# Instance-scanning profile for Container-Optimized OS (COS) 97.
# `version` records the target platform (CPE URI) and the benchmark document this
# profile follows; each `benchmark_id` below names one check included in the profile.
# The ids are presumably defined elsewhere in the repository — verify against the
# benchmark definitions when adding or renaming an entry.
version: { cpe_uri: "cpe:/o:cos:cos_linux:97" version: "1.0.0" benchmark_document: "CIS Container-Optimized OS" }
# Filesystem mount configuration (udf, automount, nodev/nosuid/noexec on /var, /tmp, /home, /dev/shm).
benchmark_id: "udf-mounting-disabled-cos"
benchmark_id: "tmp-configured-cos"
benchmark_id: "var-nodev-cos"
benchmark_id: "var-nosuid-cos"
benchmark_id: "var-noexec-cos"
benchmark_id: "tmp-nodev-cos"
benchmark_id: "tmp-nosuid-cos"
benchmark_id: "tmp-noexec-cos"
benchmark_id: "home-nodev-cos"
benchmark_id: "shm-nodev-cos"
benchmark_id: "shm-nosuid-cos"
benchmark_id: "shm-noexec-cos"
benchmark_id: "automounting-disabled"
# Boot integrity and kernel hardening.
# NOTE(review): this id carries a "-93" suffix while cpe_uri targets COS 97 — confirm
# the check is still the intended one for this profile.
benchmark_id: "dm-verity-installed-cos-93"
benchmark_id: "bootloader-permissions-cos"
benchmark_id: "auth-for-single-user-required-cos"
benchmark_id: "core-dumps-restricted-cos"
benchmark_id: "nx-enabled"
benchmark_id: "aslr-enabled"
benchmark_id: "apparmor-installed"
# Login banners (motd, /etc/issue, /etc/issue.net) and their permissions.
benchmark_id: "motd-configured-cos"
benchmark_id: "local-login-warning-configured-cos"
benchmark_id: "remote-login-warning-configured-cos"
benchmark_id: "motd-permissions-cos"
benchmark_id: "etc-issue-permissions-cos"
benchmark_id: "etc-issue-net-permissions-cos"
# Time synchronisation and unneeded services.
benchmark_id: "chrony-installed-cos"
benchmark_id: "chrony-configured-cos"
benchmark_id: "x-window-system-not-installed-cos"
benchmark_id: "nfs-rpc-disabled-cos"
benchmark_id: "rsync-disabled-cos"
# Network stack hardening (sysctl-style settings) and firewall tooling.
benchmark_id: "packet-redirect-sending-disabled-cos"
benchmark_id: "source-routed-packets-not-accepted-cos"
benchmark_id: "icmp-redirects-not-accepted-cos"
benchmark_id: "secure-icmp-redirects-not-accepted-cos"
benchmark_id: "suspicious-packets-logged-cos"
benchmark_id: "broadcast-icmp-requests-ignored-cos"
benchmark_id: "bogus-icmp-responses-ignored-cos"
benchmark_id: "reverse-path-filtering-enabled-cos"
benchmark_id: "tcp-syn-cookies-enabled-cos"
benchmark_id: "ipv6-router-advertisements-not-accepted-cos"
benchmark_id: "iptables-installed-cos"
# Logging: Stackdriver agent, logging service, journald and logrotate configuration.
benchmark_id: "stackdriver-correct-container"
benchmark_id: "logging-service-running"
benchmark_id: "logging-configured"
benchmark_id: "journald-compress-large-log-files-cos"
benchmark_id: "journald-write-to-persistent-disk-cos"
benchmark_id: "logfile-permissions-cos"
benchmark_id: "logrotate-configured-cos"
# SSH daemon: key/config permissions, authentication limits, algorithms and session limits.
benchmark_id: "sshd-config-permissions"
benchmark_id: "sshd-private-host-key-permissions"
benchmark_id: "sshd-public-host-key-permissions"
benchmark_id: "ssh-protocol-set-to-2"
benchmark_id: "ssh-loglevel-appropriate"
benchmark_id: "ssh-x11-forwarding-disabled"
benchmark_id: "ssh-maxauthtries-4-or-less"
benchmark_id: "ssh-ignorerhosts-enabled"
benchmark_id: "ssh-hostbasedauthentication-disabled"
benchmark_id: "ssh-root-login-disabled"
benchmark_id: "ssh-permitemptypasswords-disabled"
benchmark_id: "ssh-permituserenvironments-disabled"
benchmark_id: "strong-ciphers-used"
benchmark_id: "strong-mac-algorithms-used-cos"
benchmark_id: "strong-key-exchange-algos-used"
benchmark_id: "ssh-idle-timeout-interval-configured-cos"
benchmark_id: "ssh-logingrace-one-minute-or-less-cos"
benchmark_id: "ssh-access-limited"
benchmark_id: "ssh-warning-banner-configured-cos"
benchmark_id: "ssh-pam-enabled"
benchmark_id: "ssh-allowtcpforwarding-disabled-cos"
benchmark_id: "ssh-maxstartups-configured-cos"
benchmark_id: "ssh-maxsessions-4-or-less-cos"
# Password policy and account settings.
benchmark_id: "password-creation-reqs-configured-cos"
benchmark_id: "password-reuse-limited-cos"
benchmark_id: "password-hashing-algorithm-sha-512-cos"
benchmark_id: "password-expiration-365-days-or-less-cos"
benchmark_id: "minimum-days-between-password-changes-7-or-more-cos"
benchmark_id: "password-expiration-warning-days-7-or-more"
benchmark_id: "inactive-password-lock-30-days-or-less-cos"
benchmark_id: "last-password-change-date-in-past"
benchmark_id: "system-accounts-secured-cos"
benchmark_id: "default-group-for-root-account-is-gid-0"
benchmark_id: "default-user-umask-027-or-more-restrictive-cos"
benchmark_id: "default-user-shell-timeout-900-or-less"
benchmark_id: "root-login-restricted-to-system-console"
benchmark_id: "access-to-su-restricted-cos"
# Permissions on the account databases (/etc/passwd, shadow, group, gshadow and their "-" backups).
benchmark_id: "etc-passwd-permissions"
benchmark_id: "etc-shadow-permissions"
benchmark_id: "etc-group-permissions"
benchmark_id: "etc-gshadow-permissions"
benchmark_id: "etc-passwd-dash-permissions-cos"
benchmark_id: "etc-shadow-dash-permissions"
benchmark_id: "etc-group-dash-permissions"
benchmark_id: "etc-gshadow-dash-permissions"
# User and group integrity: legacy entries, duplicates, home directories and dot-files.
benchmark_id: "password-fields-not-empty"
benchmark_id: "passwd-no-legacy-plus-entries"
benchmark_id: "shadow-no-legacy-plus-entries"
benchmark_id: "group-no-legacy-plus-entries"
benchmark_id: "root-is-only-uid-0-account"
benchmark_id: "root-path-integrity-cos"
benchmark_id: "home-dirs-exist"
benchmark_id: "home-dirs-750-or-more-restrictive"
benchmark_id: "users-own-home-dirs"
benchmark_id: "dot-files-not-group-world-writable"
benchmark_id: "no-forward-files"
benchmark_id: "no-netrc-files"
benchmark_id: "netrc-files-not-group-world-accessible"
benchmark_id: "no-rhost-files"
benchmark_id: "groups-from-etc-passwd-in-etc-group"
benchmark_id: "no-duplicate-uids"
benchmark_id: "no-duplicate-gids"
benchmark_id: "no-duplicate-user-names"
benchmark_id: "no-duplicate-group-names"
benchmark_id: "shadow-group-empty"
# Host firewall policy (IPv6 and IPv4): default deny, loopback and established-connection rules.
benchmark_id: "ipv6-default-deny-firewall-policy-cos"
benchmark_id: "configure-ipv6-loopback"
benchmark_id: "ipv6-outbound-established-connections-configured-cos"
benchmark_id: "default-deny-firewall-policy-cos"
benchmark_id: "configure-loopback"
benchmark_id: "outbound-established-connections-configured-cos"
# Generic linux checks that should be L2 in COS.
# Every id listed here also appears in the benchmark_id list above; keep the two in
# sync when adding or removing a check, otherwise the override refers to nothing.
profile_level_override: {
level: 2
benchmark_id: "udf-mounting-disabled-cos"
benchmark_id: "stackdriver-correct-container"
benchmark_id: "logging-configured"
benchmark_id: "ssh-maxauthtries-4-or-less"
benchmark_id: "strong-mac-algorithms-used-cos"
benchmark_id: "ssh-idle-timeout-interval-configured-cos"
benchmark_id: "ssh-logingrace-one-minute-or-less-cos"
benchmark_id: "ssh-access-limited"
benchmark_id: "ssh-warning-banner-configured-cos"
benchmark_id: "ssh-allowtcpforwarding-disabled-cos"
benchmark_id: "ssh-maxstartups-configured-cos"
benchmark_id: "ssh-maxsessions-4-or-less-cos"
benchmark_id: "password-reuse-limited-cos"
benchmark_id: "password-hashing-algorithm-sha-512-cos"
benchmark_id: "password-expiration-365-days-or-less-cos"
benchmark_id: "minimum-days-between-password-changes-7-or-more-cos"
benchmark_id: "password-expiration-warning-days-7-or-more"
benchmark_id: "inactive-password-lock-30-days-or-less-cos"
benchmark_id: "etc-shadow-dash-permissions"
benchmark_id: "etc-gshadow-dash-permissions"
benchmark_id: "home-dirs-exist"
benchmark_id: "home-dirs-750-or-more-restrictive"
benchmark_id: "users-own-home-dirs"
benchmark_id: "dot-files-not-group-world-writable"
benchmark_id: "no-forward-files"
benchmark_id: "no-netrc-files"
benchmark_id: "netrc-files-not-group-world-accessible"
benchmark_id: "no-rhost-files"
benchmark_id: "groups-from-etc-passwd-in-etc-group"
}