| 1.1.1.1 Ensure mounting of udf filesystems is disabled | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.1.6 Ensure nosuid option set on /var partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.7 Ensure noexec option set on /var partition | CONFIGURATION MANAGEMENT |
| 1.1.8 Ensure nodev option set on /var partition | ACCESS CONTROL, MEDIA PROTECTION |
| 1.4.1 Ensure core dumps are restricted | CONFIGURATION MANAGEMENT |
| 1.5.1.1 Ensure message of the day is configured properly | CONFIGURATION MANAGEMENT |
| 1.5.1.4 Ensure permissions on /etc/motd are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 1.5.1.6 Ensure permissions on /etc/issue.net are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 2.1.1.2 Ensure chrony is configured | AUDIT AND ACCOUNTABILITY |
| 3.2.1 Ensure source routed packets are not accepted | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.2 Ensure ICMP redirects are not accepted | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.3 Ensure secure ICMP redirects are not accepted | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.4 Ensure suspicious packets are logged | AUDIT AND ACCOUNTABILITY |
| 3.2.9 Ensure IPv6 router advertisements are not accepted | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.1.1 Ensure IPv6 default deny firewall policy | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.1.2 Ensure IPv6 loopback traffic is configured | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.1.3 Ensure IPv6 outbound and established connections are configured | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.1.4 Ensure IPv6 firewall rules exist for all open ports | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.2.1 Ensure default deny firewall policy | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.2.2 Ensure loopback traffic is configured | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.2.3 Ensure outbound and established connections are configured | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.1.1 Ensure correct container image is set for stackdriver logging agent | AUDIT AND ACCOUNTABILITY |
| 4.1.1.2 Ensure Logging Service is Running | AUDIT AND ACCOUNTABILITY |
| 4.1.1.3 Ensure logging is configured | AUDIT AND ACCOUNTABILITY |
| 4.1.2.1 Ensure journald is configured to compress large log files | AUDIT AND ACCOUNTABILITY |
| 4.1.3 Ensure permissions on all logfiles are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2 Ensure logrotate is configured | AUDIT AND ACCOUNTABILITY |
| 5.1.7 Ensure SSH MaxAuthTries is set to 4 or less | AUDIT AND ACCOUNTABILITY |
| 5.1.14 Ensure only strong MAC algorithms are used | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.16 Ensure SSH Idle Timeout Interval is configured | ACCESS CONTROL |
| 5.1.17 Ensure SSH LoginGraceTime is set to one minute or less | CONFIGURATION MANAGEMENT |
| 5.1.18 Ensure SSH warning banner is configured | CONFIGURATION MANAGEMENT |
| 5.1.20 Ensure SSH AllowTcpForwarding is disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.21 Ensure SSH MaxStartups is configured | CONFIGURATION MANAGEMENT |
| 5.1.22 Ensure SSH MaxSessions is set to 4 or less | CONFIGURATION MANAGEMENT |
| 5.2.1 Ensure password creation requirements are configured | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2 Ensure password reuse is limited | IDENTIFICATION AND AUTHENTICATION |
| 5.2.3 Ensure password hashing algorithm is SHA-512 | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.3.1.1 Ensure password expiration is 365 days or less | IDENTIFICATION AND AUTHENTICATION |
| 5.3.1.2 Ensure minimum days between password changes is 7 or more | IDENTIFICATION AND AUTHENTICATION |
| 5.3.1.4 Ensure inactive password lock is 30 days or less | IDENTIFICATION AND AUTHENTICATION |
| 5.3.2 Ensure system accounts are secured | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.3.4 Ensure default user umask is 027 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION |
| 5.3.5 Ensure default user shell timeout is 900 seconds or less | ACCESS CONTROL |
| 6.1.5 Ensure permissions on /etc/passwd- are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.6 Ensure permissions on /etc/shadow- are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.8 Ensure permissions on /etc/gshadow- are configured | ACCESS CONTROL, MEDIA PROTECTION |
| 6.2.6 Ensure root PATH Integrity | CONFIGURATION MANAGEMENT |
| 6.2.7 Ensure all users' home directories exist | CONFIGURATION MANAGEMENT |
| 6.2.8 Ensure users' home directories permissions are 750 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION |
