Post on 25-Mar-2022
Amazon Inspector - Assessment Report
Findings Report
Report generated on 2019-02-11 at 22:00:00 UTC
Assessment Template: Assessment-Template-Default
Assessment Run start: 2019-02-11 at 21:39:57 UTC
Assessment Run end: 2019-02-11 at 21:56:39 UTC
Amazon Inspector Assessment-Template-Default
2019-02-11 21:56:40 UTC
Section 1: Executive Summary
This is an Inspector assessment report for an assessment started on 2019-02-11 21:39:57 UTC for assessment template 'Assessment-Template-Default'. The assessment target included 1 instance, and was tested against 4 Rules Packages.
The assessment target is defined using the following EC2 tags:
Key   Value
Name  Ubuntu-Desktop-1
The following Rules Packages were assessed. A total of 252 findings were created, with the following distribution by severity:
Rules Package                                               High  Medium  Low  Informational
CIS Operating System Security Configuration Benchmarks-1.0    80       0    0             10
Common Vulnerabilities and Exposures-1.1                      96      60    2              0
Network Reachability-1.1                                       0       0    1              2
Security Best Practices-1.0                                    0       1    0              0
Section 2: What is Tested
This section details the Rules Packages included in this assessment run, and the EC2 instances included in the assessment target.
2.1: Rules Packages - Count: 4
2.1.1: CIS Operating System Security Configuration Benchmarks-1.0
Description: The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security.
The rules in this package help establish a secure configuration posture for the following operating systems:
- Amazon Linux version 2015.03 (CIS benchmark v1.1.0)
- Windows Server 2008 R2 (CIS Benchmark for Microsoft Windows 2008 R2, v3.0.0, Level 1 Domain Controller)
- Windows Server 2008 R2 (CIS Benchmark for Microsoft Windows 2008 R2, v3.0.0, Level 1 Member Server Profile)
- Windows Server 2012 R2 (CIS Benchmark for Microsoft Windows Server 2012 R2, v2.2.0, Level 1 Member Server Profile)
- Windows Server 2012 R2 (CIS Benchmark for Microsoft Windows Server 2012 R2, v2.2.0, Level 1 Domain Controller Profile)
- Windows Server 2012 (CIS Benchmark for Microsoft Windows Server 2012 non-R2, v2.0.0, Level 1 Member Server Profile)
- Windows Server 2012 (CIS Benchmark for Microsoft Windows Server 2012 non-R2, v2.0.0, Level 1 Domain Controller Profile)
- Amazon Linux (CIS Benchmark for Amazon Linux Benchmark v2.1.0 Level 1)
- Amazon Linux (CIS Benchmark for Amazon Linux Benchmark v2.1.0 Level 2)
- CentOS Linux 7 (CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level 1 Server)
- CentOS Linux 7 (CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level 2 Server)
- CentOS Linux 7 (CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level 1 Workstation)
- CentOS Linux 7 (CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level 2 Workstation)
- Red Hat Enterprise Linux 7 (CIS Benchmark for Red Hat Enterprise Linux 7 Benchmark v2.1.1 Level 1 Server)
- Red Hat Enterprise Linux 7 (CIS Benchmark for Red Hat Enterprise Linux 7 Benchmark v2.1.1 Level 2 Server)
- Red Hat Enterprise Linux 7 (CIS Benchmark for Red Hat Enterprise Linux 7 Benchmark v2.1.1 Level 1 Workstation)
- Red Hat Enterprise Linux 7 (CIS Benchmark for Red Hat Enterprise Linux 7 Benchmark v2.1.1 Level 2 Workstation)
- Ubuntu Linux 16.04 LTS (CIS Benchmark for Ubuntu Linux 16.04 LTS Benchmark v1.1.0 Level 1 Server)
- Ubuntu Linux 16.04 LTS (CIS Benchmark for Ubuntu Linux 16.04 LTS Benchmark v1.1.0 Level 2 Server)
- Ubuntu Linux 16.04 LTS (CIS Benchmark for Ubuntu Linux 16.04 LTS Benchmark v1.1.0 Level 1 Workstation)
- Ubuntu Linux 16.04 LTS (CIS Benchmark for Ubuntu Linux 16.04 LTS Benchmark v1.1.0 Level 2 Workstation)
- CentOS Linux 6 (CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2, Level 1 Server)
- CentOS Linux 6 (CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2, Level 2 Server)
- CentOS Linux 6 (CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2, Level 1 Workstation)
- CentOS Linux 6 (CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2, Level 2 Workstation)
- Red Hat Enterprise Linux 6 (CIS Benchmark for Red Hat Enterprise Linux 6 Benchmark v2.0.2, Level 1 Server)
- Red Hat Enterprise Linux 6 (CIS Benchmark for Red Hat Enterprise Linux 6 Benchmark v2.0.2, Level 2 Server)
- Red Hat Enterprise Linux 6 (CIS Benchmark for Red Hat Enterprise Linux 6 Benchmark v2.0.2, Level 1 Workstation)
- Red Hat Enterprise Linux 6 (CIS Benchmark for Red Hat Enterprise Linux 6 Benchmark v2.0.2 Level 2 Workstation)
- Ubuntu Linux 14.04 LTS (CIS Benchmark for Ubuntu Linux 14.04 LTS Benchmark v2.0.0, Level 1 Server)
- Ubuntu Linux 14.04 LTS (CIS Benchmark for Ubuntu Linux 14.04 LTS Benchmark v2.0.0, Level 2 Server)
- Ubuntu Linux 14.04 LTS (CIS Benchmark for Ubuntu Linux 14.04 LTS Benchmark v2.0.0, Level 1 Workstation)
- Ubuntu Linux 14.04 LTS (CIS Benchmark for Ubuntu Linux 14.04 LTS Benchmark v2.0.0, Level 2 Workstation)
If a particular CIS benchmark appears in a finding produced by an Amazon Inspector assessment run, you can download a detailed PDF description of the benchmark from https://benchmarks.cisecurity.org/ (free registration required). The benchmark document provides detailed information about this CIS benchmark, its severity, and how to mitigate it.
Provider: Amazon Web Services, Inc.
Version: 1.0
2.1.2: Common Vulnerabilities and Exposures-1.1
Description: The rules in this package help verify whether the EC2 instances in your application are exposed to Common Vulnerabilities and Exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data. The CVE system provides a reference for publicly known information security vulnerabilities and exposures. For more information, see https://cve.mitre.org/. If a particular CVE appears in one of the produced Findings at the end of a completed Inspector assessment, you can search https://cve.mitre.org/ using the CVE's ID (for example, "CVE-2009-0021") to find detailed information about this CVE, its severity, and how to mitigate it.
Provider: Amazon Web Services, Inc.
Version: 1.1
2.1.3: Network Reachability-1.1
Description: These rules analyze the reachability of your instances over the network. Attacks can exploit your instances over the network by accessing services that are listening on open ports. These rules evaluate the security of your host configuration in AWS to determine if it allows access to ports and services over the network. For reachable ports and services, the Amazon Inspector findings identify where they can be reached from, and provide guidance on how to restrict access to these ports.
Provider: Amazon Web Services, Inc.
Version: 1.1
2.1.4: Security Best Practices-1.0
Description: The rules in this package help determine whether your systems are configured securely.
Provider: Amazon Web Services, Inc.
Version: 1.0
2.2: Assessment Target - Assessment-Template-Default
2.2.1: EC2 Tags:
The following EC2 tags (Key/Value pairs) were used to define this assessment target.
Key Value
Name Ubuntu-Desktop-1
2.2.2: Instances - Count 1
Instance ID
i-04372149a51fe6560
Section 3: Findings Summary
This section lists the rules that generated findings, the severity of the finding, and the number of instances affected. More details about the findings can be found in the "Findings Details" section. Rules that passed on all target instances available during the assessment run are listed in the "Passed Rules" section.
3.1: Findings table - CIS Operating System Security Configuration Benchmarks-1.0
3.1.1 Level 1 - Server
Rule Severity Failed
1.1.16 Ensure noexec option set on /run/shm partition High 1
1.1.1.1 Ensure mounting of cramfs filesystems is disabled High 1
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled High 1
1.1.1.3 Ensure mounting of jffs2 filesystems is disabled High 1
1.1.1.4 Ensure mounting of hfs filesystems is disabled High 1
1.1.1.5 Ensure mounting of hfsplus filesystems is disabled High 1
1.1.1.6 Ensure mounting of udf filesystems is disabled High 1
1.3.1 Ensure AIDE is installed High 1
1.3.2 Ensure filesystem integrity is regularly checked High 1
1.4.1 Ensure permissions on bootloader config are configured High 1
1.4.2 Ensure bootloader password is set High 1
1.5.1 Ensure core dumps are restricted High 1
1.7.1.4 Ensure permissions on /etc/motd are configured Informational 1
2.2.2 Ensure X Window System is not installed High 1
2.2.3 Ensure Avahi Server is not enabled High 1
2.2.4 Ensure CUPS is not enabled High 1
2.3.4 Ensure telnet client is not installed High 1
3.1.2 Ensure packet redirect sending is disabled High 1
3.2.1 Ensure source routed packets are not accepted High 1
3.2.2 Ensure ICMP redirects are not accepted High 1
3.2.3 Ensure secure ICMP redirects are not accepted High 1
3.2.4 Ensure suspicious packets are logged High 1
3.3.1 Ensure IPv6 router advertisements are not accepted Informational 1
3.3.2 Ensure IPv6 redirects are not accepted Informational 1
3.3.3 Ensure IPv6 is disabled Informational 1
3.4.3 Ensure /etc/hosts.deny is configured High 1
3.5.1 Ensure DCCP is disabled Informational 1
3.5.2 Ensure SCTP is disabled Informational 1
3.5.3 Ensure RDS is disabled Informational 1
3.5.4 Ensure TIPC is disabled Informational 1
3.6.2 Ensure default deny firewall policy High 1
3.6.3 Ensure loopback traffic is configured High 1
3.6.5 Ensure firewall rules exist for all open ports High 1
4.2.4 Ensure permissions on all logfiles are configured High 1
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host High 1
5.6 Ensure access to the su command is restricted High 1
5.1.2 Ensure permissions on /etc/crontab are configured High 1
5.1.3 Ensure permissions on /etc/cron.hourly are configured High 1
5.1.4 Ensure permissions on /etc/cron.daily are configured High 1
5.1.5 Ensure permissions on /etc/cron.weekly are configured High 1
5.1.6 Ensure permissions on /etc/cron.monthly are configured High 1
5.1.7 Ensure permissions on /etc/cron.d are configured High 1
5.1.8 Ensure at/cron is restricted to authorized users High 1
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured High 1
5.2.4 Ensure SSH X11 forwarding is disabled High 1
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less High 1
5.2.8 Ensure SSH root login is disabled High 1
5.2.10 Ensure SSH PermitUserEnvironment is disabled High 1
5.2.11 Ensure only approved MAC algorithms are used High 1
5.2.12 Ensure SSH Idle Timeout Interval is configured High 1
5.2.13 Ensure SSH LoginGraceTime is set to one minute or less High 1
5.2.14 Ensure SSH access is limited High 1
5.2.15 Ensure SSH warning banner is configured High 1
5.3.1 Ensure password creation requirements are configured High 1
5.3.2 Ensure lockout for failed password attempts is configured Informational 1
5.3.3 Ensure password reuse is limited High 1
5.4.2 Ensure system accounts are non-login High 1
5.4.4 Ensure default user umask is 027 or more restrictive High 1
5.4.5 Ensure default user shell timeout is 900 seconds or less High 1
5.4.1.1 Ensure password expiration is 90 days or less High 1
5.4.1.2 Ensure minimum days between password changes is 7 or more High 1
5.4.1.4 Ensure inactive password lock is 30 days or less High 1
6.2.1 Ensure password fields are not empty High 1
6.2.7 Ensure all users' home directories exist High 1
6.2.8 Ensure users' home directories permissions are 750 or more restrictive High 1
3.1.2 Level 1 - Workstation
Rule Severity Failed
1.1.16 Ensure noexec option set on /run/shm partition High 1
1.1.1.1 Ensure mounting of cramfs filesystems is disabled High 1
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled High 1
1.1.1.3 Ensure mounting of jffs2 filesystems is disabled High 1
1.1.1.4 Ensure mounting of hfs filesystems is disabled High 1
1.1.1.5 Ensure mounting of hfsplus filesystems is disabled High 1
1.1.1.6 Ensure mounting of udf filesystems is disabled High 1
1.3.1 Ensure AIDE is installed High 1
1.3.2 Ensure filesystem integrity is regularly checked High 1
1.4.1 Ensure permissions on bootloader config are configured High 1
1.4.2 Ensure bootloader password is set High 1
1.5.1 Ensure core dumps are restricted High 1
1.7.1.4 Ensure permissions on /etc/motd are configured Informational 1
2.2.3 Ensure Avahi Server is not enabled High 1
2.3.4 Ensure telnet client is not installed High 1
3.1.2 Ensure packet redirect sending is disabled High 1
3.2.1 Ensure source routed packets are not accepted High 1
3.2.2 Ensure ICMP redirects are not accepted High 1
3.2.3 Ensure secure ICMP redirects are not accepted High 1
3.2.4 Ensure suspicious packets are logged High 1
3.3.1 Ensure IPv6 router advertisements are not accepted Informational 1
3.3.2 Ensure IPv6 redirects are not accepted Informational 1
3.3.3 Ensure IPv6 is disabled Informational 1
3.4.3 Ensure /etc/hosts.deny is configured High 1
3.5.1 Ensure DCCP is disabled Informational 1
3.5.2 Ensure SCTP is disabled Informational 1
3.5.3 Ensure RDS is disabled Informational 1
3.5.4 Ensure TIPC is disabled Informational 1
3.6.2 Ensure default deny firewall policy High 1
3.6.3 Ensure loopback traffic is configured High 1
3.6.5 Ensure firewall rules exist for all open ports High 1
4.2.4 Ensure permissions on all logfiles are configured High 1
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host High 1
5.6 Ensure access to the su command is restricted High 1
5.1.2 Ensure permissions on /etc/crontab are configured High 1
5.1.3 Ensure permissions on /etc/cron.hourly are configured High 1
5.1.4 Ensure permissions on /etc/cron.daily are configured High 1
5.1.5 Ensure permissions on /etc/cron.weekly are configured High 1
5.1.6 Ensure permissions on /etc/cron.monthly are configured High 1
5.1.7 Ensure permissions on /etc/cron.d are configured High 1
5.1.8 Ensure at/cron is restricted to authorized users High 1
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured High 1
5.2.4 Ensure SSH X11 forwarding is disabled High 1
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less High 1
5.2.8 Ensure SSH root login is disabled High 1
5.2.10 Ensure SSH PermitUserEnvironment is disabled High 1
5.2.11 Ensure only approved MAC algorithms are used High 1
5.2.12 Ensure SSH Idle Timeout Interval is configured High 1
5.2.13 Ensure SSH LoginGraceTime is set to one minute or less High 1
5.2.14 Ensure SSH access is limited High 1
5.2.15 Ensure SSH warning banner is configured High 1
5.3.1 Ensure password creation requirements are configured High 1
5.3.2 Ensure lockout for failed password attempts is configured Informational 1
5.3.3 Ensure password reuse is limited High 1
5.4.2 Ensure system accounts are non-login High 1
5.4.4 Ensure default user umask is 027 or more restrictive High 1
5.4.5 Ensure default user shell timeout is 900 seconds or less High 1
5.4.1.1 Ensure password expiration is 90 days or less High 1
5.4.1.2 Ensure minimum days between password changes is 7 or more High 1
5.4.1.4 Ensure inactive password lock is 30 days or less High 1
6.2.1 Ensure password fields are not empty High 1
6.2.7 Ensure all users' home directories exist High 1
6.2.8 Ensure users' home directories permissions are 750 or more restrictive High 1
3.1.3 Level 2 - Server
Rule Severity Failed
1.1.2 Ensure separate partition exists for /tmp High 1
1.1.5 Ensure separate partition exists for /var High 1
1.1.6 Ensure separate partition exists for /var/tmp High 1
1.1.10 Ensure separate partition exists for /var/log High 1
1.1.11 Ensure separate partition exists for /var/log/audit High 1
1.1.12 Ensure separate partition exists for /home High 1
1.1.16 Ensure noexec option set on /run/shm partition High 1
1.1.1.1 Ensure mounting of cramfs filesystems is disabled High 1
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled High 1
1.1.1.3 Ensure mounting of jffs2 filesystems is disabled High 1
1.1.1.4 Ensure mounting of hfs filesystems is disabled High 1
1.1.1.5 Ensure mounting of hfsplus filesystems is disabled High 1
1.1.1.6 Ensure mounting of udf filesystems is disabled High 1
1.3.1 Ensure AIDE is installed High 1
1.3.2 Ensure filesystem integrity is regularly checked High 1
1.4.1 Ensure permissions on bootloader config are configured High 1
1.4.2 Ensure bootloader password is set High 1
1.5.1 Ensure core dumps are restricted High 1
1.7.1.4 Ensure permissions on /etc/motd are configured Informational 1
2.2.2 Ensure X Window System is not installed High 1
2.2.3 Ensure Avahi Server is not enabled High 1
2.2.4 Ensure CUPS is not enabled High 1
2.3.4 Ensure telnet client is not installed High 1
3.1.2 Ensure packet redirect sending is disabled High 1
3.2.1 Ensure source routed packets are not accepted High 1
3.2.2 Ensure ICMP redirects are not accepted High 1
3.2.3 Ensure secure ICMP redirects are not accepted High 1
3.2.4 Ensure suspicious packets are logged High 1
3.3.1 Ensure IPv6 router advertisements are not accepted Informational 1
3.3.2 Ensure IPv6 redirects are not accepted Informational 1
3.3.3 Ensure IPv6 is disabled Informational 1
3.4.3 Ensure /etc/hosts.deny is configured High 1
3.5.1 Ensure DCCP is disabled Informational 1
3.5.2 Ensure SCTP is disabled Informational 1
3.5.3 Ensure RDS is disabled Informational 1
3.5.4 Ensure TIPC is disabled Informational 1
3.6.2 Ensure default deny firewall policy High 1
3.6.3 Ensure loopback traffic is configured High 1
3.6.5 Ensure firewall rules exist for all open ports High 1
4.1.2 Ensure auditd service is enabled High 1
4.1.3 Ensure auditing for processes that start prior to auditd is enabled High 1
4.1.4 Ensure events that modify date and time information are collected High 1
4.1.5 Ensure events that modify user/group information are collected High 1
4.1.6 Ensure events that modify the system's network environment are collected High 1
4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected High 1
4.1.8 Ensure login and logout events are collected High 1
4.1.9 Ensure session initiation information is collected High 1
4.1.10 Ensure discretionary access control permission modification events are collected High 1
4.1.11 Ensure unsuccessful unauthorized file access attempts are collected High 1
4.1.13 Ensure successful file system mounts are collected High 1
4.1.14 Ensure file deletion events by users are collected High 1
4.1.15 Ensure changes to system administration scope (sudoers) is collected High 1
4.1.16 Ensure system administrator actions (sudolog) are collected High 1
4.1.17 Ensure kernel module loading and unloading is collected High 1
4.1.18 Ensure the audit configuration is immutable High 1
4.1.1.1 Ensure audit log storage size is configured Informational 1
4.1.1.2 Ensure system is disabled when audit logs are full High 1
4.1.1.3 Ensure audit logs are not automatically deleted High 1
4.2.4 Ensure permissions on all logfiles are configured High 1
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host High 1
5.6 Ensure access to the su command is restricted High 1
5.1.2 Ensure permissions on /etc/crontab are configured High 1
5.1.3 Ensure permissions on /etc/cron.hourly are configured High 1
5.1.4 Ensure permissions on /etc/cron.daily are configured High 1
5.1.5 Ensure permissions on /etc/cron.weekly are configured High 1
5.1.6 Ensure permissions on /etc/cron.monthly are configured High 1
5.1.7 Ensure permissions on /etc/cron.d are configured High 1
5.1.8 Ensure at/cron is restricted to authorized users High 1
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured High 1
5.2.4 Ensure SSH X11 forwarding is disabled High 1
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less High 1
5.2.8 Ensure SSH root login is disabled High 1
5.2.10 Ensure SSH PermitUserEnvironment is disabled High 1
5.2.11 Ensure only approved MAC algorithms are used High 1
5.2.12 Ensure SSH Idle Timeout Interval is configured High 1
5.2.13 Ensure SSH LoginGraceTime is set to one minute or less High 1
5.2.14 Ensure SSH access is limited High 1
5.2.15 Ensure SSH warning banner is configured High 1
5.3.1 Ensure password creation requirements are configured High 1
5.3.2 Ensure lockout for failed password attempts is configured Informational 1
5.3.3 Ensure password reuse is limited High 1
5.4.2 Ensure system accounts are non-login High 1
5.4.4 Ensure default user umask is 027 or more restrictive High 1
5.4.5 Ensure default user shell timeout is 900 seconds or less High 1
5.4.1.1 Ensure password expiration is 90 days or less High 1
5.4.1.2 Ensure minimum days between password changes is 7 or more High 1
5.4.1.4 Ensure inactive password lock is 30 days or less High 1
6.2.1 Ensure password fields are not empty High 1
6.2.7 Ensure all users' home directories exist High 1
6.2.8 Ensure users' home directories permissions are 750 or more restrictive High 1
3.1.4 Level 2 - Workstation
Rule Severity Failed
1.1.2 Ensure separate partition exists for /tmp High 1
1.1.5 Ensure separate partition exists for /var High 1
1.1.6 Ensure separate partition exists for /var/tmp High 1
1.1.10 Ensure separate partition exists for /var/log High 1
1.1.11 Ensure separate partition exists for /var/log/audit High 1
1.1.12 Ensure separate partition exists for /home High 1
1.1.16 Ensure noexec option set on /run/shm partition High 1
1.1.1.1 Ensure mounting of cramfs filesystems is disabled High 1
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled High 1
1.1.1.3 Ensure mounting of jffs2 filesystems is disabled High 1
1.1.1.4 Ensure mounting of hfs filesystems is disabled High 1
1.1.1.5 Ensure mounting of hfsplus filesystems is disabled High 1
1.1.1.6 Ensure mounting of udf filesystems is disabled High 1
1.3.1 Ensure AIDE is installed High 1
1.3.2 Ensure filesystem integrity is regularly checked High 1
1.4.1 Ensure permissions on bootloader config are configured High 1
1.4.2 Ensure bootloader password is set High 1
1.5.1 Ensure core dumps are restricted High 1
1.7.1.4 Ensure permissions on /etc/motd are configured Informational 1
2.2.3 Ensure Avahi Server is not enabled High 1
2.2.4 Ensure CUPS is not enabled High 1
2.3.4 Ensure telnet client is not installed High 1
3.1.2 Ensure packet redirect sending is disabled High 1
3.2.1 Ensure source routed packets are not accepted High 1
3.2.2 Ensure ICMP redirects are not accepted High 1
3.2.3 Ensure secure ICMP redirects are not accepted High 1
3.2.4 Ensure suspicious packets are logged High 1
3.3.1 Ensure IPv6 router advertisements are not accepted Informational 1
3.3.2 Ensure IPv6 redirects are not accepted Informational 1
3.3.3 Ensure IPv6 is disabled Informational 1
3.4.3 Ensure /etc/hosts.deny is configured High 1
3.5.1 Ensure DCCP is disabled Informational 1
3.5.2 Ensure SCTP is disabled Informational 1
3.5.3 Ensure RDS is disabled Informational 1
3.5.4 Ensure TIPC is disabled Informational 1
3.6.2 Ensure default deny firewall policy High 1
3.6.3 Ensure loopback traffic is configured High 1
3.6.5 Ensure firewall rules exist for all open ports High 1
4.1.2 Ensure auditd service is enabled High 1
4.1.3 Ensure auditing for processes that start prior to auditd is enabled High 1
4.1.4 Ensure events that modify date and time information are collected High 1
4.1.5 Ensure events that modify user/group information are collected High 1
4.1.6 Ensure events that modify the system's network environment are collected High 1
4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected High 1
4.1.8 Ensure login and logout events are collected High 1
4.1.9 Ensure session initiation information is collected High 1
4.1.10 Ensure discretionary access control permission modification events are collected High 1
4.1.11 Ensure unsuccessful unauthorized file access attempts are collected High 1
4.1.13 Ensure successful file system mounts are collected High 1
4.1.14 Ensure file deletion events by users are collected High 1
4.1.15 Ensure changes to system administration scope (sudoers) is collected High 1
4.1.16 Ensure system administrator actions (sudolog) are collected High 1
4.1.17 Ensure kernel module loading and unloading is collected High 1
4.1.18 Ensure the audit configuration is immutable High 1
4.1.1.1 Ensure audit log storage size is configured Informational 1
4.1.1.2 Ensure system is disabled when audit logs are full High 1
4.1.1.3 Ensure audit logs are not automatically deleted High 1
4.2.4 Ensure permissions on all logfiles are configured High 1
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host High 1
5.6 Ensure access to the su command is restricted High 1
5.1.2 Ensure permissions on /etc/crontab are configured High 1
5.1.3 Ensure permissions on /etc/cron.hourly are configured High 1
5.1.4 Ensure permissions on /etc/cron.daily are configured High 1
5.1.5 Ensure permissions on /etc/cron.weekly are configured High 1
5.1.6 Ensure permissions on /etc/cron.monthly are configured High 1
5.1.7 Ensure permissions on /etc/cron.d are configured High 1
5.1.8 Ensure at/cron is restricted to authorized users High 1
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured High 1
5.2.4 Ensure SSH X11 forwarding is disabled High 1
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less High 1
5.2.8 Ensure SSH root login is disabled High 1
5.2.10 Ensure SSH PermitUserEnvironment is disabled High 1
5.2.11 Ensure only approved MAC algorithms are used High 1
5.2.12 Ensure SSH Idle Timeout Interval is configured High 1
5.2.13 Ensure SSH LoginGraceTime is set to one minute or less High 1
5.2.14 Ensure SSH access is limited High 1
5.2.15 Ensure SSH warning banner is configured High 1
5.3.1 Ensure password creation requirements are configured High 1
5.3.2 Ensure lockout for failed password attempts is configured Informational 1
5.3.3 Ensure password reuse is limited High 1
5.4.2 Ensure system accounts are non-login High 1
5.4.4 Ensure default user umask is 027 or more restrictive High 1
5.4.5 Ensure default user shell timeout is 900 seconds or less High 1
5.4.1.1 Ensure password expiration is 90 days or less High 1
5.4.1.2 Ensure minimum days between password changes is 7 or more High 1
5.4.1.4 Ensure inactive password lock is 30 days or less High 1
6.2.1 Ensure password fields are not empty High 1
6.2.7 Ensure all users' home directories exist High 1
6.2.8 Ensure users' home directories permissions are 750 or more restrictive High 1
3.2: Findings table - Common Vulnerabilities and Exposures-1.1
Rule Severity Failed
CVE-2013-7447 Medium 1
CVE-2014-8625 High 1
CVE-2014-9939 High 1
CVE-2015-1336 High 1
CVE-2015-5297 Medium 1
CVE-2015-8539 High 1
CVE-2016-10708 High 1
CVE-2016-2226 High 1
CVE-2016-4484 High 1
CVE-2016-5011 Medium 1
CVE-2016-7913 High 1
CVE-2016-9588 Medium 1
CVE-2017-0794 High 1
CVE-2017-11591 High 1
CVE-2017-11683 Medium 1
CVE-2017-13168 Medium 1
CVE-2017-14502 High 1
CVE-2017-14859 Medium 1
CVE-2017-14862 Medium 1
CVE-2017-14864 Medium 1
CVE-2017-15299 Medium 1
CVE-2017-16649 High 1
CVE-2017-17669 Medium 1
CVE-2017-18216 Medium 1
CVE-2017-2647 High 1
CVE-2017-6519 High 1
CVE-2017-9239 Medium 1
CVE-2017-9525 High 1
CVE-2018-0495 Low 1
CVE-2018-0734 Medium 1
CVE-2018-0735 Medium 1
CVE-2018-1000004 High 1
CVE-2018-1000030 High 1
CVE-2018-1000802 High 1
CVE-2018-1000877 High 1
CVE-2018-1000878 High 1
CVE-2018-1000880 Medium 1
CVE-2018-10119 High 1
CVE-2018-10120 High 1
CVE-2018-10583 High 1
CVE-2018-1060 High 1
CVE-2018-1061 High 1
CVE-2018-1066 High 1
CVE-2018-10902 Medium 1
CVE-2018-10963 Medium 1
CVE-2018-11574 High 1
CVE-2018-11790 Medium 1
CVE-2018-12384 Medium 1
CVE-2018-12389 High 1
CVE-2018-12390 High 1
CVE-2018-12392 High 1
CVE-2018-12393 High 1
CVE-2018-12896 Medium 1
CVE-2018-14633 High 1
CVE-2018-14634 High 1
CVE-2018-14647 High 1
CVE-2018-14734 High 1
CVE-2018-15126 High 1
CVE-2018-15127 High 1
CVE-2018-15473 High 1
CVE-2018-15572 Medium 1
CVE-2018-15594 Medium 1
CVE-2018-16276 High 1
CVE-2018-16336 Medium 1
CVE-2018-16395 High 1
CVE-2018-16396 High 1
CVE-2018-16646 Medium 1
CVE-2018-16658 Medium 1
CVE-2018-17100 High 1
CVE-2018-17101 High 1
CVE-2018-17466 High 1
CVE-2018-17581 Medium 1
CVE-2018-17972 Medium 1
CVE-2018-18281 Medium 1
CVE-2018-18311 High 1
CVE-2018-18312 High 1
CVE-2018-18313 High 1
CVE-2018-18314 High 1
CVE-2018-18386 Medium 1
CVE-2018-18500 High 1
CVE-2018-18501 High 1
CVE-2018-18502 High 1
CVE-2018-18503 High 1
CVE-2018-18504 High 1
CVE-2018-18505 High 1
CVE-2018-18506 Medium 1
CVE-2018-18557 High 1
CVE-2018-18661 Medium 1
CVE-2018-18690 Medium 1
CVE-2018-18710 Medium 1
CVE-2018-18751 High 1
CVE-2018-19058 Medium 1
CVE-2018-19059 Medium 1
CVE-2018-19060 Medium 1
CVE-2018-19149 Medium 1
CVE-2018-19409 High 1
CVE-2018-19475 High 1
CVE-2018-19476 High 1
CVE-2018-19477 High 1
CVE-2018-19787 Medium 1
CVE-2018-19788 High 1
CVE-2018-19840 Medium 1
CVE-2018-19841 Medium 1
CVE-2018-20019 High 1
CVE-2018-20020 High 1
CVE-2018-20021 High 1
CVE-2018-20022 High 1
CVE-2018-20023 High 1
CVE-2018-20024 High 1
CVE-2018-20459 Medium 1
CVE-2018-20481 Medium 1
CVE-2018-20544 Medium 1
CVE-2018-20545 High 1
CVE-2018-20546 Medium 1
CVE-2018-20547 Medium 1
CVE-2018-20548 High 1
CVE-2018-20549 High 1
CVE-2018-20551 Medium 1
CVE-2018-20650 Medium 1
CVE-2018-20685 Medium 1
CVE-2018-20748 High 1
CVE-2018-20749 High 1
CVE-2018-20750 High 1
CVE-2018-3136 Medium 1
CVE-2018-3139 Medium 1
CVE-2018-3149 High 1
CVE-2018-3169 High 1
CVE-2018-3180 High 1
CVE-2018-5407 Low 1
CVE-2018-5807 High 1
CVE-2018-5810 High 1
CVE-2018-5811 Medium 1
CVE-2018-5812 Medium 1
CVE-2018-5813 High 1
CVE-2018-5815 High 1
CVE-2018-5816 High 1
CVE-2018-6307 High 1
CVE-2018-6554 Medium 1
CVE-2018-6555 High 1
CVE-2018-7456 Medium 1
CVE-2018-7566 Medium 1
CVE-2018-8784 High 1
CVE-2018-8785 High 1
CVE-2018-8786 High 1
CVE-2018-8787 High 1
CVE-2018-8788 High 1
CVE-2018-8789 High 1
CVE-2018-8905 High 1
CVE-2018-9363 High 1
CVE-2018-9518 High 1
CVE-2018-9568 High 1
CVE-2019-1000019 Medium 1
CVE-2019-1000020 Medium 1
CVE-2019-3813 High 1
CVE-2019-3823 High 1
CVE-2019-6109 Medium 1
CVE-2019-6110 Medium 1
CVE-2019-7310 High 1
3.3: Findings table - Network Reachability-1.1
Rule Severity Failed
Recognized port with listener reachable from internet Informational 1
Recognized port with no listener reachable from internet Informational 1
Unrecognized port with listener reachable from internet Low 1
3.4: Findings table - Security Best Practices-1.0
Rule Severity Failed
Disable root login over SSH Medium 1
Section 4: Findings Details
This section details the findings generated in this assessment run, and the instances that generated the finding. If an instance is not listed here, that means it was checked and passed.
4.1: Findings details - CIS Operating System Security Configuration Benchmarks-1.0
4.1.1 Level 1 - Server
1.1.16 Ensure noexec option set on /run/shm partition
Severity: High
Description: The noexec mount option specifies that the filesystem cannot contain executable binaries.
Rationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.
Recommendation: Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /run/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /run/shm: # mount -o remount,noexec /run/shm
Failed Instances: i-04372149a51fe6560
1.1.1.1 Ensure mounting of cramfs filesystems is disabled
Severity: High
Description: The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
Severity: High
Description: The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
Severity: High
Description: The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.4 Ensure mounting of hfs filesystems is disabled
Severity: High
Description: The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
Severity: High
Description: The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.6 Ensure mounting of udf filesystems is disabled
Severity: High
Description: The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true
Failed Instances: i-04372149a51fe6560
1.3.1 Ensure AIDE is installed
Severity: High
Description: AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system. Rationale: By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.
Recommendation: Run the following command to install AIDE: # apt-get install aide
Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aide --init
Failed Instances: i-04372149a51fe6560
1.3.2 Ensure filesystem integrity is regularly checked
Severity: High
Description: Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.
Recommendation: Run the following command: # crontab -u root -e
Add the following line to the crontab: 0 5 * * * /usr/bin/aide --check
Failed Instances: i-04372149a51fe6560
1.4.1 Ensure permissions on bootloader config are configured
Severity: High
Description: The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub. Rationale: Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.
Recommendation: Run the following commands to set permissions on your grub configuration:
# chown root:root /boot/grub/grub.cfg
# chmod og-rwx /boot/grub/grub.cfg
Failed Instances: i-04372149a51fe6560
1.4.2 Ensure bootloader password is set
Severity: High
Description: Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters. Rationale: Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).
Recommendation: Create an encrypted password with grub-mkpasswd-pbkdf2:
# grub-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
Your PBKDF2 is <encrypted-password>
Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file:
cat <<EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF
Run the following command to update the grub2 configuration: # update-grub
Failed Instances: i-04372149a51fe6560
1.5.1 Ensure core dumps are restricted
Severity: High
Description: A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user. Rationale: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.
Recommendation: Add the following line to the /etc/security/limits.conf file or a /etc/security/limits.d/* file: * hard core 0
Set the following parameter in the /etc/sysctl.conf file: fs.suid_dumpable = 0
Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0
Failed Instances: i-04372149a51fe6560
1.7.1.4 Ensure permissions on /etc/motd are configured
Severity: Informational
Description: The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Rationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.
Recommendation: Run the following commands to set permissions on /etc/motd:
# chown root:root /etc/motd
# chmod 644 /etc/motd
Failed Instances: i-04372149a51fe6560
2.2.2 Ensure X Window System is not installed
Severity: High
Description: The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. The X Window System is typically used on workstations where users log in, but not on servers where users typically do not log in. Rationale: Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface.
Recommendation: Run the following command to remove the X Window System packages: # apt-get remove xserver-xorg*
Failed Instances: i-04372149a51fe6560
2.2.3 Ensure Avahi Server is not enabled
Severity: High
Description: Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine. Rationale: Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface.
Recommendation: Remove or comment out start lines in /etc/init/avahi-daemon.conf: #start on runlevel [2345]
Failed Instances: i-04372149a51fe6560
2.2.4 Ensure CUPS is not enabled
Severity: High
Description: The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability. Rationale: If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface.
Recommendation: Remove or comment out start lines in /etc/init/cups.conf: #start on runlevel [2345]
Impact: Disabling CUPS will prevent printing from the system, a common task for workstation systems.
Failed Instances: i-04372149a51fe6560
2.3.4 Ensure telnet client is not installed
Severity: High
Description: The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions.
Recommendation: Run the following command to uninstall telnet: # apt-get remove telnet
Impact: Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse.
Failed Instances: i-04372149a51fe6560
3.1.2 Ensure packet redirect sending is disabled
Severity: High
Description: ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects. Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.send_redirects=0
# sysctl -w net.ipv4.conf.default.send_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.1 Ensure source routed packets are not accepted
Severity: High
Description: In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used. Rationale: Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
# sysctl -w net.ipv4.conf.default.accept_source_route=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.2 Ensure ICMP redirects are not accepted
Severity: High
Description: ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables. Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.3 Ensure secure ICMP redirects are not accepted
Severity: High
Description: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. Rationale: It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.4 Ensure suspicious packets are logged
Severity: High
Description: When enabled, this feature logs packets with un-routable source addresses to the kernel log. Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.log_martians=1
# sysctl -w net.ipv4.conf.default.log_martians=1
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.1 Ensure IPv6 router advertisements are not accepted
Severity: Informational
Description: This setting disables the system's ability to accept IPv6 router advertisements. Rationale: It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_ra=0
# sysctl -w net.ipv6.conf.default.accept_ra=0
# sysctl -w net.ipv6.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.2 Ensure IPv6 redirects are not accepted
Severity: Informational
Description: This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic. Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_redirects=0
# sysctl -w net.ipv6.conf.default.accept_redirects=0
# sysctl -w net.ipv6.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.3 Ensure IPv6 is disabled
Severity: Informational
Description: Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6. Rationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system.
Recommendation: Edit /etc/default/grub and add 'ipv6.disable=1' to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="ipv6.disable=1"
Run the following command to update the grub2 configuration: # update-grub
Failed Instances: i-04372149a51fe6560
3.4.3 Ensure /etc/hosts.deny is configured
Severity: High
Description: The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file. Rationale: The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the system.
Recommendation: Run the following command to create /etc/hosts.deny: # echo "ALL: ALL" >> /etc/hosts.deny
Failed Instances: i-04372149a51fe6560
3.5.1 Ensure DCCP is disabled
Severity: Informational
Description: The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. Rationale: If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install dccp /bin/true
Failed Instances: i-04372149a51fe6560
3.5.2 Ensure SCTP is disabled
Severity: Informational
Description: The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install sctp /bin/true
Failed Instances: i-04372149a51fe6560
3.5.3 Ensure RDS is disabled
Severity: Informational
Description: The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install rds /bin/true
Failed Instances: i-04372149a51fe6560
3.5.4 Ensure TIPC is disabled
Severity: Informational
Description: The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install tipc /bin/true
Failed Instances: i-04372149a51fe6560
3.6.2 Ensure default deny firewall policy
Severity: High
Description: A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.
Recommendation: Run the following commands to implement a default DROP policy:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
Failed Instances: i-04372149a51fe6560
3.6.3 Ensure loopback traffic is configured
Severity: High
Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale: Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Recommendation: Run the following commands to implement the loopback rules:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -s 127.0.0.0/8 -j DROP
Failed Instances: i-04372149a51fe6560
3.6.5 Ensure firewall rules exist for all open ports
Severity: High
Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. Rationale: Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports.
Recommendation: For each port identified in the audit which does not have a firewall rule, establish a proper rule for accepting inbound connections: # iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT
Failed Instances: i-04372149a51fe6560
4.2.4 Ensure permissions on all logfiles are configured
Severity: High
Description: Log files stored in /var/log/ contain logged information from many services on the system or, on log hosts, from other systems as well. Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
Recommendation: Run the following command to set permissions on all existing log files: # chmod -R g-wx,o-rwx /var/log/*
Failed Instances: i-04372149a51fe6560
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
Severity: High
Description: The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead. Rationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
Recommendation: Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com
Run the following command to restart rsyslog: # pkill -HUP rsyslogd
Failed Instances: i-04372149a51fe6560
5.6 Ensure access to the su command is restricted
Severity: High
Description: The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su. Rationale: Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program.
Recommendation: Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid
Create a comma separated list of users in the wheel statement in the /etc/group file: wheel:x:10:root,<user list>
Failed Instances: i-04372149a51fe6560
5.1.2 Ensure permissions on /etc/crontab are configured
Severity: High
Description: The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. Rationale: This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access.
Recommendation: Run the following commands to set ownership and permissions on /etc/crontab:
# chown root:root /etc/crontab
# chmod og-rwx /etc/crontab
Failed Instances: i-04372149a51fe6560
5.1.3 Ensure permissions on /etc/cron.hourly are configured
Severity: High
Description: This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.hourly:
# chown root:root /etc/cron.hourly
# chmod og-rwx /etc/cron.hourly
Failed Instances: i-04372149a51fe6560
5.1.4 Ensure permissions on /etc/cron.daily are configured
Severity: High
Description: The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.daily:
# chown root:root /etc/cron.daily
# chmod og-rwx /etc/cron.daily
Failed Instances: i-04372149a51fe6560
5.1.5 Ensure permissions on /etc/cron.weekly are configured
Severity: High
Description: The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.weekly:
# chown root:root /etc/cron.weekly
# chmod og-rwx /etc/cron.weekly
Failed Instances: i-04372149a51fe6560
5.1.6 Ensure permissions on /etc/cron.monthly are configured
Severity: High
Description: The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.monthly:
# chown root:root /etc/cron.monthly
# chmod og-rwx /etc/cron.monthly
Failed Instances: i-04372149a51fe6560
5.1.7 Ensure permissions on /etc/cron.d are configured
Severity: High
Description: The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.d:
# chown root:root /etc/cron.d
# chmod og-rwx /etc/cron.d
Failed Instances: i-04372149a51fe6560
5.1.8 Ensure at/cron is restricted to authorized users
Severity: High
Description: Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs.
Rationale: On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.
Recommendation: Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow:
# rm /etc/cron.deny
# rm /etc/at.deny
# touch /etc/cron.allow
# touch /etc/at.allow
# chmod og-rwx /etc/cron.allow
# chmod og-rwx /etc/at.allow
# chown root:root /etc/cron.allow
# chown root:root /etc/at.allow
Failed Instances: i-04372149a51fe6560
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
Severity: High
Description: The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root.
Rationale: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users.
Recommendation: Run the following commands to set ownership and permissions on /etc/ssh/sshd_config:
# chown root:root /etc/ssh/sshd_config
# chmod 600 /etc/ssh/sshd_config
Failed Instances: i-04372149a51fe6560
5.2.4 Ensure SSH X11 forwarding is disabled
Severity: High
Description: The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.
Rationale: Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
X11Forwarding no
Failed Instances: i-04372149a51fe6560
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less
Severity: High
Description: The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.
Rationale: Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
MaxAuthTries 4
Failed Instances: i-04372149a51fe6560
5.2.8 Ensure SSH root login is disabled
Severity: High
Description: The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no.
Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitRootLogin no
Failed Instances: i-04372149a51fe6560
5.2.10 Ensure SSH PermitUserEnvironment is disabled
Severity: High
Description: The PermitUserEnvironment option allows users to present environment options to the ssh daemon.
Rationale: Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs).
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitUserEnvironment no
Failed Instances: i-04372149a51fe6560
5.2.11 Ensure only approved MAC algorithms are used
Severity: High
Description: This variable limits the types of MAC algorithms that SSH can use during communication.
Rationale: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Failed Instances: i-04372149a51fe6560
5.2.12 Ensure SSH Idle Timeout Interval is configured
Severity: High
Description: The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time.
Rationale: Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameters as follows:
ClientAliveInterval 300
ClientAliveCountMax 0
Failed Instances: i-04372149a51fe6560
5.2.13 Ensure SSH LoginGraceTime is set to one minute or less
Severity: High
Description: The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the grace period is, the more open unauthenticated connections can exist. Like other session controls in this section, the grace period should be limited to appropriate organizational limits to ensure the service is available for needed access.
Rationale: Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 minute), set the number based on site policy.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
LoginGraceTime 60
Failed Instances: i-04372149a51fe6560
5.2.14 Ensure SSH access is limited
Severity: High
Description: There are several options available to limit which users and groups can access the system via SSH. It is recommended that at least one of the following options be leveraged:
AllowUsers - The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of comma separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host.
AllowGroups - The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric group IDs are not recognized with this variable.
DenyUsers - The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of comma separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host.
DenyGroups - The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric group IDs are not recognized with this variable.
Rationale: Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system.
Recommendation: Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows:
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
Failed Instances: i-04372149a51fe6560
5.2.15 Ensure SSH warning banner is configured
Severity: High
Description: The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed.
Rationale: Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Banner /etc/issue.net
Failed Instances: i-04372149a51fe6560
5.3.1 Ensure password creation requirements are configured
Severity: High
Description: The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, is a certain length, contains a mix of characters (e.g. alphabetic, numeric, other) and more. The following are definitions of the pam_pwquality.so options:
try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
retry=3 - Allow 3 tries before sending back a failure.
The following options are set in the /etc/security/pwquality.conf file:
minlen=14 - password must be 14 characters or more
dcredit=-1 - provide at least one digit
ucredit=-1 - provide at least one uppercase character
ocredit=-1 - provide at least one special character
lcredit=-1 - provide at least one lowercase character
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.
Rationale: Strong passwords protect systems from being hacked through brute force methods.
Recommendation: Run the following command to install the pam_pwquality module:
apt-get install libpam-pwquality
Edit the /etc/pam.d/common-passwd file to include the appropriate options for pam_pwquality.so and to conform to site policy:
password requisite pam_pwquality.so try_first_pass retry=3
Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
Failed Instances: i-04372149a51fe6560
5.3.2 Ensure lockout for failed password attempts is configured
Severity: Informational
Description: Lock out users after n unsuccessful consecutive login attempts. The first set of changes is made to the PAM configuration files. The second set of changes is applied to the program-specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site.
Rationale: Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.
Recommendation: Edit the /etc/pam.d/common-auth file and add the auth line below:
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u <username> --reset. This command sets the failed count to 0, effectively unlocking the user.
Failed Instances: i-04372149a51fe6560
5.3.3 Ensure password reuse is limited
Severity: High
Description: The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.
Rationale: Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password. Note that these changes only apply to accounts configured on the local system.
Recommendation: Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown:
password sufficient pam_unix.so remember=5
Failed Instances: i-04372149a51fe6560
5.4.2 Ensure system accounts are non-login
Severity: High
Description: There are a number of accounts provided with Ubuntu that are used to manage applications and are not intended to provide an interactive shell.
Rationale: It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to /sbin/nologin. This prevents the account from potentially being used to run any commands.
Recommendation: Set the shell for any accounts returned by the audit script to /usr/sbin/nologin:
# usermod -s /usr/sbin/nologin <user>
The following script will automatically set all user shells required to /usr/sbin/nologin and lock the sync, shutdown, and halt users:
#!/bin/bash
# Iterate over every account with a UID below 1000 (system accounts on Ubuntu).
for user in $(awk -F: '($3 < 1000) {print $1 }' /etc/passwd); do
  if [ "$user" != "root" ]; then
    # Lock the account's password.
    usermod -L "$user"
    # sync, shutdown and halt keep their shells; everything else gets nologin.
    if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
      usermod -s /usr/sbin/nologin "$user"
    fi
  fi
done
Failed Instances: i-04372149a51fe6560
5.4.4 Ensure default user umask is 027 or more restrictive
Severity: High
Description: The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories.
Rationale: Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system.
Recommendation: Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:
umask 027
Failed Instances: i-04372149a51fe6560
5.4.5 Ensure default user shell timeout is 900 seconds or less
Severity: High
Description: The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds.
Rationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.
Recommendation: Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any TMOUT parameters as follows:
TMOUT=600
Failed Instances: i-04372149a51fe6560
5.4.1.1 Ensure password expiration is 90 days or less
Severity: High
Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
Rationale: The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.
Recommendation: Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs:
PASS_MAX_DAYS 90
Modify user parameters for all users with a password set to match:
# chage --maxdays 90 <user>
Failed Instances: i-04372149a51fe6560
5.4.1.2 Ensure minimum days between password changes is 7 or more
Severity: High
Description: The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that the PASS_MIN_DAYS parameter be set to 7 or more days.
Rationale: By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.
Recommendation: Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs:
PASS_MIN_DAYS 7
Modify user parameters for all users with a password set to match:
# chage --mindays 7 <user>
Failed Instances: i-04372149a51fe6560
5.4.1.4 Ensure inactive password lock is 30 days or less
Severity: High
Description: User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled.
Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
Recommendation: Run the following command to set the default password inactivity period to 30 days:
# useradd -D -f 30
Modify user parameters for all users with a password set to match:
# chage --inactive 30 <user>
Failed Instances: i-04372149a51fe6560
6.2.1 Ensure password fields are not empty
Severity: High
Description: An account with an empty password field means that anybody may log in as that user without providing a password.
Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.
Recommendation: If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password:
# passwd -l <username>
Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off.
Failed Instances: i-04372149a51fe6560
6.2.7 Ensure all users' home directories exist
Severity: High
Description: Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist.
Rationale: If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have local environment variables set.
Recommendation: If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate.
Failed Instances: i-04372149a51fe6560
6.2.8 Ensure users' home directories permissions are 750 or more restrictive
Severity: High
Description: While the system administrator can establish secure permissions for users' home directories, the users can easily override these.
Rationale: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.
Recommendation: Making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy.
Failed Instances: i-04372149a51fe6560
4.1.2 Level 1 - Workstation
1.1.16 Ensure noexec option set on /run/shm partition
Severity: High
Description: The noexec mount option specifies that the filesystem cannot contain executable binaries.
Rationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.
Recommendation: Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /run/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /run/shm:
# mount -o remount,noexec /run/shm
Failed Instances: i-04372149a51fe6560
1.1.1.1 Ensure mounting of cramfs filesystems is disabled
Severity: High
Description: The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install cramfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
Severity: High
Description: The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install freevxfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
Severity: High
Description: The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install jffs2 /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.4 Ensure mounting of hfs filesystems is disabled
Severity: High
Description: The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
Severity: High
Description: The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfsplus /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.6 Ensure mounting of udf filesystems is disabled
Severity: High
Description: The udf filesystem type is the universal disk format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install udf /bin/true
Failed Instances: i-04372149a51fe6560
1.3.1 Ensure AIDE is installed
Severity: High
Description: AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.
Rationale: By monitoring the filesystem state, compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.
Recommendation: Run the following command to install AIDE:
# apt-get install aide
Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE:
# aide --init
Failed Instances: i-04372149a51fe6560
1.3.2 Ensure filesystem integrity is regularly checked
Severity: High
Description: Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.
Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.
Recommendation: Run the following command:
# crontab -u root -e
Add the following line to the crontab:
0 5 * * * /usr/bin/aide --check
Failed Instances: i-04372149a51fe6560
1.4.1 Ensure permissions on bootloader config are configured
Severity: High
Description: The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub.
Rationale: Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.
Recommendation: Run the following commands to set permissions on your grub configuration:
# chown root:root /boot/grub/grub.cfg
# chmod og-rwx /boot/grub/grub.cfg
Failed Instances: i-04372149a51fe6560
1.4.2 Ensure bootloader password is set
Severity: High
Description: Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.
Rationale: Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).
Recommendation: Create an encrypted password with grub-mkpasswd-pbkdf2:
# grub-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
Your PBKDF2 is <encrypted-password>
Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file:
cat <<EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF
Run the following command to update the grub2 configuration:
# update-grub
Failed Instances: i-04372149a51fe6560
1.5.1 Ensure core dumps are restricted
Severity: High
Description: A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.
Rationale: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.
Recommendation: Add the following line to the /etc/security/limits.conf file or a /etc/security/limits.d/* file:
* hard core 0
Set the following parameter in the /etc/sysctl.conf file:
fs.suid_dumpable = 0
Run the following command to set the active kernel parameter:
# sysctl -w fs.suid_dumpable=0
Failed Instances: i-04372149a51fe6560
1.7.1.4 Ensure permissions on /etc/motd are configured
Severity: Informational
Description: The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.
Rationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.
Recommendation: Run the following commands to set permissions on /etc/motd:
# chown root:root /etc/motd
# chmod 644 /etc/motd
Failed Instances: i-04372149a51fe6560
2.2.3 Ensure Avahi Server is not enabled
Severity: High
Description: Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.
Rationale: Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface.
Recommendation: Remove or comment out start lines in /etc/init/avahi-daemon.conf:
#start on runlevel [2345]
Failed Instances: i-04372149a51fe6560
2.3.4 Ensure telnet client is not installed
Severity: High
Description: The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol.
Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions.
Recommendation: Run the following command to uninstall telnet:
# apt-get remove telnet
Impact: Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse.
Failed Instances: i-04372149a51fe6560
3.1.2 Ensure packet redirect sending is disabled
Severity: High
Description: ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects.
Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.send_redirects=0
# sysctl -w net.ipv4.conf.default.send_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.1 Ensure source routed packets are not accepted
Severity: High
Description: In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used.
Rationale: Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
# sysctl -w net.ipv4.conf.default.accept_source_route=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.2 Ensure ICMP redirects are not accepted
Severity: High
Description: ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables.
Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.3 Ensure secure ICMP redirects are not accepted
Severity: High
Description: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure.
Rationale: It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.4 Ensure suspicious packets are logged
Severity: High
Description: When enabled, this feature logs packets with un-routable source addresses to the kernel log.
Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.log_martians=1
# sysctl -w net.ipv4.conf.default.log_martians=1
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.1 Ensure IPv6 router advertisements are not accepted
Severity: Informational
Description: This setting disables the system's ability to accept IPv6 router advertisements.
Rationale: It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_ra=0
# sysctl -w net.ipv6.conf.default.accept_ra=0
# sysctl -w net.ipv6.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.2 Ensure IPv6 redirects are not accepted
Severity: Informational
Description: This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic.
Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_redirects=0
# sysctl -w net.ipv6.conf.default.accept_redirects=0
# sysctl -w net.ipv6.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.3 Ensure IPv6 is disabled
Severity: Informational
Description: Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6.
Rationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system.
Recommendation: Edit /etc/default/grub and add 'ipv6.disable=1' to GRUB_CMDLINE_LINUX:
GRUB_CMDLINE_LINUX="ipv6.disable=1"
Run the following command to update the grub2 configuration:
# update-grub
Failed Instances: i-04372149a51fe6560
3.4.3 Ensure /etc/hosts.deny is configured
Severity: High
Description: The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file.
Rationale: The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the system.
Recommendation: Run the following command to create /etc/hosts.deny:
# echo "ALL: ALL" >> /etc/hosts.deny
Failed Instances: i-04372149a51fe6560
3.5.1 Ensure DCCP is disabled
Severity: Informational
Description: The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.
Rationale: If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install dccp /bin/true
Failed Instances: i-04372149a51fe6560
3.5.2 Ensure SCTP is disabled
Severity: Informational
Description: The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.
Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install sctp /bin/true
Failed Instances: i-04372149a51fe6560
3.5.3 Ensure RDS is disabled
Severity: Informational
Description: The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation.
Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install rds /bin/true
Failed Instances: i-04372149a51fe6560
3.5.4 Ensure TIPC is disabled
Severity: Informational
Description: The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.
Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install tipc /bin/true
Failed Instances: i-04372149a51fe6560
3.6.2 Ensure default deny firewall policy
Severity: High
Description: A default deny all policy on connections ensures that any unconfigured network usage will be rejected.
Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.
Recommendation: Run the following commands to implement a default DROP policy:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
Failed Instances: i-04372149a51fe6560
3.6.3 Ensure loopback traffic is configured
Severity: High
Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).
Rationale: Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Recommendation: Run the following commands to implement the loopback rules:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -s 127.0.0.0/8 -j DROP
Failed Instances: i-04372149a51fe6560
3.6.5 Ensure firewall rules exist for all open ports
Severity: High
Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
Rationale: Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports.
Recommendation: For each port identified in the audit which does not have a firewall rule, establish a proper rule for accepting inbound connections:
# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT
Failed Instances: i-04372149a51fe6560
4.2.4 Ensure permissions on all logfiles are configured
Severity: High
Description: Log files stored in /var/log/ contain logged information from many services on the system, or, on log hosts, from other systems as well.
Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
Recommendation: Run the following command to set permissions on all existing log files:
# chmod -R g-wx,o-rwx /var/log/*
Failed Instances: i-04372149a51fe6560
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
Severity: High
Description: The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.
Rationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
Recommendation: Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host):
*.* @@loghost.example.com
Run the following command to restart rsyslog:
# pkill -HUP rsyslogd
Failed Instances: i-04372149a51fe6560
5.6 Ensure access to the su command is restricted
Severity: High
Description: The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su.
Rationale: Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program.
Recommendation: Add the following line to the /etc/pam.d/su file:
auth required pam_wheel.so use_uid
Create a comma separated list of users in the wheel statement in the /etc/group file:
wheel:x:10:root,<user list>
Failed Instances: i-04372149a51fe6560
5.1.2 Ensure permissions on /etc/crontab are configured
Severity: High
Description: The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file.
Rationale: This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access.
Recommendation: Run the following commands to set ownership and permissions on /etc/crontab:
# chown root:root /etc/crontab
# chmod og-rwx /etc/crontab
Failed Instances: i-04372149a51fe6560
5.1.3 Ensure permissions on /etc/cron.hourly are configured
Severity: High
Description: This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.hourly:
# chown root:root /etc/cron.hourly
# chmod og-rwx /etc/cron.hourly
Failed Instances: i-04372149a51fe6560
5.1.4 Ensure permissions on /etc/cron.daily are configured
Severity: High
Description: The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.daily:
# chown root:root /etc/cron.daily
# chmod og-rwx /etc/cron.daily
Failed Instances: i-04372149a51fe6560
5.1.5 Ensure permissions on /etc/cron.weekly are configured
Severity: High
Description: The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.weekly:
# chown root:root /etc/cron.weekly
# chmod og-rwx /etc/cron.weekly
Failed Instances: i-04372149a51fe6560
5.1.6 Ensure permissions on /etc/cron.monthly are configured
Severity: High
Description: The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.monthly:
# chown root:root /etc/cron.monthly
# chmod og-rwx /etc/cron.monthly
Failed Instances: i-04372149a51fe6560
5.1.7 Ensure permissions on /etc/cron.d are configured
Severity: High
Description: The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.d:
# chown root:root /etc/cron.d
# chmod og-rwx /etc/cron.d
Failed Instances: i-04372149a51fe6560
5.1.8 Ensure at/cron is restricted to authorized users
Severity: High
Description: Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs.
Rationale: On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.
Recommendation: Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow:
# rm /etc/cron.deny
# rm /etc/at.deny
# touch /etc/cron.allow
# touch /etc/at.allow
# chmod og-rwx /etc/cron.allow
# chmod og-rwx /etc/at.allow
# chown root:root /etc/cron.allow
# chown root:root /etc/at.allow
Failed Instances: i-04372149a51fe6560
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
Severity: High
Description: The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root.
Rationale: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users.
Recommendation: Run the following commands to set ownership and permissions on /etc/ssh/sshd_config:
# chown root:root /etc/ssh/sshd_config
# chmod 600 /etc/ssh/sshd_config
Failed Instances: i-04372149a51fe6560
5.2.4 Ensure SSH X11 forwarding is disabled
Severity: High
Description: The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.
Rationale: Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
X11Forwarding no
Failed Instances: i-04372149a51fe6560
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less
Severity: High
Description: The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.
Rationale: Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
MaxAuthTries 4
Failed Instances: i-04372149a51fe6560
5.2.8 Ensure SSH root login is disabled
Severity: High
Description: The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no.
Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitRootLogin no
Failed Instances: i-04372149a51fe6560
5.2.10 Ensure SSH PermitUserEnvironment is disabled
Severity: High
Description: The PermitUserEnvironment option allows users to present environment options to the ssh daemon.
Rationale: Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs).
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitUserEnvironment no
Failed Instances: i-04372149a51fe6560
5.2.11 Ensure only approved MAC algorithms are used
Severity: High
Description: This variable limits the types of MAC algorithms that SSH can use during communication.
Rationale: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Failed Instances: i-04372149a51fe6560
5.2.12 Ensure SSH Idle Timeout Interval is configured
Severity: High
Description: The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time.
Rationale: Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameters as follows:
ClientAliveInterval 300
ClientAliveCountMax 0
Failed Instances: i-04372149a51fe6560
5.2.13 Ensure SSH LoginGraceTime is set to one minute or less
Severity: High
Description: The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is, the more open unauthenticated connections can exist. Like other session controls in this session, the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access.
Rationale: Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 Minute), set the number based on site policy.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
LoginGraceTime 60
Failed Instances: i-04372149a51fe6560
5.2.14 Ensure SSH access is limited
Severity: High
Description: There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged:
AllowUsers: The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of comma separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host.
AllowGroups: The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric group IDs are not recognized with this variable.
DenyUsers: The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of comma separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host.
DenyGroups: The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric group IDs are not recognized with this variable.
Rationale: Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system.
Recommendation: Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows:
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
Failed Instances: i-04372149a51fe6560
5.2.15 Ensure SSH warning banner is configured
Severity: High
Description: The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed.
Rationale: Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Banner /etc/issue.net
Failed Instances: i-04372149a51fe6560
5.3.1 Ensure password creation requirements are configured
Severity: High
Description: The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, is a certain length, contains a mix of characters (e.g. alphabetic, numeric, other) and more. The following are definitions of the pam_pwquality.so options:
try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
retry=3 - allow 3 tries before sending back a failure.
The following options are set in the /etc/security/pwquality.conf file:
minlen=14 - password must be 14 characters or more
dcredit=-1 - provide at least one digit
ucredit=-1 - provide at least one uppercase character
ocredit=-1 - provide at least one special character
lcredit=-1 - provide at least one lowercase character
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.
Rationale: Strong passwords protect systems from being hacked through brute force methods.
Recommendation: Run the following command to install the pam_pwquality module:
# apt-get install libpam-pwquality
Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy:
password requisite pam_pwquality.so try_first_pass retry=3
Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
Failed Instances: i-04372149a51fe6560
5.3.2 Ensure lockout for failed password attempts is configured
Severity: Informational
Description: Lock out users after n unsuccessful consecutive login attempts. The first set of changes is made to the PAM configuration files. The second set of changes is applied to the program-specific PAM configuration file and must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure it to work with PAM. Set the lockout number to the policy in effect at your site.
Rationale: Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.
Recommendation: Edit the /etc/pam.d/common-auth file and add the auth line below:
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u <username> --reset. This command sets the failed count to 0, effectively unlocking the user.
Failed Instances: i-04372149a51fe6560
5.3.3 Ensure password reuse is limited
Severity: High
Description: The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.
Rationale: Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password. Note that these changes only apply to accounts configured on the local system.
Recommendation: Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown:
password sufficient pam_unix.so remember=5
Failed Instances: i-04372149a51fe6560
5.4.2 Ensure system accounts are non-login
Severity: High
Description: There are a number of accounts provided with Ubuntu that are used to manage applications and are not intended to provide an interactive shell.
Rationale: It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to /sbin/nologin. This prevents the account from potentially being used to run any commands.
Recommendation: Set the shell for any accounts returned by the audit script to /usr/sbin/nologin:
# usermod -s /usr/sbin/nologin <user>
The following script will automatically set all user shells required to /usr/sbin/nologin and lock the sync, shutdown, and halt users:
#!/bin/bash
# Lock every system account (UID below 1000) other than root, and give all of
# them except sync, shutdown and halt a non-interactive shell.
for user in $(awk -F: '($3 < 1000) {print $1}' /etc/passwd); do
  if [ "$user" != "root" ]; then
    usermod -L "$user"
    if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
      usermod -s /usr/sbin/nologin "$user"
    fi
  fi
done
Failed Instances: i-04372149a51fe6560
5.4.4 Ensure default user umask is 027 or more restrictive
Severity: High
Description: The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories.
Rationale: Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system.
Recommendation: Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:
umask 027
Failed Instances: i-04372149a51fe6560
5.4.5 Ensure default user shell timeout is 900 seconds or less
Severity: High
Description: The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds.
Rationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. the user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.
Recommendation: Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any TMOUT parameters as follows:
TMOUT=600
Failed Instances: i-04372149a51fe6560
5.4.1.1 Ensure password expiration is 90 days or less
Severity: High
Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
Rationale: The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.
Recommendation: Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs:
PASS_MAX_DAYS 90
Modify user parameters for all users with a password set to match:
# chage --maxdays 90 <user>
Failed Instances: i-04372149a51fe6560
5.4.1.2 Ensure minimum days between password changes is 7 or more
Severity: High
Description: The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that the PASS_MIN_DAYS parameter be set to 7 or more days.
Rationale: By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.
Recommendation: Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs:
PASS_MIN_DAYS 7
Modify user parameters for all users with a password set to match:
# chage --mindays 7 <user>
Failed Instances: i-04372149a51fe6560
5.4.1.4 Ensure inactive password lock is 30 days or less
Severity: High
Description: User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled.
Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
Recommendation: Run the following command to set the default password inactivity period to 30 days:
# useradd -D -f 30
Modify user parameters for all users with a password set to match:
# chage --inactive 30 <user>
Failed Instances: i-04372149a51fe6560
6.2.1 Ensure password fields are not empty
Severity: High
Description: An account with an empty password field means that anybody may log in as that user without providing a password.
Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.
Recommendation: If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password:
# passwd -l <username>
Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off.
Failed Instances: i-04372149a51fe6560
6.2.7 Ensure all users' home directories exist
Severity: High
Description: Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist.
Rationale: If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have local environment variables set.
Recommendation: If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate.
Failed Instances: i-04372149a51fe6560
6.2.8 Ensure users' home directories permissions are 750 or more restrictive
Severity: High
Description: While the system administrator can establish secure permissions for users' home directories, the users can easily override these.
Rationale: Group- or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.
Recommendation: Making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy.
Failed Instances: i-04372149a51fe6560
4.1.3: Level 2 - Server
1.1.2 Ensure separate partition exists for /tmp
Severity: High
Description: The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.
Rationale: Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.5 Ensure separate partition exists for /var
Severity: High
Description: The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.
Rationale: Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.6 Ensure separate partition exists for /var/tmp
Severity: High
Description: The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.
Rationale: Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.10 Ensure separate partition exists for /var/log
Severity: High
Description: The /var/log directory is used by system services to store log data.
Rationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.11 Ensure separate partition exists for /var/log/audit
Severity: High
Description: The auditing daemon, auditd, stores log data in the /var/log/audit directory.
Rationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.12 Ensure separate partition exists for /home
Severity: High
Description: The /home directory is used to support disk storage needs of local users.
Rationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.16 Ensure noexec option set on /run/shm partition
Severity: High
Description: The noexec mount option specifies that the filesystem cannot contain executable binaries.
Rationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.
Recommendation: Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /run/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /run/shm:
# mount -o remount,noexec /run/shm
Failed Instances: i-04372149a51fe6560
1.1.1.1 Ensure mounting of cramfs filesystems is disabled
Severity: High
Description: The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install cramfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
Severity: High
Description: The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install freevxfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
Severity: High
Description: The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install jffs2 /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.4 Ensure mounting of hfs filesystems is disabled
Severity: High
Description: The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
Severity: High
Description: The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfsplus /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.6 Ensure mounting of udf filesystems is disabled
Severity: High
Description: The udf filesystem type is the universal disk format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install udf /bin/true
Failed Instances: i-04372149a51fe6560
1.3.1 Ensure AIDE is installed
Severity: High
Description: AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.
Rationale: By monitoring the filesystem state, compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.
Recommendation: Run the following command to install AIDE:
# apt-get install aide
Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE:
# aide --init
Failed Instances: i-04372149a51fe6560
1.3.2 Ensure filesystem integrity is regularly checked
Severity: High
Description: Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.
Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.
Recommendation: Run the following command:
# crontab -u root -e
Add the following line to the crontab:
0 5 * * * /usr/bin/aide --check
Failed Instances: i-04372149a51fe6560
1.4.1 Ensure permissions on bootloader config are configured
Severity: High
Description: The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub.
Rationale: Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.
Recommendation: Run the following commands to set permissions on your grub configuration:
# chown root:root /boot/grub/grub.cfg
# chmod og-rwx /boot/grub/grub.cfg
Failed Instances: i-04372149a51fe6560
1.4.2 Ensure bootloader password is set
Severity: High
Description: Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.
Rationale: Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).
Recommendation: Create an encrypted password with grub-mkpasswd-pbkdf2:
# grub-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
Your PBKDF2 is <encrypted-password>
Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file:
cat <<EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF
Run the following command to update the grub2 configuration:
# update-grub
Failed Instances: i-04372149a51fe6560
1.5.1 Ensure core dumps are restricted
Severity: High
Description: A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.
Rationale: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.
Recommendation: Add the following line to the /etc/security/limits.conf file or a /etc/security/limits.d/* file:
* hard core 0
Set the following parameter in the /etc/sysctl.conf file:
fs.suid_dumpable = 0
Run the following command to set the active kernel parameter:
# sysctl -w fs.suid_dumpable=0
Failed Instances: i-04372149a51fe6560
1.7.1.4 Ensure permissions on /etc/motd are configured
Severity: Informational
Description: The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.
Rationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.
Recommendation: Run the following commands to set permissions on /etc/motd:
# chown root:root /etc/motd
# chmod 644 /etc/motd
Failed Instances: i-04372149a51fe6560
2.2.2 Ensure X Window System is not installed
Severity: High
Description: The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. The X Window System is typically used on workstations where users log in, but not on servers where users typically do not log in.
Rationale: Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface.
Recommendation: Run the following command to remove the X Window System packages:
# apt-get remove xserver-xorg*
Failed Instances: i-04372149a51fe6560
2.2.3 Ensure Avahi Server is not enabled
Severity: High
Description: Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.
Rationale: Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface.
Recommendation: Remove or comment out start lines in /etc/init/avahi-daemon.conf:
#start on runlevel [2345]
Failed Instances: i-04372149a51fe6560
2.2.4 Ensure CUPS is not enabled
Severity: High
Description: The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.
Rationale: If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface.
Recommendation: Remove or comment out start lines in /etc/init/cups.conf:
#start on runlevel [2345]
Impact: Disabling CUPS will prevent printing from the system, a common task for workstation systems.
Failed Instances: i-04372149a51fe6560
2.3.4 Ensure telnet client is not installed
Severity: High
Description: The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol.
Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions.
Recommendation: Run the following command to uninstall telnet:
# apt-get remove telnet
Impact: Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit the capability to test and troubleshoot. If they are required, it is advisable to remove the clients after use to prevent accidental or intentional misuse.
Failed Instances: i-04372149a51fe6560
3.1.2 Ensure packet redirect sending is disabled
Severity: High
Description: ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects.
Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.send_redirects=0
# sysctl -w net.ipv4.conf.default.send_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.1 Ensure source routed packets are not accepted
SeverityHigh
DescriptionDescription In networking, source routing allows a sender to partially or fully specifythe route packets take through a network. In contrast, non-source routed packets travel apath determined by routers in the network. In some cases, systems may not be routableor reachable from some locations (e.g. private addresses vs. Internet routable), andso source routed packets would need to be used. Rationale Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disablesthe system from accepting source routed packets. Assume this system was capable ofrouting packets to Internet routable addresses on one interface and private addresses onanother interface. Assume that the private addresses were not routable to the Internetroutable addresses and vice versa. Under normal routing circumstances, an attackerfrom the Internet routable addresses could not use the system as a way to reach theprivate address systems. If, however, source routed packets were allowed, they could beused to gain access to the private address systems as the route could be specified, ratherthan rely on routing protocols that did not allow this routing.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
# sysctl -w net.ipv4.conf.default.accept_source_route=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.2 Ensure ICMP redirects are not accepted
Severity: High
Description: ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore won't allow outsiders to update the system's routing tables.
Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.3 Ensure secure ICMP redirects are not accepted
Severity: High
Description: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure.
Rationale: It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.4 Ensure suspicious packets are logged
Severity: High
Description: When enabled, this feature logs packets with un-routable source addresses to the kernel log.
Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.log_martians=1
# sysctl -w net.ipv4.conf.default.log_martians=1
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.1 Ensure IPv6 router advertisements are not accepted
Severity: Informational
Description: This setting disables the system's ability to accept IPv6 router advertisements.
Rationale: It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_ra=0
# sysctl -w net.ipv6.conf.default.accept_ra=0
# sysctl -w net.ipv6.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.2 Ensure IPv6 redirects are not accepted
Severity: Informational
Description: This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic.
Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_redirects=0
# sysctl -w net.ipv6.conf.default.accept_redirects=0
# sysctl -w net.ipv6.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.3 Ensure IPv6 is disabled
Severity: Informational
Description: Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6.
Rationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system.
Recommendation: Edit /etc/default/grub and add 'ipv6.disable=1' to GRUB_CMDLINE_LINUX:
GRUB_CMDLINE_LINUX="ipv6.disable=1"
Run the following command to update the grub2 configuration:
# update-grub
Failed Instances: i-04372149a51fe6560
3.4.3 Ensure /etc/hosts.deny is configured
Severity: High
Description: The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file.
Rationale: The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the system.
Recommendation: Run the following command to create /etc/hosts.deny:
# echo "ALL: ALL" >> /etc/hosts.deny
Failed Instances: i-04372149a51fe6560
3.5.1 Ensure DCCP is disabled
Severity: Informational
Description: The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control without having to do it at the application layer, but does not provide in-sequence delivery.
Rationale: If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install dccp /bin/true
Failed Instances: i-04372149a51fe6560
3.5.2 Ensure SCTP is disabled
Severity: Informational
Description: The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message-oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.
Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install sctp /bin/true
Failed Instances: i-04372149a51fe6560
3.5.3 Ensure RDS is disabled
Severity: Informational
Description: The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation.
Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install rds /bin/true
Failed Instances: i-04372149a51fe6560
3.5.4 Ensure TIPC is disabled
Severity: Informational
Description: The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.
Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install tipc /bin/true
Failed Instances: i-04372149a51fe6560
3.6.2 Ensure default deny firewall policy
Severity: High
Description: A default deny-all policy on connections ensures that any unconfigured network usage will be rejected.
Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to whitelist acceptable usage than to blacklist unacceptable usage.
Recommendation: Run the following commands to implement a default DROP policy:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
Failed Instances: i-04372149a51fe6560
3.6.3 Ensure loopback traffic is configured
Severity: High
Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).
Rationale: Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Recommendation: Run the following commands to implement the loopback rules:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -s 127.0.0.0/8 -j DROP
Failed Instances: i-04372149a51fe6560
3.6.5 Ensure firewall rules exist for all open ports
Severity: High
Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
Rationale: Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports.
Recommendation: For each port identified in the audit which does not have a firewall rule, establish a proper rule for accepting inbound connections:
# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT
Failed Instances: i-04372149a51fe6560
4.1.2 Ensure auditd service is enabled
Severity: High
Description: Turn on the auditd daemon to record system events.
Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.
Recommendation: Run the following command to enable auditd:
# update-rc.d auditd enable
Failed Instances: i-04372149a51fe6560
4.1.3 Ensure auditing for processes that start prior to auditd is enabled
Severity: High
Description: Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.
Rationale: Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.
Recommendation: Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:
GRUB_CMDLINE_LINUX="audit=1"
Run the following command to update the grub2 configuration:
# update-grub
Failed Instances: i-04372149a51fe6560
4.1.4 Ensure events that modify date and time information are collected
Severity: High
Description: Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (set time, using timeval and timezone structures), stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed, and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change".
Rationale: Unexpected changes in system date and/or time could be a sign of malicious activity on the system.
Recommendation: For 32-bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
For 64-bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
Failed Instances: i-04372149a51fe6560
4.1.5 Ensure events that modify user/group information are collected
Severity: High
Description: Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on the remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.
Rationale: Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.
Recommendation: Add the following lines to the /etc/audit/audit.rules file:
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Failed Instances: i-04372149a51fe6560
4.1.6 Ensure events that modify the system's network environment are collected
Severity: High
Description: Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the system's host name) or setdomainname (set the system's domain name) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files.
Rationale: Monitoring sethostname and setdomainname will identify potential unauthorized changes to the host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."
Recommendation: For 32-bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
For 64-bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
Failed Instances: i-04372149a51fe6560
4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected
Severity: High
Description: Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential addition, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories.
Rationale: Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.
Recommendation: On systems using SELinux add the following line to the /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
On systems using AppArmor add the following lines to the /etc/audit/audit.rules file:
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
Failed Instances: i-04372149a51fe6560
4.1.8 Ensure login and logout events are collected
Severity: High
Description: Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintains records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module.
Rationale: Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.
Recommendation: Add the following lines to the /etc/audit/audit.rules file:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
Failed Instances: i-04372149a51fe6560
4.1.9 Ensure session initiation information is collected
Severity: High
Description: Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. All audit records will be tagged with the identifier "session." The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "logins."
Rationale: Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).
Recommendation: Add the following lines to the /etc/audit/audit.rules file:
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
Failed Instances: i-04372149a51fe6560
4.1.10 Ensure discretionary access control permission modification events are collected
Severity: High
Description: Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."
Rationale: Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.
Recommendation: For 32-bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
For 64-bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Failed Instances: i-04372149a51fe6560
4.1.11 Ensure unsuccessful unauthorized file access attempts are collected
Severity: High
Description: Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a non-privileged user (auid >= 1000), is not a daemon event (auid = 4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access."
Rationale: Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.
Recommendation: For 32-bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
For 64-bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
Failed Instances: i-04372149a51fe6560
4.1.13 Ensure successful file system mounts are collected
Severity: High
Description: Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user.
Rationale: It is highly unusual for a non-privileged user to mount file systems on the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media are beyond the scope of this document.
Recommendation: For 32-bit systems add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
For 64-bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
Failed Instances: i-04372149a51fe6560
4.1.14 Ensure file deletion events by users are collected
Severity: High
Description: Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".
Rationale: Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.
Recommendation: For 32-bit systems add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
For 64-bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
Failed Instances: i-04372149a51fe6560
4.1.15 Ensure changes to system administration scope (sudoers) is collected
Severity: High
Description: Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."
Rationale: Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to the scope of system administrator activity.
Recommendation: Add the following lines to the /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
Failed Instances: i-04372149a51fe6560
4.1.16 Ensure system administrator actions (sudolog) are collected
Severity: High
Description: Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.
Rationale: Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.
Recommendation: Add the following line to the /etc/audit/audit.rules file:
-w /var/log/sudo.log -p wa -k actions
Failed Instances: i-04372149a51fe6560
4.1.17 Ensure kernel module loading and unloading is collected
Severity: High
Description: Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".
Rationale: Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.
Recommendation: For 32-bit systems add the following lines to the /etc/audit/audit.rules file:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
For 64-bit systems add the following lines to the /etc/audit/audit.rules file:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
Failed Instances: i-04372149a51fe6560
4.1.18 Ensure the audit configuration is immutable
Severity: High
Description: Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.
Rationale: In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot, and that could alert administrators of an attempt to make unauthorized audit changes.
Recommendation: Add the following line to the end of the /etc/audit/audit.rules file:
-e 2
Failed Instances: i-04372149a51fe6560
4.1.1.1 Ensure audit log storage size is configured
Severity: Informational
Description: Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.
Rationale: It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.
Recommendation: Set the following parameter in /etc/audit/auditd.conf in accordance with site policy:
max_log_file = <MB>
Failed Instances: i-04372149a51fe6560
4.1.1.2 Ensure system is disabled when audit logs are full
Severity: High
Description: The auditd daemon can be configured to halt the system when the audit logs are full.
Rationale: In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.
RecommendationSet the following parameters in /etc/audit/auditd.conf: space_left_action =emailaction_mail_acct = rootadmin_space_left_action = halt
Failed Instancesi-04372149a51fe6560
4.1.1.3 Ensure audit logs are not automatically deleted
Severity: High
Description: The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs.
Rationale: In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.
Recommendation: Set the following parameter in /etc/audit/auditd.conf:
  max_log_file_action = keep_logs
Failed Instances: i-04372149a51fe6560
4.2.4 Ensure permissions on all logfiles are configured
Severity: High
Description: Log files stored in /var/log/ contain logged information from many services on the system, or, on log hosts, from other systems as well.
Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
Recommendation: Run the following command to set permissions on all existing log files:
  # chmod -R g-wx,o-rwx /var/log/*
Failed Instances: i-04372149a51fe6560
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
Severity: High
Description: The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.
Rationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
Recommendation: Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host):
  *.* @@loghost.example.com
Run the following command to restart rsyslog:
  # pkill -HUP rsyslogd
Failed Instances: i-04372149a51fe6560
5.6 Ensure access to the su command is restricted
Severity: High
Description: The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su.
Rationale: Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program.
Recommendation: Add the following line to the /etc/pam.d/su file:
  auth required pam_wheel.so use_uid
Create a comma separated list of users in the wheel statement in the /etc/group file:
  wheel:x:10:root,<user list>
Failed Instances: i-04372149a51fe6560
5.1.2 Ensure permissions on /etc/crontab are configured
Severity: High
Description: The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file.
Rationale: This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access.
Recommendation: Run the following commands to set ownership and permissions on /etc/crontab:
  # chown root:root /etc/crontab
  # chmod og-rwx /etc/crontab
Failed Instances: i-04372149a51fe6560
5.1.3 Ensure permissions on /etc/cron.hourly are configured
Severity: High
Description: This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.hourly:
  # chown root:root /etc/cron.hourly
  # chmod og-rwx /etc/cron.hourly
Failed Instances: i-04372149a51fe6560
5.1.4 Ensure permissions on /etc/cron.daily are configured
Severity: High
Description: The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.daily:
  # chown root:root /etc/cron.daily
  # chmod og-rwx /etc/cron.daily
Failed Instances: i-04372149a51fe6560
5.1.5 Ensure permissions on /etc/cron.weekly are configured
Severity: High
Description: The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.weekly:
  # chown root:root /etc/cron.weekly
  # chmod og-rwx /etc/cron.weekly
Failed Instances: i-04372149a51fe6560
5.1.6 Ensure permissions on /etc/cron.monthly are configured
Severity: High
Description: The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.monthly:
  # chown root:root /etc/cron.monthly
  # chmod og-rwx /etc/cron.monthly
Failed Instances: i-04372149a51fe6560
5.1.7 Ensure permissions on /etc/cron.d are configured
Severity: High
Description: The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.d:
  # chown root:root /etc/cron.d
  # chmod og-rwx /etc/cron.d
Failed Instances: i-04372149a51fe6560
5.1.8 Ensure at/cron is restricted to authorized users
Severity: High
Description: Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs.
Rationale: On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.
Recommendation: Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow:
  # rm /etc/cron.deny
  # rm /etc/at.deny
  # touch /etc/cron.allow
  # touch /etc/at.allow
  # chmod og-rwx /etc/cron.allow
  # chmod og-rwx /etc/at.allow
  # chown root:root /etc/cron.allow
  # chown root:root /etc/at.allow
Failed Instances: i-04372149a51fe6560
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
Severity: High
Description: The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root.
Rationale: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users.
Recommendation: Run the following commands to set ownership and permissions on /etc/ssh/sshd_config:
  # chown root:root /etc/ssh/sshd_config
  # chmod 600 /etc/ssh/sshd_config
Failed Instances: i-04372149a51fe6560
5.2.4 Ensure SSH X11 forwarding is disabled
Severity: High
Description: The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.
Rationale: Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
  X11Forwarding no
Failed Instances: i-04372149a51fe6560
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less
Severity: High
Description: The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.
Rationale: Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
  MaxAuthTries 4
Failed Instances: i-04372149a51fe6560
5.2.8 Ensure SSH root login is disabled
Severity: High
Description: The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no.
Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
  PermitRootLogin no
Failed Instances: i-04372149a51fe6560
5.2.10 Ensure SSH PermitUserEnvironment is disabled
Severity: High
Description: The PermitUserEnvironment option allows users to present environment options to the ssh daemon.
Rationale: Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs).
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
  PermitUserEnvironment no
Failed Instances: i-04372149a51fe6560
5.2.11 Ensure only approved MAC algorithms are used
Severity: High
Description: This variable limits the types of MAC algorithms that SSH can use during communication.
Rationale: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Failed Instances: i-04372149a51fe6560
5.2.12 Ensure SSH Idle Timeout Interval is configured
Severity: High
Description: The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time.
Rationale: Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameters as follows:
  ClientAliveInterval 300
  ClientAliveCountMax 0
Failed Instances: i-04372149a51fe6560
5.2.13 Ensure SSH LoginGraceTime is set to one minute or less
Severity: High
Description: The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this section the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access.
Rationale: Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 Minute), set the number based on site policy.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
  LoginGraceTime 60
Failed Instances: i-04372149a51fe6560
5.2.14 Ensure SSH access is limited
Severity: High
Description: There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged:
  AllowUsers - The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of comma separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host.
  AllowGroups - The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric group IDs are not recognized with this variable.
  DenyUsers - The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of comma separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host.
  DenyGroups - The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric group IDs are not recognized with this variable.
Rationale: Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system.
Recommendation: Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows:
  AllowUsers <userlist>
  AllowGroups <grouplist>
  DenyUsers <userlist>
  DenyGroups <grouplist>
Failed Instances: i-04372149a51fe6560
5.2.15 Ensure SSH warning banner is configured
Severity: High
Description: The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed.
Rationale: Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
  Banner /etc/issue.net
Failed Instances: i-04372149a51fe6560
5.3.1 Ensure password creation requirements are configured
Severity: High
Description: The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options.
  try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
  retry=3 - Allow 3 tries before sending back a failure.
The following options are set in the /etc/security/pwquality.conf file:
  minlen=14 - password must be 14 characters or more
  dcredit=-1 - provide at least one digit
  ucredit=-1 - provide at least one uppercase character
  ocredit=-1 - provide at least one special character
  lcredit=-1 - provide at least one lowercase character
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.
Rationale: Strong passwords protect systems from being hacked through brute force methods.
Recommendation: Run the following command to install the pam_pwquality module:
  apt-get install libpam-pwquality
Edit the /etc/pam.d/common-passwd file to include the appropriate options for pam_pwquality.so and to conform to site policy:
  password requisite pam_pwquality.so try_first_pass retry=3
Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:
  minlen=14
  dcredit=-1
  ucredit=-1
  ocredit=-1
  lcredit=-1
Failed Instances: i-04372149a51fe6560
5.3.2 Ensure lockout for failed password attempts is configured
Severity: Informational
Description: Lock out users after n unsuccessful consecutive login attempts. The first set of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site.
Rationale: Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.
Recommendation: Edit the /etc/pam.d/common-auth file and add the auth line below:
  auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u <username> --reset. This command sets the failed count to 0, effectively unlocking the user.
Failed Instances: i-04372149a51fe6560
5.3.3 Ensure password reuse is limited
Severity: High
Description: The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.
Rationale: Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password. Note that these changes only apply to accounts configured on the local system.
Recommendation: Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown:
  password sufficient pam_unix.so remember=5
Failed Instances: i-04372149a51fe6560
5.4.2 Ensure system accounts are non-login
Severity: High
Description: There are a number of accounts provided with Ubuntu that are used to manage applications and are not intended to provide an interactive shell.
Rationale: It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to /sbin/nologin. This prevents the account from potentially being used to run any commands.
Recommendation: Set the shell for any accounts returned by the audit script to /usr/sbin/nologin:
  # usermod -s /usr/sbin/nologin <user>
The following script will automatically set all user shells required to /usr/sbin/nologin and lock the sync, shutdown, and halt users:
  #!/bin/bash
  # Iterate over every system account (UID below 1000) in /etc/passwd
  for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do
    if [ "$user" != "root" ]; then
      # Lock the account's password
      usermod -L "$user"
      # sync, shutdown and halt keep their shells; everything else gets nologin
      if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
        usermod -s /usr/sbin/nologin "$user"
      fi
    fi
  done
Failed Instances: i-04372149a51fe6560
5.4.4 Ensure default user umask is 027 or more restrictive
Severity: High
Description: The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories.
Rationale: Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system.
Recommendation: Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:
  umask 027
Failed Instances: i-04372149a51fe6560
5.4.5 Ensure default user shell timeout is 900 seconds or less
Severity: High
Description: The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds.
Rationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.
Recommendation: Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any TMOUT parameters as follows:
  TMOUT=600
Failed Instances: i-04372149a51fe6560
5.4.1.1 Ensure password expiration is 90 days or less
Severity: High
Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
Rationale: The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.
Recommendation: Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs:
  PASS_MAX_DAYS 90
Modify user parameters for all users with a password set to match:
  # chage --maxdays 90 <user>
Failed Instances: i-04372149a51fe6560
5.4.1.2 Ensure minimum days between password changes is 7 or more
Severity: High
Description: The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that the PASS_MIN_DAYS parameter be set to 7 or more days.
Rationale: By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.
Recommendation: Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs:
  PASS_MIN_DAYS 7
Modify user parameters for all users with a password set to match:
  # chage --mindays 7 <user>
Failed Instances: i-04372149a51fe6560
5.4.1.4 Ensure inactive password lock is 30 days or less
Severity: High
Description: User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled.
Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
Recommendation: Run the following command to set the default password inactivity period to 30 days:
  # useradd -D -f 30
Modify user parameters for all users with a password set to match:
  # chage --inactive 30 <user>
Failed Instances: i-04372149a51fe6560
6.2.1 Ensure password fields are not empty
Severity: High
Description: An account with an empty password field means that anybody may log in as that user without providing a password.
Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.
Recommendation: If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password:
  # passwd -l <username>
Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off.
Failed Instances: i-04372149a51fe6560
6.2.7 Ensure all users' home directories exist
Severity: High
Description: Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist.
Rationale: If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have local environment variables set.
Recommendation: If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate.
Failed Instances: i-04372149a51fe6560
6.2.8 Ensure users' home directories permissions are 750 or more restrictive
Severity: High
Description: While the system administrator can establish secure permissions for users' home directories, the users can easily override these.
Rationale: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.
Recommendation: Making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy.
Failed Instances: i-04372149a51fe6560
4.1.4 Level 2 - Workstation
1.1.2 Ensure separate partition exists for /tmp
Severity: High
Description: The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.
Rationale: Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.5 Ensure separate partition exists for /var
Severity: High
Description: The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.
Rationale: Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.6 Ensure separate partition exists for /var/tmp
Severity: High
Description: The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.
Rationale: Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.10 Ensure separate partition exists for /var/log
Severity: High
Description: The /var/log directory is used by system services to store log data.
Rationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.11 Ensure separate partition exists for /var/log/audit
Severity: High
Description: The auditing daemon, auditd, stores log data in the /var/log/audit directory.
Rationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.12 Ensure separate partition exists for /home
Severity: High
Description: The /home directory is used to support disk storage needs of local users.
Rationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home.
Recommendation: For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Failed Instances: i-04372149a51fe6560
1.1.16 Ensure noexec option set on /run/shm partition
Severity: High
Description: The noexec mount option specifies that the filesystem cannot contain executable binaries.
Rationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.
Recommendation: Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /run/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /run/shm:
# mount -o remount,noexec /run/shm
Failed Instances: i-04372149a51fe6560
1.1.1.1 Ensure mounting of cramfs filesystems is disabled
Severity: High
Description: The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install cramfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
Severity: High
Description: The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install freevxfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
Severity: High
Description: The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install jffs2 /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.4 Ensure mounting of hfs filesystems is disabled
Severity: High
Description: The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfs /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
Severity: High
Description: The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfsplus /bin/true
Failed Instances: i-04372149a51fe6560
1.1.1.6 Ensure mounting of udf filesystems is disabled
Severity: High
Description: The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install udf /bin/true
Failed Instances: i-04372149a51fe6560
1.3.1 Ensure AIDE is installed
Severity: High
Description: AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.
Rationale: By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.
Recommendation: Run the following command to install AIDE:
# apt-get install aide
Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE:
# aide --init
Failed Instances: i-04372149a51fe6560
1.3.2 Ensure filesystem integrity is regularly checked
Severity: High
Description: Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.
Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.
Recommendation: Run the following command:
# crontab -u root -e
Add the following line to the crontab:
0 5 * * * /usr/bin/aide --check
Failed Instances: i-04372149a51fe6560
1.4.1 Ensure permissions on bootloader config are configured
Severity: High
Description: The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub.
Rationale: Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.
Recommendation: Run the following commands to set permissions on your grub configuration:
# chown root:root /boot/grub/grub.cfg
# chmod og-rwx /boot/grub/grub.cfg
Failed Instances: i-04372149a51fe6560
1.4.2 Ensure bootloader password is set
Severity: High
Description: Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.
Rationale: Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).
Recommendation: Create an encrypted password with grub-mkpasswd-pbkdf2:
# grub-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
Your PBKDF2 is <encrypted-password>
Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file:
cat <<EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF
Run the following command to update the grub2 configuration:
# update-grub
Failed Instances: i-04372149a51fe6560
1.5.1 Ensure core dumps are restricted
Severity: High
Description: A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.
Rationale: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.
Recommendation: Add the following line to the /etc/security/limits.conf file or a /etc/security/limits.d/* file:
* hard core 0
Set the following parameter in the /etc/sysctl.conf file:
fs.suid_dumpable = 0
Run the following command to set the active kernel parameter:
# sysctl -w fs.suid_dumpable=0
Failed Instances: i-04372149a51fe6560
1.7.1.4 Ensure permissions on /etc/motd are configured
Severity: Informational
Description: The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.
Rationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.
Recommendation: Run the following commands to set permissions on /etc/motd:
# chown root:root /etc/motd
# chmod 644 /etc/motd
Failed Instances: i-04372149a51fe6560
2.2.3 Ensure Avahi Server is not enabled
Severity: High
Description: Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.
Rationale: Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface.
Recommendation: Remove or comment out start lines in /etc/init/avahi-daemon.conf:
#start on runlevel [2345]
Failed Instances: i-04372149a51fe6560
2.2.4 Ensure CUPS is not enabled
Severity: High
Description: The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.
Rationale: If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface.
Recommendation: Remove or comment out start lines in /etc/init/cups.conf:
#start on runlevel [2345]
Impact: Disabling CUPS will prevent printing from the system, a common task for workstation systems.
Failed Instances: i-04372149a51fe6560
2.3.4 Ensure telnet client is not installed
Severity: High
Description: The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol.
Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions.
Recommendation: Run the following command to uninstall telnet:
# apt-get remove telnet
Impact: Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse.
Failed Instances: i-04372149a51fe6560
3.1.2 Ensure packet redirect sending is disabled
Severity: High
Description: ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects.
Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.send_redirects=0
# sysctl -w net.ipv4.conf.default.send_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.1 Ensure source routed packets are not accepted
Severity: High
Description: In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used.
Rationale: Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
# sysctl -w net.ipv4.conf.default.accept_source_route=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.2 Ensure ICMP redirects are not accepted
Severity: High
Description: ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables.
Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.3 Ensure secure ICMP redirects are not accepted
Severity: High
Description: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure.
Rationale: It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.2.4 Ensure suspicious packets are logged
Severity: High
Description: When enabled, this feature logs packets with un-routable source addresses to the kernel log.
Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.log_martians=1
# sysctl -w net.ipv4.conf.default.log_martians=1
# sysctl -w net.ipv4.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.1 Ensure IPv6 router advertisements are not accepted
Severity: Informational
Description: This setting disables the system's ability to accept IPv6 router advertisements.
Rationale: It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_ra=0
# sysctl -w net.ipv6.conf.default.accept_ra=0
# sysctl -w net.ipv6.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.2 Ensure IPv6 redirects are not accepted
Severity: Informational
Description: This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic.
Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Recommendation: Set the following parameters in the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_redirects=0
# sysctl -w net.ipv6.conf.default.accept_redirects=0
# sysctl -w net.ipv6.route.flush=1
Failed Instances: i-04372149a51fe6560
3.3.3 Ensure IPv6 is disabled
Severity: Informational
Description: Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6.
Rationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system.
Recommendation: Edit /etc/default/grub and add 'ipv6.disable=1' to GRUB_CMDLINE_LINUX:
GRUB_CMDLINE_LINUX="ipv6.disable=1"
Run the following command to update the grub2 configuration:
# update-grub
Failed Instances: i-04372149a51fe6560
3.4.3 Ensure /etc/hosts.deny is configured
Severity: High
Description: The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file.
Rationale: The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the system.
Recommendation: Run the following command to create /etc/hosts.deny:
# echo "ALL: ALL" >> /etc/hosts.deny
Failed Instances: i-04372149a51fe6560
3.5.1 Ensure DCCP is disabled
Severity: Informational
Description: The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.
Rationale: If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install dccp /bin/true
Failed Instances: i-04372149a51fe6560
3.5.2 Ensure SCTP is disabled
Severity: Informational
Description: The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.
Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install sctp /bin/true
Failed Instances: i-04372149a51fe6560
3.5.3 Ensure RDS is disabled
Severity: Informational
Description: The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation.
Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install rds /bin/true
Failed Instances: i-04372149a51fe6560
3.5.4 Ensure TIPC is disabled
Severity: Informational
Description: The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.
Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Recommendation: Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install tipc /bin/true
Failed Instances: i-04372149a51fe6560
3.6.2 Ensure default deny firewall policy
Severity: High
Description: A default deny all policy on connections ensures that any unconfigured network usage will be rejected.
Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.
Recommendation: Run the following commands to implement a default DROP policy:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
Failed Instances: i-04372149a51fe6560
3.6.3 Ensure loopback traffic is configured
Severity: High
Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).
Rationale: Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Recommendation: Run the following commands to implement the loopback rules:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -s 127.0.0.0/8 -j DROP
Failed Instances: i-04372149a51fe6560
3.6.5 Ensure firewall rules exist for all open ports
Severity: High
Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
Rationale: Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports.
Recommendation: For each port identified in the audit which does not have a firewall rule, establish a proper rule for accepting inbound connections:
# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT
Failed Instances: i-04372149a51fe6560
4.1.2 Ensure auditd service is enabled
Severity: High
Description: Turn on the auditd daemon to record system events.
Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.
Recommendation: Run the following command to enable auditd:
# update-rc.d auditd enable
Failed Instances: i-04372149a51fe6560
4.1.3 Ensure auditing for processes that start prior to auditd is enabled
Severity: High
Description: Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.
Rationale: Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.
Recommendation: Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:
GRUB_CMDLINE_LINUX="audit=1"
Run the following command to update the grub2 configuration:
# update-grub
Failed Instances: i-04372149a51fe6560
4.1.4 Ensure events that modify date and time information are collected
SeverityHigh
DescriptionDescription Capture events where the system date and/or time has been modified.The parameters in this section are set to determine if the adjtimex (tune kernel clock),settimeofday (Set time, using timeval and timezone structures) stime (using secondssince 1/1/1970) or clock_settime (allows for the setting of several internal clocks andtimers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change" RationaleUnexpected changes in system date and/or time could be a sign of malicious activity onthe system.
Recommendation: For 32 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
Failed Instances: i-04372149a51fe6560
4.1.5 Ensure events that modify user/group information are collected
Severity: High
Description: Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on the remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.
Rationale: Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.
Recommendation: Add the following lines to the /etc/audit/audit.rules file:
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Failed Instances: i-04372149a51fe6560
4.1.6 Ensure events that modify the system's network environment are collected
Severity: High
Description: Record changes to network environment files or system calls. The parameters below monitor the sethostname (set the system's host name) or setdomainname (set the system's domain name) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files.
Rationale: Monitoring sethostname and setdomainname will identify potential unauthorized changes to the host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."
Recommendation: For 32 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
Failed Instances: i-04372149a51fe6560
4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected
Severity: High
Description: Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential addition, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories.
Rationale: Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.
Recommendation: On systems using SELinux add the following line to the /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
On systems using AppArmor add the following lines to the /etc/audit/audit.rules file:
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
Failed Instances: i-04372149a51fe6560
4.1.8 Ensure login and logout events are collected
Severity: High
Description: Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintains records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module.
Rationale: Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.
Recommendation: Add the following lines to the /etc/audit/audit.rules file:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
Failed Instances: i-04372149a51fe6560
4.1.9 Ensure session initiation information is collected
Severity: High
Description: Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. All audit records will be tagged with the identifier "session." The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "logins."
Rationale: Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).
Recommendation: Add the following lines to the /etc/audit/audit.rules file:
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
Failed Instances: i-04372149a51fe6560
4.1.10 Ensure discretionary access control permission modification events are collected
Severity: High
Description: Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."
Rationale: Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.
Recommendation: For 32 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Failed Instances: i-04372149a51fe6560
4.1.11 Ensure unsuccessful unauthorized file access attempts are collected
Severity: High
Description: Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a non-privileged user (auid >= 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access."
Rationale: Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.
Recommendation: For 32 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
Failed Instances: i-04372149a51fe6560
4.1.13 Ensure successful file system mounts are collected
Severity: High
Description: Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user.
Rationale: It is highly unusual for a non-privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media are beyond the scope of this document.
Recommendation: For 32 bit systems add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
Failed Instances: i-04372149a51fe6560
4.1.14 Ensure file deletion events by users are collected
Severity: High
Description: Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".
Rationale: Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.
Recommendation: For 32 bit systems add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
Failed Instances: i-04372149a51fe6560
4.1.15 Ensure changes to system administration scope (sudoers) is collected
Severity: High
Description: Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."
Rationale: Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to the scope of system administrator activity.
Recommendation: Add the following lines to the /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
Failed Instances: i-04372149a51fe6560
4.1.16 Ensure system administrator actions (sudolog) are collected
Severity: High
Description: Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.
Rationale: Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.
Recommendation: Add the following line to the /etc/audit/audit.rules file:
-w /var/log/sudo.log -p wa -k actions
Failed Instances: i-04372149a51fe6560
4.1.17 Ensure kernel module loading and unloading is collected
Severity: High
Description: Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".
Rationale: Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.
Recommendation: For 32 bit systems add the following lines to the /etc/audit/audit.rules file:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
Failed Instances: i-04372149a51fe6560
4.1.18 Ensure the audit configuration is immutable
Severity: High
Description: Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.
Rationale: In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.
Recommendation: Add the following line to the end of the /etc/audit/audit.rules file:
-e 2
Failed Instances: i-04372149a51fe6560
4.1.1.1 Ensure audit log storage size is configured
Severity: Informational
Description: Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.
Rationale: It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.
Recommendation: Set the following parameter in /etc/audit/auditd.conf in accordance with site policy:
max_log_file = <MB>
Failed Instances: i-04372149a51fe6560
4.1.1.2 Ensure system is disabled when audit logs are full
Severity: High
Description: The auditd daemon can be configured to halt the system when the audit logs are full.
Rationale: In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.
Recommendation: Set the following parameters in /etc/audit/auditd.conf:
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
Failed Instances: i-04372149a51fe6560
4.1.1.3 Ensure audit logs are not automatically deleted
Severity: High
Description: The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs.
Rationale: In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.
Recommendation: Set the following parameter in /etc/audit/auditd.conf:
max_log_file_action = keep_logs
Failed Instances: i-04372149a51fe6560
4.2.4 Ensure permissions on all logfiles are configured
Severity: High
Description: Log files stored in /var/log/ contain logged information from many services on the system, or, on log hosts, from other systems as well.
Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
Recommendation: Run the following command to set permissions on all existing log files:
# chmod -R g-wx,o-rwx /var/log/*
Failed Instances: i-04372149a51fe6560
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
Severity: High
Description: The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.
Rationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
Recommendation: Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host):
*.* @@loghost.example.com
Run the following command to restart rsyslog:
# pkill -HUP rsyslogd
Failed Instances: i-04372149a51fe6560
5.6 Ensure access to the su command is restricted
Severity: High
Description: The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su.
Rationale: Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program.
Recommendation: Add the following line to the /etc/pam.d/su file:
auth required pam_wheel.so use_uid
Create a comma separated list of users in the wheel statement in the /etc/group file:
wheel:x:10:root,<user list>
Failed Instances: i-04372149a51fe6560
5.1.2 Ensure permissions on /etc/crontab are configured
Severity: High
Description: The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file.
Rationale: This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access.
Recommendation: Run the following commands to set ownership and permissions on /etc/crontab:
# chown root:root /etc/crontab
# chmod og-rwx /etc/crontab
Failed Instances: i-04372149a51fe6560
5.1.3 Ensure permissions on /etc/cron.hourly are configured
Severity: High
Description: This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.hourly:
# chown root:root /etc/cron.hourly
# chmod og-rwx /etc/cron.hourly
Failed Instances: i-04372149a51fe6560
5.1.4 Ensure permissions on /etc/cron.daily are configured
Severity: High
Description: The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.daily:
# chown root:root /etc/cron.daily
# chmod og-rwx /etc/cron.daily
Failed Instances: i-04372149a51fe6560
5.1.5 Ensure permissions on /etc/cron.weekly are configured
Severity: High
Description: The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.weekly:
# chown root:root /etc/cron.weekly
# chmod og-rwx /etc/cron.weekly
Failed Instances: i-04372149a51fe6560
5.1.6 Ensure permissions on /etc/cron.monthly are configured
Severity: High
Description: The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.monthly:
# chown root:root /etc/cron.monthly
# chmod og-rwx /etc/cron.monthly
Failed Instances: i-04372149a51fe6560
5.1.7 Ensure permissions on /etc/cron.d are configured
Severity: High
Description: The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Recommendation: Run the following commands to set ownership and permissions on /etc/cron.d:
# chown root:root /etc/cron.d
# chmod og-rwx /etc/cron.d
Failed Instances: i-04372149a51fe6560
5.1.8 Ensure at/cron is restricted to authorized users
Severity: High
Description: Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs.
Rationale: On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.
Recommendation: Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow:
# rm /etc/cron.deny
# rm /etc/at.deny
# touch /etc/cron.allow
# touch /etc/at.allow
# chmod og-rwx /etc/cron.allow
# chmod og-rwx /etc/at.allow
# chown root:root /etc/cron.allow
# chown root:root /etc/at.allow
Failed Instances: i-04372149a51fe6560
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
Severity: High
Description: The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root.
Rationale: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users.
Recommendation: Run the following commands to set ownership and permissions on /etc/ssh/sshd_config:
# chown root:root /etc/ssh/sshd_config
# chmod 600 /etc/ssh/sshd_config
Failed Instances: i-04372149a51fe6560
5.2.4 Ensure SSH X11 forwarding is disabled
Severity: High
Description: The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.
Rationale: Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
X11Forwarding no
Failed Instancesi-04372149a51fe6560
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less
Severity: High
Description: The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the failure count reaches half this number, sshd writes error messages detailing the login failures to syslog. Rationale: Setting MaxAuthTries to a low number minimizes the risk of successful brute-force attacks against the SSH server. While the recommended setting is 4, set the number based on site policy.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
    MaxAuthTries 4
Failed Instances: i-04372149a51fe6560
5.2.8 Ensure SSH root login is disabled
Severity: High
Description: The PermitRootLogin parameter specifies whether the root user can log in using ssh(1). The compiled-in default depends on the OpenSSH version: releases before 7.0 default to yes, and 7.0 and later to prohibit-password, so set the value explicitly rather than relying on the default. Rationale: Disallowing root logins over SSH requires system administrators to authenticate with their own individual accounts and then escalate to root via sudo or su. This supports non-repudiation and provides a clear audit trail in the event of a security incident.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
    PermitRootLogin no
Failed Instances: i-04372149a51fe6560
5.2.10 Ensure SSH PermitUserEnvironment is disabled
Severity: High
Description: The PermitUserEnvironment option allows users to present environment options to the ssh daemon. Rationale: Permitting users to set environment variables through the SSH daemon could allow them to bypass security controls (e.g. setting an execution path that has ssh executing trojaned programs).
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
    PermitUserEnvironment no
Failed Instances: i-04372149a51fe6560
5.2.11 Ensure only approved MAC algorithms are used
Severity: High
Description: This variable limits the MAC algorithms that SSH may use during communication. Rationale: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to attract attention as a weak spot that can be exploited with expanded computing power. An attacker who breaks the algorithm could use a man-in-the-middle position to decrypt the SSH tunnel and capture credentials and information.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Failed Instances: i-04372149a51fe6560
5.2.12 Ensure SSH Idle Timeout Interval is configured
Severity: High
Description: The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When ClientAliveInterval is set, ssh sessions with no activity for the specified length of time are terminated. When ClientAliveCountMax is set, sshd sends a client alive message every ClientAliveInterval seconds; once that number of consecutive client alive messages has gone unanswered, the ssh session is terminated. For example, if ClientAliveInterval is set to 15 seconds and ClientAliveCountMax to 3, the client ssh session is terminated after 45 seconds of idle time. Rationale: Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. the user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session is terminated after 5 minutes of idle time and no keepalive messages are sent. Note that OpenSSH 8.2 changed the meaning of ClientAliveCountMax 0 to "never disconnect", so on 8.2 or later use a non-zero count (e.g. ClientAliveInterval 100 with ClientAliveCountMax 3 for the same 5-minute cutoff).
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameters as follows:
    ClientAliveInterval 300
    ClientAliveCountMax 0
Failed Instances: i-04372149a51fe6560
5.2.13 Ensure SSH LoginGraceTime is set to one minute or less
Severity: High
Description: The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the grace period, the more open unauthenticated connections can exist. Like the other session controls in this section, the grace period should be limited to appropriate organizational limits to ensure the service is available for needed access. Rationale: Setting the LoginGraceTime parameter to a low number minimizes the risk of successful brute-force attacks against the SSH server. It also limits the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 minute), set the number based on site policy.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
    LoginGraceTime 60
Failed Instances: i-04372149a51fe6560
5.2.14 Ensure SSH access is limited
Severity: High
Description: There are several options available to limit which users and groups can access the system via SSH. It is recommended that at least one of the following options be leveraged:
    AllowUsers - allows the listed users to ssh into the system. The list consists of space-separated user names. Numeric user IDs are not recognized. To further restrict an allowed user to a particular host, the entry can be specified in the form user@host.
    AllowGroups - allows the listed groups of users to ssh into the system. The list consists of space-separated group names. Numeric group IDs are not recognized.
    DenyUsers - denies the listed users access via ssh. The list consists of space-separated user names. Numeric user IDs are not recognized. To deny a user's access from a particular host, the entry can be specified in the form user@host.
    DenyGroups - denies the listed groups of users access via ssh. The list consists of space-separated group names. Numeric group IDs are not recognized.
sshd evaluates these directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a user named in DenyUsers is refused even if one of their groups appears in AllowGroups. Rationale: Restricting which users can remotely access the system via SSH helps ensure that only authorized users access the system.
Recommendation: Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows:
    AllowUsers <userlist>
    AllowGroups <grouplist>
    DenyUsers <userlist>
    DenyGroups <grouplist>
Failed Instances: i-04372149a51fe6560
5.2.15 Ensure SSH warning banner is configured
Severity: High
Description: The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed. Rationale: Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system.
Recommendation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
    Banner /etc/issue.net
Failed Instances: i-04372149a51fe6560
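The 5.2.x findings above all come down to individual sshd_config keywords, so they can be audited and remediated together. The following shell script is an added example, not part of the Inspector report or of the CIS benchmark, that checks a given sshd_config against those findings and applies the recommended values. It assumes a plain "Keyword value" file layout, reads the first occurrence of each keyword as sshd does, stops at the first Match block, and inserts new options ahead of any Match block so they stay global. It deviates from the report in one place: it writes ClientAliveInterval 100 and ClientAliveCountMax 3 rather than 300 and 0, because OpenSSH 8.2 and later treat a count of 0 as "never disconnect"; both pairs give a 5-minute idle cutoff. The file path, the group name passed for 5.2.14 and the sample configuration used below are illustrative.

```shell
#!/bin/sh
# Added example, not Inspector's or CIS's own tooling: audit an sshd_config against the
# 5.2.x findings above and apply the recommended values. Works on the file named in $1
# (normally /etc/ssh/sshd_config); a copy can be used for a dry run. Assumes plain
# "Keyword value" lines and does not consult the compiled-in defaults, so a keyword that
# is absent and whose default is looser than policy is reported as failing.

# Effective value of one keyword. sshd honours the FIRST occurrence, keywords are
# case-insensitive, and options after a "Match" block are conditional, so stop there.
sshd_value() {  # file keyword
  awk -v key="$2" '
    BEGIN { key = tolower(key) }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; exit }' "$1"
}

# Print one line per failing check (CIS id, keyword, actual, wanted); nothing on success.
audit_sshd_config() {  # file
  f="$1"
  _eq() {  # cis-id keyword expected
    v=$(sshd_value "$f" "$2"); [ "$v" = "$3" ] || echo "$1 $2=${v:-<unset>} want $3"
  }
  _range() {  # cis-id keyword min max  (unset or non-numeric fails)
    v=$(sshd_value "$f" "$2")
    case "$v" in
      ''|*[!0-9]*) echo "$1 $2=${v:-<unset>} want $3..$4" ;;
      *) [ "$v" -ge "$3" ] && [ "$v" -le "$4" ] || echo "$1 $2=$v want $3..$4" ;;
    esac
  }
  _eq    5.2.4  X11Forwarding no
  _range 5.2.5  MaxAuthTries 1 4
  _eq    5.2.8  PermitRootLogin no
  _eq    5.2.10 PermitUserEnvironment no
  m=$(sshd_value "$f" MACs)   # 5.2.11: unset means sshd offers its whole default list
  case "$m" in
    '')          echo "5.2.11 MACs=<unset>" ;;
    *md5*|*-96*) echo "5.2.11 MACs contains a weak algorithm: $m" ;;
  esac
  _range 5.2.12 ClientAliveInterval 1 300
  _range 5.2.12 ClientAliveCountMax 0 3   # 0 per the report; OpenSSH >= 8.2 reads 0 as "never"
  _range 5.2.13 LoginGraceTime 1 60       # 0 would remove the limit entirely
  found=
  for k in AllowUsers AllowGroups DenyUsers DenyGroups; do
    [ -n "$(sshd_value "$f" "$k")" ] && found=1
  done
  [ -n "$found" ] || echo "5.2.14 none of AllowUsers/AllowGroups/DenyUsers/DenyGroups set"
  [ -n "$(sshd_value "$f" Banner)" ] || echo "5.2.15 Banner=<unset>"
}

# Set one global option in place. The first line naming the keyword, including a
# commented-out "#Keyword ..." placeholder, is replaced; otherwise the option is inserted
# before the first Match block (appending after one would scope it to that block only).
set_sshd_option() {  # file keyword value
  awk -v key="$2" -v val="$3" '
    BEGIN { lk = tolower(key) }
    {
      l = $0; sub(/^[[:space:]]*#?[[:space:]]*/, "", l); split(l, w, /[[:space:]]+/)
      if (!done && tolower(w[1]) == lk)    { print key " " val; done = 1; next }
      if (!done && tolower($1) == "match") { print key " " val; done = 1 }
      print
    }
    END { if (!done) print key " " val }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Apply the report's 5.2.x values. $2 (optional) is a group to allow for 5.2.14; the
# report leaves that list to site policy. Run "sshd -t" and reload sshd afterwards.
harden_sshd_config() {  # file [allowed-group]
  f="$1"
  set_sshd_option "$f" X11Forwarding no
  set_sshd_option "$f" MaxAuthTries 4
  set_sshd_option "$f" PermitRootLogin no
  set_sshd_option "$f" PermitUserEnvironment no
  set_sshd_option "$f" MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
  # Same 5-minute idle cutoff as the report's 300/0, written so that it also holds on
  # OpenSSH 8.2+, where ClientAliveCountMax 0 disables the disconnect instead.
  set_sshd_option "$f" ClientAliveInterval 100
  set_sshd_option "$f" ClientAliveCountMax 3
  set_sshd_option "$f" LoginGraceTime 60
  set_sshd_option "$f" Banner /etc/issue.net
  [ -n "$2" ] && set_sshd_option "$f" AllowGroups "$2"
  return 0
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` to list the failing checks, `harden_sshd_config /etc/ssh/sshd_config sshusers` to apply them, then `sshd -t` before reloading; `sshd -T` prints the effective configuration including compiled-in defaults, which is the authoritative view once the file has been edited.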
5.3.1 Ensure password creation requirements are configured
Severity: High
Description: The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, is a certain length, contains a mix of characters (e.g. alphabetic, numeric, other) and more. The following are definitions of the pam_pwquality.so options:
    try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
    retry=3 - allow 3 tries before sending back a failure.
The following options are set in the /etc/security/pwquality.conf file:
    minlen=14 - password must be 14 characters or more
    dcredit=-1 - provide at least one digit
    ucredit=-1 - provide at least one uppercase character
    ocredit=-1 - provide at least one special character
    lcredit=-1 - provide at least one lowercase character
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies. Rationale: Strong passwords protect systems from being hacked through brute-force methods.
Recommendation: Run the following command to install the pam_pwquality module:
    # apt-get install libpam-pwquality
Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy:
    password requisite pam_pwquality.so try_first_pass retry=3
Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:
    minlen=14
    dcredit=-1
    ucredit=-1
    ocredit=-1
    lcredit=-1
Failed Instances: i-04372149a51fe6560
5.3.2 Ensure lockout for failed password attempts is configured
Severity: Informational
Description: Lock out users after n unsuccessful consecutive login attempts. The first set of changes is made to the common PAM configuration files; the second set is applied to each program-specific PAM configuration file and must be repeated for every program that is to lock out users. Check the documentation for each such program for instructions on how to configure it to work with PAM. Set the lockout number to the policy in effect at your site. Rationale: Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute-force password attacks against your systems.
Recommendation: Edit the /etc/pam.d/common-auth file and add the auth line below:
    auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u <username> --reset. This command sets the failed count to 0, effectively unlocking the user. pam_tally2 was removed in Linux-PAM 1.5.0; on releases shipping that version or later, use pam_faillock instead (and faillock --user <username> --reset to unlock).
Failed Instances: i-04372149a51fe6560
5.3.3 Ensure password reuse is limited
Severity: High
Description: The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. Rationale: Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password. Note that these changes apply only to accounts configured on the local system.
Recommendation: Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown:
    password sufficient pam_unix.so remember=5
On Ubuntu the stock pam_unix line in common-password uses "[success=1 default=ignore]" as its control field; append remember=5 to that existing line rather than adding a second pam_unix.so entry.
Failed Instances: i-04372149a51fe6560
5.4.2 Ensure system accounts are non-login
Severity: High
Description: There are a number of accounts provided with Ubuntu that are used to manage applications and are not intended to provide an interactive shell. Rationale: It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to /usr/sbin/nologin. This prevents the account from potentially being used to run any commands.
Recommendation: Set the shell for any accounts returned by the audit script to /usr/sbin/nologin:
    # usermod -s /usr/sbin/nologin <user>
The following script will automatically set all required user shells to /usr/sbin/nologin and lock all system accounts other than root (the sync, shutdown, and halt accounts are locked but keep their special shells):
    #!/bin/bash
    for user in $(awk -F: '($3 < 1000) {print $1}' /etc/passwd); do
        if [ "$user" != "root" ]; then
            usermod -L "$user"
            if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
                usermod -s /usr/sbin/nologin "$user"
            fi
        fi
    done
Failed Instances: i-04372149a51fe6560
5.4.4 Ensure default user umask is 027 or more restrictive
Severity: High
Description: The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories. Rationale: Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system.
Recommendation: Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:
    umask 027
Failed Instances: i-04372149a51fe6560
5.4.5 Ensure default user shell timeout is 900 seconds or less
Severity: High
Description: The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds. Rationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. the user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.
Recommendation: Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit the TMOUT parameter as follows:
    TMOUT=600
Mark the variable read-only and export it (readonly TMOUT; export TMOUT) so that users cannot unset or raise it from their own shell startup files.
Failed Instances: i-04372149a51fe6560
5.4.1.1 Ensure password expiration is 90 days or less
Severity: High
Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days. Rationale: The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute-force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.
Recommendation: Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs:
    PASS_MAX_DAYS 90
Modify user parameters for all users with a password set to match:
    # chage --maxdays 90 <user>
Failed Instances: i-04372149a51fe6560
5.4.1.2 Ensure minimum days between password changes is 7 or more
Severity: High
Description: The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that the PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.
Recommendation: Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs:
    PASS_MIN_DAYS 7
Modify user parameters for all users with a password set to match:
    # chage --mindays 7 <user>
Failed Instances: i-04372149a51fe6560
5.4.1.4 Ensure inactive password lock is 30 days or less
Severity: High
Description: User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled. Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
Recommendation: Run the following command to set the default password inactivity period to 30 days:
    # useradd -D -f 30
Modify user parameters for all users with a password set to match:
    # chage --inactive 30 <user>
Failed Instances: i-04372149a51fe6560
6.2.1 Ensure password fields are not empty
Severity: High
Description: An account with an empty password field means that anybody may log in as that user without providing a password. Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.
Recommendation: If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password:
    # passwd -l <username>
Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off.
Failed Instances: i-04372149a51fe6560
6.2.7 Ensure all users' home directories exist
Severity: High
Description: Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist. Rationale: If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have local environment variables set.
Recommendation: If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate.
Failed Instances: i-04372149a51fe6560
6.2.8 Ensure users' home directories permissions are 750 or more restrictive
Severity: High
Description: While the system administrator can establish secure permissions for users' home directories, the users can easily override these. Rationale: Group- or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.
Recommendation: Making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy.
Failed Instances: i-04372149a51fe6560
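Findings 5.4.2, 5.4.1.1 through 5.4.1.4, 6.2.1, 6.2.7 and 6.2.8 above are all answered by reading /etc/passwd and /etc/shadow (plus a stat of each home directory), so one script can report the accounts that each recommendation needs to be applied to. The following is an added example, not part of the Inspector report or the CIS benchmark. Each function takes the path of a passwd or shadow file so that exported copies can be checked offline; the policy numbers (90/7/30 days) are the report's, the sample files in the test are constructed, and the home-directory check uses GNU stat.

```shell
#!/bin/sh
# Added example, not part of the Inspector report or the CIS benchmark: audit local account
# hygiene for findings 5.4.2, 5.4.1.x, 6.2.1, 6.2.7 and 6.2.8. Each function takes the path
# of a passwd or shadow file so an exported copy can be checked offline; on a live host pass
# /etc/passwd and /etc/shadow (reading the latter requires root). Uses GNU stat.

# 5.4.2: system accounts (UID < 1000, excluding root and the sync/shutdown/halt accounts,
# which keep their special shells) that still have an interactive shell.
system_accounts_with_shell() {  # passwd-file
  awk -F: '$3 < 1000 && $1 != "root" && $1 != "sync" && $1 != "shutdown" && $1 != "halt" &&
           $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

# 6.2.1: entries whose password field is empty, i.e. anyone can log in without a password.
# Lock each one with "passwd -l <user>" until the reason is known.
empty_password_accounts() {  # shadow-file
  awk -F: '$2 == "" { print $1 }' "$1"
}

# 5.4.1.1 / 5.4.1.2 / 5.4.1.4: accounts with a password set (field 2 is a hash, not "!" or "*")
# whose per-user ageing is looser than policy. shadow fields: 4 = min days, 5 = max days,
# 7 = inactive days; an empty field means "never", which also fails. Fix with chage.
password_aging_violations() {  # shadow-file max-days min-days inactive-days
  awk -F: -v max="$2" -v min="$3" -v inact="$4" '
    $2 ~ /^[^!*]/ {
      if ($5 == "" || $5 + 0 > max + 0)   print $1 " max="      ($5 == "" ? "never" : $5)
      if ($4 == "" || $4 + 0 < min + 0)   print $1 " min="      ($4 == "" ? "0"     : $4)
      if ($7 == "" || $7 + 0 > inact + 0) print $1 " inactive=" ($7 == "" ? "never" : $7)
    }' "$1"
}

# 6.2.7 / 6.2.8: interactive users (UID >= 1000 with a login shell) whose home directory is
# missing or more permissive than 750 (group-writable, or any permission bit for "other").
# Paths are resolved under $2 (default "/"), so an exported filesystem tree can be checked.
home_directory_violations() {  # passwd-file [root-prefix]
  prefix="${2:-}"
  awk -F: '$3 >= 1000 && $7 !~ /nologin$/ && $7 != "/bin/false" { print $1 ":" $6 }' "$1" |
  while IFS=: read -r user home; do
    dir="$prefix$home"
    if [ ! -d "$dir" ]; then echo "$user $home missing"; continue; fi
    mode=$(stat -c %a "$dir")          # octal, e.g. 750 or 2750 (setgid); GNU coreutils syntax
    o=${mode#"${mode%?}"}              # last digit: other
    g=${mode%?}; g=${g#"${g%?}"}       # second-to-last digit: group
    case "$g$o" in
      [0145]0) ;;                      # group has no write bit, other has nothing
      *) echo "$user $home mode=$mode" ;;
    esac
  done
}
```

On a live host, `system_accounts_with_shell /etc/passwd` feeds the `usermod -s /usr/sbin/nologin` step of 5.4.2, `password_aging_violations /etc/shadow 90 7 30` lists the users that still need `chage --maxdays 90`, `--mindays 7` or `--inactive 30`, and `home_directory_violations /etc/passwd` gives the list that the 6.2.8 monitoring policy is meant to report rather than silently fix.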
4.2: Findings details - Common Vulnerabilities and Exposures-1.1
CVE-2013-7447
Severity: Medium
Description: Integer overflow in the gdk_cairo_set_source_pixbuf function in gdk/gdkcairo.c in GTK+ before 3.9.8, as used in eom, gnome-photos, eog, gambas3, thunar, pinpoint, and possibly other applications, allows remote attackers to cause a denial of service (crash) via a large image file, which triggers a large memory allocation.
Recommendation: Use your Operating System's update feature to update package thunar-0:1.6.3-1ubuntu5. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7447
Failed Instances: i-04372149a51fe6560
CVE-2014-8625
Severity: High
Description: Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name.
Recommendation: Use your Operating System's update feature to update package dpkg-0:1.17.5ubuntu5.8-0. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8625
Failed Instances: i-04372149a51fe6560
CVE-2014-9939
Severity: High
Description: ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.
Recommendation: Use your Operating System's update feature to update package binutils-0:2.24-5ubuntu14.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9939
Failed Instances: i-04372149a51fe6560
CVE-2015-1336
Severity: High
Description: The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in Ubuntu and Debian allows local users with access to the man account to gain privileges via vectors involving insecure chown use.
Recommendation: Use your Operating System's update feature to update package man-db-0:2.6.7.1-1ubuntu1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1336
Failed Instances: i-04372149a51fe6560
CVE-2015-5297
Severity: Medium
Description: An integer overflow issue has been reported in the general_composite_rect() function in pixman prior to version 0.32.8. An attacker could exploit this issue to cause an application using pixman to crash or, potentially, execute arbitrary code.
Recommendation: Use your Operating System's update feature to update package libpixman-1-0-0:0.30.2-2ubuntu1.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5297
Failed Instances: i-04372149a51fe6560
CVE-2015-8539
Severity: High
Description: The KEYS subsystem in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8539
Failed Instances: i-04372149a51fe6560
CVE-2016-10708
Severity: High
Description: sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.
Recommendation: Use your Operating System's update feature to update package openssh-server-1:6.6p1-2ubuntu2.10. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10708
Failed Instances: i-04372149a51fe6560
CVE-2016-2226
Severity: High
Description: Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.
Recommendation: Use your Operating System's update feature to update package binutils-0:2.24-5ubuntu14.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2226
Failed Instances: i-04372149a51fe6560
CVE-2016-4484
Severity: High
Description: The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.
Recommendation: Use your Operating System's update feature to update package cryptsetup-2:1.6.1-1ubuntu1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484
Failed Instances: i-04372149a51fe6560
CVE-2016-5011
Severity: Medium
Description: The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.
Recommendation: Use your Operating System's update feature to update package util-linux-0:2.20.1-5.1ubuntu20.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011
Failed Instances: i-04372149a51fe6560
CVE-2016-7913
Severity: High
Description: The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7913
Failed Instances: i-04372149a51fe6560
CVE-2016-9588
Severity: Medium
Description: arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9588
Failed Instances: i-04372149a51fe6560
CVE-2017-0794
Severity: High
Description: An elevation of privilege vulnerability in the upstream kernel scsi driver. Product: Android. Versions: Android kernel. Android ID: A-35644812.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0794
Failed Instances: i-04372149a51fe6560
CVE-2017-11591
Severity: High
Description: There is a floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
Recommendation: Use your Operating System's update feature to update package libexiv2-12-0:0.23-1ubuntu2.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11591
Failed Instances: i-04372149a51fe6560
CVE-2017-11683
Severity: Medium
Description: There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
Recommendation: Use your Operating System's update feature to update package libexiv2-12-0:0.23-1ubuntu2.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11683
Failed Instances: i-04372149a51fe6560
CVE-2017-13168
Severity: Medium
Description: An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android kernel. Android ID: A-65023233.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13168
Failed Instances: i-04372149a51fe6560
CVE-2017-14502
Severity: High
Description: read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header.
Recommendation: Use your Operating System's update feature to update package libarchive13-0:3.1.2-7ubuntu2.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
Failed Instances: i-04372149a51fe6560
CVE-2017-14859
Severity: Medium
Description: An invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
Recommendation: Use your Operating System's update feature to update package libexiv2-12-0:0.23-1ubuntu2.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859
Failed Instances: i-04372149a51fe6560
CVE-2017-14862
Severity: Medium
Description: An invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
Recommendation: Use your Operating System's update feature to update package libexiv2-12-0:0.23-1ubuntu2.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862
Failed Instances: i-04372149a51fe6560
CVE-2017-14864
Severity: Medium
Description: An invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
Recommendation: Use your Operating System's update feature to update package libexiv2-12-0:0.23-1ubuntu2.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
Failed Instances: i-04372149a51fe6560
CVE-2017-15299
Severity: Medium
Description: The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15299
Failed Instances: i-04372149a51fe6560
CVE-2017-16649
Severity: High
Description: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16649
Failed Instances: i-04372149a51fe6560
CVE-2017-17669
Severity: Medium
Description: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.
Recommendation: Use your Operating System's update feature to update package libexiv2-12-0:0.23-1ubuntu2.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17669
Failed Instances: i-04372149a51fe6560
CVE-2017-18216
Severity: Medium
Description: In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of service (NULL pointer dereference and BUG) because a required mutex is not used.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18216
Failed Instances: i-04372149a51fe6560
CVE-2017-2647
Severity: High
Description: The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2647
Failed Instances: i-04372149a51fe6560
CVE-2017-6519
Severity: High
Description: avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809.
Recommendation: Use your Operating System's update feature to update package avahi-daemon-0:0.6.31-4ubuntu1.2, libavahi-core7-0:0.6.31-4ubuntu1.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6519
Failed Instances: i-04372149a51fe6560
CVE-2017-9239
Severity: Medium
Description: An issue was discovered in Exiv2 0.26. When the data structure of the structure ifd is incorrect, the program assigns pValue_ to 0x0, and the value of pValue() is 0x0. TiffImageEntry::doWriteImage will use the value of pValue() to cause a segmentation fault. To exploit this vulnerability, someone must open a crafted tiff file.
Recommendation: Use your Operating System's update feature to update package libexiv2-12-0:0.23-1ubuntu2.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9239
Failed Instances: i-04372149a51fe6560
CVE-2017-9525
Severity: High
Description: In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.
Recommendation: Use your Operating System's update feature to update package cron-0:3.0pl1-124ubuntu2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9525
Failed Instances: i-04372149a51fe6560
CVE-2018-0495
Severity: Low
Description: Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
Recommendation: Use your Operating System's update feature to update package libnss3-2:3.28.4-0ubuntu0.14.04.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
Failed Instances: i-04372149a51fe6560
CVE-2018-0734
Severity: Medium
Description: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
Recommendation: Use your Operating System's update feature to update package libssl1.0.0-0:1.0.1f-1ubuntu2.26. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734
Failed Instances: i-04372149a51fe6560
CVE-2018-0735
Severity: Medium
Description: The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
Recommendation: Use your Operating System's update feature to update package libssl1.0.0-0:1.0.1f-1ubuntu2.26. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0735
Failed Instances: i-04372149a51fe6560
CVE-2018-1000004
Severity: High
Description: In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system; this can lead to a deadlock and denial of service condition.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000004
Failed Instances: i-04372149a51fe6560
CVE-2018-1000030
Severity: High
Description: Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable, however this has not been confirmed. The vulnerability lies when multiple threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread 1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.
Recommendation: Use your Operating System's update feature to update package python2.7-0:2.7.6-8ubuntu0.4, python2.7-minimal-0:2.7.6-8ubuntu0.4, python3.4-0:3.4.3-1ubuntu1~14.04.6, python3.4-minimal-0:3.4.3-1ubuntu1~14.04.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030
Failed Instances: i-04372149a51fe6560
CVE-2018-1000802
Severity: High
Description: Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appears to be exploitable via passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.
Recommendation: Use your Operating System's update feature to update package python2.7-0:2.7.6-8ubuntu0.4, python2.7-minimal-0:2.7.6-8ubuntu0.4, python3.4-0:3.4.3-1ubuntu1~14.04.6, python3.4-minimal-0:3.4.3-1ubuntu1~14.04.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
Failed Instances: i-04372149a51fe6560
CVE-2018-1000877
Severity: High
Description: libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appears to be exploitable via the victim must open a specially crafted RAR archive.
Recommendation: Use your Operating System's update feature to update package libarchive13-0:3.1.2-7ubuntu2.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000877
Failed Instances: i-04372149a51fe6560
CVE-2018-1000878
Severity: High
Description: libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c that can result in Crash/DoS - it is unknown if RCE is possible. This attack appears to be exploitable via the victim must open a specially crafted RAR archive.
Recommendation: Use your Operating System's update feature to update package libarchive13-0:3.1.2-7ubuntu2.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000878
Failed Instances: i-04372149a51fe6560
CVE-2018-1000880
Severity: Medium
Description: libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards (release v3.2.0 onwards) contains a CWE-20: Improper Input Validation vulnerability in WARC parser - libarchive/archive_read_support_format_warc.c, _warc_read() that can result in DoS - quasi-infinite run time and disk usage from tiny file. This attack appears to be exploitable via the victim must open a specially crafted WARC file.
Recommendation: Use your Operating System's update feature to update package libarchive13-0:3.1.2-7ubuntu2.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000880
Failed Instances: i-04372149a51fe6560
CVE-2018-10119
Severity: High
Description: sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x before 6.0.1.1 uses an incorrect integer data type in the StgSmallStrm class, which allows remote attackers to cause a denial of service (use-after-free with write access) or possibly have unspecified other impact via a crafted document that uses the structured storage ole2 wrapper file format.
Recommendation: Use your Operating System's update feature to update package libreoffice-core-1:4.2.8-0ubuntu5.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10119
Failed Instances: i-04372149a51fe6560
CVE-2018-10120
Severity: High
Description: The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx in LibreOffice before 5.4.6.1 and 6.x before 6.0.2.1 does not validate a customizations index, which allows remote attackers to cause a denial of service (heap-based buffer overflow with write access) or possibly have unspecified other impact via a crafted document that contains a certain Microsoft Word record.
Recommendation: Use your Operating System's update feature to update package libreoffice-core-1:4.2.8-0ubuntu5.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10120
Failed Instances: i-04372149a51fe6560
CVE-2018-10583
Severity: High
Description: An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document.
Recommendation: Use your Operating System's update feature to update package libreoffice-core-1:4.2.8-0ubuntu5.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10583
Failed Instances: i-04372149a51fe6560
CVE-2018-1060
Severity: High
Description: python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.
Recommendation: Use your Operating System's update feature to update package python2.7-0:2.7.6-8ubuntu0.4, python2.7-minimal-0:2.7.6-8ubuntu0.4, python3.4-0:3.4.3-1ubuntu1~14.04.6, python3.4-minimal-0:3.4.3-1ubuntu1~14.04.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
Failed Instances: i-04372149a51fe6560
CVE-2018-1061
Severity: High
Description: python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
Recommendation: Use your Operating System's update feature to update package python2.7-0:2.7.6-8ubuntu0.4, python2.7-minimal-0:2.7.6-8ubuntu0.4, python3.4-0:3.4.3-1ubuntu1~14.04.6, python3.4-minimal-0:3.4.3-1ubuntu1~14.04.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
Failed Instances: i-04372149a51fe6560
CVE-2018-1066
Severity: High
Description: The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1066
Failed Instances: i-04372149a51fe6560
CVE-2018-10902
Severity: Medium
Description: It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10902
Failed Instances: i-04372149a51fe6560
CVE-2018-10963
Severity: Medium
Description: The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.
Recommendation: Use your Operating System's update feature to update package libtiff5-0:4.0.3-7ubuntu0.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
Failed Instances: i-04372149a51fe6560
CVE-2018-11574
Severity: High
Description: Improper input validation together with an integer overflow in the EAP-TLS protocol implementation in PPPD may cause a crash, information disclosure, or authentication bypass. This implementation is distributed as a patch for PPPD 0.91, and includes the affected eap.c and eap-tls.c files. Configurations that use the `refuse-app` option are unaffected.
Recommendation: Use your Operating System's update feature to update package ppp-0:2.4.5-5.1ubuntu2.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11574
Failed Instances: i-04372149a51fe6560
CVE-2018-11790
Severity: Medium
Description: When loading a document with Apache Open Office 4.1.5 and earlier with smaller end line termination than the operating system uses, the defect occurs. In this case OpenOffice runs into an Arithmetic Overflow at a string length calculation.
Recommendation: Use your Operating System's update feature to update package libreoffice-core-1:4.2.8-0ubuntu5.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11790
Failed Instances: i-04372149a51fe6560
CVE-2018-12384
Severity: Medium
Description: A flaw was found in the way NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. A man-in-the-middle attacker could use this flaw in a passive replay attack.
Recommendation: Use your Operating System's update feature to update package libnss3-2:3.28.4-0ubuntu0.14.04.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12384
Failed Instances: i-04372149a51fe6560
CVE-2018-12389
Severity: High
Description: RESERVED This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Recommendation: Use your Operating System's update feature to update package thunderbird-1:60.2.1+build1-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12389
Failed Instances: i-04372149a51fe6560
CVE-2018-12390
Severity: High
Description: RESERVED This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Recommendation: Use your Operating System's update feature to update package thunderbird-1:60.2.1+build1-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12390
Failed Instances: i-04372149a51fe6560
CVE-2018-12392
Severity: High
Description: RESERVED This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Recommendation: Use your Operating System's update feature to update package thunderbird-1:60.2.1+build1-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12392
Failed Instances: i-04372149a51fe6560
CVE-2018-12393
Severity: High
Description: RESERVED This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Recommendation: Use your Operating System's update feature to update package thunderbird-1:60.2.1+build1-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12393
Failed Instances: i-04372149a51fe6560
CVE-2018-12896
Severity: Medium
Description: An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12896
Failed Instances: i-04372149a51fe6560
CVE-2018-14633
Severity: High
Description: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14633
Failed Instances: i-04372149a51fe6560
CVE-2018-14634
Severity: High
Description: An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14634
Failed Instances: i-04372149a51fe6560
CVE-2018-14647
Severity: High
Description: Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.
Recommendation: Use your Operating System's update feature to update package python2.7-0:2.7.6-8ubuntu0.4, python2.7-minimal-0:2.7.6-8ubuntu0.4, python3.4-0:3.4.3-1ubuntu1~14.04.6, python3.4-minimal-0:3.4.3-1ubuntu1~14.04.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
Failed Instances: i-04372149a51fe6560
CVE-2018-14734
Severity: High
Description: drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial of service (use-after-free).
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14734
Failed Instances: i-04372149a51fe6560
CVE-2018-15126
Severity: High
Description: LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains a heap use-after-free vulnerability in server code of the file transfer extension that can result in remote code execution.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15126
Failed Instances: i-04372149a51fe6560
CVE-2018-15127
Severity: High
Description: LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains a heap out-of-bound write vulnerability in server code of the file transfer extension that can result in remote code execution.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15127
Failed Instances: i-04372149a51fe6560
CVE-2018-15473
Severity: High
Description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
Recommendation: Use your Operating System's update feature to update package openssh-server-1:6.6p1-2ubuntu2.10. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473
Failed Instances: i-04372149a51fe6560
CVE-2018-15572
Severity: Medium
Description: The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15572
Failed Instances: i-04372149a51fe6560
CVE-2018-15594
Severity: Medium
Description: arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15594
Failed Instances: i-04372149a51fe6560
CVE-2018-16276
Severity: High
Description: An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16276
Failed Instances: i-04372149a51fe6560
CVE-2018-16336
Severity: Medium
Description: Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, a different vulnerability than CVE-2018-10999.
Recommendation: Use your Operating System's update feature to update package libexiv2-12-0:0.23-1ubuntu2.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16336
Failed Instances: i-04372149a51fe6560
CVE-2018-16395
Severity: High
Description: An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
Recommendation: Use your Operating System's update feature to update package libruby1.9.1-0:1.9.3.484-2ubuntu1.12, ruby1.9.1-0:1.9.3.484-2ubuntu1.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16395
Failed Instances: i-04372149a51fe6560
CVE-2018-16396
Severity: High
Description: An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
Recommendation: Use your Operating System's update feature to update package libruby1.9.1-0:1.9.3.484-2ubuntu1.12, ruby1.9.1-0:1.9.3.484-2ubuntu1.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396
Failed Instances: i-04372149a51fe6560
CVE-2018-16646
Severity: Medium
Description: In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack.
Recommendation: Use your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16646
Failed Instances: i-04372149a51fe6560
CVE-2018-16658
Severity: Medium
Description: An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16658
Failed Instances: i-04372149a51fe6560
CVE-2018-17100
Severity: High
Description: An issue was discovered in LibTIFF 4.0.9. There is an int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
Recommendation: Use your Operating System's update feature to update package libtiff5-0:4.0.3-7ubuntu0.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17100
Failed Instances: i-04372149a51fe6560
CVE-2018-17101
Severity: High
Description: An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.
Recommendation: Use your Operating System's update feature to update package libtiff5-0:4.0.3-7ubuntu0.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17101
Failed Instances: i-04372149a51fe6560
CVE-2018-17466
Severity: High
Description: Incorrect texture handling in Angle in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
Recommendation: Use your Operating System's update feature to update package firefox-0:63.0+build2-0ubuntu0.14.04.2, thunderbird-1:60.2.1+build1-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17466
Failed Instances: i-04372149a51fe6560
CVE-2018-17581
Severity: Medium
Description: CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive stack consumption due to a recursive function, leading to Denial of service.
Recommendation: Use your Operating System's update feature to update package libexiv2-12-0:0.23-1ubuntu2.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17581
Failed Instances: i-04372149a51fe6560
CVE-2018-17972
Severity: Medium
Description: An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17972
Failed Instances: i-04372149a51fe6560
CVE-2018-18281
Severity: Medium
Description: Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18281
Failed Instances: i-04372149a51fe6560
CVE-2018-18311
Severity: High
Description: Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Recommendation: Use your Operating System's update feature to update package perl-0:5.18.2-2ubuntu1.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18311
Failed Instances: i-04372149a51fe6560
CVE-2018-18312
Severity: High
Description: Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Recommendation: Use your Operating System's update feature to update package perl-0:5.18.2-2ubuntu1.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18312
Failed Instances: i-04372149a51fe6560
CVE-2018-18313
Severity: High
Description: Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
Recommendation: Use your Operating System's update feature to update package perl-0:5.18.2-2ubuntu1.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18313
Failed Instances: i-04372149a51fe6560
CVE-2018-18314
Severity: High
Description: Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Recommendation: Use your Operating System's update feature to update package perl-0:5.18.2-2ubuntu1.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18314
Failed Instances: i-04372149a51fe6560
CVE-2018-18386
Severity: Medium
Description: drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18386
Failed Instances: i-04372149a51fe6560
CVE-2018-18500
Severity: High
Description: A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.
Recommendation: Use your Operating System's update feature to update package firefox-0:63.0+build2-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18500
Failed Instances: i-04372149a51fe6560
CVE-2018-18501
Severity: High
Description: Mozilla developers and community members reported memory safety bugs present in Firefox 64 and Firefox ESR 60.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.
Recommendation: Use your Operating System's update feature to update package firefox-0:63.0+build2-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18501
Failed Instances: i-04372149a51fe6560
CVE-2018-18502
Severity: High
Description: Mozilla developers and community members reported memory safety bugs present in Firefox 64. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 65.
Recommendation: Use your Operating System's update feature to update package firefox-0:63.0+build2-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18502
Failed Instances: i-04372149a51fe6560
CVE-2018-18503
Severity: High
Description: When JavaScript is used to create and manipulate an audio buffer, a potentially exploitable crash may occur because of a compartment mismatch in some situations. This vulnerability affects Firefox < 65.
Recommendation: Use your Operating System's update feature to update package firefox-0:63.0+build2-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18503
Failed Instances: i-04372149a51fe6560
CVE-2018-18504
Severity: High
Description: A crash and out-of-bounds read can occur when the buffer of a texture client is freed while it is still in use during graphic operations. This results in a potentially exploitable crash and the possibility of reading from the memory of the freed buffers. This vulnerability affects Firefox < 65.
Recommendation: Use your Operating System's update feature to update package firefox-0:63.0+build2-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18504
Failed Instances: i-04372149a51fe6560
CVE-2018-18505
Severity: High
Description: An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication between IPC endpoints and server parents during IPC process creation. This authentication is insufficient for channels created after the IPC process is started, leading to the authentication not being correctly applied to later channels. This could allow for a sandbox escape through IPC channels due to lack of message validation in the listener process. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.
Recommendation: Use your Operating System's update feature to update package firefox-0:63.0+build2-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18505
Failed Instances: i-04372149a51fe6560
CVE-2018-18506
Severity: Medium
Description: When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing. This vulnerability affects Firefox < 65.
Recommendation: Use your Operating System's update feature to update package firefox-0:63.0+build2-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18506
Failed Instances: i-04372149a51fe6560
CVE-2018-18557
Severity: High
Description: LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
Recommendation: Use your Operating System's update feature to update package libtiff5-0:4.0.3-7ubuntu0.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18557
Failed Instances: i-04372149a51fe6560
CVE-2018-18661
Severity: Medium
Description: An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.
Recommendation: Use your Operating System's update feature to update package libtiff5-0:4.0.3-7ubuntu0.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18661
Failed Instances: i-04372149a51fe6560
CVE-2018-18690
Severity: Medium
Description: In the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE operations with conversion of an attr from short to long form.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18690
Failed Instances: i-04372149a51fe6560
CVE-2018-18710
Severity: Medium
Description: An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18710
Failed Instances: i-04372149a51fe6560
CVE-2018-18751
Severity: High
Description: An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.
Recommendation: Use your Operating System's update feature to update package gettext-0:0.18.3.1-1ubuntu3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18751
Failed Instances: i-04372149a51fe6560
CVE-2018-19058
Severity: Medium
Description: An issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, which will lead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file.
Recommendation: Use your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19058
Failed Instances: i-04372149a51fe6560
CVE-2018-19059
Severity: Medium
Description: An issue was discovered in Poppler 0.71.0. There is an out-of-bounds read in EmbFile::save2 in FileSpec.cc, which will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating embedded files before save attempts.
Recommendation: Use your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19059
Failed Instances: i-04372149a51fe6560
CVE-2018-19060
Severity: Medium
Description: An issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference in goo/GooString.h, which will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating a filename of an embedded file before constructing a save path.
Recommendation: Use your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19060
Failed Instances: i-04372149a51fe6560
CVE-2018-19149
Severity: Medium
Description: Poppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment.
Recommendation: Use your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19149
Failed Instances: i-04372149a51fe6560
CVE-2018-19409
Severity: High
Description: An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used.
Recommendation: Use your Operating System's update feature to update package ghostscript-0:9.25~dfsg+1-0ubuntu0.14.04.2, libgs9-0:9.25~dfsg+1-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19409
Failed Instances: i-04372149a51fe6560
CVE-2018-19475
Severity: High
Description: psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same.
Recommendation: Use your Operating System's update feature to update package ghostscript-0:9.25~dfsg+1-0ubuntu0.14.04.2, libgs9-0:9.25~dfsg+1-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19475
Failed Instances: i-04372149a51fe6560
CVE-2018-19476
Severity: High
Description: psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion.
Recommendation: Use your Operating System's update feature to update package ghostscript-0:9.25~dfsg+1-0ubuntu0.14.04.2, libgs9-0:9.25~dfsg+1-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19476
Failed Instances: i-04372149a51fe6560
CVE-2018-19477
Severity: High
Description: psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion.
Recommendation: Use your Operating System's update feature to update package ghostscript-0:9.25~dfsg+1-0ubuntu0.14.04.2, libgs9-0:9.25~dfsg+1-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19477
Failed Instances: i-04372149a51fe6560
CVE-2018-19787
Severity: Medium
Description: An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
Recommendation: Use your Operating System's update feature to update package python-lxml-0:3.3.3-1ubuntu0.1, python3-lxml-0:3.3.3-1ubuntu0.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19787
Failed Instances: i-04372149a51fe6560
CVE-2018-19788
Severity: High
Description: A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
Recommendation: Use your Operating System's update feature to update package libpolkit-backend-1-0-0:0.105-4ubuntu3.14.04.2, policykit-1-0:0.105-4ubuntu3.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788
Failed Instances: i-04372149a51fe6560
CVE-2018-19840
Severity: Medium
Description: The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero.
Recommendation: Use your Operating System's update feature to update package libwavpack1-0:4.70.0-1ubuntu0.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19840
Failed Instances: i-04372149a51fe6560
CVE-2018-19841
Severity: Medium
Description: The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (out-of-bounds read and application crash) via a crafted WavPack Lossless Audio file, as demonstrated by wvunpack.
Recommendation: Use your Operating System's update feature to update package libwavpack1-0:4.70.0-1ubuntu0.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19841
Failed Instances: i-04372149a51fe6560
CVE-2018-20019
Severity: High
Description: LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bounds write vulnerabilities in VNC client code that can result in remote code execution.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20019
Failed Instances: i-04372149a51fe6560
CVE-2018-20020
Severity: High
Description: LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains a heap out-of-bounds write vulnerability inside a structure in VNC client code that can result in remote code execution.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20020
Failed Instances: i-04372149a51fe6560
CVE-2018-20021
Severity: High
Description: LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains a CWE-835: Infinite Loop vulnerability in VNC client code. The vulnerability allows an attacker to consume an excessive amount of resources such as CPU and RAM.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20021
Failed Instances: i-04372149a51fe6560
CVE-2018-20022
Severity: High
Description: LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple CWE-665: Improper Initialization weaknesses in VNC client code that allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, this can be used to leak the stack memory layout and to bypass ASLR.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20022
Failed Instances: i-04372149a51fe6560
CVE-2018-20023
Severity: High
Description: LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains a CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allows an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, this can be used to leak the stack memory layout and to bypass ASLR.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20023
Failed Instances: i-04372149a51fe6560
CVE-2018-20024
Severity: High
Description: LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains a null pointer dereference in VNC client code that can result in DoS.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20024
Failed Instances: i-04372149a51fe6560
CVE-2018-20459
Severity: Medium
Description: In radare2 through 3.1.3, the armass_assemble function in libr/asm/arch/arm/armass.c allows attackers to cause a denial-of-service (application crash by out-of-bounds read) by crafting an arm assembly input because a loop uses an incorrect index in armass.c and certain length validation is missing in armass64.c, a related issue to CVE-2018-20457.
Recommendation: Use your Operating System's update feature to update package libcaca0-0:0.99.beta18-1ubuntu5. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20459
Failed Instances: i-04372149a51fe6560
CVE-2018-20481
Severity: Medium
Description: XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.
Recommendation: Use your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20481
Failed Instances: i-04372149a51fe6560
CVE-2018-20544
Severity: Medium
Description: There is a floating point exception at caca/dither.c (function caca_dither_bitmap) in libcaca 0.99.beta19.
Recommendation: Use your Operating System's update feature to update package libcaca0-0:0.99.beta18-1ubuntu5. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20544
Failed Instances: i-04372149a51fe6560
CVE-2018-20545
Severity: High
Description: There is an illegal WRITE memory access at common-image.c (function load_image) in libcaca 0.99.beta19 for 4bpp data.
Recommendation: Use your Operating System's update feature to update package libcaca0-0:0.99.beta18-1ubuntu5. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20545
Failed Instances: i-04372149a51fe6560
CVE-2018-20546
Severity: Medium
Description: There is an illegal READ memory access at caca/dither.c (function get_rgba_default) in libcaca 0.99.beta19 for the default bpp case.
Recommendation: Use your Operating System's update feature to update package libcaca0-0:0.99.beta18-1ubuntu5. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20546
Failed Instances: i-04372149a51fe6560
CVE-2018-20547
Severity: Medium
Description: There is an illegal READ memory access at caca/dither.c (function get_rgba_default) in libcaca 0.99.beta19 for 24bpp data.
Recommendation: Use your Operating System's update feature to update package libcaca0-0:0.99.beta18-1ubuntu5. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20547
Failed Instances: i-04372149a51fe6560
CVE-2018-20548
Severity: High
Description: There is an illegal WRITE memory access at common-image.c (function load_image) in libcaca 0.99.beta19 for 1bpp data.
Recommendation: Use your Operating System's update feature to update package libcaca0-0:0.99.beta18-1ubuntu5. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20548
Failed Instances: i-04372149a51fe6560
CVE-2018-20549
Severity: High
Description: There is an illegal WRITE memory access at caca/file.c (function caca_file_read) in libcaca 0.99.beta19.
Recommendation: Use your Operating System's update feature to update package libcaca0-0:0.99.beta18-1ubuntu5. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20549
Failed Instances: i-04372149a51fe6560
CVE-2018-20551
Severity: Medium
Description: A reachable Object::getString assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Annot.c.
Recommendation: Use your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20551
Failed Instances: i-04372149a51fe6560
CVE-2018-20650
Severity: Medium
Description: A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach.
Recommendation: Use your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20650
Failed Instances: i-04372149a51fe6560
CVE-2018-20685
Severity: Medium
Description: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.
Recommendation: Use your Operating System's update feature to update package openssh-client-1:6.6p1-2ubuntu2.10, openssh-server-1:6.6p1-2ubuntu2.10. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685
Failed Instances: i-04372149a51fe6560
CVE-2018-20748
Severity: High
Description: LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20748
Failed Instances: i-04372149a51fe6560
CVE-2018-20749
Severity: High
Description: LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20749
Failed Instances: i-04372149a51fe6560
CVE-2018-20750
Severity: High
Description: LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20750
Failed Instances: i-04372149a51fe6560
CVE-2018-3136
Severity: Medium
Description: Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N).
Recommendation: Use your Operating System's update feature to update package openjdk-7-jre-0:7u181-2.6.14-0ubuntu0.2, openjdk-7-jre-headless-0:7u181-2.6.14-0ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3136
Failed Instances: i-04372149a51fe6560
CVE-2018-3139
Severity: Medium
Description: Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
Recommendation: Use your Operating System's update feature to update package openjdk-7-jre-0:7u181-2.6.14-0ubuntu0.2, openjdk-7-jre-headless-0:7u181-2.6.14-0ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3139
Failed Instances: i-04372149a51fe6560
CVE-2018-3149
Severity: High
Description: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Recommendation: Use your Operating System's update feature to update package openjdk-7-jre-0:7u181-2.6.14-0ubuntu0.2, openjdk-7-jre-headless-0:7u181-2.6.14-0ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3149
Failed Instances: i-04372149a51fe6560
CVE-2018-3169
Severity: High
Description: Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Recommendation: Use your Operating System's update feature to update package openjdk-7-jre-0:7u181-2.6.14-0ubuntu0.2, openjdk-7-jre-headless-0:7u181-2.6.14-0ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3169
Failed Instances: i-04372149a51fe6560
CVE-2018-3180
Severity: High
Description: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
Recommendation: Use your Operating System's update feature to update package openjdk-7-jre-0:7u181-2.6.14-0ubuntu0.2, openjdk-7-jre-headless-0:7u181-2.6.14-0ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3180
Failed Instances: i-04372149a51fe6560
CVE-2018-5407
Severity: Low
Description: Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
Recommendation: Use your Operating System's update feature to update package libssl1.0.0-0:1.0.1f-1ubuntu2.26. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407
Failed Instances: i-04372149a51fe6560
CVE-2018-5807
Severity: High
Description: An error within the "samsung_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
Recommendation: Use your Operating System's update feature to update package libraw9-0:0.15.4-1ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5807
Failed Instances: i-04372149a51fe6560
CVE-2018-5810
Severity: High
Description: An error within the "rollei_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash.
Recommendation: Use your Operating System's update feature to update package libraw9-0:0.15.4-1ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5810
Failed Instances: i-04372149a51fe6560
CVE-2018-5811
Severity: Medium
Description: An error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
Recommendation: Use your Operating System's update feature to update package libraw9-0:0.15.4-1ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5811
Failed Instances: i-04372149a51fe6560
CVE-2018-5812
Severity: Medium
Description: An error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to trigger a NULL pointer dereference.
Recommendation: Use your Operating System's update feature to update package libraw9-0:0.15.4-1ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5812
Failed Instances: i-04372149a51fe6560
CVE-2018-5813
Severity: High
Description: An error within the "parse_minolta()" function (dcraw/dcraw.c) in LibRaw versions prior to 0.18.11 can be exploited to trigger an infinite loop via a specially crafted file.
Recommendation: Use your Operating System's update feature to update package libraw9-0:0.15.4-1ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5813
Failed Instances: i-04372149a51fe6560
CVE-2018-5815
Severity: High
Description: An integer overflow error within the "parse_qt()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger an infinite loop via a specially crafted Apple QuickTime file.
Recommendation: Use your Operating System's update feature to update package libraw9-0:0.15.4-1ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5815
Failed Instances: i-04372149a51fe6560
CVE-2018-5816
Severity: High
Description: An integer overflow error within the "identify()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger a division by zero via specially crafted NOKIARAW file (Note: This vulnerability is caused due to an incomplete fix of CVE-2018-5804).
Recommendation: Use your Operating System's update feature to update package libraw9-0:0.15.4-1ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5816
Failed Instances: i-04372149a51fe6560
CVE-2018-6307
Severity: High
Description: LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains a heap use-after-free vulnerability in the server code of the file transfer extension that can result in remote code execution.
Recommendation: Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6307
Failed Instances: i-04372149a51fe6560
CVE-2018-6554
Severity: Medium
Description: Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6554
Failed Instances: i-04372149a51fe6560
CVE-2018-6555
Severity: High
Description: The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6555
Failed Instances: i-04372149a51fe6560
CVE-2018-7456
Severity: Medium
Description: A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)
Recommendation: Use your Operating System's update feature to update package libtiff5-0:4.0.3-7ubuntu0.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7456
Failed Instances: i-04372149a51fe6560
CVE-2018-7566
Severity: Medium
Description: The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7566
Failed Instances: i-04372149a51fe6560
CVE-2018-8784
Severity: High
Description: FreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overflow in function zgfx_decompress_segment() that results in a memory corruption and probably even a remote code execution.
Recommendation: Use your Operating System's update feature to update package libfreerdp1-0:1.0.2-2ubuntu1.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8784
Failed Instances: i-04372149a51fe6560
CVE-2018-8785
Severity: High
Description: FreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overflow in function zgfx_decompress() that results in a memory corruption and probably even a remote code execution.
Recommendation: Use your Operating System's update feature to update package libfreerdp1-0:1.0.2-2ubuntu1.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8785
Failed Instances: i-04372149a51fe6560
CVE-2018-8786
Severity: High
Description: FreeRDP prior to version 2.0.0-rc4 contains an Integer Truncation that leads to a Heap-Based Buffer Overflow in function update_read_bitmap_update() and results in a memory corruption and probably even a remote code execution.
Recommendation: Use your Operating System's update feature to update package libfreerdp1-0:1.0.2-2ubuntu1.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8786
Failed Instances: i-04372149a51fe6560
CVE-2018-8787
Severity: High
Description: FreeRDP prior to version 2.0.0-rc4 contains an Integer Overflow that leads to a Heap-Based Buffer Overflow in function gdi_Bitmap_Decompress() and results in a memory corruption and probably even a remote code execution.
Recommendation: Use your Operating System's update feature to update package libfreerdp1-0:1.0.2-2ubuntu1.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8787
Failed Instances: i-04372149a51fe6560
CVE-2018-8788
Severity: High
Description: FreeRDP prior to version 2.0.0-rc4 contains an Out-Of-Bounds Write of up to 4 bytes in function nsc_rle_decode() that results in a memory corruption and possibly even a remote code execution.
Recommendation: Use your Operating System's update feature to update package libfreerdp1-0:1.0.2-2ubuntu1.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8788
Failed Instances: i-04372149a51fe6560
CVE-2018-8789
Severity: High
Description: FreeRDP prior to version 2.0.0-rc4 contains several Out-Of-Bounds Reads in the NTLM Authentication module that result in a Denial of Service (segfault).
Recommendation: Use your Operating System's update feature to update package libfreerdp1-0:1.0.2-2ubuntu1.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8789
Failed Instances: i-04372149a51fe6560
CVE-2018-8905
Severity: High
Description: In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.
Recommendation: Use your Operating System's update feature to update package libtiff5-0:4.0.3-7ubuntu0.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905
Failed Instances: i-04372149a51fe6560
CVE-2018-9363
Severity: High
Description: In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-65853588. References: Upstream kernel.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9363
Failed Instances: i-04372149a51fe6560
CVE-2018-9518
Severity: High
Description: In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9518
Failed Instances: i-04372149a51fe6560
CVE-2018-9568
Severity: High
Description: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References: Upstream kernel.
Recommendation: Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9568
Failed Instances: i-04372149a51fe6560
CVE-2019-1000019
Severity: Medium
Description: libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.
Recommendation: Use your Operating System's update feature to update package libarchive13-0:3.1.2-7ubuntu2.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000019
Failed Instances: i-04372149a51fe6560
CVE-2019-1000020
Severity: Medium
Description: libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.
Recommendation: Use your Operating System's update feature to update package libarchive13-0:3.1.2-7ubuntu2.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000020
Failed Instances: i-04372149a51fe6560
CVE-2019-3813
Severity: High
Description: Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers.
Recommendation: Use your Operating System's update feature to update package libspice-server1-0:0.12.4-0nocelt2ubuntu1.7. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3813
Failed Instances: i-04372149a51fe6560
CVE-2019-3823
Severity: High
Description: libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.
Recommendation: Use your Operating System's update feature to update package curl-0:7.35.0-1ubuntu2.19, libcurl3-0:7.35.0-1ubuntu2.19, libcurl3-gnutls-0:7.35.0-1ubuntu2.19. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823
Failed Instances: i-04372149a51fe6560
CVE-2019-6109
Severity: Medium
Description: An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
Recommendation: Use your Operating System's update feature to update package openssh-client-1:6.6p1-2ubuntu2.10, openssh-server-1:6.6p1-2ubuntu2.10. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6109
Failed Instances: i-04372149a51fe6560
CVE-2019-6110
Severity: Medium
Description: In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.
Recommendation: Use your Operating System's update feature to update package openssh-client-1:6.6p1-2ubuntu2.10, openssh-server-1:6.6p1-2ubuntu2.10. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6110
Failed Instances: i-04372149a51fe6560
CVE-2019-7310
Severity: High
Description: In Poppler 0.73.0, a heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document, as demonstrated by pdftocairo.
Recommendation: Use your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7310
Failed Instances: i-04372149a51fe6560
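Every CVE finding in this section ends with the same recommendation: update the package it quotes, written as name-epoch:version (for example libssl1.0.0-0:1.0.1f-1ubuntu2.26). Confirming that a fix has landed means comparing Debian package versions, and those do not sort as plain strings: epochs outrank everything, a ~ marks a pre-release that sorts below the bare version, and revisions such as 1ubuntu2.26 compare numerically segment by segment. The Python below is an added example written for this page, not Inspector's or dpkg's code: it splits the report's package tokens into name and version and reimplements the dpkg version ordering so an installed version can be checked against a fixed one. The "fixed" versions used in its test are constructed for illustration and are not the real fix versions for these CVEs. On the instance itself, dpkg-query -W -f '${Version}\n' PACKAGE prints the installed version and dpkg --compare-versions A lt B is the authoritative comparison.

```python
import re
from typing import List, Tuple

# The report writes packages as "<name>-<epoch>:<upstream>-<revision>", e.g.
# "openjdk-7-jre-0:7u181-2.6.14-0ubuntu0.2". Names contain dashes and digits too, so
# split at the first "-<digits>:" (the epoch colon is the only colon in the token).
_REPORT_PKG = re.compile(r"^(?P<name>.+?)-(?P<version>\d+:.+)$")


def parse_report_package(token: str) -> Tuple[str, str]:
    """Split one package token from a Recommendation line into (name, version)."""
    m = _REPORT_PKG.match(token)
    if not m:
        raise ValueError("not a <name>-<epoch>:<version> token: " + token)
    return m.group("name"), m.group("version")


def packages_in_recommendation(text: str) -> List[Tuple[str, str]]:
    """All (name, version) pairs quoted by a finding's Recommendation sentence."""
    m = re.search(r"update package (.+?)\. For more information", text)
    if not m:
        return []
    return [parse_report_package(t.strip()) for t in m.group(1).split(",")]


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' sorts before everything, even end of string;
    letters sort before other non-digits; digits and end-of-string weigh 0."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp(): alternate non-digit runs (by weight) and digit runs (numerically)."""
    def at(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while at(a, i) == "0":          # leading zeros do not count
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():          # longer digit run is the larger number
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its parts; epoch and revision are optional."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")   # revision follows the LAST dash
    if not upstream:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (as `dpkg --compare-versions`)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def needs_update(installed: str, fixed: str) -> bool:
    """True when the installed version sorts below the version carrying the fix."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    # Recommendation text from the CVE-2019-3823 finding above; the 'fixed' version
    # is a constructed placeholder, not the real fix version.
    rec = ("Use your Operating System's update feature to update package "
           "curl-0:7.35.0-1ubuntu2.19, libcurl3-0:7.35.0-1ubuntu2.19. For more information see "
           "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823")
    for name, version in packages_in_recommendation(rec):
        print(name, version, "needs update vs 7.35.0-1ubuntu2.20:",
              needs_update(version, "7.35.0-1ubuntu2.20"))
```

The ordering rules that trip people up are all exercised by the test: 1.0~rc1 sorts below 1.0, 1:6.6p1 with an epoch outranks any epoch-less 7.x, and 3.13.0-158.208 is below 3.13.0-161.211 because the revision is compared numerically, not as text.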
4.3: Findings details - Network Reachability-1.1
Recognized port with listener reachable from internet
Severity: Informational
Description: A recognized port is reachable from the internet with a service listening.
Recommendation: You can edit the Security Group sg-070eb17ac5ab81bb6 to remove access from the internet on port 22, 80
Failed Instances: i-04372149a51fe6560
Recognized port with no listener reachable from internet
Severity: Informational
Description: On this instance, recognized port(s) are reachable from the internet with no process listening on the port.
Recommendation: You can edit the Security Group sg-070eb17ac5ab81bb6 to remove access from the internet on port 443, 3389
Failed Instances: i-04372149a51fe6560
Unrecognized port with listener reachable from internet
Severity: Low
Description: An unrecognized port is reachable from the internet with a service listening.
Recommendation: You can edit the Security Group sg-070eb17ac5ab81bb6 to remove access from the internet on port 5901
Failed Instances: i-04372149a51fe6560
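The three Network Reachability findings above are the cross-product of two facts: which TCP ports the security group opens to 0.0.0.0/0 or ::/0, and which of those ports actually has a process listening on a non-loopback address. The Python below is an added example written for this page, not Inspector's logic: it evaluates a constructed document in the shape of `aws ec2 describe-security-groups` output (using the group ID from the findings), a constructed `ss -lnt` listing, reproduces the three classes of finding, and emits the `aws ec2 revoke-security-group-ingress` commands that close the rules. The set of "recognized" ports is taken from how this page classifies them (22, 80, 443, 3389 recognized; 5901 not), not from a published Inspector list.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of `aws ec2 describe-security-groups --group-ids ...`
# output, carrying the rules the findings describe (world-open 22, 80, 443, 3389, 5901)
# plus one internal-only rule that must not be reported.
SAMPLE_SG = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-070eb17ac5ab81bb6", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 80,   "ToPort": 80,   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 443,  "ToPort": 443,  "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
  {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 5901, "ToPort": 5901, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}
]}]}
""")

# Constructed sample of `ss -lnt` on the instance: sshd, a web server and a VNC server
# listen on all addresses; CUPS on 631 is loopback-only and therefore never reachable.
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    *:22                *:*
LISTEN  0      128    *:80                *:*
LISTEN  0      5      127.0.0.1:631       *:*
LISTEN  0      5      *:5901              *:*
LISTEN  0      128    :::22               :::*
"""

# Assumption: taken from this report's own classification of ports, not an official list.
RECOGNIZED_PORTS = {22, 80, 443, 3389}
WORLD = {"0.0.0.0/0", "::/0"}


def internet_exposed_tcp_ports(sg_doc: dict) -> Set[int]:
    """TCP ports any ingress rule opens to the whole internet (IPv4 or IPv6).
    IpProtocol "-1" is an all-traffic rule, which exposes every port."""
    ports: Set[int] = set()
    for sg in sg_doc["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if not cidrs & WORLD:
                continue
            if rule["IpProtocol"] == "-1":
                return set(range(0, 65536))
            if rule["IpProtocol"] != "tcp":
                continue
            ports.update(range(rule["FromPort"], rule["ToPort"] + 1))
    return ports


def listening_tcp_ports(ss_output: str) -> Set[int]:
    """Ports with a LISTEN socket on a non-loopback address, parsed from `ss -lnt` text."""
    ports: Set[int] = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        if addr == "::1" or addr.startswith("127."):
            continue
        ports.add(int(port))
    return ports


def classify(exposed: Set[int], listening: Set[int]) -> Dict[str, List[int]]:
    """Reproduce the three Network Reachability finding types from the report."""
    return {
        "recognized_with_listener": sorted(exposed & listening & RECOGNIZED_PORTS),
        "recognized_no_listener": sorted((exposed & RECOGNIZED_PORTS) - listening),
        "unrecognized_with_listener": sorted((exposed & listening) - RECOGNIZED_PORTS),
    }


def revoke_commands(sg_id: str, ports: List[int], cidr: str = "0.0.0.0/0") -> List[str]:
    """AWS CLI commands that delete the world-open IPv4 ingress rule for each port."""
    return [
        f"aws ec2 revoke-security-group-ingress --group-id {sg_id} "
        f"--protocol tcp --port {p} --cidr {cidr}"
        for p in ports
    ]


if __name__ == "__main__":
    exposed = internet_exposed_tcp_ports(SAMPLE_SG)
    findings = classify(exposed, listening_tcp_ports(SAMPLE_SS))
    for kind, ports in findings.items():
        print(f"{kind}: {ports}")
    print("\n".join(revoke_commands("sg-070eb17ac5ab81bb6", sorted(exposed))))
```

Two practical caveats when acting on the output: --cidr only takes an IPv4 range, so the ::/0 rule on 443 has to be revoked with --ip-permissions and an Ipv6Ranges entry; and deleting the port 22 rule outright locks you out, so replace it with your management CIDR (or move to SSM Session Manager) rather than just removing it. The 443 and 3389 rules, by contrast, have nothing listening behind them, so removing those costs nothing.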
4.4: Findings details - Security Best Practices-1.0
Disable root login over SSH
Severity: Medium
Description: This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root.
Recommendation: To reduce the likelihood of a successful brute-force attack, we recommend that you configure your EC2 instance to prevent root account logins over SSH. To disable SSH root account logins, set PermitRootLogin to 'no' in /etc/ssh/sshd_config and restart sshd. When logged in as a non-root user, you can use sudo to escalate privileges when necessary. If you want to allow public key authentication with a command associated with the key, you can set PermitRootLogin to 'forced-commands-only'.
Failed Instances: i-04372149a51fe6560
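Whether this fix actually takes depends on how sshd reads its configuration: the first occurrence of a directive wins, and every line after a Match line belongs to that block and applies only to matching connections, so a PermitRootLogin no in the wrong place leaves a global yes in force. The Python below is an added example written for this page, not Inspector's check: it evaluates the global PermitRootLogin value of an sshd_config text under those two rules, shows the weak file beside a hardened one, and rewrites the weak one. Both sample configurations are constructed.

```python
import re
from typing import Optional

# Constructed /etc/ssh/sshd_config fragments: the setting this finding flags, then a
# hardened version. In the weak file the "no" only applies to 10.0.0.0/8 clients.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
# The deploy account may still run one fixed command bound to its key:
Match User deploy
    PermitRootLogin forced-commands-only
"""

# Values that refuse a plain interactive root login. 'without-password' is the
# pre-OpenSSH-7.0 spelling of 'prohibit-password'; both still accept root with a key,
# so 'no' is what the recommendation asks for.
ACCEPTED = {"no", "forced-commands-only", "prohibit-password", "without-password"}

# "Keyword value" or "Keyword=value"; sshd keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^([^\s=]+)(?:\s*=\s*|\s+)(.*)$")


def global_permit_root_login(config: str) -> Optional[str]:
    """Effective global PermitRootLogin value, or None if the global section never sets it.

    First occurrence wins, and the global section ends at the first `Match` line, so
    a `PermitRootLogin no` inside a Match block cannot fix a global `yes` above it.
    """
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            return None
        if keyword == "permitrootlogin":
            return value.lower()
    return None


def root_login_disabled(config: str) -> bool:
    """True when the global value is one that blocks plain root logins.

    Unset is treated as NOT disabled: the instance in this report runs OpenSSH 6.6p1
    (see the openssh-server package above), where the built-in default was 'yes';
    the default only became 'prohibit-password' in OpenSSH 7.0.
    """
    value = global_permit_root_login(config)
    return value is not None and value in ACCEPTED


def fixed_config(config: str) -> str:
    """Set every global PermitRootLogin line to 'no', or prepend one if none exists.
    Lines inside Match blocks are left alone; they do not affect the global value."""
    out, found, in_match = [], False, False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _DIRECTIVE.match(line) if line else None
        keyword = m.group(1).lower() if m else ""
        if keyword == "match":
            in_match = True
        if keyword == "permitrootlogin" and not in_match:
            out.append("PermitRootLogin no")
            found = True
            continue
        out.append(raw)
    if not found:
        out.insert(0, "PermitRootLogin no")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: global PermitRootLogin = {global_permit_root_login(cfg)!r}, "
              f"disabled = {root_login_disabled(cfg)}")
    print(fixed_config(WEAK_CONFIG))
```

After editing the real file, `sudo sshd -T | grep -i permitrootlogin` prints the value sshd will actually use with defaults resolved (Match blocks are only applied when -C supplies connection parameters), and `sudo service ssh restart` makes it effective. Note the finding's own caveat: 'forced-commands-only' still accepts root with a key, so use 'no' unless a key-bound command is genuinely needed.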