CIS Google Container-Optimized OS L2 Server v1.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: CIS Google Container-Optimized OS L2 Server v1.0.0

Updated: 6/13/2023

Authority: CIS

Plugin: Unix

Revision: 1.10

Estimated Item Count: 94

Audit Items

Description
1.1.1.1 Ensure mounting of udf filesystems is disabled - lsmod
1.1.1.1 Ensure mounting of udf filesystems is disabled - modprobe
1.1.6 Ensure nosuid option set on /var partition
1.1.7 Ensure noexec option set on /var partition
1.1.8 Ensure nodev option set on /var partition
1.4.1 Ensure core dumps are restricted - limits config
1.4.1 Ensure core dumps are restricted - processsizemax
1.4.1 Ensure core dumps are restricted - storage
1.4.1 Ensure core dumps are restricted - sysctl
1.5.1.1 Ensure message of the day is configured properly - banner text
1.5.1.1 Ensure message of the day is configured properly - platform flags
1.5.1.4 Ensure permissions on /etc/motd are configured
1.5.1.6 Ensure permissions on /etc/issue.net are configured
2.1.1.2 Ensure chrony is configured - NTP server
2.1.1.2 Ensure chrony is configured - process
3.2.1 Ensure source routed packets are not accepted - net.ipv4.conf.all.accept_source_route
3.2.1 Ensure source routed packets are not accepted - net.ipv4.conf.default.accept_source_route
3.2.1 Ensure source routed packets are not accepted - net.ipv6.conf.all.accept_source_route
3.2.1 Ensure source routed packets are not accepted - net.ipv6.conf.default.accept_source_route
3.2.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.all.accept_redirects
3.2.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.default.accept_redirects
3.2.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.all.accept_redirects
3.2.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.default.accept_redirects
3.2.3 Ensure secure ICMP redirects are not accepted - net.ipv4.conf.all.secure_redirects
3.2.3 Ensure secure ICMP redirects are not accepted - net.ipv4.conf.default.secure_redirects
3.2.4 Ensure suspicious packets are logged - net.ipv4.conf.all.log_martians
3.2.4 Ensure suspicious packets are logged - net.ipv4.conf.default.log_martians
3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.all.accept_ra
3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra
3.3.1.1 Ensure IPv6 default deny firewall policy - Chain FORWARD
3.3.1.1 Ensure IPv6 default deny firewall policy - Chain INPUT
3.3.1.1 Ensure IPv6 default deny firewall policy - Chain OUTPUT
3.3.1.2 Ensure IPv6 loopback traffic is configured
3.3.1.3 Ensure IPv6 outbound and established connections are configured
3.3.1.4 Ensure IPv6 firewall rules exist for all open ports
3.3.2.1 Ensure default deny firewall policy - Chain FORWARD
3.3.2.1 Ensure default deny firewall policy - Chain INPUT
3.3.2.1 Ensure default deny firewall policy - Chain OUTPUT
3.3.2.2 Ensure loopback traffic is configured
3.3.2.3 Ensure outbound and established connections are configured
4.1.1.1 Ensure correct container image is set for stackdriver logging agent
4.1.1.2 Ensure stackdriver Service is running
4.1.1.3 Ensure logging is configured
4.1.2.1 Ensure journald is configured to compress large log files
4.1.3 Ensure permissions on all logfiles are configured
4.2 Ensure logrotate is configured
5.1.7 Ensure SSH MaxAuthTries is set to 4 or less
5.1.14 Ensure only strong MAC algorithms are used
5.1.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax
5.1.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval