CIS: Amazon Linux 2


This document provides information about the hotfix containing Center for Internet Security (CIS) templates for Amazon Linux 2 with implementation for 265 rules that can be installed on TrueSight Server Automation 21.02.01 or later. 

Before you begin

Before you install this hotfix, perform the following tasks:

  • Ensure that all compliance content provided by BMC in your environment is at least updated to 21.02.01 or later version.
  • For all application servers in your environment, back up the following directory: <Application_Server_installation_directory>/share/sensors
    This directory contains extended object scripts.

Step 1: Downloading and installing the files

  1. Log in to the ftp.bmc.com host using the SFTP protocol.
  2. Download the CIS - Amazon Linux 2.zip and extended_objects.zip packages from the following location:

    FTP location


    Verify the downloaded content by using the following checksums:

    File Name                  MD5 Checksum
    CIS - Amazon Linux 2.zip   122ad7e3737441a9a18e3efa3bbc3135
    extended_objects.zip       160212521dd7a0ad5734e47c411e284d

  3. Copy the CIS - Amazon Linux 2.zip package to the RCP client server.
  4. Extract the contents of the extended_objects package and move them to a temporary location on all Application Servers.

Step 2: Replacing the extended object scripts on all Application Servers

Perform the following steps on all the Application Servers in your environment:

  1. Navigate to the extended object script files on the Application Server: <Application_Server_installation_directory>/share/sensors/
  2. Replace the Extended Object script files on your file server with the extracted Extended Object script files stored in the temporary location on the Application Server:
    <TempLocation_FileServer>/extended_objects/

Step 3: Importing the compliance content

  1. Log on to the TrueSight Server Automation console.
  2. Right-click Component Templates and select Import.
  3. In the Import Wizard window, select Import (Version-neutral) and click OK.
  4. Select the CIS - Amazon Linux 2.zip package from the temporary location where you downloaded it and click Next.


  5. Ensure that the Update objects according to the imported package and Preserve template group path options are selected, and click Next.
  6. Click Next to review the import contents and then click Finish.
    The templates are imported successfully and are shown under CIS Compliance Content > CIS.


Rules within the templates

The zip package provides 265 rules of the following types:

  • Rules that check for compliance and provide remediation – 200
  • Rules that check for compliance but do not provide remediation – 55
  • Rules that do not check for compliance and do not provide remediation – 10

Some rules are divided into parts, and each part is counted separately:

  • Rules not divided into parts – 180
  • Rules divided into 2 parts – 23 rules, counted as 23 * 2 = 46
  • Rules divided into 3 parts – 9 rules, counted as 9 * 3 = 27
  • Rules divided into 6 parts – 2 rules, counted as 2 * 6 = 12

So, the rule count reported for the CIS - Amazon Linux 2 template after running the compliance job is 265 (180 + 46 + 27 + 12).

The following table shows the rules that are checked for compliance but have no remediation.

Rule IDs with compliance checks but no remediation | Comments
3.5.1.1, 3.5.2.1 | Remediation configures the system to the immutable mode.
6.2.11, 6.2.12, 6.2.14 | Remediation is not available as the package update or configuration information depends upon the organization.
5.4.1.5, 5.4.2, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.7 | Remediation must be performed manually with required permission.
1.8, 4.3, 1.1.11, 1.1.13, 1.1.2, 1.1.6, 1.1.7, 1.2.1, 1.2.2, 1.6.1.1.3, 1.6.1.2.2, 1.6.1.3.2, 1.6.1.6, 2.1.1.3.1, 3.3.2, 3.3.3, 3.6.2, 4.1.18, 4.1.3.2, 4.2.1.2, 4.2.1.4, 4.2.2.2, 4.2.2.3, 6.1.1, 6.2.1, 6.2.15, 6.2.16, 6.2.17, 6.2.18, 6.2.19, 6.2.6, 5.5, 5.6 | Remediation not provided as it needs manual intervention by a system administrator.

The following table shows the rules that are neither checked for compliance nor provided with remediation.

Rule IDs without any compliance checks or remediation | Comments
3.5.1.2, 3.5.2.2, 4.2.2.4, 4.2.2.5, 5.2.3, 5.2.2 | Remediation configures the system to the immutable mode.
3.5.1.3, 3.5.1.4, 3.5.2.3, 3.5.2.4 | Changing the firewall settings when you are connected to the network can result in being locked out of the system.

The following table shows the rules in which a property is used.

Property type | Rule where the property is used | Property name | Default values
LOCAL | 1.7.1.1 | BANNER_LONG_PART1 | BLANK
LOCAL | 1.7.1.2 | BANNER_LONG_PART2 | Authorized users only. All activity might be monitored and reported.
LOCAL | 1.7.1.3 | BANNER_LONG_PART3 | Authorized users only. All activity might be monitored and reported.
LOCAL | 5.2.14 | MAC_ALGOS | hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
LOCAL | 5.2.16.1 | CLIENT_ALIVE_INTERVAL_COUNT | 300
LOCAL | 5.2.16.2 | CLIENT_ALIVE_COUNT_MAX | 3
LOCAL | 1.3.2 | AIDE_RUN_SCHEDULE | 0 5 * * *
LOCAL | 4.1.18 | AUDIT_RULES_FILE | /etc/audit/audit.rules
LOCAL | 1.6.1.6 | EXCLUDE_DAEMONS_LIST | tr,ps,egrep,bash,awk
LOCAL | 6.2.5 | USER_LIST | Root
LOCAL | 6.2.8, 6.2.9, 6.2.10, 6.2.13, 6.2.14 | EXCLUDED_USER_LIST | root,sync,halt,shutdown
LOCAL | 6.2.7, 6.2.11, 6.2.12 | EXCLUDE_USERS_LIST | "root","sync","halt","shutdown"
LOCAL | 6.2.7, 6.2.11, 6.2.12 | NON_LOGIN_SHELLS_LIST | "/sbin/nologin","/bin/false"
LOCAL | 5.5 | SECURE_TERMINALS_LIST | BLANK
LOCAL | 5.2.18 | SSH_ALLOW_GROUPS, SSH_ALLOW_USERS, SSH_DENY_GROUPS, and SSH_DENY_USERS | BLANK
LOCAL | 2.1.1.2, 2.1.1.3 | NTP_DAEMON_ENABLED_NAME | chrony (default); ntp is also available in the list
LOCAL | 2.1.1.2, 2.1.1.3 | NTP_SERVERS_LIST | BLANK
LOCAL | 4.2.1.1, 4.2.1.2, 4.2.1.3, 4.2.1.4, 4.2.1.5, 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5 | PACKAGE_ENABLED_NAME | rsyslog (default); syslog-ng is also available in the list
LOCAL | 5.6 | WHEEL_GROUP_USER_LIST | Root
LOCAL | 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 3.4.1, 3.4.2, 3.4.3, 3.4.4 | KERNEL_MODULES | cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat dccp sctp rds tipc
TARGET | 2.1.15 | DEFAULT_MTA | ??TARGET.BSA_CONTENT_DEFAULT_MTA??
LOCAL | 4.2.1.4 | LOGHOSTS_SEND | BLANK
LOCAL | 4.1.1.1 | AUDIT_MAX_LOG_SIZE | BLANK
TARGET | 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.16, 2.1.17 | MISSION_CRITICAL_PACKAGES | BLANK
LOCAL | 4.3 | LOGROTATE_FILES | /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/cron
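As an added illustration (not BMC's extended object script or template logic), the following Python reproduces the kind of check that rules 5.2.14, 5.2.16.1 and 5.2.16.2 perform against sshd_config, driven by the MAC_ALGOS, CLIENT_ALIVE_INTERVAL_COUNT and CLIENT_ALIVE_COUNT_MAX defaults from the table above. Treating the two numeric defaults as upper bounds is an assumption, and the sshd_config text is constructed.

```python
# Added illustration (not BMC's extended object script): a check in the spirit of
# CIS 5.2.14 / 5.2.16.x using the table's defaults; upper-bound semantics assumed.
MAC_ALGOS = ("hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
             "umac-128etm@openssh.com,hmac-sha2-512,hmac-sha2-256,"
             "umac-128@openssh.com")  # copied verbatim from the page
CLIENT_ALIVE_INTERVAL_COUNT = 300
CLIENT_ALIVE_COUNT_MAX = 3

# Constructed sample sshd_config; the Match block must not override globals.
SAMPLE_CONFIG = """Protocol 2
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
ClientAliveInterval 300
ClientAliveCountMax 3
Match User backup
    ClientAliveInterval 900
"""

def parse_sshd_config(text):
    """First effective value per keyword (lower-cased), the way sshd
    resolves it: first occurrence wins, '#' comments are dropped and the
    global section ends at the first Match block."""
    effective = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective

def check_sshd(text, mac_algos=MAC_ALGOS, max_interval=CLIENT_ALIVE_INTERVAL_COUNT,
               max_count=CLIENT_ALIVE_COUNT_MAX):
    """Return {rule_id: (compliant, detail)} for the three rules."""
    cfg, results = parse_sshd_config(text), {}
    macs = cfg.get("macs")
    if macs is None:
        results["5.2.14"] = (False, "MACs not set; sshd built-in list applies")
    else:
        bad = [m for m in macs.split(",") if m not in mac_algos.split(",")]
        results["5.2.14"] = (not bad, "unapproved: " + ",".join(bad) if bad else "ok")
    for rule, key, upper in (("5.2.16.1", "clientaliveinterval", max_interval),
                             ("5.2.16.2", "clientalivecountmax", max_count)):
        value = cfg.get(key, "")
        if not value.isdigit():  # unset keywords fall back to sshd's own default
            results[rule] = (False, f"{key} not set; sshd default applies")
        else:
            results[rule] = (1 <= int(value) <= upper, f"{key}={value}, expected 1..{upper}")
    return results
```

OpenSSH spells the third algorithm in the table's MAC_ALGOS default umac-128-etm@openssh.com, and sshd refuses to start when a MACs line names an algorithm it does not know, so review that property value before applying remediation.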
