| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL |
| 2.6 Ensure that the User-ID service account does not have interactive logon rights | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL |
| 2.9 Pair the remote control infrared receiver if enabled - 'UIDFilter != none' | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | ACCESS CONTROL |
| 3.3 Configure Security Auditing Flags - 'audit all failed events across all audit classes' | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 3.3 Configure Security Auditing Flags - 'audit successful/failed file attribute modification events' | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 3.3 Configure Security Auditing Flags - 'audit successful/failed login/logout events' | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 3.5 Retain install.log for 365 or more days | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2 Enable 'Show Wi-Fi status in menu bar' | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.5 Ensure ftp server is not running | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 5.2.1 Configure account lockout threshold | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | ACCESS CONTROL |
| 5.2.5 Complex passwords must contain a Special Character | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.2.6 Complex passwords must contain uppercase and lowercase letters | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | |
| 5.2.8 Password History | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.3 Ensure forwarding of decrypted content to WildFire is enabled | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.7 Do not enable the 'root' account | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | ACCESS CONTROL |
| 6.1.2 Disable 'Show password hints' | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.1.4 Disable 'Allow guests to connect to shared folders' - SMB Sharing | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | ACCESS CONTROL |
| 6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.6 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | RISK ASSESSMENT |
| 6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | RISK ASSESSMENT |
| 6.18 Ensure all zones have Zone Protection Profiles that drop specially crafted packets | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.22 Ensure that 'Inline Cloud Analysis' on Vulnerability Protection profiles are enabled if 'Advanced Threat Prevention' is available | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | RISK ASSESSMENT |
| 6.23 Ensure that 'Cloud Inline Categorization' on URL Filtering profiles are enabled if 'Advanced Threat Prevention' is available | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL, MEDIA PROTECTION |
| 7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL, MEDIA PROTECTION |
| 7.4 Ensure that logging is enabled on built-in default security policies | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' - NETLOGON | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' - SYSVOL | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 DC | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.9.30.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' | CIS Microsoft Windows 8.1 v2.4.1 L1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.108.1.3 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.108.1.3 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.10.2.10 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | CIS Microsoft Windows 11 Stand-alone v4.0.0 L1 BL | Windows | ACCESS CONTROL |
| 18.10.10.2.10 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | CIS Microsoft Windows 10 Stand-alone v4.0.0 BL | Windows | ACCESS CONTROL |
| 18.10.10.2.11 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | CIS Microsoft Windows 10 Stand-alone v4.0.0 BL | Windows | ACCESS CONTROL |
| 18.10.10.2.11 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L1 BL NG | Windows | ACCESS CONTROL |
| 18.10.10.2.13 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL | Windows | ACCESS CONTROL |
| 18.10.10.2.13 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | CIS Microsoft Windows 11 Enterprise v4.0.0 BitLocker | Windows | ACCESS CONTROL |
| 18.10.10.2.13 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | CIS Microsoft Windows 11 Enterprise v4.0.0 L1 BitLocker | Windows | ACCESS CONTROL |
| 18.10.10.2.13 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL NG | Windows | ACCESS CONTROL |
| 18.10.10.2.14 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | CIS Microsoft Windows 11 Enterprise v4.0.0 L1 BitLocker | Windows | ACCESS CONTROL |
| 18.10.10.2.14 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | CIS Microsoft Windows 10 Enterprise v4.0.0 BL | Windows | ACCESS CONTROL |
| 18.10.10.2.14 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL NG | Windows | ACCESS CONTROL |
| 18.10.92.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.93.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.93.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | CIS Microsoft Windows 11 Stand-alone v4.0.0 L1 BL | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.93.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | CIS Microsoft Windows 11 Enterprise v4.0.0 L1 | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.93.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 MS | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
