CIS Google Container-Optimized OS L1 Server v1.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Google Container-Optimized OS L1 Server v1.0.0

Updated: 6/13/2023

Authority: CIS

Plugin: Unix

Revision: 1.7

Estimated Item Count: 83

Audit Items

Description
1.1.2 Ensure /tmp is configured - config check
1.1.2 Ensure /tmp is configured - mount check
1.1.3 Ensure nodev option set on /tmp partition
1.1.4 Ensure nosuid option set on /tmp partition
1.1.5 Ensure noexec option set on /tmp partition
1.1.9 Ensure nodev option set on /home partition
1.1.10 Ensure nodev option set on /dev/shm partition
1.1.11 Ensure nosuid option set on /dev/shm partition
1.1.12 Ensure noexec option set on /dev/shm partition
1.1.13 Disable Automounting
1.2.1 Ensure dm-verity is enabled
1.3.1 Ensure authentication required for single user mode - emergency.service
1.3.1 Ensure authentication required for single user mode - rescue.service
1.4.2 Ensure XD/NX support is enabled
1.4.3 Ensure address space layout randomization (ASLR) is enabled - sysctl
1.4.3 Ensure address space layout randomization (ASLR) is enabled - sysctl.conf sysctl.d
1.5.1.2 Ensure local login warning banner is configured properly - banner text
1.5.1.2 Ensure local login warning banner is configured properly - platform flags
1.5.1.3 Ensure remote login warning banner is configured properly - banner text
1.5.1.3 Ensure remote login warning banner is configured properly - platform flags
1.5.1.5 Ensure permissions on /etc/issue are configured
1.6 Ensure AppArmor is installed
2.1.1.1 Ensure time synchronization is in use
2.1.2 Ensure X Window System is not installed
2.1.3 Ensure NFS and RPC are not enabled - nfs-server
2.1.3 Ensure NFS and RPC are not enabled - rpcbind
2.1.4 Ensure rsync service is not enabled
3.1.1 Ensure packet redirect sending is disabled - net.ipv4.conf.all.send_redirects (sysctl.conf/sysctl.d)
3.1.1 Ensure packet redirect sending is disabled - net.ipv4.conf.default.send_redirects (sysctl.conf/sysctl.d)
3.1.1 Ensure packet redirect sending is disabled - sysctl net.ipv4.conf.all.send_redirects
3.1.1 Ensure packet redirect sending is disabled - sysctl net.ipv4.conf.default.send_redirects
3.2.5 Ensure broadcast ICMP requests are ignored - sysctl exec
3.2.5 Ensure broadcast ICMP requests are ignored - sysctl.conf/sysctl.d
3.2.6 Ensure bogus ICMP responses are ignored - sysctl exec
3.2.6 Ensure bogus ICMP responses are ignored - sysctl.conf/sysctl.d
3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter (sysctl.conf/sysctl.d)
3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.default.rp_filter (sysctl.conf/sysctl.d)
3.2.7 Ensure Reverse Path Filtering is enabled - sysctl net.ipv4.conf.all.rp_filter
3.2.7 Ensure Reverse Path Filtering is enabled - sysctl net.ipv4.conf.default.rp_filter
3.2.8 Ensure TCP SYN Cookies is enabled - sysctl exec
3.2.8 Ensure TCP SYN Cookies is enabled - sysctl.conf/sysctl.d
3.3.3 Ensure iptables is installed
4.1.2.2 Ensure journald is configured to write logfiles to persistent disk
5.1.1 Ensure permissions on /etc/ssh/sshd_config are configured
5.1.2 Ensure permissions on SSH private host key files are configured
5.1.3 Ensure permissions on SSH public host key files are configured
5.1.4 Ensure SSH Protocol is set to 2
5.1.5 Ensure SSH LogLevel is appropriate
5.1.6 Ensure SSH X11 forwarding is disabled
5.1.8 Ensure SSH IgnoreRhosts is enabled