Item Search

| Name | Audit Name | Plugin | Category |
| --- | --- | --- | --- |
| 1.3 Enable TCP Wrappers and a host based firewall (inetd_flags) | CIS FreeBSD v1.0.5 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.14 Ensure comprehensive attachment filtering is applied | CIS Microsoft 365 Foundations E3 L2 v3.1.0 | microsoft_azure | SYSTEM AND INFORMATION INTEGRITY |
| 2.3 Only enable ftpd if absolutely necessary | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 2.3.3.5 Ensure Remote Login Is Disabled | CIS Apple macOS 13.0 Ventura v2.1.0 L1 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.3.5 Ensure Remote Login Is Disabled | CIS Apple macOS 14.0 Sonoma v1.1.0 L1 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.5.3 (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) | CIS Microsoft Windows Server 2022 v3.0.0 L1 Domain Controller | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.5.3 (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) | CIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.5.3 (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) | CIS Microsoft Windows Server 2019 v3.0.1 L1 DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.5.3 Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) | CIS Microsoft Windows Server 2022 STIG v1.0.0 L1 DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.5.3 Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 Domain Controller | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Only enable rlogin/rsh/rcp if absolutely necessary (login) | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 2.4.5 Ensure Remote Login Is Disabled | CIS Apple macOS 12.0 Monterey v3.1.0 L1 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.2.3 Ensure secure ICMP redirects are not accepted | CIS Bottlerocket L2 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.3 Set daemon umask (/etc/periodic/* umask) | CIS FreeBSD v1.0.5 | Unix | ACCESS CONTROL |
| 3.3 Set daemon umask (/usr/local/etc/rc.d umask) | CIS FreeBSD v1.0.5 | Unix | ACCESS CONTROL |
| 3.4 Prevent syslogd from accepting messages from the network | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 3.4.1.3 Ensure IPv4 outbound and established connections are configured | CIS Bottlerocket L2 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.7 Only enable other RPC-based services if absolutely necessary (rpcbind_enable) | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 3.12 Only enable NIS if absolutely necessary (nis_server_enable) | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 3.13 Only enable NIS client daemons if absolutely necessary (nis_ypset_enable) | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 4.1 Disable core dumps | CIS FreeBSD v1.0.5 | Unix | ACCESS CONTROL |
| 5.1.2 Minimize user access to Container Image repositories | CIS Google Kubernetes Engine (GKE) v1.6.1 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.3 Minimize cluster access to read-only for Container Image repositories | CIS Google Kubernetes Engine (GKE) v1.6.1 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 5.2 Enable system accounting (accounting_enable) | CIS FreeBSD v1.0.5 | Unix | AUDIT AND ACCOUNTABILITY |
| 5.3 Enable logging of packets received on closed ports (net.inet.udp.log_in_vain) | CIS FreeBSD v1.0.5 | Unix | AUDIT AND ACCOUNTABILITY |
| 5.4 Set permissions on system log files (/var/log/auth.lo*) | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 5.4 Set permissions on system log files (/var/log/lpd-errs) | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 5.4 Set permissions on system log files (/var/log/maillo*) | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 5.4 Set permissions on system log files (/var/log/sendmail.s*) | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 5.4 Set permissions on system log files (/var/log/slip.log*) | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 6.2 Verify passwd, master.passwd, and group file permissions (/etc/group) | CIS FreeBSD v1.0.5 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.2 Verify passwd, master.passwd, and group file permissions (/etc/master.passwd) | CIS FreeBSD v1.0.5 | Unix | |
| 6.6.7 Ensure Remote Login Class for Authorization through External AAA - login class | CIS Juniper OS Benchmark v2.1.0 L2 | Juniper | IDENTIFICATION AND AUTHENTICATION |
| 6.6.7 Ensure Remote Login Class for Authorization through External AAA - remote class | CIS Juniper OS Benchmark v2.1.0 L2 | Juniper | IDENTIFICATION AND AUTHENTICATION |
| 7.1 Remove weak authentication services from PAM (/etc/pam.d/rsh) | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
| 7.4 Restrict at/cron to authorized users (/var/at/at.allow permissions) | CIS FreeBSD v1.0.5 | Unix | ACCESS CONTROL |
| 7.4 Restrict at/cron to authorized users (/var/cron/allow permissions) | CIS FreeBSD v1.0.5 | Unix | |
| Bottlerocket is installed | CIS Bottlerocket L1 | Unix | |
| Ensure chrony is configured - time-servers | CIS Bottlerocket L1 | Unix | |
| Ensure ICMP redirects are not accepted - sysctl net.ipv4.conf.all.accept_redirects=0 | CIS Bottlerocket L2 | Unix | |
| Ensure ICMP redirects are not accepted - sysctl net.ipv4.conf.default.accept_redirects=0 | CIS Bottlerocket L2 | Unix | |
| Ensure ICMP redirects are not accepted - sysctl net.ipv6.conf.all.accept_redirects=0 | CIS Bottlerocket L2 | Unix | |
| Ensure IPv4 default deny firewall policy - Chain OUTPUT | CIS Bottlerocket L2 | Unix | |
| Ensure IPv4 loopback traffic is configured - Chain INPUT (127.0.0.0/8) | CIS Bottlerocket L2 | Unix | |
| Ensure IPv4 loopback traffic is configured - Chain INPUT (lo) | CIS Bottlerocket L2 | Unix | |
| Ensure IPv6 default deny firewall policy - Chain FORWARD | CIS Bottlerocket L2 | Unix | |
| Ensure IPv6 default deny firewall policy - Chain INPUT | CIS Bottlerocket L2 | Unix | |
| Ensure IPv6 loopback traffic is configured - Chain INPUT (::1) | CIS Bottlerocket L2 | Unix | |
| Ensure source routed packets are not accepted - net.ipv4.conf.all.accept_source_route | CIS Bottlerocket L2 | Unix | |
| Ensure source routed packets are not accepted - net.ipv4.conf.default.accept_source_route | CIS Bottlerocket L2 | Unix | |