STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Amazon Linux 2023 Security Technical Implementation Guide

Version: V1R3
Benchmark ID: Amazon_Linux_2023_STIG
Total Checks: 187
Tags: linux
Severity breakdown: CAT I (high): 21, CAT II (medium): 163, CAT III (low): 3

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (187)

  • V-273994 [HIGH] Amazon Linux 2023 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
  • V-273995 [MEDIUM] Amazon Linux 2023 must ensure cryptographic verification of vendor software packages.
  • V-273996 [HIGH] Amazon Linux 2023 must check the GPG signature of locally installed software packages before installation.
  • V-273997 [HIGH] Amazon Linux 2023 must check the GPG signature of software packages originating from external software repositories before installation.
  • V-273998 [HIGH] Amazon Linux 2023 must have GPG signature verification enabled for all software repositories.
  • V-273999 [HIGH] Amazon Linux 2023 must be a vendor-supported release.
  • V-274000 [MEDIUM] Amazon Linux 2023 systemd-journald service must be enabled.
  • V-274001 [MEDIUM] Amazon Linux 2023 must restrict access to the kernel message buffer.
  • V-274002 [MEDIUM] Amazon Linux 2023 must prevent kernel profiling by nonprivileged users.
  • V-274003 [MEDIUM] Amazon Linux 2023 must restrict exposed kernel pointer addresses access.
  • V-274004 [MEDIUM] Amazon Linux 2023 must disable access to network bpf system call from nonprivileged processes.
  • V-274005 [MEDIUM] Amazon Linux 2023 must restrict usage of ptrace to descendant processes.
  • V-274006 [MEDIUM] Amazon Linux 2023 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
  • V-274007 [HIGH] Amazon Linux 2023 must not have the vsftpd package installed.
  • V-274008 [MEDIUM] Amazon Linux 2023 must not have the sendmail package installed.
  • V-274009 [MEDIUM] Amazon Linux 2023 must not have the nfs-utils package installed.
  • V-274010 [MEDIUM] Amazon Linux 2023 must not have the telnet-server package installed.
  • V-274011 [MEDIUM] Amazon Linux 2023 must not have the gssproxy package installed.
  • V-274012 [MEDIUM] Amazon Linux 2023 must have the sudo package installed.
  • V-274013 [MEDIUM] Amazon Linux 2023 must not be configured to bypass password requirements for privilege escalation.
  • V-274014 [MEDIUM] Amazon Linux 2023 must require reauthentication when using the "sudo" command.
  • V-274015 [MEDIUM] Amazon Linux 2023 must require users to reauthenticate for privilege escalation.
  • V-274016 [MEDIUM] Amazon Linux 2023 must require users to provide a password for privilege escalation.
  • V-274017 [MEDIUM] Amazon Linux 2023 must have the audit package installed.
  • V-274018 [MEDIUM] Amazon Linux 2023 must produce audit records containing information to establish what type of events occurred.
  • V-274019 [MEDIUM] Amazon Linux 2023 audispd-plugins package must be installed.
  • V-274020 [MEDIUM] Amazon Linux 2023 must have the rsyslog package installed.
  • V-274021 [MEDIUM] Amazon Linux 2023 must monitor remote access methods.
  • V-274022 [MEDIUM] Amazon Linux 2023 must have the chrony package installed.
  • V-274023 [MEDIUM] Amazon Linux 2023 chronyd service must be enabled.
  • V-274024 [MEDIUM] Amazon Linux 2023 must have the Advanced Intrusion Detection Environment (AIDE) package installed.
  • V-274025 [MEDIUM] Amazon Linux 2023 must routinely check the baseline configuration for unauthorized changes and notify the system administrator (SA) when anomalies in the operation of any security functions are discovered.
  • V-274026 [MEDIUM] Amazon Linux 2023 must use cryptographic mechanisms to protect the integrity of audit tools.
  • V-274027 [MEDIUM] Amazon Linux 2023 must have the firewalld package installed.
  • V-274028 [MEDIUM] Amazon Linux 2023 must have the firewalld service active.
  • V-274030 [MEDIUM] Amazon Linux 2023 must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
  • V-274031 [MEDIUM] Amazon Linux 2023 must have the s-nail package installed.
  • V-274032 [MEDIUM] Amazon Linux 2023 must have the libreswan package installed.
  • V-274033 [MEDIUM] Amazon Linux 2023 must have the policycoreutils package installed.
  • V-274034 [MEDIUM] Amazon Linux 2023 must have the pcsc-lite package installed.
  • V-274035 [MEDIUM] Amazon Linux 2023 must have the packages required for encrypting off-loaded audit logs installed.
  • V-274036 [MEDIUM] Amazon Linux 2023 must have the opensc package installed.
  • V-274037 [MEDIUM] Amazon Linux 2023 must have the openssl-pkcs11 package installed.
  • V-274038 [HIGH] Amazon Linux 2023 must have SSH installed.
  • V-274039 [HIGH] Amazon Linux 2023 must implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
  • V-274040 [HIGH] Amazon Linux 2023 must have the crypto-policies package installed.
  • V-274042 [HIGH] Amazon Linux 2023 server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
  • V-274043 [HIGH] Amazon Linux 2023 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
  • V-274044 [MEDIUM] Amazon Linux 2023 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
  • V-274045 [MEDIUM] Amazon Linux 2023 SSH daemon must not allow Kerberos authentication.
  • V-274046 [HIGH] Amazon Linux 2023 must force a frequent session key renegotiation for SSH connections to the server.
  • V-274047 [MEDIUM] Amazon Linux 2023 SSHD must accept public key authentication.
  • V-274048 [MEDIUM] Amazon Linux 2023 SSHD must not allow blank passwords.
  • V-274049 [MEDIUM] Amazon Linux 2023 must not permit direct logons to the root account using remote access via SSH.
  • V-274050 [MEDIUM] Amazon Linux 2023 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
  • V-274051 [MEDIUM] Amazon Linux 2023 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
  • V-274052 [HIGH] Amazon Linux 2023 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
  • V-274057 [HIGH] Amazon Linux 2023 must enable FIPS mode.
  • V-274058 [HIGH] Amazon Linux 2023 crypto policy must not be overridden.
  • V-274059 [MEDIUM] Amazon Linux 2023 must enable certificate-based smart card authentication.
  • V-274060 [MEDIUM] Amazon Linux 2023 must map the authenticated identity to the user or group account for PKI-based authentication.
  • V-274061 [MEDIUM] Amazon Linux 2023 must implement certificate status checking for multifactor authentication.
  • V-274062 [MEDIUM] Amazon Linux 2023 must prohibit the use of cached authenticators after one day.
  • V-274063 [MEDIUM] Amazon Linux 2023, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
  • V-274064 [MEDIUM] Amazon Linux 2023, for PKI-based authentication, must enforce authorized access to the corresponding private key.
  • V-274065 [MEDIUM] Amazon Linux 2023 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.
  • V-274066 [MEDIUM] Amazon Linux 2023 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.
  • V-274067 [MEDIUM] Amazon Linux 2023 must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
  • V-274068 [LOW] Amazon Linux 2023 must use a separate file system for the system audit data path.
  • V-274069 [MEDIUM] Amazon Linux 2023 must label all off-loaded audit logs before sending them to the central log server.
  • V-274070 [MEDIUM] Amazon Linux 2023 must take appropriate action when the internal event queue is full.
  • V-274071 [MEDIUM] Amazon Linux 2023 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
  • V-274072 [MEDIUM] Amazon Linux 2023 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.
  • V-274073 [MEDIUM] Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.
  • V-274074 [MEDIUM] Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
  • V-274075 [MEDIUM] Amazon Linux 2023 must immediately notify the system administrator (SA) and information system security officer (ISSO), at a minimum, of an audit processing failure event.
  • V-274076 [MEDIUM] Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog.
  • V-274077 [MEDIUM] Amazon Linux 2023 must authenticate the remote logging server for off-loading audit logs via rsyslog.
  • V-274078 [MEDIUM] Amazon Linux 2023 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.
  • V-274079 [MEDIUM] Amazon Linux 2023 must encrypt via the gtls driver the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.
  • V-274080 [LOW] Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog.
  • V-274081 [MEDIUM] Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
  • V-274082 [MEDIUM] Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.
  • V-274083 [MEDIUM] Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
  • V-274084 [MEDIUM] Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
  • V-274085 [MEDIUM] Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
  • V-274086 [MEDIUM] Amazon Linux 2023 must audit uses of the "execve" system call.
  • V-274087 [MEDIUM] Amazon Linux 2023 must audit all uses of the chmod, fchmod, and fchmodat system calls.
  • V-274088 [MEDIUM] Amazon Linux 2023 must audit all uses of the chown, fchown, fchownat, and lchown system calls.
  • V-274089 [MEDIUM] Amazon Linux 2023 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
  • V-274090 [MEDIUM] Amazon Linux 2023 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
  • V-274091 [MEDIUM] Amazon Linux 2023 must audit all uses of the init_module and finit_module system calls.
  • V-274092 [MEDIUM] Amazon Linux 2023 must audit all uses of the create_module system call.
  • V-274093 [MEDIUM] Amazon Linux 2023 must audit all uses of the kmod command.
  • V-274094 [MEDIUM] Amazon Linux 2023 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.
  • V-274095 [MEDIUM] Amazon Linux 2023 must audit all uses of the chcon command.
  • V-274096 [MEDIUM] Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.
  • V-274097 [MEDIUM] Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.
  • V-274098 [MEDIUM] Amazon Linux 2023 must audit all uses of the init command.
  • V-274099 [MEDIUM] Amazon Linux 2023 must audit all uses of the reboot command.
  • V-274100 [MEDIUM] Amazon Linux 2023 must audit all uses of the shutdown command.
  • V-274101 [MEDIUM] Amazon Linux 2023 audit tools must have a mode of "0755" or less permissive.
  • V-274102 [MEDIUM] Amazon Linux 2023 audit tools must be owned by root.
  • V-274103 [MEDIUM] Amazon Linux 2023 audit tools must be group-owned by root.
  • V-274104 [MEDIUM] Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
  • V-274105 [MEDIUM] Amazon Linux 2023 must audit all successful/unsuccessful uses of the chage command.
  • V-274107 [MEDIUM] Amazon Linux 2023 must off-load audit records onto a different system in the event the audit storage volume is full.
  • V-274108 [MEDIUM] Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.
  • V-274109 [MEDIUM] Amazon Linux 2023 audit log directory must be owned by root to prevent unauthorized read access.
  • V-274110 [MEDIUM] Amazon Linux 2023 audit logs file must have mode "0600" or less permissive to prevent unauthorized access to the audit log.
  • V-274111 [MEDIUM] Amazon Linux 2023 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-274112 [MEDIUM] Amazon Linux 2023 must audit all uses of the sudo command.
  • V-274113 [MEDIUM] Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
  • V-274114 [MEDIUM] Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
  • V-274115 [MEDIUM] Amazon Linux 2023 must produce audit records containing information to establish the identity of any individual or process associated with the event.
  • V-274116 [MEDIUM] Amazon Linux 2023 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.
  • V-274117 [MEDIUM] Amazon Linux 2023 must ensure the audit log directory be owned by root to prevent unauthorized read access.
  • V-274119 [MEDIUM] Amazon Linux 2023 library directories must be group-owned by root or a system account.
  • V-274120 [MEDIUM] Amazon Linux 2023 library directories must have mode "755" or less permissive.
  • V-274121 [MEDIUM] Amazon Linux 2023 library files must have mode "755" or less permissive.
  • V-274122 [MEDIUM] Amazon Linux 2023 library files must be owned by root.
  • V-274123 [MEDIUM] Amazon Linux 2023 library files must be group-owned by root or a system account.
  • V-274124 [MEDIUM] Amazon Linux 2023 library directories must be owned by root.
  • V-274125 [MEDIUM] Amazon Linux 2023 must ensure the /var/log directory have mode "0755" or less permissive.
  • V-274126 [MEDIUM] Amazon Linux 2023 must ensure the /var/log directory be owned by root.
  • V-274127 [MEDIUM] Amazon Linux 2023 must ensure the /var/log directory be group-owned by root.
  • V-274128 [MEDIUM] Amazon Linux 2023 must ensure the /var/log/messages file have mode "0640" or less permissive.
  • V-274129 [MEDIUM] Amazon Linux 2023 must ensure the /var/log/messages file be group-owned by root.
  • V-274130 [MEDIUM] Amazon Linux 2023 must ensure the /var/log/messages file be owned by root.
  • V-274131 [MEDIUM] Amazon Linux 2023 system commands must be owned by root.
  • V-274132 [MEDIUM] Amazon Linux 2023 system commands must be group-owned by root or a system account.
  • V-274133 [MEDIUM] Amazon Linux 2023 must enforce password complexity by requiring that at least one uppercase character be used.
  • V-274134 [MEDIUM] Amazon Linux 2023 must enforce password complexity by requiring that at least one lowercase character be used.
  • V-274135 [MEDIUM] Amazon Linux 2023 must enforce password complexity by requiring that at least one numeric character be used.
  • V-274136 [MEDIUM] Amazon Linux 2023 must require the change of at least 50 percent of the total number of characters when passwords are changed.
  • V-274137 [MEDIUM] Amazon Linux 2023 must enforce a minimum 15-character password length.
  • V-274138 [MEDIUM] Amazon Linux 2023 must enforce password complexity by requiring that at least one special character be used.
  • V-274139 [MEDIUM] Amazon Linux 2023 must enforce password complexity rules for the root account.
  • V-274140 [MEDIUM] Amazon Linux 2023 must prevent the use of dictionary words for passwords.
  • V-274141 [LOW] Amazon Linux 2023 must limit the number of concurrent sessions to ten for all accounts and/or account types.
  • V-274142 [MEDIUM] Amazon Linux 2023 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.
  • V-274143 [MEDIUM] Amazon Linux 2023 must enforce 24 hours/1 day as the minimum password lifetime.
  • V-274144 [MEDIUM] Amazon Linux 2023 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
  • V-274145 [MEDIUM] Amazon Linux 2023 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
  • V-274146 [MEDIUM] Amazon Linux 2023 must automatically remove or disable temporary user accounts after 72 hours.
  • V-274147 [MEDIUM] Amazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur.
  • V-274148 [MEDIUM] Amazon Linux 2023 must be able to enforce a 60-day maximum password lifetime restriction.
  • V-274149 [MEDIUM] Amazon Linux 2023 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
  • V-274150 [MEDIUM] Amazon Linux 2023 must automatically expire temporary accounts within 72 hours.
  • V-274151 [MEDIUM] Amazon Linux 2023 must restrict the use of the "su" command.
  • V-274152 [MEDIUM] Amazon Linux 2023 must enable the SELinux targeted policy.
  • V-274153 [HIGH] Amazon Linux 2023 must use a Linux Security Module configured to enforce limits on system services.
  • V-274154 [MEDIUM] Amazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur.
  • V-274155 [MEDIUM] Amazon Linux 2023 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-274156 [MEDIUM] Amazon Linux 2023 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
  • V-274157 [MEDIUM] Amazon Linux 2023 must maintain an account lock until the locked account is released by an administrator.
  • V-274158 [MEDIUM] Amazon Linux 2023 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.
  • V-274159 [MEDIUM] Amazon Linux 2023 must ensure all interactive users have a primary group that exists.
  • V-274160 [MEDIUM] Amazon Linux 2023 must ensure all interactive users have unique User IDs (UIDs).
  • V-274161 [MEDIUM] Amazon Linux 2023 must ensure the password complexity module is enabled in the password-auth file.
  • V-274162 [MEDIUM] Amazon Linux 2023 password-auth must be configured to use a sufficient number of hashing rounds.
  • V-274163 [MEDIUM] Amazon Linux 2023 system-auth must be configured to use a sufficient number of hashing rounds.
  • V-274164 [MEDIUM] Amazon Linux 2023 must ensure a sticky bit be set on all public directories.
  • V-274165 [MEDIUM] Amazon Linux 2023 must ensure all world-writable directories be owned by root, sys, bin, or an application user.
  • V-274166 [MEDIUM] Amazon Linux 2023 must terminate idle user sessions.
  • V-274167 [MEDIUM] Amazon Linux 2023 must enable auditing of processes that start prior to the audit daemon.
  • V-274168 [MEDIUM] Amazon Linux 2023 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
  • V-274169 [MEDIUM] Amazon Linux 2023 must enable discretionary access control on hardlinks.
  • V-274170 [MEDIUM] Amazon Linux 2023 must enable kernel parameters to enforce discretionary access control on symlinks.
  • V-274173 [MEDIUM] Amazon Linux 2023 debug-shell systemd service must be disabled.
  • V-274175 [MEDIUM] Amazon Linux 2023 must synchronize internal information system clocks to the authoritative time source at least every 24 hours.
  • V-274177 [MEDIUM] Amazon Linux 2023 must prevent the loading of a new kernel for later execution.
  • V-274178 [MEDIUM] Amazon Linux 2023 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
  • V-274179 [MEDIUM] Amazon Linux 2023 must mount /dev/shm with the nodev option.
  • V-274180 [MEDIUM] Amazon Linux 2023 must mount /dev/shm with the nosuid option.
  • V-274181 [MEDIUM] Amazon Linux 2023 must ensure the pcscd service is active.
  • V-274182 [MEDIUM] Amazon Linux 2023 file system automount function must be disabled unless required.
  • V-274183 [MEDIUM] Amazon Linux 2023 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures are configured on impacted network interfaces.
  • V-274184 [MEDIUM] Amazon Linux 2023 must implement nonexecutable data to protect its memory from unauthorized code execution.
  • V-274185 [MEDIUM] Amazon Linux 2023 must remove all software components after updated versions have been installed.
  • V-274186 [MEDIUM] Amazon Linux 2023 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
  • V-274187 [MEDIUM] Amazon Linux 2023 audit system must protect logon user identifiers (UIDs) from unauthorized change.
  • V-283440 [HIGH] Amazon Linux 2023 must implement DOD-approved encryption in the bind package.
  • V-283441 [HIGH] Amazon Linux 2023 must enable FIPS mode.
  • V-283442 [HIGH] The Amazon Linux 2023 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
  • V-283443 [HIGH] The Amazon Linux 2023 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
  • V-283452 [HIGH] Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant systemwide cryptographic policy.