Conversation

@Eric-Domeier Eric-Domeier commented Dec 16, 2025

Description:

  • Adds a DISA STIG profile for Amazon Linux 2023 and attempts to make the results importable into STIG Viewer.

Rationale:

Review Hints:

  • This builds off of @jesseborden's branch and attempts to get the --stig-viewer flag working properly.

  • products/al2023/overlays/srg_support.xml is just a copy-paste of products/rhel8/overlays/srg_support.xml with the name replaced; the content hasn't actually been checked yet.

  • I haven't verified the content in controls/stig_al2023.yml yet

  • modifies applicability templates to ensure checks are applicable for al2023

To-do

  • There are 131 checks that are not remediated (Still failing after running the fix scripts)

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Dec 16, 2025

openshift-ci bot commented Dec 16, 2025

Hi @Eric-Domeier. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


Needs further review, copy-pasted from RHEL8

@Mab879 Mab879 added this to the 0.1.80 milestone Dec 16, 2025
@Mab879 Mab879 added the New Profile Issues or pull requests related to new Profiles. label Dec 16, 2025
@jan-cerny jan-cerny self-assigned this Dec 17, 2025

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Jan 18, 2026

PR needs rebase.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


@Mab879 @jan-cerny I could use some input on the AIDE database check rule. Currently, when running this profile, it "passes", but when run manually I get the following output:

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /boot/loader/entries
 Mtime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000
 Ctime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000

File: /boot/loader/entries/ee78bed5782442a1a6344896391bb47b-6.1.158-180.294.amzn2023.x86_64.conf
 Mtime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000
 Ctime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000

File: /root/.bash_history
 SHA512    : eSAQneKNnsRlm7rLH3UA/pyw1owdWjwO | zHST6EDoUHJlZZgARSx+Y8lN8nZJ8bTP
             2XvvA7anzu15wGHSlUu9+G7h6VFgjmTG | qOC5YBBEiMrlhHLcNN3Rad8YiBmrNvbY
             //D3ke9ALqv2vN1JkfWN9w==         | rlf7vva5szUCEr7qOcbbOg==

File: /var/log/journal/dcc583e8d48d4700801f7f110769af4b/system.journal
 SHA512    : 1zOyQedep75D4pQz9sAlyL3BKbZaXDk7 | DPUpJseIUblLa1fEJDvOyWWvVK/+uqUD
             12AGhCMmj03y7hflKvpyIC6pVNwQUy+x | N7COWgdIEyWTgBkctTUCCnF+VvxStWJR
             0o6D05Ds3+ec/6JvpiM4+Q==         | 0XGwxuljfZF/thq5XCmgCA==

File: /var/log/journal/dcc583e8d48d4700801f7f110769af4b/user-1000.journal
 SHA512    : upY4mUVALfpSnEDWDCVOCjYETMAjijhU | At1JC9vXr0Q32/WAmAS8Gu78YyQwmCW9
             853yKVlG21zp68VaYHTt/xHP8FD8Jf6A | p3Nf0YInPNnVnpRQ8m+65I6BnDK3t6hB
             sLIDF5orcNvbFWynBsFNaw==         | zGPiz2mM2oIyjZrommoCxg==

File: /var/log/lastlog
 Mtime     : 2026-01-18 17:22:38 +0000        | 2026-01-18 18:25:52 +0000
 Ctime     : 2026-01-18 17:22:38 +0000        | 2026-01-18 18:25:52 +0000
 SHA512    : JZcxWxEZ8YugK42+6vukJlGA1ex4pX87 | d/Q17T5vKL4F5TcuGUrptEhFjLibqhor
             18r6P8UdPXezhHyqEz+q3b7nKxv7YUmP | Czv2ZyaDDLXl9w9vsr6vI5LhiJUGmznP
             X5w8ssJVSSlZuE9RcDu8aw==         | W4rtIKGwaHhbm8rY7RLHAA==

So I guess there are really two issues here.

Issue 1: expected output for a "Pass" should be

AIDE found NO differences between database and filesystem. Looks okay!!

Issue 2: /var/log and .bash_history are volatile paths that should probably be whitelisted in /etc/aide.conf. Is there already a rule somewhere to add paths for whitelisting that I'm not seeing?

For the /boot/loader/entries I'm guessing the remediation script is changing something here after AIDE database is built
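As an added example (not code from the PR or from the ComplianceAsCode project), the following Python check parses an `aide --check` report in the format quoted above and decides pass/fail the way the comment argues it should be decided: a pass only when AIDE prints its "found NO differences" line, or when every changed entry falls under an allowlist of volatile paths. The allowlist (`VOLATILE_PREFIXES`) and the embedded report text are constructed for this example; the report is an abbreviated copy of the output quoted in the comment, and the /boot/loader/entries mtime drift deliberately stays outside the allowlist so the check fails on it.

```python
"""Decide whether an AIDE integrity check passed, with an allowlist for volatile paths.

Added example; not the ComplianceAsCode project's check logic. The report text is
constructed from the output quoted in the PR comment above.
"""
import re
from typing import Dict, List, Tuple

# The line AIDE prints when the database and filesystem match.
CLEAN_MARKER = "AIDE found NO differences between database and filesystem. Looks okay!!"

# Assumption for this example: paths whose drift between database build and
# check is expected. In /etc/aide.conf the equivalent is a "!" exclusion rule.
VOLATILE_PREFIXES: Tuple[str, ...] = ("/var/log/", "/root/.bash_history")

# Constructed sample, abbreviated from the report quoted in the comment.
SAMPLE_REPORT = """\
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /boot/loader/entries
 Mtime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000
 Ctime     : 2026-01-18 17:11:10 +0000        | 2026-01-18 18:25:10 +0000

File: /root/.bash_history
 SHA512    : eSAQneKNnsRlm7rLH3UA/pyw1owdWjwO | zHST6EDoUHJlZZgARSx+Y8lN8nZJ8bTP
             2XvvA7anzu15wGHSlUu9+G7h6VFgjmTG | qOC5YBBEiMrlhHLcNN3Rad8YiBmrNvbY

File: /var/log/lastlog
 Mtime     : 2026-01-18 17:22:38 +0000        | 2026-01-18 18:25:52 +0000
 SHA512    : JZcxWxEZ8YugK42+6vukJlGA1ex4pX87 | d/Q17T5vKL4F5TcuGUrptEhFjLibqhor
"""

ENTRY_RE = re.compile(r"^(File|Directory): (\S+)$")
# Attribute lines are indented by exactly one space; hash continuation lines are
# indented further and therefore do not match.
ATTR_RE = re.compile(r"^ (\w+)\s+: ")


def parse_changes(report: str) -> Dict[str, List[str]]:
    """Map each changed path to the list of attributes AIDE reported as changed."""
    changes: Dict[str, List[str]] = {}
    current = None
    for line in report.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            current = entry.group(2)
            changes[current] = []
            continue
        attr = ATTR_RE.match(line)
        if attr and current is not None:
            changes[current].append(attr.group(1))
    return changes


def is_volatile(path: str, prefixes: Tuple[str, ...] = VOLATILE_PREFIXES) -> bool:
    """True if the path is allowlisted as volatile (exact match or directory prefix)."""
    return any(path == p or path.startswith(p) for p in prefixes)


def evaluate(report: str, prefixes: Tuple[str, ...] = VOLATILE_PREFIXES) -> Tuple[bool, Dict[str, List[str]]]:
    """Return (passed, unexpected_changes).

    Passes only if AIDE printed its clean marker, or if every changed entry is
    allowlisted. Anything else, including a metadata-only change such as the
    /boot/loader/entries mtime drift, fails the check.
    """
    if CLEAN_MARKER in report:
        return True, {}
    changes = parse_changes(report)
    unexpected = {p: a for p, a in changes.items() if not is_volatile(p, prefixes)}
    return not unexpected, unexpected


def content_changed(changes: Dict[str, List[str]]) -> List[str]:
    """Paths whose content hash changed, as opposed to timestamps only."""
    return [p for p, attrs in changes.items() if "SHA512" in attrs]


if __name__ == "__main__":
    passed, unexpected = evaluate(SAMPLE_REPORT)
    print("PASS" if passed else "FAIL")
    for path, attrs in unexpected.items():
        print(f"  {path}: {', '.join(attrs)}")
```

Run stand-alone it prints `FAIL` followed by the /boot/loader/entries entry, which is the behaviour the comment expects from the rule. Whether a path belongs on the allowlist is a policy decision: /var/log/journal and lastlog churn on every boot and login, but a hash change under /boot is exactly what AIDE exists to catch, so the check distinguishes hash changes from timestamp-only changes rather than lumping them together.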

title: Amazon Linux 2023 must have the packages required for encrypting
off-loaded audit logs installed.
rules:
- package_rsyslog-gnutls_installed


@Eric-Domeier I think this should be rsyslog-openssl


Correct, I modified the rule as such here

linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml

Not sure if this is the preferred way or not, though; it is correctly using rsyslog-openssl, however.


Also attempted to fix that one here. bordencastleadmin@0f4ebdf

audit records off-loaded onto a different system or media from the system
being audited via rsyslog.
rules:
- rsyslog_encrypt_offload_defaultnetstreamdriver


This value should be set to ossl.
See where I attempted to do that here.... bordencastleadmin@0f4ebdf

@bordencastle bordencastle Jan 18, 2026


But I think the original rule could maybe be used, then just pass in the option/variable of ossl if amazon linux 2023 instead of creating a totally new rule.
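The two review points above (the package rule needing rsyslog-openssl rather than rsyslog-gnutls, and the defaultnetstreamdriver rule needing ossl rather than gtls) are really one consistency requirement: the configured TLS netstream driver must be the one shipped by the installed rsyslog package. As an added example, not the project's rule implementation, here is a Python check that reads DefaultNetstreamDriver in both legacy and RainerScript syntax and reports a mismatch against an expected driver and the installed package list. The config fragments, the collector hostname and the package lists are constructed for this example.

```python
"""Check that rsyslog's DefaultNetstreamDriver matches the expected value and the
installed rsyslog TLS package.

Added example; not the ComplianceAsCode rule implementation. Config fragments,
hostnames and package lists are constructed for this example.
"""
import re
from typing import Dict, Optional, Tuple

# rsyslog TLS netstream drivers and the RHEL-family package that ships the
# corresponding lmnsd_* module; selecting a driver whose package is absent
# leaves forwarding unencrypted or broken rather than protected.
DRIVER_PACKAGE: Dict[str, str] = {"gtls": "rsyslog-gnutls", "ossl": "rsyslog-openssl"}

# Legacy directive:  $DefaultNetstreamDriver gtls
LEGACY_RE = re.compile(r"^\s*\$DefaultNetstreamDriver\s+(\S+)", re.IGNORECASE)
# RainerScript:      global(DefaultNetstreamDriver="ossl" ...)
RAINER_RE = re.compile(r'DefaultNetstreamDriver\s*=\s*"([^"]+)"', re.IGNORECASE)

# Constructed sample: the RHEL 8 style setting carried over unchanged.
CONF_GTLS = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/ca-bundle.crt
*.* @@logcollector.example.test:6514
"""
# Constructed sample: the setting the review asks for on Amazon Linux 2023.
CONF_OSSL = """\
global(
  DefaultNetstreamDriver="ossl"
  DefaultNetstreamDriverCAFile="/etc/pki/tls/certs/ca-bundle.crt"
)
action(type="omfwd" target="logcollector.example.test" port="6514" protocol="tcp")
"""
# Constructed sample: the directive is present only in a comment.
CONF_UNSET = """\
# global(DefaultNetstreamDriver="gtls")
*.* @@logcollector.example.test:6514
"""


def find_netstream_driver(config_text: str) -> Optional[str]:
    """Return the last effective DefaultNetstreamDriver value, ignoring comments."""
    driver = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = LEGACY_RE.match(line) or RAINER_RE.search(line)
        if match:
            driver = match.group(1).lower()
    return driver


def check_driver(config_text: str, expected: str, installed_packages: Tuple[str, ...]) -> Tuple[bool, str]:
    """Return (compliant, reason) for the configured driver versus expectation and packages."""
    driver = find_netstream_driver(config_text)
    if driver is None:
        return False, "DefaultNetstreamDriver is not set"
    if driver != expected:
        return False, f"DefaultNetstreamDriver is {driver!r}, expected {expected!r}"
    needed = DRIVER_PACKAGE.get(driver)
    if needed and needed not in installed_packages:
        return False, f"driver {driver!r} requires package {needed}, which is not installed"
    return True, f"DefaultNetstreamDriver is {driver!r} and {needed} is installed"


if __name__ == "__main__":
    installed = ("rsyslog", "rsyslog-openssl")  # constructed package inventory
    for label, conf in (("gtls", CONF_GTLS), ("ossl", CONF_OSSL), ("unset", CONF_UNSET)):
        print(label, check_driver(conf, "ossl", installed))
```

The parser keeps the last effective value because rsyslog applies directives in order, and it skips commented lines so a leftover `# ... gtls` does not masquerade as a setting. This is the same reason the reviewer suggests parameterising the existing rule with the driver name instead of cloning it: the package rule and the driver rule have to agree per product.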

title: Amazon Linux 2023 must enable certificate-based smart card
authentication.
rules:
- sssd_enable_smartcards


sssd must be installed first. Add package_sssd_installed rule.


I think a couple more of those sssd rules will become applicable and get remediated if this is added in. Amazon Linux 2023 does not have sssd installed by default it appears.


There was something strange with the overrides for the packages and the macros not working when I tried it though, I don't know why, but that's why I updated the macros here to make the sssd install work. bordencastleadmin@0f4ebdf#diff-182dc0614884550d3533d1e8d12b71afe23ffa8d96c22e3a07992754d5e13e93


If you look at the /build/al2023/product.yml it has a platform_package_overrides section, but without changing those macros it seemed to keep tying the original packages and not the overrides.


I notice in builds/al2023/fixes/ansible/package_sssd_installed.yml we have this:

# platform = multi_platform_all
# reboot = false
# strategy = enable
# complexity = low
# disruption = low
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-AZLX-23-001290
  - NIST-800-53-CM-6(a)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_sssd_installed

- name: Ensure sssd is installed
  ansible.builtin.package:
    name: sssd
    state: present
  **when: '"sssd-common" in ansible_facts.packages'**
  tags:
  - DISA-STIG-AZLX-23-001290
  - NIST-800-53-CM-6(a)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_sssd_installed

sssd-common is also not installed in vanilla al2023, so that might be why it's not installing; looking into that.


Yeah, having trouble tracking down why that "when" clause exists, but if I install sssd-common manually before running the remediation, oscap successfully applies the sssd rules. Not sure if this is intended or not.

title: Amazon Linux 2023 must be configured to off-load audit records onto a
different system from the system being audited via syslog.
rules:
- rsyslog_remote_loghost
@bordencastle bordencastle Jan 18, 2026


I think the rules here should be replaced with:
- service_systemd-journal-upload_enabled
- systemd_journal_upload_url
