CIS Google Container-Optimized OS L1 Server v1.0.0

Audit Details

Name: CIS Google Container-Optimized OS L1 Server v1.0.0

Updated: 9/7/2022

Authority: CIS

Plugin: Unix

Revision: 1.1

Estimated Item Count: 82

File Details

Filename: CIS_Google_Container_Optimized_OS_v1.0.0_L1_Server.audit

Size: 168 kB

MD5: 8cb70709ee2f37331f50e6e5626f11ff
SHA256: 3d524a56bbebb3de600a21f2ec2f126f8cd1063ca27f95f4f6519c63da2f0907

Audit Items

Description | Categories
--- | ---
1.1.2 Ensure /tmp is configured - config check | ACCESS CONTROL, MEDIA PROTECTION
1.1.2 Ensure /tmp is configured - mount check | ACCESS CONTROL, MEDIA PROTECTION
1.1.3 Ensure nodev option set on /tmp partition | ACCESS CONTROL, MEDIA PROTECTION
1.1.4 Ensure nosuid option set on /tmp partition | ACCESS CONTROL, MEDIA PROTECTION
1.1.5 Ensure noexec option set on /tmp partition | CONFIGURATION MANAGEMENT
1.1.9 Ensure nodev option set on /home partition | ACCESS CONTROL, MEDIA PROTECTION
1.1.10 Ensure nodev option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION
1.1.11 Ensure nosuid option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION
1.1.12 Ensure noexec option set on /dev/shm partition | CONFIGURATION MANAGEMENT
1.1.13 Disable Automounting | MEDIA PROTECTION, SYSTEM AND INFORMATION INTEGRITY
1.2.1 Ensure dm-verity is enabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY
1.3.1 Ensure authentication required for single user mode - emergency.service | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION
1.3.1 Ensure authentication required for single user mode - rescue.service | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION
1.4.2 Ensure XD/NX support is enabled | SYSTEM AND INFORMATION INTEGRITY
1.4.3 Ensure address space layout randomization (ASLR) is enabled - sysctl | SYSTEM AND INFORMATION INTEGRITY
1.4.3 Ensure address space layout randomization (ASLR) is enabled - sysctl.conf sysctl.d | SYSTEM AND INFORMATION INTEGRITY
1.5.1.2 Ensure local login warning banner is configured properly - banner text | CONFIGURATION MANAGEMENT
1.5.1.2 Ensure local login warning banner is configured properly - platform flags | CONFIGURATION MANAGEMENT
1.5.1.3 Ensure remote login warning banner is configured properly - banner text | CONFIGURATION MANAGEMENT
1.5.1.3 Ensure remote login warning banner is configured properly - platform flags | CONFIGURATION MANAGEMENT
1.5.1.5 Ensure permissions on /etc/issue are configured | ACCESS CONTROL, MEDIA PROTECTION
1.6 Ensure AppArmor is installed | ACCESS CONTROL, MEDIA PROTECTION
2.1.1.1 Ensure time synchronization is in use | AUDIT AND ACCOUNTABILITY
2.1.2 Ensure X Window System is not installed | CONFIGURATION MANAGEMENT
2.1.3 Ensure NFS and RPC are not enabled - nfs-server | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
2.1.3 Ensure NFS and RPC are not enabled - rpcbind | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
2.1.4 Ensure rsync service is not enabled | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
3.1.1 Ensure packet redirect sending is disabled - net.ipv4.conf.all.send_redirects (sysctl.conf/sysctl.d) | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
3.1.1 Ensure packet redirect sending is disabled - net.ipv4.conf.default.send_redirects (sysctl.conf/sysctl.d) | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
3.1.1 Ensure packet redirect sending is disabled - sysctl net.ipv4.conf.all.send_redirects | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
3.1.1 Ensure packet redirect sending is disabled - sysctl net.ipv4.conf.default.send_redirects | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
3.2.5 Ensure broadcast ICMP requests are ignored - sysctl exec | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2.5 Ensure broadcast ICMP requests are ignored - sysctl.conf/sysctl.d | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2.6 Ensure bogus ICMP responses are ignored - sysctl exec | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2.6 Ensure bogus ICMP responses are ignored - sysctl.conf/sysctl.d | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter (sysctl.conf/sysctl.d) | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.default.rp_filter (sysctl.conf/sysctl.d) | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2.7 Ensure Reverse Path Filtering is enabled - sysctl net.ipv4.conf.all.rp_filter | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2.7 Ensure Reverse Path Filtering is enabled - sysctl net.ipv4.conf.default.rp_filter | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2.8 Ensure TCP SYN Cookies is enabled - sysctl exec | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2.8 Ensure TCP SYN Cookies is enabled - sysctl.conf/sysctl.d | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
3.3.3 Ensure iptables is installed | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
4.1.2.2 Ensure journald is configured to write logfiles to persistent disk | AUDIT AND ACCOUNTABILITY
5.1.1 Ensure permissions on /etc/ssh/sshd_config are configured | ACCESS CONTROL, MEDIA PROTECTION
5.1.2 Ensure permissions on SSH private host key files are configured | ACCESS CONTROL, MEDIA PROTECTION
5.1.3 Ensure permissions on SSH public host key files are configured | ACCESS CONTROL, MEDIA PROTECTION
5.1.4 Ensure SSH Protocol is set to 2 | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION
5.1.5 Ensure SSH LogLevel is appropriate | AUDIT AND ACCOUNTABILITY
5.1.6 Ensure SSH X11 forwarding is disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.1.8 Ensure SSH IgnoreRhosts is enabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION