| 1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented | CIS Apache HTTP Server 2.4 L1 v2.1.0 Middleware | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.6.3 Create network segmentation using Network Policies | CIS Kubernetes 1.13 Benchmark v1.4.1 L2 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 1.12 Ensure host-based intrusion detection tool is used - mcafeetp package | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 1.12 Ensure host-based intrusion detection tool is used - mfetpd process | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 2.2.6 Ensure 'REMOTE_LISTENER' Is Empty | CIS Oracle Server 12c DB Unified Auditing v3.0.0 | OracleDB | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.3.10.6 Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' | CIS Microsoft Windows 8.1 v2.4.1 L1 | Windows | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.4.2 Ensure Priority accounts have 'Strict protection' presets applied | CIS Microsoft 365 Foundations E5 L1 v3.1.0 | microsoft_azure | SYSTEM AND INFORMATION INTEGRITY |
| 2.7 Ensure TLS authentication for Docker daemon is configured - tlscacert | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.7 Ensure TLS authentication for Docker daemon is configured - tlscert | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.7 Ensure TLS authentication for Docker daemon is configured - tlskey | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.7 Ensure TLS authentication for Docker daemon is configured - tlsverify | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.8.1 Ensure 'Allow remote access connections to this machine' is set to 'Disabled' | CIS Google Chrome L1 v3.0.0 | Windows | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.8.2 Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled' | CIS Google Chrome L1 v3.0.0 | Windows | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.8.3 Ensure 'Configure the required domain names for remote access clients' is set to 'Enabled' with a domain defined | CIS Google Chrome L1 v3.0.0 | Windows | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.8.4 Ensure 'Enable curtaining of remote access hosts' is set to 'Disabled' | CIS Google Chrome L1 v3.0.0 | Windows | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.8.5 Ensure 'Enable firewall traversal from remote access host' is set to 'Disabled' | CIS Google Chrome L1 v3.0.0 | Windows | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.8.6 Ensure 'Enable or disable PIN-less authentication for remote access hosts' is set to 'Disabled' | CIS Google Chrome L1 v3.0.0 | Windows | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.8.7 Ensure 'Enable the use of relay servers by the remote access host' is set to 'Disabled'. | CIS Google Chrome L1 v3.0.0 | Windows | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.32 Ensure 'Allow remote debugging' is set to 'Disabled' | CIS Google Chrome L1 v3.0.0 | Windows | ACCESS CONTROL, RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.2 Ensure 'Allow unmanaged devices' is set to 'False' | CIS Microsoft Exchange Server 2019 L1 MDM v1.0.0 | Windows | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.2 Ensure intrusion prevention is enabled for untrusted interfaces | CIS Cisco ASA 9.x Firewall L1 v1.1.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.2.1.29 Ensure 'Allow proximity based password sharing requests' is set to 'Disabled' | AirWatch - CIS Apple iPadOS 17 Institutionally Owned L1 | MDM | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.2.1.29 Ensure 'Allow proximity based password sharing requests' is set to 'Disabled' | MobileIron - CIS Apple iPadOS 17 Institutionally Owned L1 | MDM | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.2.1.29 Ensure 'Allow proximity based password sharing requests' is set to 'Disabled' | AirWatch - CIS Apple iOS 17 Institution Owned L1 | MDM | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.2.1.29 Ensure 'Allow proximity based password sharing requests' is set to 'Disabled' | MobileIron - CIS Apple iOS 17 Institution Owned L1 | MDM | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.4.1 Configure LLDP | CIS Cisco NX-OS L1 v1.1.0 | Cisco | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.9 Ensure 'Require encryption on device' is set to 'True' | CIS Microsoft Exchange Server 2019 L1 MDM v1.0.0 | Windows | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 4.10 (L1) Host must verify certificates for TLS remote logging endpoints | CIS VMware ESXi 8.0 v1.1.0 L1 | VMware | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 4.11 (L1) Host must use strict x509 verification for TLS-enabled remote logging endpoints | CIS VMware ESXi 8.0 v1.1.0 L1 | VMware | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.3.21 Ensure SSH AllowTcpForwarding is disabled - sshd | CIS CentOS 6 Workstation L2 v3.0.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.3.21 Ensure SSH AllowTcpForwarding is disabled - sshd | CIS Red Hat 6 Workstation L2 v3.0.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.3.21 Ensure SSH AllowTcpForwarding is disabled - sshd_config | CIS Red Hat 6 Server L2 v3.0.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 6.3 Ensure storage area network (SAN) resources are segregated properly | CIS VMware ESXi 6.5 v1.0.0 Level 1 | VMware | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Invalid Categories | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Policies | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.35.1 (L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.35.1 Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' | CIS Microsoft Windows 8.1 v2.4.1 L1 | Windows | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.98.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' | CIS Microsoft Windows 8.1 v2.4.1 L2 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.98.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| CASA-FW-000300 - The Cisco ASA must be configured to generate an alert that can be forwarded to organization-defined personnel and/or the firewall administrator when denial-of-service (DoS) incidents are detected - scanning-threat | DISA STIG Cisco ASA FW v2r1 | Cisco | SYSTEM AND INFORMATION INTEGRITY |
| DTBI015 - The IE warning about certificate address mismatch must be enforced. | DISA STIG Microsoft Internet Explorer 9 v1r15 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DTBI820 - Launching programs and unsafe files property must be set to prompt (Internet zone). | DISA STIG Microsoft Internet Explorer 9 v1r15 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DTBI870 - Launching programs and unsafe files property must be set to prompt (Restricted Site zone). | DISA STIG Microsoft Internet Explorer 9 v1r15 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| GEN006480 - The system must have a host-based intrusion detection tool installed. | DISA STIG AIX 5.3 v1r2 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| WG440 W22 - Monitoring software must include CGI or equivalent programs in its scope. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | SYSTEM AND INFORMATION INTEGRITY |
