CIS Google Container-Optimized OS L2 Server v1.0.0

Audit Details

Name: CIS Google Container-Optimized OS L2 Server v1.0.0

Updated: 7/15/2022

Authority: CIS

Plugin: Unix

Revision: 1.0

Estimated Item Count: 93

File Details

Filename: CIS_Google_Container_Optimized_OS_v1.0.0_L2_Server.audit

Size: 184 kB

MD5: 36d5ea35c6c481330df10b42456add2e
SHA256: 5dc9020619314d9460a37c302b0fae445000ce4b4924debbea4c4b4d10f8d053

Audit Items

Description / Categories
1.1.1.1 Ensure mounting of udf filesystems is disabled - lsmod

ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.1.1.1 Ensure mounting of udf filesystems is disabled - modprobe

ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.1.6 Ensure nosuid option set on /var partition

ACCESS CONTROL, MEDIA PROTECTION

1.1.7 Ensure noexec option set on /var partition

CONFIGURATION MANAGEMENT

1.1.8 Ensure nodev option set on /var partition

ACCESS CONTROL, MEDIA PROTECTION

1.4.1 Ensure core dumps are restricted - limits config

CONFIGURATION MANAGEMENT

1.4.1 Ensure core dumps are restricted - processsizemax

CONFIGURATION MANAGEMENT

1.4.1 Ensure core dumps are restricted - storage

CONFIGURATION MANAGEMENT

1.4.1 Ensure core dumps are restricted - sysctl

CONFIGURATION MANAGEMENT

1.5.1.1 Ensure message of the day is configured properly - banner text

CONFIGURATION MANAGEMENT

1.5.1.1 Ensure message of the day is configured properly - platform flags

CONFIGURATION MANAGEMENT

1.5.1.4 Ensure permissions on /etc/motd are configured

ACCESS CONTROL, MEDIA PROTECTION

1.5.1.6 Ensure permissions on /etc/issue.net are configured

ACCESS CONTROL, MEDIA PROTECTION

2.1.1.2 Ensure chrony is configured - NTP server

AUDIT AND ACCOUNTABILITY

2.1.1.2 Ensure chrony is configured - process

AUDIT AND ACCOUNTABILITY

3.2.1 Ensure source routed packets are not accepted - net.ipv4.conf.all.accept_source_route

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.1 Ensure source routed packets are not accepted - net.ipv4.conf.default.accept_source_route

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.1 Ensure source routed packets are not accepted - net.ipv6.conf.all.accept_source_route

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.1 Ensure source routed packets are not accepted - net.ipv6.conf.default.accept_source_route

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.all.accept_redirects

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.default.accept_redirects

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.all.accept_redirects

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.default.accept_redirects

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.3 Ensure secure ICMP redirects are not accepted - net.ipv4.conf.all.secure_redirects

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.3 Ensure secure ICMP redirects are not accepted - net.ipv4.conf.default.secure_redirects

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.4 Ensure suspicious packets are logged - net.ipv4.conf.all.log_martians

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.2.4 Ensure suspicious packets are logged - net.ipv4.conf.default.log_martians

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.all.accept_ra

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.3.1.1 Ensure IPv6 default deny firewall policy - Chain FORWARD

SECURITY ASSESSMENT AND AUTHORIZATION

3.3.1.1 Ensure IPv6 default deny firewall policy - Chain INPUT

SECURITY ASSESSMENT AND AUTHORIZATION

3.3.1.1 Ensure IPv6 default deny firewall policy - Chain OUTPUT

SECURITY ASSESSMENT AND AUTHORIZATION

3.3.1.2 Ensure IPv6 loopback traffic is configured

SECURITY ASSESSMENT AND AUTHORIZATION

3.3.1.3 Ensure IPv6 outbound and established connections are configured

SECURITY ASSESSMENT AND AUTHORIZATION

3.3.1.4 Ensure IPv6 firewall rules exist for all open ports

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.3.2.1 Ensure default deny firewall policy - Chain FORWARD

SECURITY ASSESSMENT AND AUTHORIZATION

3.3.2.1 Ensure default deny firewall policy - Chain INPUT

SECURITY ASSESSMENT AND AUTHORIZATION

3.3.2.1 Ensure default deny firewall policy - Chain OUTPUT

SECURITY ASSESSMENT AND AUTHORIZATION

3.3.2.2 Ensure loopback traffic is configured

SECURITY ASSESSMENT AND AUTHORIZATION

3.3.2.3 Ensure outbound and established connections are configured

SECURITY ASSESSMENT AND AUTHORIZATION

4.1.1.1 Ensure correct container image is set for stackdriver logging agent

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

4.1.1.2 Ensure stackdriver Service is running

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

4.1.1.3 Ensure logging is configured

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

4.1.2.1 Ensure journald is configured to compress large log files

AUDIT AND ACCOUNTABILITY

4.1.3 Ensure permissions on all logfiles are configured

ACCESS CONTROL, MEDIA PROTECTION

4.2 Ensure logrotate is configured

AUDIT AND ACCOUNTABILITY

5.1.7 Ensure SSH MaxAuthTries is set to 4 or less

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

5.1.14 Ensure only strong MAC algorithms are used

SYSTEM AND COMMUNICATIONS PROTECTION

5.1.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax

ACCESS CONTROL

5.1.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval

ACCESS CONTROL