Detections
Analytics
CIS Google Container-Optimized OS v1.2.0 L1 Server
Audit Details
Name: CIS Google Container-Optimized OS v1.2.0 L1 Server
Updated: 10/28/2024
Authority: CIS
Plugin: Unix
Revision: 1.0
Estimated Item Count: 63
File Details
Filename: CIS_Google_Container-Optimized_OS_v1.2.0_L1_Server.audit
Size: 144 kB
Audit Items
| Description | Categories |
|---|---|
| 1.1.2 Ensure /tmp is configured | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.3 Ensure nodev option set on /tmp partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.4 Ensure nosuid option set on /tmp partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.5 Ensure noexec option set on /tmp partition | CONFIGURATION MANAGEMENT |
| 1.1.9 Ensure nodev option set on /home partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.10 Ensure nodev option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.11 Ensure nosuid option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.12 Ensure noexec option set on /dev/shm partition | CONFIGURATION MANAGEMENT |
| 1.1.13 Disable Automounting | MEDIA PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 1.2.1 Ensure dm-verity is enabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.3.1 Ensure authentication required for single user mode | IDENTIFICATION AND AUTHENTICATION |
| 1.4.2 Ensure XD/NX support is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 1.4.3 Ensure address space layout randomization (ASLR) is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 1.5.1.2 Ensure local login warning banner is configured properly | CONFIGURATION MANAGEMENT |
| 1.5.1.3 Ensure remote login warning banner is configured properly | CONFIGURATION MANAGEMENT |
| 1.5.1.5 Ensure permissions on /etc/issue are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 1.6 Ensure AppArmor is installed | ACCESS CONTROL, MEDIA PROTECTION |
| 2.1.1.1 Ensure time synchronization is in use | AUDIT AND ACCOUNTABILITY |
| 2.1.2 Ensure X Window System is not installed | CONFIGURATION MANAGEMENT |
| 2.1.3 Ensure NFS and RPC are not enabled | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.4 Ensure rsync service is not enabled | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Ensure packet redirect sending is disabled | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.5 Ensure broadcast ICMP requests are ignored | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.6 Ensure bogus ICMP responses are ignored | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.7 Ensure Reverse Path Filtering is enabled | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.8 Ensure TCP SYN Cookies is enabled | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.3 Ensure iptables is installed | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2.2 Ensure journald is configured to write logfiles to persistent disk | AUDIT AND ACCOUNTABILITY |
| 5.1.1 Ensure permissions on /etc/ssh/sshd_config are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.2 Ensure permissions on SSH private host key files are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.3 Ensure permissions on SSH public host key files are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.4 Ensure SSH Protocol is set to 2 | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.5 Ensure SSH LogLevel is appropriate | AUDIT AND ACCOUNTABILITY |
| 5.1.6 Ensure SSH X11 forwarding is disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.8 Ensure SSH IgnoreRhosts is enabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.9 Ensure SSH HostbasedAuthentication is disabled | IDENTIFICATION AND AUTHENTICATION |
| 5.1.10 Ensure SSH root login is disabled | ACCESS CONTROL |
| 5.1.11 Ensure SSH PermitEmptyPasswords is disabled | IDENTIFICATION AND AUTHENTICATION |
| 5.1.12 Ensure SSH PermitUserEnvironment is disabled | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.13 Ensure only strong Ciphers are used | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.15 Ensure only strong Key Exchange algorithms are used | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.19 Ensure SSH PAM is enabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.3.1.3 Ensure password expiration warning days is 7 or more | IDENTIFICATION AND AUTHENTICATION |
| 5.3.1.5 Ensure all users last password change date is in the past | IDENTIFICATION AND AUTHENTICATION |
| 5.3.3 Ensure default group for the root account is GID 0 | ACCESS CONTROL, MEDIA PROTECTION |
| 5.4 Ensure root login is restricted to system console | ACCESS CONTROL |
| 5.5 Ensure access to the su command is restricted | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.1 Ensure permissions on /etc/passwd are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.2 Ensure permissions on /etc/shadow are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.3 Ensure permissions on /etc/group are configured | ACCESS CONTROL, MEDIA PROTECTION |