Identifier | Severity | Rationale | Scan Results | True Finding | Errata |
---|---|---|---|---|---|
CCE-80439-3 | medium | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. | failed | False-Positive | Manually verified settings exist as required. |
CCE-80438-5 | low | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. | failed | failed | This is a setting that is defined by the end-user. |
CCE-80207-4 | medium | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. | failed | failed | This should be set up after the end-user is able to validate the initial login credentials without issue. |
CCE-83421-8 | medium | If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. | failed | False-Positive | This is created as a part of the instance's creation. |
CCE-86056-9 | medium | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. | failed | False-Positive | Verified this has been set. |
CCE-88380-1 | medium | Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. | failed | False-Positive | This is created as a part of the instance's creation. |
CCE-80351-0 | medium | Without re-authentication, users may access resources or perform tasks for which they do not have authorization. | failed | False-Positive | This is created as a part of the instance's creation. |
CCE-80541-6 | medium | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. | failed | failed | This is a setting that is defined by the end-user. |
CCE-27343-3 | medium | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. | failed | failed | This is a setting that is defined by the end-user. |
CCE-27349-0 | medium | In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. | failed | failed | This is a setting that is defined by the end-user. |
CCE-80447-6 | medium | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. | failed | failed | This is a setting that is defined by the end-user. |
CCE-80359-3 | high | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. | failed | False-Positive | Manually verified this setting exists. |
CCE-27140-3 | high | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. | failed | failed | This is a setting that is defined by the end-user. |
CCE-86257-3 | high | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. | failed | failed | This is a setting that is defined by the end-user. |
CCE-86262-3 | high | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. | failed | failed | This is a setting that is defined by the end-user. |
CCE-80517-6 | medium | Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. | failed | failed | The system does not contain the /boot partition. |
CCE-27309-4 | high | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important boot loader settings. These include which kernel to use, and whether to enter single-user mode. | failed | failed | This is a setting that is defined by the end-user. In addition, AWS does not allow its EC2 instances to access the boot loader. |
CCE-83562-9 | low | Having a non-default grub superuser username makes password-guessing attacks less effective. | failed | failed | This is a setting that is defined by the end-user. In addition, AWS does not allow its EC2 instances to access the boot loader on boot. |