Bootstrap script for Amazon Linux to comply with CIS Amazon Linux Benchmark v2.0.0
This repository is no longer maintained in favor of CIS hardened AMIs.
Bootstrap script for Amazon Linux to comply with CIS Amazon Linux Benchmark v2.0.0.
```
$ git clone https://github.com/nozaq/amazon-linux-cis.git .
$ python ./amazon-linux-cis
```
| Argument (default value) | What it does |
|---|---|
| `--time` (169.254.169.123) | Specify the upstream time server |
| `--chrony` boolean (true) | Use chrony for time synchronization |
| `--no-backup` | Disable the automatic backup of config files |
| `--clients` comma-separated list | Specify a comma-separated list of hostnames and host IP addresses |
| `-v`, `--verbose` | Enable verbose logging of the utility |
| `--disable-tcp-wrappers` | Disable installation of the TCP Wrappers package |
| `--disable-pam` | Disable the hardening of the PAM module |
| `--disable-iptables` | Disable the installation of iptables |
| `--disable-mount-options` | Disable replacing the default /etc/fstab mount configuration |
Although the differences between Amazon Linux and Amazon Linux 2 are extensive (listed here), most of the changes needed to reach CIS compliance on Amazon Linux 2 are minor. Here is the minimum command line needed to apply the hardening on Amazon Linux 2 instances:

```
python ./amazon-linux-cis --disable-mount-options
```
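As an added example (not part of this repository), the following wrapper runs the script with explicit `--time` and `--clients` values on Amazon Linux 2 and then verifies that the resulting chrony and TCP Wrappers configuration actually reflect them; the config file paths, the sample client list and the expected file formats are assumptions, not something this README states.

```shell
#!/bin/sh
# Added example, not the project's own code. Runs the hardening with explicit
# options, then checks that the settings landed in the config files.
# Paths and the sample client list below are assumptions.
set -eu

TIME_SERVER="169.254.169.123"           # the documented default of --time
CLIENTS="10.0.0.0/24,bastion.internal"   # constructed sample for --clients
CHRONY_CONF="${CHRONY_CONF:-/etc/chrony.conf}"   # assumed location
HOSTS_ALLOW="${HOSTS_ALLOW:-/etc/hosts.allow}"   # assumed location

# Returns 0 if the chrony config names the expected upstream time server.
check_chrony_server() {
  conf="$1"; server="$2"
  grep -Eq "^[[:space:]]*server[[:space:]]+${server}([[:space:]]|\$)" "$conf"
}

# Returns 0 if every entry in the comma-separated client list appears in
# hosts.allow; returns 1 at the first entry that is missing.
check_hosts_allow() {
  file="$1"; clients="$2"
  for c in $(printf '%s' "$clients" | tr ',' ' '); do
    grep -Fq "$c" "$file" || return 1
  done
  return 0
}

# Apply the hardening with the options this README documents.
run_hardening() {
  python ./amazon-linux-cis --time "$TIME_SERVER" --clients "$CLIENTS" \
    --disable-mount-options -v
}

main() {
  run_hardening
  check_chrony_server "$CHRONY_CONF" "$TIME_SERVER" \
    || { echo "chrony is not using $TIME_SERVER"; exit 1; }
  check_hosts_allow "$HOSTS_ALLOW" "$CLIENTS" \
    || { echo "a client from --clients is missing in $HOSTS_ALLOW"; exit 1; }
  echo "post-hardening checks passed"
}

# Only run the full flow when explicitly requested, so the check functions
# can be sourced and exercised on their own.
if [ "${RUN_HARDENING:-0}" = "1" ]; then main; fi
```

Run it with `RUN_HARDENING=1 sh ./verify-hardening.sh` from the cloned repository root.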