemon can be configured to halt the system when the audit logs are full.

The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt.

Rationale:

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Impact:

If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full.

Result: FAILED

Actual Value: All of the following must pass to satisfy this requirement:

-------------------------
FAILED - space_left_action
Non-compliant file(s):
/etc/audit/auditd.conf - regex '^[\s]*(?i)space_left_action(?-i)[\s]*=[\s]*' found - expect '^[\s]*(?i)space_left_action(?-i)[\s]*=[\s]*(?i)email(?-i)[\s]*$' not found in the following lines:
19: space_left_action = SYSLOG

-------------------------
PASSED - action_mail_acct
Compliant file(s):
/etc/audit/auditd.conf - regex '^[\s]*(?i)action_mail_acct(?-i)[\s]*=' found - expect '^[\s]*(?i)action_mail_acct(?-i)[\s]*=[\s]*(?i)root(?-i)[\s]*$' found in the following lines:
21: action_mail_acct = root

-------------------------
FAILED - admin_space_left_action
Non-compliant file(s):
/etc/audit/auditd.conf - regex '^[\s]*admin_space_left_action[\s]*=' found - expect '^[\s]*admin_space_left_action[\s]*=[\s]*([Hh][Aa][Ll][Tt]|[Ss][Ii][Nn][Gg][Ll][Ee])[\s]*$' not found in the following lines:
23: admin_space_left_action = SUSPEND

Policy Value: FAILED

Solution: Set the following parameters in /etc/audit/auditd.conf
Operational/Business Impact: QNET uses the Splunk client to send logs to the Splunk log server before deletion.

System settings are the following:
[ hostname ]# grep space_left_action /etc/audit/auditd.conf
space_left_action = email
action_mail_acct = root
admin_space_left_action = SUSPEND

Technical Issues: QNET uses the Splunk client to send logs to the Splunk log server.
Mitigating/Compensating Controls: No compensating control; Splunk is utilized.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

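The two auditd rows above (5.2.2.2 and 5.2.2.3) are both decided by a handful of keys in /etc/audit/auditd.conf, compared case-insensitively by the Tenable regexes. The following shell script is an added example, not from the register, CIS, Tenable or the audit package: it reports every key that departs from what the benchmark expects, counts the findings, and applies a setting by rewriting the file through awk (so it does not depend on GNU sed -i). The two sample files are constructed in temporary locations: one mirrors the values reported in the scan output, the other the values the benchmark wants.

```shell
#!/bin/sh
# Added example (not from the register, CIS, Tenable or auditd): check and set the
# auditd.conf keys behind CIS 5.2.2.2 / 5.2.2.3. Sample files are constructed below.

make_sample_auditd_conf() {  # $1 = "scanned" or "hardened"
  f=$(mktemp)
  if [ "$1" = hardened ]; then
    printf 'max_log_file = 32\nmax_log_file_action = keep_logs\nspace_left_action = email\naction_mail_acct = root\nadmin_space_left_action = halt\n' > "$f"
  else
    # constructed: the values quoted in the scan output above
    printf 'max_log_file = 32\nmax_log_file_action = ROTATE\nspace_left_action = SYSLOG\naction_mail_acct = root\nadmin_space_left_action = SUSPEND\n' > "$f"
  fi
  echo "$f"
}

# Print one line per non-compliant key: "key=actual (expected ...)". No output = compliant.
auditd_findings() {
  awk -F= '
    function val(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
    /^[ \t]*max_log_file_action[ \t]*=/     { m  = val($2) }
    /^[ \t]*space_left_action[ \t]*=/       { s  = val($2) }
    /^[ \t]*action_mail_acct[ \t]*=/        { a  = val($2) }
    /^[ \t]*admin_space_left_action[ \t]*=/ { ad = val($2) }
    END {
      if (m != "keep_logs")               print "max_log_file_action=" m " (expected keep_logs)"
      if (s != "email")                   print "space_left_action=" s " (expected email)"
      if (a != "root")                    print "action_mail_acct=" a " (expected root)"
      if (ad != "halt" && ad != "single") print "admin_space_left_action=" ad " (expected halt or single)"
    }' "$1"
}

auditd_finding_count() { auditd_findings "$1" | wc -l | tr -d ' '; }

# Set KEY ($2) = VALUE ($3) in FILE ($1), replacing an existing line or appending one.
set_auditd_option() {
  tmp=$(mktemp)
  awk -F= -v k="$2" -v v="$3" '
    $1 ~ ("^[ \t]*" k "[ \t]*$") { print k " = " v; seen = 1; next }
    { print }
    END { if (!seen) print k " = " v }' "$1" > "$tmp" && mv "$tmp" "$1"
}

scanned=$(make_sample_auditd_conf scanned)
echo "findings on scanned config:"; auditd_findings "$scanned"
set_auditd_option "$scanned" max_log_file_action keep_logs
set_auditd_option "$scanned" space_left_action email
set_auditd_option "$scanned" admin_space_left_action halt
echo "findings after remediation: $(auditd_finding_count "$scanned")"
rm -f "$scanned"
```

The deviation recorded above is a deliberate choice to keep ROTATE and SUSPEND because the audit trail is shipped to Splunk; the check is still useful as a drift detector, since any host whose auditd.conf changes away from the approved values would show up as a different finding count. After editing the real file, auditd has to be restarted (or sent SIGHUP) for the new values to take effect.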
Plug-In / Finding ID: 1012935
Risk/Severity Level: Medium
Systems Impacted: All Instances
CIS or DISA Title: 5.3 Ensure logrotate is configured
Overview of the Risk:
Information: The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/logrotate.d/syslog is the configuration file used to rotate log files created by syslog or rsyslog.

Rationale:

By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Result: WARNING

Actual Value:

Policy Value: WARNING

Solution: Edit /etc/logrotate.conf and /etc/logrotate.d/* to ensure logs are rotated according to site policy.
Operational/Business Impact: No changes necessary.
Technical Issues: The log rotation settings have already been configured. The contents of the files are as follows:

$ cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

$ cat /etc/logrotate.d/dnf
/var/log/hawkey.log {
missingok
notifempty
rotate 4
weekly
create
}

Mitigating/Compensating Controls: No mitigation is necessary, as the log rotation values have already been configured.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012877
Risk/Severity Level: High
Systems Impacted: All Instances
CIS or DISA Title: 6.1.10 Audit system file permissions
Overview of the Risk:
Information: The RPM package manager has a number of useful options. One of these, the -V for RPM option, can be used to verify that system packages are correctly installed. The -V option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. The following table describes the meaning of output from the verify option:

Rationale:

It is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor.

Result: FAILED

Actual Value: The command 'rpm -Va --nomtime --nosize --nomd5 --nolinkto | /usr/bin/awk '{ print } END { if (NR==0) print "none" }'' returned :

Policy Value: cmd: rpm -Va --nomtime --nosize --nomd5 --nolinkto | /usr/bin/awk '{ print } END { if (NR==0) print "none" }'
expect: none
system: Linux

Solution: Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
Operational/Business Impact: Resetting all of these files to the vendor default will impact the ability of Splunk to collect logs for off-system retention.
Technical Issues: All the files reported by Tenable have been carefully reviewed and modified to make the system functional and secure.
Mitigating/Compensating Controls: setfacl has been used to set permissions enabling Splunk collection of log files. Examples:

[root]# getfacl /var/log/
getfacl: Removing leading '/' from absolute path names
# file: var/log/
# owner: root
# group: root
user::rwx
group::r-x
group:splunk:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:splunk:r-x
default:mask::r-x
default:other::r-x

[root]# getfacl /var/log/secure
getfacl: Removing leading '/' from absolute path names
# file: var/log/secure
# owner: root
# group: root
user::rw-
group::r-x
group:splunk:r--
mask::r-x
other::---

No further mitigation is necessary.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

Plug-In / Finding ID: 1012841
Risk/Severity Level: Medium
Systems Impacted: All Instances
CIS or DISA Title: 6.1.13 Ensure SUID and SGID files are reviewed
Overview of the Risk:
Information: The owner of a file can set the file's permissions to run with the owner's or group's permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SUID or SGID program is to enable users to perform functions (such as changing their password) that require root privileges.

Rationale:

There are valid reasons for SUID and SGID programs, but it is important to identify and review such programs to ensure they are legitimate. Review the files returned by the action in the audit section and check to see if system binaries have a different checksum than what from the package. This is an indication that the binary may have been replaced.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Result: WARNING

Actual Value: The following 24 files are SUID or SGID:

/usr/bin/sudo
owner: root, group: root, permissions: 4111

/usr/bin/at
owner: root, group: root, permissions: 4755

/usr/bin/chage
owner: root, group: root, permissions: 4755

/usr/bin/gpasswd
owner: root, group: root, permissions: 4755

/usr/bin/newgrp
owner: root, group: root, permissions: 4755

/usr/bin/su
owner: root, group: root, permissions: 4755

/usr/bin/write
owner: root, group: tty, permissions: 2755

/usr/bin/mount
owner: root, group: root, permissions: 4755

/usr/bin/umount
owner: root, group: root, permissions: 4755

/usr/bin/staprun
owner: root, group: stapusr, permissions: 4110

/usr/bin/passwd
owner: root, group: root, permissions: 4755

/usr/bin/screen
owner: root, group: screen, permissions: 2755

/usr/bin/pkexec
owner: root, group: root, permissions: 4755

/usr/bin/crontab
owner: root, group: root, permissions: 4755

/usr/sbin/postdrop
owner: root, group: postdrop, permissions: 2755

/usr/sbin/postlog
owner: root, group: postdrop, permissions: 2755

/usr/sbin/postqueue
owner: root, group: postdrop, permissions: 2755

/usr/sbin/mount.nfs
owner: root, group: root, permissions: 4755

/usr/sbin/grub2-set-bootflag
owner: root, group: root, permissions: 4755

/usr/sbin/pam_timestamp_check
owner: root, group: root, permissions: 4755

/usr/sbin/unix_chkpwd
owner: root, group: root, permissions: 4755

/usr/lib/polkit-1/polkit-agent-helper-1
owner: root, group: root, permissions: 4755

/usr/libexec/utempter/utempter
owner: root, group: utmp, permissions: 2711

/usr/libexec/openssh/ssh-keysign
owner: root, group: ssh_keys, permissions: 2555

Policy Value: name: find_suid_sgid_files
system: Linux
timeout: 7200

Solution: Ensure that no rogue SUID or SGID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries.
Operational/Business Impact: No changes necessary.
Technical Issues: The programs listed are legitimate and the permissions are configured as expected.
Mitigating/Compensating Controls: auditd rules are configured to audit permission changes (chmod, fchmod, fchmodat) by regular users.
ISSO Approval & Date: Brandon Tennessee, Jun 14, 2024

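A manual review of the 24 files above is only useful if it is repeatable: the question on the next scan is not "are these legitimate" but "has anything been added". The following shell script is an added example, not from the register, CIS or Tenable: it records an approved baseline of SUID/SGID names, finds the current set under a directory with find -perm, and prints whatever is present but not approved. The baseline names are taken from the scan list above; the directory, file modes and the unapproved "helper" file are constructed in a temporary location, and a real baseline would hold full paths and be kept under version control.

```shell
#!/bin/sh
# Added example (not from the register, CIS or Tenable): diff the SUID/SGID files on a
# host against an approved baseline. Directory and modes are constructed below.

# Approved set, constructed from the register's list (relative names for the sample).
approved_baseline() {
  printf '%s\n' sudo at chage gpasswd newgrp su write mount umount passwd crontab
}

make_sample_bindir() {
  d=$(mktemp -d)
  for name in passwd su mount crontab; do : > "$d/$name"; chmod 4755 "$d/$name"; done
  : > "$d/sudo";   chmod 4111 "$d/sudo"    # matches the 4111 reported in the scan
  : > "$d/ls";     chmod 755  "$d/ls"      # ordinary binary, must not be listed
  : > "$d/helper"; chmod 4755 "$d/helper"  # constructed: unapproved SUID file to flag
  echo "$d"
}

# Relative names of SUID or SGID regular files under DIR ($1), sorted.
find_suid_sgid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed "s|^$1/||" | sort
}

# Names found under DIR ($1) that the baseline does not approve.
unexpected_suid_sgid() {
  base=$(mktemp)
  approved_baseline | sort > "$base"
  find_suid_sgid "$1" | comm -23 - "$base"
  rm -f "$base"
}

bindir=$(make_sample_bindir)
echo "SUID/SGID files: $(find_suid_sgid "$bindir" | tr '\n' ' ')"
echo "not in baseline: $(unexpected_suid_sgid "$bindir" | tr '\n' ' ')"
rm -rf "$bindir"
```

For anything the diff reports, the benchmark's own next step applies: confirm the file belongs to a package and that its checksum still matches (rpm -qf and rpm -V on the path), since a name that is in the baseline can still have been replaced.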

Revisions

Date:
Version: 1.0
Change Description: Initial Release
