| 1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.1 Ensure that the --anonymous-auth argument is set to false | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.1 Ensure that the --anonymous-auth argument is set to false | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.1 Ensure that the --anonymous-auth argument is set to false | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.7 Ensure that the --authorization-mode argument includes Node | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.5.1 Ensure SELinux is configured | CIS Bottlerocket L1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.5.1.4 Ensure permissions on /etc/motd are configured | CIS Google Container-Optimized OS L2 Server v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.5.1.6 Ensure permissions on /etc/issue.net are configured | CIS Google Container-Optimized OS L2 Server v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 2.5 Ensure that the --peer-client-cert-auth argument is set to true | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Worker | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.3 Ensure permissions on all logfiles are configured | CIS Google Container-Optimized OS L2 Server v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Worker | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.1 Ensure that the --anonymous-auth argument is set to false | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Worker | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Worker | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.7 Restrict Access to SYSCAT.CONTEXTATTRIBUTES | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.11 Restrict Access to SYSCAT.DBAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.23 Restrict Access to SYSCAT.ROUTINES | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.26 Restrict Access to SYSCAT.SECURITYLABELCOMPONENTS | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.29 Restrict Access to SYSCAT.SECURITYPOLICYCOMPONENTRULES | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.40 Restrict Access to SYSCAT.USEROPTIONS | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.41 Restrict Access to SYSCAT.VARIABLEAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.45 Restrict Access to SYSCAT.XSROBJECTAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.13 Restrict Access to SYSIBM.SYSEVENTTABLES | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.14 Restrict Access to SYSIBM.SYSEXTTAB | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.1 Ensure permissions on /etc/ssh/sshd_config are configured | CIS Google Container-Optimized OS L1 Server v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.2 Ensure permissions on SSH private host key files are configured | CIS Google Container-Optimized OS L1 Server v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.3 Ensure permissions on SSH public host key files are configured | CIS Google Container-Optimized OS L1 Server v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.5 Ensure Appropriate Permissions Are Enabled for System Wide Applications | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.7 Ensure No World Writable Folders Exist in the Library Folder | CIS Apple macOS 13.0 Ventura v2.1.0 L2 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.7 Ensure No World Writable Folders Exist in the Library Folder | CIS Apple macOS 14.0 Sonoma v1.1.0 L2 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.3.4 Ensure default user umask is 027 or more restrictive - /etc/profile /etc/profile.d | CIS Google Container-Optimized OS L2 Server v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.4 Ensure permissions on /etc/gshadow are configured | CIS Google Container-Optimized OS L1 Server v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.8 Ensure permissions on /etc/gshadow- are configured | CIS Google Container-Optimized OS L2 Server v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' | CIS Google Cloud Platform v3.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| DTBI046 - Logon options must be configured to prompt (Internet zone). | DISA STIG IE 10 V1R16 | Windows | ACCESS CONTROL |
| DTBI046 - User Authentication-Logon - Internet Zone -'1A00 = 65536'. | DISA STIG IE 9 v1r5 | Windows | ACCESS CONTROL |
| DTBI136 - Logon options must be configured and enforced (Restricted Sites zone). | DISA STIG IE 10 V1R16 | Windows | ACCESS CONTROL |
| DTBI136 - User Authentication - Logon - Restricted -'1A00 = 196608'. | DISA STIG IE 9 v1r5 | Windows | ACCESS CONTROL |
| DTOO200 - Allow users with earlier versions of Office to read with browsers. | DISA STIG OfficeSystem 2007 v4r9 | Windows | ACCESS CONTROL |
| WA00540 A22 - The web server must be configured to explicitly deny access to the OS root - Order | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | ACCESS CONTROL |
| WA00540 A22 - The web server must be configured to explicitly deny access to the OS root. 'httpd.conf Order Deny,Allow | DISA STIG Apache Server 2.2 Unix v1r10 | Unix | ACCESS CONTROL |
| WG470 IIS6 - Wscript.exe and Cscript.exe must not be accessible by users other than the SA and Web Manager. - 'wscript.exe' | DISA STIG IIS 6.0 Server v6r16 | Windows | ACCESS CONTROL |
