Name: CIS Google Container-Optimized OS L1 Server v1.1.0
Updated: 6/17/2024
Authority: CIS
Plugin: Unix
Revision: 1.2
Estimated Item Count: 83
Filename: CIS_Google_Container_Optimized_OS_v1.1.0_L1_Server.audit
Size: 185 kB
Description | Categories |
---|---|
1.1.2 Ensure /tmp is configured - config check | ACCESS CONTROL, MEDIA PROTECTION |
1.1.2 Ensure /tmp is configured - mount check | ACCESS CONTROL, MEDIA PROTECTION |
1.1.3 Ensure nodev option set on /tmp partition | ACCESS CONTROL, MEDIA PROTECTION |
1.1.4 Ensure nosuid option set on /tmp partition | ACCESS CONTROL, MEDIA PROTECTION |
1.1.5 Ensure noexec option set on /tmp partition | CONFIGURATION MANAGEMENT |
1.1.9 Ensure nodev option set on /home partition | ACCESS CONTROL, MEDIA PROTECTION |
1.1.10 Ensure nodev option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION |
1.1.11 Ensure nosuid option set on /dev/shm partition | ACCESS CONTROL, MEDIA PROTECTION |
1.1.12 Ensure noexec option set on /dev/shm partition | CONFIGURATION MANAGEMENT |
1.1.13 Disable Automounting | MEDIA PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
1.2.1 Ensure dm-verity is enabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
1.3.1 Ensure authentication required for single user mode - emergency.service | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION |
1.3.1 Ensure authentication required for single user mode - rescue.service | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION |
1.4.2 Ensure XD/NX support is enabled | SYSTEM AND INFORMATION INTEGRITY |
1.4.3 Ensure address space layout randomization (ASLR) is enabled - sysctl | SYSTEM AND INFORMATION INTEGRITY |
1.4.3 Ensure address space layout randomization (ASLR) is enabled - sysctl.conf sysctl.d | SYSTEM AND INFORMATION INTEGRITY |
1.5.1.2 Ensure local login warning banner is configured properly - banner text | CONFIGURATION MANAGEMENT |
1.5.1.2 Ensure local login warning banner is configured properly - platform flags | CONFIGURATION MANAGEMENT |
1.5.1.3 Ensure remote login warning banner is configured properly - banner text | CONFIGURATION MANAGEMENT |
1.5.1.3 Ensure remote login warning banner is configured properly - platform flags | CONFIGURATION MANAGEMENT |
1.5.1.5 Ensure permissions on /etc/issue are configured | ACCESS CONTROL, MEDIA PROTECTION |
1.6 Ensure AppArmor is installed | ACCESS CONTROL, MEDIA PROTECTION |
2.1.1.1 Ensure time synchronization is in use | AUDIT AND ACCOUNTABILITY |
2.1.2 Ensure X Window System is not installed | CONFIGURATION MANAGEMENT |
2.1.3 Ensure NFS and RPC are not enabled - nfs-server | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
2.1.3 Ensure NFS and RPC are not enabled - rpcbind | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
2.1.4 Ensure rsync service is not enabled | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
3.1.1 Ensure packet redirect sending is disabled - net.ipv4.conf.all.send_redirects (sysctl.conf/sysctl.d) | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
3.1.1 Ensure packet redirect sending is disabled - net.ipv4.conf.default.send_redirects (sysctl.conf/sysctl.d) | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
3.1.1 Ensure packet redirect sending is disabled - sysctl net.ipv4.conf.all.send_redirects | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
3.1.1 Ensure packet redirect sending is disabled - sysctl net.ipv4.conf.default.send_redirects | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.5 Ensure broadcast ICMP requests are ignored - sysctl exec | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.5 Ensure broadcast ICMP requests are ignored - sysctl.conf/sysctl.d | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.6 Ensure bogus ICMP responses are ignored - sysctl exec | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.6 Ensure bogus ICMP responses are ignored - sysctl.conf/sysctl.d | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter' (sysctl.conf/sysctl.d) | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.default.rp_filter' (sysctl.conf/sysctl.d) | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.7 Ensure Reverse Path Filtering is enabled - sysctl net.ipv4.conf.all.rp_filter | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.7 Ensure Reverse Path Filtering is enabled - sysctl net.ipv4.conf.default.rp_filter | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.8 Ensure TCP SYN Cookies is enabled - sysctl exec | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2.8 Ensure TCP SYN Cookies is enabled - sysctl.conf/sysctl.d | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.3.3 Ensure iptables is installed | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.2.2 Ensure journald is configured to write logfiles to persistent disk | AUDIT AND ACCOUNTABILITY |
5.1.1 Ensure permissions on /etc/ssh/sshd_config are configured | ACCESS CONTROL, MEDIA PROTECTION |
5.1.2 Ensure permissions on SSH private host key files are configured | ACCESS CONTROL, MEDIA PROTECTION |
5.1.3 Ensure permissions on SSH public host key files are configured | ACCESS CONTROL, MEDIA PROTECTION |
5.1.4 Ensure SSH Protocol is set to 2 | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION |
5.1.5 Ensure SSH LogLevel is appropriate | AUDIT AND ACCOUNTABILITY |
5.1.6 Ensure SSH X11 forwarding is disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
5.1.8 Ensure SSH IgnoreRhosts is enabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |