This document describes the level of compliance that Google Distributed Cloud has with the CIS Ubuntu Benchmark.
Versions
This document refers to these versions:
| Anthos version | Ubuntu version | CIS Ubuntu Benchmark version | CIS level |
|---|---|---|---|
|
1.8.0
|
18.04 LTS | v2.0.1 | Level 2 Server |
Access the benchmark
The CIS Ubuntu Benchmark is available on the CIS website .
Configuration profile
In the CIS Ubuntu Benchmark document, you can read about configuration profiles. The Ubuntu images used by Google Distributed Cloud are hardened to meet the Level 2 - Server profile.
Evaluation on Google Distributed Cloud
We use the following values to specify the status of Ubuntu recommendations in Google Distributed Cloud.
| Status | Description |
|---|---|
| Pass | Complies with a benchmark recommendation. |
| Fail | Does not comply with a benchmark recommendation. |
| Equivalent control | Does not comply with the exact terms in a benchmark recommendation, but other mechanisms in Google Distributed Cloud provide equivalent security controls. |
| Depends on environment | Google Distributed Cloud does not configure items related to a benchmark recommendation. Your configuration determines whether your environment complies with the recommendation. |
Status of Google Distributed Cloud
The Ubuntu images used with Google Distributed Cloud are hardened to meet the CIS Level 2 - Server profile. The following table gives justifications for why Google Distributed Cloud components did not pass certain recommendations.
| # | Recommendation | Scored/Not Scored | Status | Justification | Affected Components |
|---|---|---|---|---|---|
|
1.1.2
|
Ensure /tmp is configured | Scored | Fail | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
|
1.1.6
|
Ensure separate partition exists for /var | Scored | Won't fix | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
|
1.1.7
|
Ensure separate partition exists for /var/tmp | Scored | Won't fix | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
|
1.1.11
|
Ensure separate partition exists for /var/log | Scored | Won't fix | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
|
1.1.12
|
Ensure separate partition exists for /var/log/audit | Scored | Won't fix | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
|
1.1.13
|
Ensure separate partition exists for /home | Scored | Won't fix | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
|
1.1.21
|
Ensure sticky bit is set on all world-writable directories | Scored | Fail | This could interfere with the functionality of Anthos and its services and is not enabled by default | All cluster nodes, Admin workstation |
|
1.5.1
|
Ensure permissions on bootloader config are configured | Scored | Fail | Permissions have been left as default. | All cluster nodes |
|
1.5.2
|
Ensure bootloader password is set | Scored | Depends on Environment | No root password is set on Ubuntu cloud images. | All cluster nodes, Admin workstation, Seesaw |
|
1.5.3
|
Ensure authentication required for single user mode | Scored | Depends on Environment | No root password is set on Ubuntu cloud images. | All cluster nodes, Admin workstation, Seesaw |
|
1.8.1.2
|
Ensure local login warning banner is configured properly | Scored | Equivalent Control | Anthos also applies DISA-STIG hardening to nodes, which updates the warning banner accordingly | All cluster nodes |
|
3.1.2
|
Ensure IP forwarding is disabled | Scored | Fail | IP forwarding is necessarily in order for Kubernetes (GKE) to correctly function and route traffic | All cluster nodes, Admin workstation, Seesaw |
|
3.2.7
|
Ensure Reverse Path Filtering is enabled | Scored | Depends on Environment | Asynchronous routing and reverse path origination is a requirement for delivering cluster load balancing | Seesaw |
|
3.5.2.5
|
Ensure firewall rules exist for all open ports | Not Scored | Depends on Environment | It is recommended that Anthos on VMware be deployed on a private network with appropriate firewall protections. The required firewall rules can be found here . | All cluster nodes, Admin workstation, Seesaw |
|
3.5.4.1.1
|
Ensure default deny firewall policy | Scored | Depends on Environment | It is recommended that Anthos on VMware be deployed on a private network with appropriate firewall protections. The required firewall rules can be found here . | All cluster nodes, Admin workstation, Seesaw |
|
3.5.4.1.2
|
Ensure loopback traffic is configured | Scored | Depends on Environment | Loopback interface usage is limited given the load balancing functionality used. | Seesaw |
|
3.5.4.2.1
|
Ensure IPv6 default deny firewall policy | Scored | Depends on Environment | It is recommended that Anthos on VMware be deployed on a private network with appropriate firewall protections. The required firewall rules can be found here . Additionally, Anthos has no requirement for IPv6 under GA support. | All cluster nodes, Admin workstation, Seesaw |
|
3.5.4.2.2
|
Ensure IPv6 loopback traffic is configured | Scored | Depends on Environment | Anthos has no requirement for IPv6 under GA support. | Admin control plane, Seesaw |
|
4.1.1.3
|
Ensure auditing for processes that start prior to auditd is enabled | Scored | Fail | A known issue with our build process flags this as Failed, however this should be considered a false alarm. This will be remedied in the future. | All cluster nodes, Seesaw |
|
4.1.1.11
|
Ensure use of privileged commands is collected | Scored | Fail | Some binaries are installed at runtime, so the runtime remediation is needed. | All cluster nodes, Admin workstation, Seesaw |
|
4.2.1.5
|
Ensure rsyslog is configured to send logs to a remote log host | Scored | Depends on Environment | Anthos on VMWare currently collects all journald logs (from system services). These can view these logs under "k8s_node" | All cluster nodes, Admin workstation, Seesaw |
|
4.2.3
|
Ensure permissions on all logfiles are configured | Scored | Fail | This specific test is overly restrictive and unrealistic as many services may require a group to write log files. This item may be removed in a future benchmark. | All cluster nodes, Admin workstation, Seesaw |
|
5.2.12
|
Ensure SSH PermitUserEnvironment is disabled | Scored | Fail | This setting conflicts with DISA-STIG hardening settings. | All cluster nodes |
|
5.2.13
|
Ensure only strong Ciphers are used | Scored | Equivalent Control | The application of DISA-STIG uses an alternative list of supported ciphers which does not 1:1 align with those used by this benchmark | All cluster nodes |
|
5.2.18
|
Ensure SSH access is limited | Scored | Depends on Environment | This is not configured by default. This can be configured to meet your specific requirements. | All cluster nodes, Admin workstation, Seesaw |
|
5.2.19
|
Ensure SSH warning banner is configured | Scored | Equivalent Control | SSH warning banner is modified by the application of DISA-STIG hardening configuration | All cluster nodes |
|
6.1.6
|
Ensure permissions on /etc/passwd are configured | Scored | Fail | This specific test is overly restrictive and is being updated by Canonical ( link ) | All cluster nodes, Admin workstation, Seesaw |
|
6.1.10
|
Ensure no world writable files exist | Scored | Fail | Permissions have been left as default. | All cluster nodes |
|
6.1.11
|
Ensure no unowned files or directories exist | Scored | Fail | Permissions have been left as default. | All cluster nodes |
|
6.1.12
|
Ensure no ungrouped files or directories exist | Scored | Fail | Permissions have been left as default. | All cluster nodes |
|
6.2.10
|
Ensure users' dot files are not group or world writable | Scored | Fail | The default settings for Ubuntu permit dot file group permissions due to compatibility | Admin workstation |
