CIS Google Container-Optimized OS v1.2.0 L2 Server

Audit Details

Name: CIS Google Container-Optimized OS v1.2.0 L2 Server

Updated: 10/28/2024

Authority: CIS

Plugin: Unix

Revision: 1.0

Estimated Item Count: 58

File Details

Filename: CIS_Google_Container-Optimized_OS_v1.2.0_L2_Server.audit

Size: 172 kB

MD5: ab93b4ed99da742bfd1bd0f0ab1be1bd
SHA256: b722006fb78e7f8149aebbc89a2b701bd889ee1aa18c60dbb417bc24961b1c6f

Audit Items

Description / Categories
1.1.1.1 Ensure mounting of udf filesystems is disabled

ACCESS CONTROL, CONFIGURATION MANAGEMENT

1.1.6 Ensure nosuid option set on /var partition

ACCESS CONTROL, MEDIA PROTECTION

1.1.7 Ensure noexec option set on /var partition

CONFIGURATION MANAGEMENT

1.1.8 Ensure nodev option set on /var partition

ACCESS CONTROL, MEDIA PROTECTION

1.4.1 Ensure core dumps are restricted

CONFIGURATION MANAGEMENT

1.5.1.1 Ensure message of the day is configured properly

CONFIGURATION MANAGEMENT

1.5.1.4 Ensure permissions on /etc/motd are configured

ACCESS CONTROL, MEDIA PROTECTION

1.5.1.6 Ensure permissions on /etc/issue.net are configured

ACCESS CONTROL, MEDIA PROTECTION

2.1.1.2 Ensure chrony is configured

AUDIT AND ACCOUNTABILITY

3.2.1 Ensure source routed packets are not accepted

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.2 Ensure ICMP redirects are not accepted

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.3 Ensure secure ICMP redirects are not accepted

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.4 Ensure suspicious packets are logged

AUDIT AND ACCOUNTABILITY

3.2.9 Ensure IPv6 router advertisements are not accepted

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.1 Ensure IPv6 default deny firewall policy

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.2 Ensure IPv6 loopback traffic is configured

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.3 Ensure IPv6 outbound and established connections are configured

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.1.4 Ensure IPv6 firewall rules exist for all open ports

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.2.1 Ensure default deny firewall policy

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.2.2 Ensure loopback traffic is configured

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.3.2.3 Ensure outbound and established connections are configured

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.1.1 Ensure correct container image is set for stackdriver logging agent

AUDIT AND ACCOUNTABILITY

4.1.1.2 Ensure Logging Service is Running

AUDIT AND ACCOUNTABILITY

4.1.1.3 Ensure logging is configured

AUDIT AND ACCOUNTABILITY

4.1.2.1 Ensure journald is configured to compress large log files

AUDIT AND ACCOUNTABILITY

4.1.3 Ensure permissions on all logfiles are configured

ACCESS CONTROL, MEDIA PROTECTION

4.2 Ensure logrotate is configured

AUDIT AND ACCOUNTABILITY

5.1.7 Ensure SSH MaxAuthTries is set to 4 or less

AUDIT AND ACCOUNTABILITY

5.1.14 Ensure only strong MAC algorithms are used

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1.16 Ensure SSH Idle Timeout Interval is configured

ACCESS CONTROL

5.1.17 Ensure SSH LoginGraceTime is set to one minute or less

CONFIGURATION MANAGEMENT

5.1.18 Ensure SSH warning banner is configured

CONFIGURATION MANAGEMENT

5.1.20 Ensure SSH AllowTcpForwarding is disabled

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1.21 Ensure SSH MaxStartups is configured

CONFIGURATION MANAGEMENT

5.1.22 Ensure SSH MaxSessions is set to 4 or less

CONFIGURATION MANAGEMENT

5.2.1 Ensure password creation requirements are configured

IDENTIFICATION AND AUTHENTICATION

5.2.2 Ensure password reuse is limited

IDENTIFICATION AND AUTHENTICATION

5.2.3 Ensure password hashing algorithm is SHA-512

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.3.1.1 Ensure password expiration is 365 days or less

IDENTIFICATION AND AUTHENTICATION

5.3.1.2 Ensure minimum days between password changes is 7 or more

IDENTIFICATION AND AUTHENTICATION

5.3.1.4 Ensure inactive password lock is 30 days or less

IDENTIFICATION AND AUTHENTICATION

5.3.2 Ensure system accounts are secured

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

5.3.4 Ensure default user umask is 027 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

5.3.5 Ensure default user shell timeout is 900 seconds or less

ACCESS CONTROL

6.1.5 Ensure permissions on /etc/passwd- are configured

ACCESS CONTROL, MEDIA PROTECTION

6.1.6 Ensure permissions on /etc/shadow- are configured

ACCESS CONTROL, MEDIA PROTECTION

6.1.8 Ensure permissions on /etc/gshadow- are configured

ACCESS CONTROL, MEDIA PROTECTION

6.2.6 Ensure root PATH Integrity

CONFIGURATION MANAGEMENT

6.2.7 Ensure all users' home directories exist

CONFIGURATION MANAGEMENT

6.2.8 Ensure users' home directories permissions are 750 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION