diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml
index 482c477ca01..bb7aba96fdb 100644
--- a/.github/workflows/gate.yaml
+++ b/.github/workflows/gate.yaml
@@ -157,6 +157,7 @@ jobs:
- name: Build
run: |-
./build_product \
+ al2023 \
alinux2 \
alinux3 \
anolis23 \
@@ -164,13 +165,13 @@ jobs:
chromium \
fedora \
firefox \
+ ocp4 \
rhcos4 \
rhel7 \
rhel8 \
rhel9 \
rhel10 \
uos20 \
- ocp4
env:
ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
- name: Test
diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml
index 452722f3e24..fe727f47b7c 100644
--- a/.github/workflows/gate_fedora.yml
+++ b/.github/workflows/gate_fedora.yml
@@ -25,6 +25,7 @@ jobs:
- name: Build
run: |-
./build_product -j2 \
+ al2023 \
alinux2 \
alinux3 \
anolis23 \
@@ -35,6 +36,7 @@ jobs:
fedora \
firefox \
macos1015 \
+ ocp4 \
ol7 \
ol8 \
ol9 \
@@ -46,8 +48,7 @@ jobs:
rhel9 \
rhel10 \
rhv4 \
- uos20 \
- ocp4
+ uos20
env:
ADDITIONAL_CMAKE_OPTIONS: "-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=ON -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
- name: Test
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 11037cb8505..60f206be39f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -116,6 +116,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_AL2023 "If enabled, the AL2023 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
# Products derivatives
option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
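Review bot: The new `SSG_PRODUCT_AL2023` option is appended after `SSG_PRODUCT_UOS20`, which breaks the alphabetical order the surrounding `option(SSG_PRODUCT_*)` block keeps, while the matching `add_subdirectory("products/al2023" ...)` later in this commit is placed alphabetically before `alinux2`. Its description also abbreviates the product where the neighbouring entries spell it out (`Ubuntu 22.04`, `Uos 20`). I would move the line up to sit before `SSG_PRODUCT_ALINUX2` and write `option(SSG_PRODUCT_AL2023 "If enabled, the Amazon Linux 2023 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})`. Per the comment in `build_product`, that script's product list is derived by grepping these lines, so placement only affects readability, not the build.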
@@ -344,6 +345,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
+message(STATUS "AL 2023: ${SSG_PRODUCT_AL2023}")
message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OPENEMBEDDED}")
message(STATUS " ")
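Review bot: The status label `AL 2023:` on the new `message(STATUS ...)` line spells the product differently from the `AL2023` used in the option description and, unlike its neighbours (`Ubuntu 22.04`, `Uos 20`), does not use the full product name; it is also appended after `Uos 20` instead of being kept in the list's alphabetical order. I would use `message(STATUS "Amazon Linux 2023: ${SSG_PRODUCT_AL2023}")` and place it with the other A-products near the top of the summary, which is presumably where the list starts (not visible in this hunk).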
@@ -369,6 +371,9 @@ add_custom_target(render-policies)
ssg_build_man_page()
+if(SSG_PRODUCT_AL2023)
+ add_subdirectory("products/al2023" "al2023")
+endif()
if(SSG_PRODUCT_ALINUX2)
add_subdirectory("products/alinux2" "alinux2")
endif()
diff --git a/build_product b/build_product
index e6fb86991b0..9d6ad89ec01 100755
--- a/build_product
+++ b/build_product
@@ -345,6 +345,7 @@ set_explict_build_targets() {
# Get this using
# grep 'option(SSG_PRODUCT' CMakeLists.txt | sed -e 's/option(SSG_PRODUCT_\(\w\+\).*/\1/'
all_cmake_products=(
+ AL2023
ALINUX2
ALINUX3
ANOLIS8
diff --git a/components/rpm.yml b/components/rpm.yml
index 2b00bd90874..f32f248ad7c 100644
--- a/components/rpm.yml
+++ b/components/rpm.yml
@@ -17,6 +17,7 @@ rules:
- ensure_oracle_gpgkey_installed
- ensure_package_repositories_are_configured
- ensure_redhat_gpgkey_installed
+- ensure_amazon_gpgkey_installed
- ensure_suse_gpgkey_installed
- package_dnf-automatic_installed
- package_gnome_software_installed
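Review bot: `ensure_amazon_gpgkey_installed` is inserted between the redhat and suse entries, whereas the list keeps the `ensure_*_gpgkey_installed` rules alphabetically (`oracle`, `redhat`, `suse`), so it belongs before `ensure_oracle_gpgkey_installed`. This component file only references the rule id; the rule's own directory and its applicability to the `al2023` product are not part of this hunk, so I would confirm the rule exists and is selected for the new product before merging. The controls file added in this commit points to the same rule as a related rule for CIS 1.2.1, so a missing or misnamed rule would likely surface there as well.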
diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml
new file mode 100644
index 00000000000..0f06a25f490
--- /dev/null
+++ b/controls/cis_al2023.yml
@@ -0,0 +1,2176 @@
+---
+policy: 'CIS Benchmark for Amazon Linux 2023'
+title: 'CIS Benchmark for Amazon Linux 2023'
+id: cis_al2023
+version: '1.0.0'
+source: https://www.cisecurity.org/benchmark/amazon_linux
+levels:
+ - id: l1_server
+ - id: l2_server
+ inherits_from:
+ - l1_server
+reference_type: cis
+product: al2023
+
+controls:
+ - id: 1.1.1.1
+ title: Ensure mounting of squashfs filesystems is disabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - kernel_module_squashfs_disabled
+
+ - id: 1.1.1.2
+ title: Ensure mounting of udf filesystems is disabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - kernel_module_udf_disabled
+
+ - id: 1.1.1.3
+ title: Ensure mounting of cramfs filesystems is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - kernel_module_cramfs_disabled
+
+ - id: 1.1.1.4
+ title: Ensure mounting of freevxfs filesystems is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - kernel_module_freevxfs_disabled
+
+ - id: 1.1.1.5
+ title: Ensure mounting of jffs2 filesystems is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - kernel_module_jffs2_disabled
+
+ - id: 1.1.1.6
+ title: Ensure mounting of hfs filesystems is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - kernel_module_hfs_disabled
+
+ - id: 1.1.1.7
+ title: Ensure mounting of hfsplus filesystems is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - kernel_module_hfsplus_disabled
+
+ - id: 1.1.2.1
+ title: Ensure /tmp is a separate partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - partition_for_tmp
+
+ - id: 1.1.2.2
+ title: Ensure nodev option set on /tmp partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_tmp_nodev
+
+ - id: 1.1.2.3
+ title: Ensure noexec option set on /tmp partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_tmp_noexec
+
+ - id: 1.1.2.4
+ title: Ensure nosuid option set on /tmp partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_tmp_nosuid
+
+ - id: 1.1.3.1
+ title: Ensure separate partition exists for /var (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - partition_for_var
+
+ - id: 1.1.3.2
+ title: Ensure nodev option set on /var partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_nodev
+
+ - id: 1.1.3.3
+ title: Ensure nosuid option set on /var partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_nosuid
+
+ - id: 1.1.4.1
+ title: Ensure separate partition exists for /var/tmp (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - partition_for_var_tmp
+
+ - id: 1.1.4.2
+ title: Ensure noexec option set on /var/tmp partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_tmp_noexec
+
+ - id: 1.1.4.3
+ title: Ensure nosuid option set on /var/tmp partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_tmp_nosuid
+
+ - id: 1.1.4.4
+ title: Ensure nodev option set on /var/tmp partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_tmp_nodev
+
+ - id: 1.1.5.1
+ title: Ensure separate partition exists for /var/log (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - partition_for_var_log
+
+ - id: 1.1.5.2
+ title: Ensure nodev option set on /var/log partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_log_nodev
+
+ - id: 1.1.5.3
+ title: Ensure noexec option set on /var/log partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_log_noexec
+
+ - id: 1.1.5.4
+ title: Ensure nosuid option set on /var/log partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_log_nosuid
+
+ - id: 1.1.6.1
+ title: Ensure separate partition exists for /var/log/audit (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - partition_for_var_log_audit
+
+ - id: 1.1.6.2
+ title: Ensure noexec option set on /var/log/audit partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_log_audit_noexec
+
+ - id: 1.1.6.3
+ title: Ensure nodev option set on /var/log/audit partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_log_audit_nodev
+
+ - id: 1.1.6.4
+ title: Ensure nosuid option set on /var/log/audit partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_var_log_audit_nosuid
+
+ - id: 1.1.7.1
+ title: Ensure separate partition exists for /home (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - partition_for_home
+
+ - id: 1.1.7.2
+ title: Ensure nodev option set on /home partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_home_nodev
+
+ - id: 1.1.7.3
+ title: Ensure nosuid option set on /home partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_home_nosuid
+
+ - id: 1.1.8.1
+ title: Ensure /dev/shm is a separate partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - partition_for_dev_shm
+
+ - id: 1.1.8.2
+ title: Ensure nodev option set on /dev/shm partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_dev_shm_nodev
+
+ - id: 1.1.8.3
+ title: Ensure noexec option set on /dev/shm partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_dev_shm_noexec
+
+ - id: 1.1.8.4
+ title: Ensure nosuid option set on /dev/shm partition (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - mount_option_dev_shm_nosuid
+
+ - id: 1.1.9
+ title: Ensure usb-storage is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - kernel_module_usb-storage_disabled
+
+ - id: 1.2.1
+ title: Ensure GPG keys are configured (Manual)
+ levels:
+ - l1_server
+ status: manual
+ related_rules:
+ - ensure_amazon_gpgkey_installed
+
+ - id: 1.2.2
+ title: Ensure gpgcheck is globally activated (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - ensure_gpgcheck_globally_activated
+
+ - id: 1.2.3
+ title: Ensure package manager repositories are configured (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 1.2.4
+ title: Ensure repo_gpgcheck is globally activated (Manual)
+ levels:
+ - l2_server
+ status: manual
+
+ - id: 1.3.1
+ title: Ensure AIDE is installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_aide_installed
+ - aide_build_database
+
+ - id: 1.3.2
+ title: Ensure filesystem integrity is regularly checked (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - aide_periodic_cron_checking
+
+ - id: 1.3.3
+ title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - aide_check_audit_tools
+ related_rules:
+ - aide_use_fips_hashes
+
+ - id: 1.4.1
+ title: Ensure permissions on bootloader config are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_grub2_cfg
+ - file_owner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - file_groupowner_user_cfg
+ - file_owner_user_cfg
+ - file_permissions_user_cfg
+ related_rules:
+ - file_groupowner_efi_grub2_cfg
+ - file_owner_efi_grub2_cfg
+ - file_permissions_efi_grub2_cfg
+ - file_groupowner_efi_user_cfg
+ - file_owner_efi_user_cfg
+ - file_permissions_efi_user_cfg
+
+ - id: 1.5.1
+ title: Ensure address space layout randomization (ASLR) is enabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_kernel_randomize_va_space
+
+ - id: 1.5.2
+ title: Ensure ptrace_scope is restricted (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_kernel_yama_ptrace_scope
+
+ - id: 1.5.3
+ title: Ensure core dump storage is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - coredump_disable_storage
+
+ - id: 1.5.4
+ title: Ensure core dump backtraces are disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - coredump_disable_backtraces
+
+ - id: 1.6.1.1
+ title: Ensure SELinux is installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_libselinux_installed
+
+ - id: 1.6.1.2
+ title: Ensure SELinux is not disabled in bootloader configuration (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - grub2_enable_selinux
+
+ - id: 1.6.1.3
+ title: Ensure SELinux policy is configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ - id: 1.6.1.4
+ title: Ensure the SELinux mode is not disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - selinux_not_disabled
+
+ - id: 1.6.1.5
+ title: Ensure the SELinux mode is enforcing (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - var_selinux_state=enforcing
+ - selinux_state
+
+ - id: 1.6.1.6
+ title: Ensure no unconfined services exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - selinux_confinement_of_daemons
+
+ - id: 1.6.1.7
+ title: Ensure SETroubleshoot is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_setroubleshoot_removed
+
+ - id: 1.6.1.8
+ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_mcstrans_removed
+
+ - id: 1.7.1
+ title: Ensure message of the day is configured properly (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - banner_etc_motd
+ - motd_banner_text=cis_banners
+
+ - id: 1.7.2
+ title: Ensure local login warning banner is configured properly (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - banner_etc_issue
+ - login_banner_text=cis_banners
+
+ - id: 1.7.3
+ title: Ensure remote login warning banner is configured properly (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - banner_etc_issue_net
+ - remote_login_banner_text=cis_banners
+
+ - id: 1.7.4
+ title: Ensure permissions on /etc/motd are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_motd
+ - file_owner_etc_motd
+ - file_permissions_etc_motd
+
+ - id: 1.7.5
+ title: Ensure permissions on /etc/issue are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_issue
+ - file_owner_etc_issue
+ - file_permissions_etc_issue
+
+ - id: 1.7.6
+ title: Ensure permissions on /etc/issue.net are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_issue_net
+ - file_owner_etc_issue_net
+ - file_permissions_etc_issue_net
+
+ - id: 1.8
+ title: Ensure updates, patches, and additional security software are installed (Manual)
+ levels:
+ - l1_server
+ status: manual
+ related_rules:
+ - security_patches_up_to_date
+
+ - id: "1.9"
+ title: Ensure system-wide crypto policy is not legacy (Automated)
+ levels:
+ - l1_server
+ status: automated
+ notes: The selected crypto-policy cannot be legacy
+ rules:
+ - configure_crypto_policy
+ - var_system_crypto_policy=default_policy
+
+ - id: 2.1.1
+ title: Ensure time synchronization is in use (Automated)
+ levels:
+ - l1_server
+ status: automated
+ related_rules:
+ - package_chrony_installed
+
+ - id: 2.1.2
+ title: Ensure chrony is configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - chronyd_specify_remote_server
+ - chronyd_run_as_chrony_user
+ - var_multiple_time_servers=amazon
+
+ - id: 2.2.1
+ title: Ensure xorg-x11-server-common is not installed (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - package_xorg-x11-server-common_removed
+
+ - id: 2.2.2
+ title: Ensure avahi is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_avahi_removed
+ related_rules:
+ - service_avahi-daemon_disabled
+
+ - id: 2.2.3
+ title: Ensure a print server is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_cups_removed
+ related_rules:
+ - service_cups_disabled
+
+ - id: 2.2.4
+ title: Ensure a dhcp server is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_dhcp_removed
+
+ - id: 2.2.5
+ title: Ensure a dns server is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_bind_removed
+
+ - id: 2.2.6
+ title: Ensure an ftp server is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_vsftpd_removed
+
+ - id: 2.2.7
+ title: Ensure a tftp server is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_tftp-server_removed
+
+ - id: 2.2.8
+ title: Ensure a web server is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_httpd_removed
+ - package_nginx_removed
+
+ - id: 2.2.9
+ title: Ensure IMAP and POP3 server is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_dovecot_removed
+ - package_cyrus-imapd_removed
+
+ - id: 2.2.10
+ title: Ensure Samba is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_samba_removed
+
+ - id: 2.2.11
+ title: Ensure HTTP Proxy Server is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_squid_removed
+
+ - id: 2.2.12
+ title: Ensure net-snmp is not installed or the snmpd service is not enabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_net-snmp_removed
+ - service_snmpd_disabled
+
+ - id: 2.2.13
+ title: Ensure telnet-server is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_telnet-server_removed
+
+ - id: 2.2.14
+ title: Ensure dnsmasq is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_dnsmasq_removed
+
+ - id: 2.2.15
+ title: Ensure mail transfer agent is configured for local-only mode (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - postfix_network_listening_disabled
+ - var_postfix_inet_interfaces=loopback-only
+ - has_nonlocal_mta
+
+ - id: 2.2.16
+ title: Ensure nfs-utils is not installed or the nfs-server service is masked (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - service_nfs_disabled
+ related_rules:
+ - package_nfs-utils_removed
+
+ - id: 2.2.17
+ title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - service_rpcbind_disabled
+ related_rules:
+ - package_rpcbind_removed
+
+ - id: 2.2.18
+ title: Ensure rsync-daemon is not installed or the rsyncd service is masked (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_rsync_removed
+ related_rules:
+ - service_rsyncd_disabled
+
+ - id: 2.3.1
+ title: Ensure telnet client is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_telnet_removed
+
+ - id: 2.3.2
+ title: Ensure LDAP client is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_openldap-clients_removed
+
+ - id: 2.3.3
+ title: Ensure FTP client is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_ftp_removed
+
+ - id: 2.4
+ title: Ensure nonessential services listening on the system are removed or masked (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 3.1.1
+ title: Ensure IPv6 status is identified (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 3.1.2
+ title: Ensure DCCP is disabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - kernel_module_dccp_disabled
+
+ - id: 3.1.3
+ title: Ensure SCTP is disabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - kernel_module_sctp_disabled
+
+ - id: 3.1.4
+ title: Ensure RDS is disabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - kernel_module_rds_disabled
+
+ - id: 3.1.5
+ title: Ensure TIPC is disabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - kernel_module_tipc_disabled
+
+ - id: 3.2.1
+ title: Ensure IP forwarding is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv6_conf_all_forwarding
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+
+ - id: 3.2.2
+ title: Ensure packet redirect sending is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+
+ - id: 3.3.1
+ title: Ensure source routed packets are not accepted (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+
+ - id: 3.3.2
+ title: Ensure ICMP redirects are not accepted (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+
+ - id: 3.3.3
+ title: Ensure secure ICMP redirects are not accepted (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+
+ - id: 3.3.4
+ title: Ensure suspicious packets are logged (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_default_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+
+ - id: 3.3.5
+ title: Ensure broadcast ICMP requests are ignored (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+
+ - id: 3.3.6
+ title: Ensure bogus ICMP responses are ignored (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+
+ - id: 3.3.7
+ title: Ensure Reverse Path Filtering is enabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+
+ - id: 3.3.8
+ title: Ensure TCP SYN Cookies is enabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+
+ - id: 3.3.9
+ title: Ensure IPv6 router advertisements are not accepted (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_ra
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+
+ - id: 3.4.1.1
+ title: Ensure nftables is installed (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - package_nftables_installed
+
+ - id: 3.4.1.2
+ title: Ensure a single firewall configuration utility is in use (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - service_firewalld_enabled
+ - package_firewalld_installed
+ - service_nftables_disabled
+
+ - id: 3.4.2.1
+ title: Ensure firewalld default zone is set (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - set_firewalld_default_zone
+
+ - id: 3.4.2.2
+ title: Ensure at least one nftables table exists (Automated)
+ levels:
+ - l2_server
+ status: supported
+ rules:
+ - set_nftables_table
+ - var_nftables_family=inet
+ - var_nftables_table=firewalld
+
+ - id: 3.4.2.3
+ title: Ensure nftables base chains exist (Automated)
+ levels:
+ - l2_server
+ status: supported
+ related_rules:
+ - set_nftables_base_chain
+ - var_nftables_table=firewalld
+ - var_nftables_family=inet
+ - var_nftables_base_chain_names=chain_names
+ - var_nftables_base_chain_types=chain_types
+ - var_nftables_base_chain_hooks=chain_hooks
+ - var_nftables_base_chain_priorities=chain_priorities
+ - var_nftables_base_chain_policies=chain_policies
+
+ - id: 3.4.2.4
+ title: Ensure host based firewall loopback traffic is configured (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - firewalld_loopback_traffic_trusted
+ - firewalld_loopback_traffic_restricted
+
+ - id: 3.4.2.5
+ title: Ensure firewalld drops unnecessary services and ports (Manual)
+ levels:
+ - l2_server
+ status: manual
+ related_rules:
+ - configure_firewalld_ports
+
+ - id: 3.4.2.6
+ title: Ensure nftables established connections are configured (Manual)
+ levels:
+ - l2_server
+ status: manual
+
+ - id: 3.4.2.7
+ title: Ensure nftables default deny firewall policy (Automated)
+ levels:
+ - l2_server
+ status: supported
+ related_rules:
+ - nftables_ensure_default_deny_policy
+
+ - id: 4.1.1
+ title: Ensure cron daemon is installed and enabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - service_crond_enabled
+
+ - id: 4.1.2
+ title: Ensure permissions on /etc/crontab are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_crontab
+ - file_owner_crontab
+ - file_permissions_crontab
+
+ - id: 4.1.3
+ title: Ensure permissions on /etc/cron.hourly are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_cron_hourly
+ - file_owner_cron_hourly
+ - file_permissions_cron_hourly
+
+ - id: 4.1.4
+ title: Ensure permissions on /etc/cron.daily are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_cron_daily
+ - file_owner_cron_daily
+ - file_permissions_cron_daily
+
+ - id: 4.1.5
+ title: Ensure permissions on /etc/cron.weekly are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_cron_weekly
+ - file_owner_cron_weekly
+ - file_permissions_cron_weekly
+
+ - id: 4.1.6
+ title: Ensure permissions on /etc/cron.monthly are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_cron_monthly
+ - file_owner_cron_monthly
+ - file_permissions_cron_monthly
+
+ - id: 4.1.7
+ title: Ensure permissions on /etc/cron.d are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_cron_d
+ - file_owner_cron_d
+ - file_permissions_cron_d
+
+ - id: 4.1.8
+ title: Ensure cron is restricted to authorized users (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_cron_deny_not_exist
+ - file_cron_allow_exists
+ - file_groupowner_cron_allow
+ - file_owner_cron_allow
+ - file_permissions_cron_allow
+
+ - id: 4.1.9
+ title: Ensure at is restricted to authorized users (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_at_deny_not_exist
+ - file_groupowner_at_allow
+ - file_owner_at_allow
+ - file_permissions_at_allow
+
+ - id: 4.2.1
+ title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_sshd_config
+ - file_owner_sshd_config
+ - file_permissions_sshd_config
+
+ - id: 4.2.2
+ title: Ensure permissions on SSH private host key files are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_permissions_sshd_private_key
+ - file_ownership_sshd_private_key
+ - file_groupownership_sshd_private_key
+
+ - id: 4.2.3
+ title: Ensure permissions on SSH public host key files are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_permissions_sshd_pub_key
+ - file_ownership_sshd_pub_key
+ - file_groupownership_sshd_pub_key
+
+ - id: 4.2.4
+ title: Ensure SSH access is limited (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_limit_user_access
+
+ - id: 4.2.5
+ title: Ensure SSH LogLevel is appropriate (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_set_loglevel_verbose
+ related_rules:
+ - sshd_set_loglevel_info
+
+ - id: 4.2.6
+ title: Ensure SSH PAM is enabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_enable_pam
+
+ - id: 4.2.7
+ title: Ensure SSH root login is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_disable_root_login
+
+ - id: 4.2.8
+ title: Ensure SSH HostbasedAuthentication is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - disable_host_auth
+
+ - id: 4.2.9
+ title: Ensure SSH PermitEmptyPasswords is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_disable_empty_passwords
+
+ - id: 4.2.10
+ title: Ensure SSH PermitUserEnvironment is disabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_do_not_permit_user_env
+
+ - id: 4.2.11
+ title: Ensure SSH IgnoreRhosts is enabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_disable_rhosts
+
+ - id: 4.2.12
+ title: Ensure SSH X11 forwarding is disabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - sshd_disable_x11_forwarding
+
+ - id: 4.2.13
+ title: Ensure SSH AllowTcpForwarding is disabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - sshd_disable_tcp_forwarding
+
+ - id: 4.2.14
+ title: Ensure system-wide crypto policy is not over-ridden (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - configure_ssh_crypto_policy
+
+ - id: 4.2.15
+ title: Ensure SSH warning banner is configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_enable_warning_banner_net
+ related_rules:
+ - sshd_enable_warning_banner
+
+ - id: 4.2.16
+ title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_max_auth_tries_value=4
+ - sshd_set_max_auth_tries
+
+ - id: 4.2.17
+ title: Ensure SSH MaxStartups is configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_set_maxstartups
+ - var_sshd_set_maxstartups=10:30:60
+
+ - id: 4.2.18
+ title: Ensure SSH MaxSessions is set to 10 or less (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_set_max_sessions
+ - var_sshd_max_sessions=10
+
+ - id: 4.2.19
+ title: Ensure SSH LoginGraceTime is set to one minute or less (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_set_login_grace_time
+ - var_sshd_set_login_grace_time=60
+
+ - id: 4.2.20
+ title: Ensure SSH Idle Timeout Interval is configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sshd_idle_timeout_value=15_minutes
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=1
+
+ - id: 4.3.1
+ title: Ensure sudo is installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_sudo_installed
+
+ - id: 4.3.2
+ title: Ensure sudo commands use pty (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sudo_add_use_pty
+
+ - id: 4.3.3
+ title: Ensure sudo log file exists (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sudo_custom_logfile
+
+ - id: 4.3.4
+ title: Ensure re-authentication for privilege escalation is not disabled globally (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sudo_require_reauthentication
+
+ - id: 4.3.5
+ title: Ensure sudo authentication timeout is configured correctly (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - sudo_require_reauthentication
+
+ - id: 4.3.6
+ title: Ensure access to the su command is restricted (Automated)
+ levels:
+ - l1_server
+ status: automated
+ notes: |-
+ Members of "wheel" or GID 0 groups are checked by default if the group option is not set for
+ pam_wheel.so module. The recommendation states the group should be empty to reinforce the
+ use of "sudo" for privileged access. Therefore, members of these groups should be manually
+ checked or a different group should be informed.
+ rules:
+ - var_pam_wheel_group_for_su=cis
+ - use_pam_wheel_group_for_su
+ - ensure_pam_wheel_group_empty
+
+ - id: 4.4.1
+ title: Ensure custom authselect profile is used (Manual)
+ levels:
+ - l1_server
+ status: manual
+ related_rules:
+ - no_empty_passwords
+
+ - id: 4.4.2
+ title: Ensure authselect includes with-faillock (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - account_password_pam_faillock_password_auth
+ - account_password_pam_faillock_system_auth
+
+ - id: 4.5.1
+ title: Ensure password creation requirements are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ notes: |-
+ The Benchmark mentions that the try_first_pass option should be included in pam_pwquality.so
+ module. However, the pam_pwquality.so module, by default, is always the first module from in
+ the PAM password stack. Therefore, the option is useless and not necessary. It was already
+ proposed to update the requirement in the next CIS version.
+ rules:
+ - accounts_password_pam_minclass
+ - accounts_password_pam_minlen
+ - accounts_password_pam_retry
+ - var_password_pam_minclass=4
+ - var_password_pam_minlen=14
+
+ - id: 4.5.2
+ title: Ensure lockout for failed password attempts is configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_passwords_pam_faillock_deny
+ - var_accounts_passwords_pam_faillock_deny=3
+ - accounts_passwords_pam_faillock_unlock_time
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+
+ - id: 4.5.3
+ title: Ensure password reuse is limited (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
+ - var_password_pam_remember_control_flag=requisite_or_required
+ - var_password_pam_remember=5
+
+ - id: 4.5.4
+ title: Ensure password hashing algorithm is SHA-512 (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
+ - set_password_hashing_algorithm_logindefs
+ - var_password_hashing_algorithm=SHA512
+
+ - id: 4.6.1.1
+ title: Ensure password expiration is 365 days or less (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=365
+ - accounts_password_set_max_life_existing
+
+ - id: 4.6.1.2
+ title: Ensure minimum days between password changes is configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=1
+ - accounts_password_set_min_life_existing
+
+ - id: 4.6.1.3
+ title: Ensure password expiration warning days is 7 or more (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_password_warn_age_login_defs
+ - var_accounts_password_warn_age_login_defs=7
+ - accounts_password_set_warn_age_existing
+
+ - id: 4.6.1.4
+ title: Ensure inactive password lock is 30 days or less (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=30
+ - accounts_set_post_pw_existing
+
+ - id: 4.6.1.5
+ title: Ensure all users last password change date is in the past (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_password_last_change_is_in_past
+
+ - id: 4.6.2
+ title: Ensure system accounts are secured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - no_password_auth_for_systemaccounts
+ - no_shelllogin_for_systemaccounts
+
+ - id: 4.6.3
+ title: Ensure default user shell timeout is 900 seconds or less (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=15_min
+
+ - id: 4.6.4
+ title: Ensure default group for the root account is GID 0 (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_root_gid_zero
+
+ - id: 4.6.5
+ title: Ensure default user umask is 027 or more restrictive (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_login_defs
+ - accounts_umask_etc_profile
+ - var_accounts_user_umask=027
+
+ - id: 4.6.6
+ title: Ensure root password is set (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - ensure_root_password_configured
+ - no_empty_passwords_etc_shadow
+
+ - id: 5.1.1.1
+ title: Ensure rsyslog is installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_rsyslog_installed
+
+ - id: 5.1.1.2
+ title: Ensure rsyslog service is enabled (Manual)
+ levels:
+ - l1_server
+ status: manual
+ related_rules:
+ - service_rsyslog_enabled
+
+ - id: 5.1.1.3
+ title: Ensure journald is configured to send logs to rsyslog (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - journald_forward_to_syslog
+
+ - id: 5.1.1.4
+ title: Ensure rsyslog default file permissions are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - rsyslog_filecreatemode
+
+ - id: 5.1.1.5
+ title: Ensure logging is configured (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.1.6
+ title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - rsyslog_remote_loghost
+
+ - id: 5.1.1.7
+ title: Ensure rsyslog is not configured to receive logs from a remote client (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - rsyslog_nolisten
+
+ - id: 5.1.2.1.1
+ title: Ensure systemd-journal-remote is installed (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.2.1.2
+ title: Ensure systemd-journal-remote is configured (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.2.1.3
+ title: Ensure systemd-journal-remote is enabled (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.2.1.4
+ title: Ensure journald is not configured to receive logs from a remote client (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - socket_systemd-journal-remote_disabled
+
+ - id: 5.1.2.2
+ title: Ensure journald service is enabled (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - service_systemd-journald_enabled
+
+ - id: 5.1.2.3
+ title: Ensure journald is configured to compress large log files (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - journald_compress
+
+ - id: 5.1.2.4
+ title: Ensure journald is configured to write logfiles to persistent disk (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - journald_storage
+
+ - id: 5.1.2.5
+ title: Ensure journald is not configured to send logs to rsyslog (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.2.6
+ title: Ensure journald log rotation is configured per site policy (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.2.7
+ title: Ensure journald default file permissions configured (Manual)
+ levels:
+ - l1_server
+ status: manual
+
+ - id: 5.1.3
+ title: Ensure all logfiles have appropriate permissions and ownership (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - rsyslog_files_groupownership
+ - rsyslog_files_ownership
+ - rsyslog_files_permissions
+
+ - id: 5.2.1.1
+ title: Ensure auditd is installed (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - package_audit_installed
+
+ - id: 5.2.1.2
+ title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - grub2_audit_argument
+
+ - id: 5.2.1.3
+ title: Ensure audit_backlog_limit is sufficient (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - grub2_audit_backlog_limit_argument
+
+ - id: 5.2.1.4
+ title: Ensure auditd service is enabled (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - service_auditd_enabled
+
+ - id: 5.2.2.1
+ title: Ensure audit log storage size is configured (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - auditd_data_retention_max_log_file
+ - var_auditd_max_log_file=6
+
+ - id: 5.2.2.2
+ title: Ensure audit logs are not automatically deleted (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - auditd_data_retention_max_log_file_action
+ - var_auditd_max_log_file_action=keep_logs
+
+ - id: 5.2.2.3
+ title: Ensure system is disabled when audit logs are full (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - auditd_data_retention_action_mail_acct
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_space_left_action
+ - var_auditd_action_mail_acct=root
+ - var_auditd_admin_space_left_action=halt
+ - var_auditd_space_left_action=email
+
+ - id: 5.2.3.1
+ title: Ensure changes to system administration scope (sudoers) is collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_sysadmin_actions
+
+ - id: 5.2.3.2
+ title: Ensure actions as another user are always logged (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_suid_auid_privilege_function
+
+ - id: 5.2.3.3
+ title: Ensure events that modify the sudo log file are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_sudo_log_events
+
+ - id: 5.2.3.4
+ title: Ensure events that modify date and time information are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_clock_settime
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+
+ - id: 5.2.3.5
+ title: Ensure events that modify the system's network environment are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_networkconfig_modification
+ - audit_rules_networkconfig_modification_network_scripts
+
+ - id: 5.2.3.6
+ title: Ensure use of privileged commands are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_privileged_commands
+
+ - id: 5.2.3.7
+ title: Ensure unsuccessful file access attempts are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+
+ - id: 5.2.3.8
+ title: Ensure events that modify user/group information are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+
+ - id: 5.2.3.9
+ title: Ensure discretionary access control permission modification events are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+
+ - id: 5.2.3.10
+ title: Ensure successful file system mounts are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_media_export
+
+ - id: 5.2.3.11
+ title: Ensure session initiation information is collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_session_events
+
+ - id: 5.2.3.12
+ title: Ensure login and logout events are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - var_accounts_passwords_pam_faillock_dir=run
+
+ - id: 5.2.3.13
+ title: Ensure file deletion events by users are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+
+ - id: 5.2.3.14
+ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification_usr_share
+
+ - id: 5.2.3.15
+ title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_execution_chcon
+
+ - id: 5.2.3.16
+ title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_execution_setfacl
+
+ - id: 5.2.3.17
+ title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_execution_chacl
+
+ - id: 5.2.3.18
+ title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_privileged_commands_usermod
+
+ - id: 5.2.3.19
+ title: Ensure kernel module loading unloading and modification is collected (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_kernel_module_loading_create
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_kernel_module_loading_query
+ - audit_rules_privileged_commands_kmod
+
+ - id: 5.2.3.20
+ title: Ensure the audit configuration is immutable (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - audit_rules_immutable
+
+ - id: 5.2.3.21
+ title: Ensure the running and on disk configuration is the same (Manual)
+ levels:
+ - l2_server
+ status: manual
+
+ - id: 5.2.4.1
+ title: Ensure audit log files are mode 0640 or less permissive (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_permissions_var_log_audit
+
+ - id: 5.2.4.2
+ title: Ensure only authorized users own audit log files (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_ownership_var_log_audit_stig
+
+ - id: 5.2.4.3
+ title: Ensure only authorized groups are assigned ownership of audit log files (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_group_ownership_var_log_audit
+
+ - id: 5.2.4.4
+ title: Ensure the audit log directory is 0750 or more restrictive (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - directory_permissions_var_log_audit
+
+ - id: 5.2.4.5
+ title: Ensure audit configuration files are 640 or more restrictive (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_permissions_audit_configuration
+
+ - id: 5.2.4.6
+ title: Ensure audit configuration files are owned by root (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_ownership_audit_configuration
+
+ - id: 5.2.4.7
+ title: Ensure audit configuration files belong to group root (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_groupownership_audit_configuration
+
+ - id: 5.2.4.8
+ title: Ensure audit tools are 755 or more restrictive (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_permissions_audit_binaries
+
+ - id: 5.2.4.9
+ title: Ensure audit tools are owned by root (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_ownership_audit_binaries
+
+ - id: 5.2.4.10
+ title: Ensure audit tools belong to group root (Automated)
+ levels:
+ - l2_server
+ status: automated
+ rules:
+ - file_groupownership_audit_binaries
+
+ - id: 5.3
+ title: Ensure logrotate is configured (Manual)
+ levels:
+ - l1_server
+ status: manual
+ related_rules:
+ - ensure_logrotate_activated
+ - package_logrotate_installed
+ - timer_logrotate_enabled
+
+ - id: 6.1.1
+ title: Ensure permissions on /etc/passwd are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_passwd
+ - file_owner_etc_passwd
+ - file_permissions_etc_passwd
+
+ - id: 6.1.2
+ title: Ensure permissions on /etc/passwd are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_passwd
+ - file_owner_etc_passwd
+ - file_permissions_etc_passwd
+
+ - id: 6.1.3
+ title: Ensure permissions on /etc/passwd- are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_passwd
+ - file_owner_backup_etc_passwd
+ - file_permissions_backup_etc_passwd
+
+ - id: 6.1.4
+ title: Ensure permissions on /etc/group are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_group
+ - file_owner_etc_group
+ - file_permissions_etc_group
+
+ - id: 6.1.5
+ title: Ensure permissions on /etc/group- are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_group
+ - file_owner_backup_etc_group
+ - file_permissions_backup_etc_group
+
+ - id: 6.1.6
+ title: Ensure permissions on /etc/shadow are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+
+ - id: 6.1.7
+ title: Ensure permissions on /etc/shadow- are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_shadow
+ - file_owner_backup_etc_shadow
+ - file_permissions_backup_etc_shadow
+
+ - id: 6.1.8
+ title: Ensure permissions on /etc/gshadow are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_etc_gshadow
+ - file_owner_etc_gshadow
+ - file_permissions_etc_gshadow
+
+ - id: 6.1.9
+ title: Ensure permissions on /etc/gshadow- are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_gshadow
+ - file_owner_backup_etc_gshadow
+ - file_permissions_backup_etc_gshadow
+
+ - id: 6.1.10
+ title: Audit system file permissions (Manual)
+ levels:
+ - l2_server
+ status: manual
+ related_rules:
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+
+ - id: 6.1.11
+ title: Ensure world writable files and directories are secured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - file_permissions_unauthorized_world_writable
+ - dir_perms_world_writable_sticky_bits
+
+ - id: 6.1.12
+ title: Ensure no unowned or ungrouped files or directories exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - no_files_unowned_by_user
+ - file_permissions_ungroupowned
+
+ - id: 6.1.13
+ title: Ensure SUID and SGID files are reviewed (Manual)
+ levels:
+ - l1_server
+ status: manual
+ related_rules:
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_sgid
+
+ - id: 6.2.1
+ title: Ensure accounts in /etc/passwd use shadowed passwords (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_password_all_shadowed
+
+ - id: 6.2.2
+ title: Ensure /etc/shadow password fields are not empty (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - no_empty_passwords_etc_shadow
+
+ - id: 6.2.3
+ title: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - gid_passwd_group_same
+
+ - id: 6.2.4
+ title: Ensure no duplicate UIDs exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - account_unique_id
+
+ - id: 6.2.5
+ title: Ensure no duplicate GIDs exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - group_unique_id
+
+ - id: 6.2.6
+ title: Ensure no duplicate user names exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - account_unique_name
+
+ - id: 6.2.7
+ title: Ensure no duplicate group names exist (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - group_unique_name
+
+ - id: 6.2.8
+ title: Ensure root PATH Integrity (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_root_path_dirs_no_write
+ - root_path_no_dot
+
+ - id: 6.2.9
+ title: Ensure root is the only UID 0 account (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_no_uid_except_zero
+
+ - id: 6.2.10
+ title: Ensure local interactive user home directories are configured (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - accounts_user_interactive_home_directory_exists
+ - file_ownership_home_directories
+ - file_permissions_home_directories
+ - file_groupownership_home_directories
+
+ - id: 6.2.11
+ title: Ensure local interactive user dot files access is configured (Automated)
+ levels:
+ - l1_server
+ status: partial
+ rules:
+ - accounts_user_dot_group_ownership
+ - accounts_user_dot_user_ownership
+ - file_permission_user_init_files
+ - var_user_initialization_files_regex=all_dotfiles
+ - no_forward_files
+ - no_rsh_trust_files
+ - accounts_users_netrc_file_permissions
diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml
index 5424a119d9e..a79cab0e8a9 100644
--- a/linux_os/guide/services/ntp/group.yml
+++ b/linux_os/guide/services/ntp/group.yml
@@ -67,6 +67,8 @@ description: |-
{{{ weblink(link="https://wiki.debian.org/NTP") }}}
{{% elif "alinux" in product %}}
{{{ weblink(link="https://www.alibabacloud.com/help/en/elastic-compute-service/latest/alibaba-cloud-ntp-server") }}}
+ {{% elif "al2023" in product %}}
+ {{{ weblink(link="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html") }}}
{{% else %}}
{{{ weblink(link="https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/servers/Configuring_NTP_Using_the_chrony_Suite/") }}}
{{% endif %}}
diff --git a/linux_os/guide/services/ntp/var_multiple_time_pools.var b/linux_os/guide/services/ntp/var_multiple_time_pools.var
index 4feea20e630..3a432c23369 100644
--- a/linux_os/guide/services/ntp/var_multiple_time_pools.var
+++ b/linux_os/guide/services/ntp/var_multiple_time_pools.var
@@ -15,3 +15,4 @@ options:
ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
suse: "0.suse.pool.ntp.org,1.suse.pool.ntp.org,2.suse.pool.ntp.org,3.suse.pool.ntp.org"
alinux: "0.ntp.cloud.aliyuncs.com,1.ntp.aliyun.com,2.ntp1.aliyun.com,3.ntp1.cloud.aliyuncs.com"
+ amazon: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org"
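Review bot: The new option key is `amazon` while the product id this commit introduces is `al2023` (product.yml sets `product: al2023`), and the neighbouring keys (`ol`, `suse`, `alinux`) look like family names rather than product ids, so I cannot tell from the hunk whether the build resolves `amazon` for this product or silently falls through to `default` — please confirm. The value also reuses the Red Hat vendor zone (`0.rhel.pool.ntp.org`…), whereas the set-time.html page this commit links from ntp/group.yml describes the Amazon Time Sync Service as the AL2023 default time source; if the intent is to track the platform default, use that source, otherwise document the choice, e.g. `# TODO(review): confirm against the AL2023 default time source documented at set-time.html`. The identical line added to var_multiple_time_servers.var has the same two questions.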
diff --git a/linux_os/guide/services/ntp/var_multiple_time_servers.var b/linux_os/guide/services/ntp/var_multiple_time_servers.var
index fb3ce1c2122..ce1729eadfc 100644
--- a/linux_os/guide/services/ntp/var_multiple_time_servers.var
+++ b/linux_os/guide/services/ntp/var_multiple_time_servers.var
@@ -17,3 +17,4 @@ options:
ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
suse: "0.suse.pool.ntp.org,1.suse.pool.ntp.org,2.suse.pool.ntp.org,3.suse.pool.ntp.org"
alinux: "0.ntp.cloud.aliyuncs.com,1.ntp.aliyun.com,2.ntp1.aliyun.com,3.ntp1.cloud.aliyuncs.com"
+ amazon: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org"
diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml
new file mode 100644
index 00000000000..aba0effec26
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml
@@ -0,0 +1,38 @@
+# platform = multi_platform_al
+# reboot = false
+# strategy = restrict
+# complexity = medium
+# disruption = medium
+- name: "Read permission of GPG key directory"
+ ansible.builtin.stat:
+ path: /etc/pki/rpm-gpg/
+ register: gpg_key_directory_permission
+ check_mode: no
+
+# It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
+
+- name: Read signatures in GPG key
+ # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10
+ ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023"
+ changed_when: False
+ register: gpg_fingerprints
+ check_mode: no
+
+- name: Set Fact - Installed GPG Fingerprints
+ ansible.builtin.set_fact:
+ gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"
+
+- name: Set Fact - Valid fingerprints
+ ansible.builtin.set_fact:
+ gpg_valid_fingerprints:
+ - "{{{ release_key_fingerprint }}}"
+
+- name: Import Amazon GPG key
+ ansible.builtin.rpm_key:
+ state: present
+ key: /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
+ when:
+ - gpg_key_directory_permission.stat.mode <= '0755'
+ - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0
+ - gpg_installed_fingerprints | length > 0
+ - ansible_distribution == "Amazon" and ansible_distribution_version == "2023"
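Review bot: The `'\\1'` passed to `regex_findall` in the "Installed GPG Fingerprints" task is not a replacement template — as far as I recall the filter has no such argument and the capture group already yields only the fingerprint — so it lands in the filter's `multiline` parameter, and only that truthy value lets the `^fpr` anchor after the newline match. The task therefore works by accident and reads like a sed-style substitution; spelling the intent out, `regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', multiline=True)`, keeps the behaviour and stops the next reader from "fixing" the stray argument into a non-match that would make `gpg_installed_fingerprints | length > 0` false and never import the key. The expression is presumably inherited from the other vendor-key rules, so the same cleanup applies there.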
diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh
new file mode 100644
index 00000000000..d4d302e3b04
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh
@@ -0,0 +1,25 @@
+# platform = multi_platform_al
+# The fingerprint below are retrieved from the offical amazon linux 2023 machine
+readonly AMAZON_RELEASE_FINGERPRINT="{{{ release_key_fingerprint }}}"
+
+# Location of the key we would like to import (once it's integrity verified)
+readonly AMAZON_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023"
+
+RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$AMAZON_RELEASE_KEY")")
+
+# Verify /etc/pki/rpm-gpg directory permissions are safe
+if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
+then
+ # If they are safe, try to obtain fingerprints from the key file
+ # (to ensure there won't be e.g. CRC error).
+ readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$AMAZON_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10)
+ GPG_RESULT=$?
+ # No CRC error, safe to proceed
+ if [ "${GPG_RESULT}" -eq "0" ]
+ then
+ echo "${GPG_OUT[*]}" | grep -vE "${AMAZON_RELEASE_FINGERPRINT}" || {
+ # If $AMAZON_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
+ rpm --import "${AMAZON_RELEASE_KEY}"
+ }
+ fi
+fi
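Review bot: `GPG_RESULT=$?` records the exit status of `readarray`, not of `gpg`: the pipeline runs inside a process substitution whose status is never propagated, so `GPG_RESULT` is 0 even when the key file is missing or fails to parse and the "No CRC error" branch is always taken. The import is still skipped in that case only because `echo "${GPG_OUT[*]}"` emits an empty line that `grep -v` prints, and the same `[*]` join means a file holding the genuine key plus an unknown one collapses to a single line that `grep -v` drops (the known fingerprint is a substring of it), so such a file would be imported. Test the evidence directly instead: gate on the array being non-empty, print one fingerprint per line and require an exact literal match, as below.

```shell
# … unchanged: fingerprint/key constants and the directory-permission check …
    readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$AMAZON_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10)
    # A key file that yields no fingerprint (missing, unreadable, CRC error) stays unverified
    if [ "${#GPG_OUT[@]}" -gt 0 ]
    then
        # Import only if every fingerprint in the file is exactly the known release fingerprint
        printf '%s\n' "${GPG_OUT[@]}" | grep -vxF "${AMAZON_RELEASE_FINGERPRINT}" || {
            rpm --import "${AMAZON_RELEASE_KEY}"
        }
    fi
```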
diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/oval/shared.xml
new file mode 100644
index 00000000000..a403cc8ccb7
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/oval/shared.xml
@@ -0,0 +1,37 @@
+{{% if pkg_version %}}
+{{# If pkg_version isn't defined, then the rule should be NOTCHECKED, because we don't have data needed for the check #}}
+
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023+ +rationale: |- + Changes to software components can have significant effects on the overall + security of the operating system. This requirement ensures the software has + not been tampered with and that it has been provided by a trusted vendor. + The Amazon GPG key is necessary to cryptographically verify packages are + from Amazon. + +severity: high + +references: + cis-csc: 11,2,3,9 + cjis: 5.10.4.1 + cobit5: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02 + cui: 3.4.8 + disa: CCI-001749 + hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i) + isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4 + isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6' + iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 + nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-007-3 R4,CIP-007-3 R4.1,CIP-007-3 R4.2,CIP-007-3 R5.1 + nist: CM-5(3),SI-7,SC-12,SC-12(3),CM-6(a) + nist-csf: PR.DS-6,PR.DS-8,PR.IP-1 + ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 + pcidss: Req-6.2 + srg: SRG-OS-000366-GPOS-00153 + +ocil_clause: 'the Amazon GPG Key is not installed' + +ocil: |- + To ensure that the GPG key is installed, run: +
$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey+ The command should return the string below: +
Amazon Linux+
+fixtext: |-
+ Install {{{ full_name }}} GPG key. Run the following command:
+ $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/key_installed.pass.sh b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/key_installed.pass.sh
new file mode 100644
index 00000000000..dc7b063860b
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/key_installed.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+#
+# platform = Amazon Linux 2023
+
+rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/missing_key.fail.sh b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/missing_key.fail.sh
new file mode 100644
index 00000000000..32a39a04487
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/missing_key.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+
+# remove all available keys
+
+KEYS=$(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n')
+
+if [ $? = 0 ]; then
+ for KEY in $KEYS; do
+ rpm -e $KEY
+ done
+fi
diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml
index 0b90decc65f..cf355e336fe 100644
--- a/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_alinux,multi_platform_anolis,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_uos
+# platform = multi_platform_al2023,multi_platform_alinux,multi_platform_anolis,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_uos
 # reboot = true
 # strategy = patch
 # complexity = low
diff --git a/products/al2023/CMakeLists.txt b/products/al2023/CMakeLists.txt
new file mode 100644
index 00000000000..63f7db32c8c
--- /dev/null
+++ b/products/al2023/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Sometimes our users will try to do: "cd al2023; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "al2023")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_cce_table(${PRODUCT})
diff --git a/products/al2023/product.yml b/products/al2023/product.yml
new file mode 100644
index 00000000000..32cf5501a2e
--- /dev/null
+++ b/products/al2023/product.yml
@@ -0,0 +1,38 @@
+product: al2023
+full_name: Amazon Linux 2023
+type: platform
+
+benchmark_id: AL-2023
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+groups:
+ dedicated_ssh_keyowner:
+ name: ssh_keys
+
+sshd_distributed_config: "true"
+
+faillock_path: "/var/log/faillock"
+
+release_key_fingerprint: "B21C50FA44A99720EAA72F7FE951904AD832C631"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - al2023:
+ name: "cpe:/o:amazon:amazon_linux:2023"
+ title: "Amazon Linux 2023"
+ check_id: installed_OS_is_al2023
+
+platform_package_overrides:
+ login_defs: "shadow-utils"
+
+reference_uris:
+ cis: 'https://www.cisecurity.org/benchmark/amazon_linux/'
+
+journald_conf_dir_path: /etc/systemd/journald.conf.d
diff --git a/products/al2023/profiles/cis.profile b/products/al2023/profiles/cis.profile
new file mode 100644
index 00000000000..10bd27080c0
--- /dev/null
+++ b/products/al2023/profiles/cis.profile
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+ SMEs:
+ - hipponix
+
+reference: https://www.cisecurity.org/benchmark/amazon_linux/
+
+title: 'CIS Amazon Linux 2023 Benchmark for Level 2 - Server'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 2 - Server"
+ configuration from the Center for Internet Security® Amazon Linux
+ 2023 Benchmark™, v1.0.0, released 2023-06-26.
+
+ This profile includes Center for Internet Security®
+ Amazon Linux 2023 CIS Benchmarks™ content.
+
+selections:
+ - cis_al2023:all:l2_server
diff --git a/products/al2023/profiles/cis_server_l1.profile b/products/al2023/profiles/cis_server_l1.profile
new file mode 100644
index 00000000000..f9e9e4879d7
--- /dev/null
+++ b/products/al2023/profiles/cis_server_l1.profile
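Review bot: `release_key_fingerprint: "B21C50FA44A99720EAA72F7FE951904AD832C631"` in product.yml is the trust anchor that the new GPG-key rule and its fixtext (`rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023`) presumably compare against, yet nothing in the commit records where the value was taken from or how it was checked. A wrong or stale fingerprint here silently makes the rule either fail on every host or accept the wrong key, so record its provenance next to the value, e.g. `# Fingerprint of RPM-GPG-KEY-amazon-linux-2023 as shipped in /etc/pki/rpm-gpg; re-verify with gpg --show-keys --with-fingerprint before changing`. I could not verify the value itself from the diff. The `cpes` entry also names `check_id: installed_OS_is_al2023`, whose applicability check is not part of the visible diff, so the build will need it to exist under shared/applicability.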
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+ SMEs:
+ - hipponix
+
+reference: https://www.cisecurity.org/benchmark/amazon_linux/
+
+title: 'CIS Amazon Linux 2023 Benchmark for Level 1 - Server'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 1 - Server"
+ configuration from the Center for Internet Security® Amazon Linux
+ 2023 Benchmark™, v1.0.0, released 2023-06-26.
+
+ This profile includes Center for Internet Security®
+ Amazon Linux 2023 CIS Benchmarks™ content.
+
+selections:
+ - cis_al2023:all:l1_server
diff --git a/products/al2023/transforms/constants.xslt b/products/al2023/transforms/constants.xslt
new file mode 100644
index 00000000000..9f9b9807141
--- /dev/null
+++ b/products/al2023/transforms/constants.xslt
@@ -0,0 +1,12 @@
+public key
