Name: CIS Google Container-Optimized OS L2 Server v1.1.0
Updated: 8/29/2023
Authority: CIS
Plugin: Unix
Revision: 1.2
Estimated Item Count: 94
Filename: CIS_Google_Container_Optimized_OS_v1.1.0_L2_Server.audit
Size: 220 kB
Description | Categories |
---|---|
1.1.1.1 Ensure mounting of udf filesystems is disabled - lsmod | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.1.1.1 Ensure mounting of udf filesystems is disabled - modprobe | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.1.6 Ensure nosuid option set on /var partition | ACCESS CONTROL, MEDIA PROTECTION |
1.1.7 Ensure noexec option set on /var partition | CONFIGURATION MANAGEMENT |
1.1.8 Ensure nodev option set on /var partition | ACCESS CONTROL, MEDIA PROTECTION |
1.4.1 Ensure core dumps are restricted - limits config | CONFIGURATION MANAGEMENT |
1.4.1 Ensure core dumps are restricted - processsizemax | CONFIGURATION MANAGEMENT |
1.4.1 Ensure core dumps are restricted - storage | CONFIGURATION MANAGEMENT |
1.4.1 Ensure core dumps are restricted - sysctl | CONFIGURATION MANAGEMENT |
1.5.1.1 Ensure message of the day is configured properly - banner text | CONFIGURATION MANAGEMENT |
1.5.1.1 Ensure message of the day is configured properly - platform flags | CONFIGURATION MANAGEMENT |
1.5.1.4 Ensure permissions on /etc/motd are configured | ACCESS CONTROL, MEDIA PROTECTION |
1.5.1.6 Ensure permissions on /etc/issue.net are configured | ACCESS CONTROL, MEDIA PROTECTION |
2.1.1.2 Ensure chrony is configured - NTP server | AUDIT AND ACCOUNTABILITY |
2.1.1.2 Ensure chrony is configured - process | AUDIT AND ACCOUNTABILITY |
3.2.1 Ensure source routed packets are not accepted - net.ipv4.conf.all.accept_source_route | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.1 Ensure source routed packets are not accepted - net.ipv4.conf.default.accept_source_route | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.1 Ensure source routed packets are not accepted - net.ipv6.conf.all.accept_source_route | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.1 Ensure source routed packets are not accepted - net.ipv6.conf.default.accept_source_route | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.all.accept_redirects | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.default.accept_redirects | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.all.accept_redirects | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.default.accept_redirects | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.3 Ensure secure ICMP redirects are not accepted - net.ipv4.conf.all.secure_redirects | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.3 Ensure secure ICMP redirects are not accepted - net.ipv4.conf.default.secure_redirects | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.4 Ensure suspicious packets are logged - net.ipv4.conf.all.log_martians | AUDIT AND ACCOUNTABILITY |
3.2.4 Ensure suspicious packets are logged - net.ipv4.conf.default.log_martians | AUDIT AND ACCOUNTABILITY |
3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.all.accept_ra | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.1.1 Ensure IPv6 default deny firewall policy - Chain FORWARD | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.1.1 Ensure IPv6 default deny firewall policy - Chain INPUT | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.1.1 Ensure IPv6 default deny firewall policy - Chain OUTPUT | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.1.2 Ensure IPv6 loopback traffic is configured | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.1.3 Ensure IPv6 outbound and established connections are configured | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.1.4 Ensure IPv6 firewall rules exist for all open ports | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.2.1 Ensure default deny firewall policy - Chain FORWARD | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.2.1 Ensure default deny firewall policy - Chain INPUT | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.2.1 Ensure default deny firewall policy - Chain OUTPUT | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.2.2 Ensure loopback traffic is configured | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.2.3 Ensure outbound and established connections are configured | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.1.1 Ensure correct container image is set for stackdriver logging agent | AUDIT AND ACCOUNTABILITY |
4.1.1.2 Ensure logging Service is running | AUDIT AND ACCOUNTABILITY |
4.1.1.3 Ensure logging is configured | AUDIT AND ACCOUNTABILITY |
4.1.2.1 Ensure journald is configured to compress large log files | AUDIT AND ACCOUNTABILITY |
4.1.3 Ensure permissions on all logfiles are configured | ACCESS CONTROL, MEDIA PROTECTION |
4.2 Ensure logrotate is configured | AUDIT AND ACCOUNTABILITY |
5.1.7 Ensure SSH MaxAuthTries is set to 4 or less | AUDIT AND ACCOUNTABILITY |
5.1.14 Ensure only strong MAC algorithms are used | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
5.1.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax | ACCESS CONTROL |
5.1.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval | ACCESS CONTROL |