Add Amazon Linux 2023 DISA STIG Profile by Eric-Domeier · Pull Request #14246 · ComplianceAsCode/content

@Eric-Domeier

Description:

  • Adds a DISA STIG profile for Amazon Linux 2023 and attempts to make the results importable into STIG Viewer

Rationale:

Review Hints:

  • This builds off of @jesseborden's branch and attempts to get the --stig-viewer flag working properly.

  • products/al2023/overlays/srg_support.xml is just a copy-paste of products/rhel8/overlays/srg_support.xml with the name replaced; the content hasn't actually been checked yet.

  • I haven't verified the content in controls/stig_al2023.yml yet

  • Modifies applicability templates to ensure checks are applicable to al2023

To-do

  • There are 131 checks that are not remediated (still failing after running the fix scripts)

@openshift-ci

Hi @Eric-Domeier. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Eric-Domeier


Needs further review, copy-pasted from RHEL8

jan-cerny

@github-actions

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@Eric-Domeier

@Mab879 @jan-cerny I could use some input on the AIDE database check rule. Currently, when running this profile, it "passes", but when run manually I get the following output:

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /boot/loader/entries
 Mtime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000
 Ctime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000

File: /boot/loader/entries/ee78bed5782442a1a6344896391bb47b-6.1.158-180.294.amzn2023.x86_64.conf
 Mtime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000
 Ctime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000

File: /root/.bash_history
 SHA512    : eSAQneKNnsRlm7rLH3UA/pyw1owdWjwO | zHST6EDoUHJlZZgARSx+Y8lN8nZJ8bTP
             2XvvA7anzu15wGHSlUu9+G7h6VFgjmTG | qOC5YBBEiMrlhHLcNN3Rad8YiBmrNvbY
             //D3ke9ALqv2vN1JkfWN9w==         | rlf7vva5szUCEr7qOcbbOg==

File: /var/log/journal/dcc583e8d48d4700801f7f110769af4b/system.journal
 SHA512    : 1zOyQedep75D4pQz9sAlyL3BKbZaXDk7 | DPUpJseIUblLa1fEJDvOyWWvVK/+uqUD
             12AGhCMmj03y7hflKvpyIC6pVNwQUy+x | N7COWgdIEyWTgBkctTUCCnF+VvxStWJR
             0o6D05Ds3+ec/6JvpiM4+Q==         | 0XGwxuljfZF/thq5XCmgCA==

File: /var/log/journal/dcc583e8d48d4700801f7f110769af4b/user-1000.journal
 SHA512    : upY4mUVALfpSnEDWDCVOCjYETMAjijhU | At1JC9vXr0Q32/WAmAS8Gu78YyQwmCW9
             853yKVlG21zp68VaYHTt/xHP8FD8Jf6A | p3Nf0YInPNnVnpRQ8m+65I6BnDK3t6hB
             sLIDF5orcNvbFWynBsFNaw==         | zGPiz2mM2oIyjZrommoCxg==

File: /var/log/lastlog
 Mtime     : 2026-01-18 17:22:38 +0000        | 2026-01-18 18:25:52 +0000
 Ctime     : 2026-01-18 17:22:38 +0000        | 2026-01-18 18:25:52 +0000
 SHA512    : JZcxWxEZ8YugK42+6vukJlGA1ex4pX87 | d/Q17T5vKL4F5TcuGUrptEhFjLibqhor
             18r6P8UdPXezhHyqEz+q3b7nKxv7YUmP | Czv2ZyaDDLXl9w9vsr6vI5LhiJUGmznP
             X5w8ssJVSSlZuE9RcDu8aw==         | W4rtIKGwaHhbm8rY7RLHAA==

So I guess there are really two issues here.

Issue 1: expected output for a "Pass" should be

AIDE found NO differences between database and filesystem. Looks okay!!

Issue 2: /var/log and .bash_history are volatile paths that should probably be whitelisted in /etc/aide.conf. Is there already a rule somewhere to add paths for whitelisting that I'm not seeing?

For the /boot/loader/entries I'm guessing the remediation script is changing something here after AIDE database is built

bordencastle

title: Amazon Linux 2023 must have the packages required for encrypting
off-loaded audit logs installed.
rules:
- package_rsyslog-gnutls_installed


Correct, I modified the rule as such here

linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml

Not sure if this is the preferred way or not, though; it is correctly using rsyslog-openssl, however.


bordencastle

audit records off-loaded onto a different system or media from the system
being audited via rsyslog.
rules:
- rsyslog_encrypt_offload_defaultnetstreamdriver


This value should be set to ossl.
See where I attempted to do that here: bordencastleadmin@0f4ebdf


But I think the original rule could maybe be used, then just pass in the option/variable of ossl if amazon linux 2023 instead of creating a totally new rule.

bordencastle

title: Amazon Linux 2023 must enable certificate-based smart card
authentication.
rules:
- sssd_enable_smartcards


sssd must be installed first. Add package_sssd_installed rule.


I think a couple more of those sssd rules will become applicable and get remediated if this is added in. Amazon Linux 2023 does not have sssd installed by default, it appears.


If you look at the /build/al2023/product.yml it has a platform_package_overrides section, but without changing those macros it seemed to keep tying the original packages and not the overrides.


I notice in builds/al2023/fixes/ansible/package_sssd_installed.yml we have this:

# platform = multi_platform_all
# reboot = false
# strategy = enable
# complexity = low
# disruption = low
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-AZLX-23-001290
  - NIST-800-53-CM-6(a)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_sssd_installed

- name: Ensure sssd is installed
  ansible.builtin.package:
    name: sssd
    state: present
  when: '"sssd-common" in ansible_facts.packages'
  tags:
  - DISA-STIG-AZLX-23-001290
  - NIST-800-53-CM-6(a)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_sssd_installed

sssd-common is also not installed in vanilla al2023, so that might be why it's not installing; looking into that.


Yeah, having trouble tracking down why that "when" clause exists, but if I install sssd-common manually before running the remediation, oscap successfully applies the sssd rules. Not sure if this is intended or not.

bordencastle

title: Amazon Linux 2023 must be configured to off-load audit records onto a
different system from the system being audited via syslog.
rules:
- rsyslog_remote_loghost


I think the rules here should be replaced with:
- service_systemd-journal-upload_enabled
- systemd_journal_upload_url

@jan-cerny

The OVAL check in rule aide_build_database only checks that there is an existing aide database file configured in /etc/aide.conf. It doesn't run any integrity check of the system. I think they expect that the actual aide --check command should be run manually or as a cron job (we have rule aide_periodic_cron_checking that ensures the cron job is set up).
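The two AIDE points raised in this thread (a PASS that never ran an integrity check, and volatile paths such as the journal and .bash_history showing up as changes), as an added example that is not code from the PR or from ComplianceAsCode. It shows the `!`-prefixed exclusion lines one would add to /etc/aide.conf and a small cron-style wrapper that interprets `aide --check` itself instead of trusting the rule's database-exists check. The /etc/aide.conf path, the exclusion regexes, the helper names and the sample report are all assumptions; the sample report is constructed, modelled on the output posted above.

```sh
#!/bin/sh
# Added example for the AIDE discussion above; it is not code from the PR or
# from ComplianceAsCode.  It shows (1) the aide.conf exclusion lines for the
# volatile paths in the posted report and (2) a cron-style wrapper that
# interprets `aide --check` the way the aide_build_database OVAL does not.

# Exclusion lines for /etc/aide.conf (path assumed; AIDE's default on AL2023).
# A leading '!' makes AIDE skip every path matching the regex, so the journal,
# lastlog and root's shell history stop showing up as "changes".
AIDE_VOLATILE_EXCLUDES='!/var/log/journal
!/var/log/lastlog$
!/root/\.bash_history$'

# Map the exit status of `aide --check` to a verdict.  AIDE returns 0 when
# nothing differs, sets bit 1/2/4 for new/removed/changed entries (so 1..7
# means findings), and uses 14 and above for runtime errors.
aide_status_class() {
  case "$1" in
    0) echo clean ;;
    [1-7]) echo changed ;;
    *) echo error ;;
  esac
}

# A real PASS prints the "NO differences" line quoted in the thread; output
# that instead carries a "Detailed information about changes" section has
# findings, whatever the profile scan reported.
aide_output_clean() {
  printf '%s\n' "$1" \
    | grep -q 'AIDE found NO differences between database and filesystem' \
    && echo yes || echo no
}

# Pull the File:/Directory: paths out of the detailed section so an operator
# can see at a glance which ones are volatile and belong in the exclude list.
aide_changed_paths() {
  printf '%s\n' "$1" | awk '$1 == "File:" || $1 == "Directory:" { print $2 }'
}

# Constructed sample report modelled on the one posted above (not real output).
SAMPLE_AIDE_OUTPUT='---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /boot/loader/entries
 Mtime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000

File: /root/.bash_history
 SHA512    : eSAQneKNnsRlm7rLH3UA/pyw1owdWjwO | zHST6EDoUHJlZZgARSx+Y8lN8nZJ8bTP

File: /var/log/lastlog
 Mtime     : 2026-01-18 17:22:38 +0000        | 2026-01-18 18:25:52 +0000'

# Cron entry point: run the check only if AIDE is present, print a verdict,
# list the changed paths on findings, and pass AIDE's status back to cron.
aide_cron_check() {
  command -v aide >/dev/null 2>&1 || { echo "aide not installed"; return 2; }
  out=$(aide --check 2>&1); rc=$?
  echo "verdict: $(aide_status_class "$rc")"
  [ "$rc" -eq 0 ] || aide_changed_paths "$out"
  return "$rc"
}
```

Appending the exclusion lines and rebuilding the database (`aide --init`, then moving the new database into place) is what turns the posted report into the "Looks okay!!" result; the remediation that touches /boot/loader/entries after the database is built would still show up until the database is regenerated after remediation.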

@jesseborden

@bordencastle

…ew and validation of each control.

Eric-Domeier and others added 13 commits

February 8, 2026 21:14
Co-authored-by: Jan Černý <jcerny@redhat.com>

jan-cerny

@@ -0,0 +1,13 @@
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
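Review bot: this hunk adds a brand-new 13-line XSLT stylesheet (`@@ -0,0 +1,13 @@`), but the project has removed its XSLT templates and transforms directories, so nothing in the build will consume it; drop the file from the PR rather than carry dead XSLT, and check that the al2023 product and the --stig-viewer path do not reference it anywhere.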


All XSLT templates and all transforms directories have recently been removed from the project and are no longer needed. Please remove them from the PR as well.

@@ -1,4 +1,4 @@
{{%- if product in ["almalinux9", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "sle16", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
{{%- if product in ["al2023", "almalinux9", "al2023", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
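Review bot: the replacement list has `"al2023"` twice and silently drops `"sle16"`, which the original line included, so this hunk changes applicability for SLE 16 as a side effect; add `"al2023"` once and keep the rest of the list intact, e.g. `{{%- if product in ["al2023", "almalinux9", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "sle16", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}`.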


al2023 is in the list twice.

@openshift-ci

PR needs rebase.
