800-53|RA-5

Title

VULNERABILITY SCANNING

Description

The organization:

Supplemental

Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

Reference Item Details

Related: CA-2,CA-7,CM-4,CM-6,RA-2,RA-3,SA-11,SI-2

Category: RISK ASSESSMENT

Family: RISK ASSESSMENT

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 (L1) Ensure ESXi is properly patchedVMwareCIS VMware ESXi 7.0 v1.4.0 L1
1.1 Ensure All Apple-provided Software Is CurrentUnixCIS Apple macOS 14.0 Sonoma v2.0.0 L1
1.1 Ensure All Apple-provided Software Is CurrentUnixCIS Apple macOS 12.0 Monterey v3.1.0 L1
1.1 Ensure All Apple-provided Software Is CurrentUnixCIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1
1.1 Ensure All Apple-provided Software Is CurrentUnixCIS Apple macOS 11.0 Big Sur v4.0.0 L1
1.1 Ensure All Apple-provided Software Is CurrentUnixCIS Apple macOS 13.0 Ventura v3.0.0 L1
1.1 Ensure All Apple-provided Software Is CurrentUnixCIS Apple macOS 10.15 Catalina v3.0.0 L1
1.1 Ensure All Apple-provided Software Is CurrentUnixCIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 L1
1.1 Ensure All Apple-provided Software Is CurrentUnixCIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
1.1 Ensure All Apple-provided Software Is CurrentUnixCIS Apple macOS 15.0 Sequoia v1.0.0 L1
1.1 Ensure ESXi is properly patchedVMwareCIS VMware ESXi 6.7 v1.3.0 Level 1
1.1 Use the Latest Package UpdatesUnixCIS Oracle Solaris 11.4 L1 v1.1.0
1.1 Verify all Apple-provided software is currentUnixCIS Apple macOS 10.14 v2.0.0 L1
1.1.1 Install Available UpdatesIBM_DB2DBCIS IBM DB2 11 v1.1.0 Database Level 1
1.1.5.1 Ensure 'Enable Automatic Updates' is set to 'Enabled'WindowsCIS Microsoft Office Enterprise v1.2.0 L1
1.1.5.2 Ensure 'Hide option to enable or disable updates' is set to 'Enabled'WindowsCIS Microsoft Office Enterprise v1.2.0 L1
1.2 Ensure Auto Update Is EnabledUnixCIS Apple macOS 12.0 Monterey v3.1.0 L1
1.2 Ensure Auto Update Is EnabledUnixCIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
1.2 Ensure Auto Update Is EnabledUnixCIS Apple macOS 14.0 Sonoma v2.0.0 L1
1.2 Ensure Auto Update Is EnabledUnixCIS Apple macOS 10.14 v2.0.0 L1
1.2 Ensure Auto Update Is EnabledUnixCIS Apple macOS 10.15 Catalina v3.0.0 L1
1.2 Ensure Auto Update Is EnabledUnixCIS Apple macOS 11.0 Big Sur v4.0.0 L1
1.2 Ensure Auto Update Is EnabledUnixCIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 L1
1.2 Ensure Auto Update Is EnabledUnixCIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1
1.2 Ensure Auto Update Is EnabledUnixCIS Apple macOS 15.0 Sequoia v1.0.0 L1
1.2 Ensure Auto Update Is EnabledUnixCIS Apple macOS 13.0 Ventura v3.0.0 L1
1.2.1 Ensure GPG keys are configuredUnixCIS Fedora 28 Family Linux Server L1 v2.0.0
1.2.1 Ensure GPG keys are configuredUnixCIS AlmaLinux OS 8 Workstation L1 v3.0.0
1.2.1 Ensure GPG keys are configuredUnixCIS Red Hat EL8 Workstation L1 v3.0.0
1.2.1 Ensure GPG keys are configuredUnixCIS SUSE Linux Enterprise 12 v3.1.0 L1 Server
1.2.1 Ensure GPG keys are configuredUnixCIS SUSE Linux Enterprise 12 v3.1.0 L1 Workstation
1.2.1 Ensure GPG keys are configuredUnixCIS Rocky Linux 8 Server L1 v2.0.0
1.2.1 Ensure GPG keys are configuredUnixCIS Fedora 28 Family Linux Workstation L1 v2.0.0
1.2.1 Ensure GPG keys are configuredUnixCIS CentOS Linux 7 v4.0.0 L1 Workstation
1.2.1 Ensure GPG keys are configuredUnixCIS AlmaLinux OS 8 Server L1 v3.0.0
1.2.1 Ensure GPG keys are configuredUnixCIS Amazon Linux 2 v3.0.0 L1
1.2.1 Ensure GPG keys are configuredUnixCIS CentOS Linux 7 v4.0.0 L1 Server
1.2.1 Ensure GPG keys are configuredUnixCIS Rocky Linux 8 Workstation L1 v2.0.0
1.2.1 Ensure GPG keys are configuredUnixCIS Oracle Linux 7 v4.0.0 L1 Workstation
1.2.1 Ensure GPG keys are configuredUnixCIS CentOS Linux 8 Workstation L1 v2.0.0
1.2.1 Ensure GPG keys are configuredUnixCIS Oracle Linux 7 v4.0.0 L1 Server
1.2.1 Ensure GPG keys are configuredUnixCIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
1.2.1 Ensure GPG keys are configuredUnixCIS SUSE Linux Enterprise 15 Server L1 v1.1.1
1.2.1 Ensure GPG keys are configuredUnixCIS Oracle Linux 8 Server L1 v3.0.0
1.2.1 Ensure GPG keys are configuredUnixCIS SUSE Linux Enterprise 15 Workstation L1 v1.1.1
1.2.1 Ensure GPG keys are configuredUnixCIS CentOS Linux 8 Server L1 v2.0.0
1.14 Ensure 'DNS interception checks enabled' is set to 'Enabled'WindowsCIS Google Chrome L1 v3.0.0
1.15 Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'WindowsCIS Google Chrome L1 v3.0.0
1.117 (L1) Ensure 'Notify a user that a browser restart is recommended or required for pending updates' is set to 'Enabled: Required - Show a recurring prompt to the user indicating that a restart is required'WindowsCIS Microsoft Edge v3.0.0 L1
1.120 (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled: 86400000'WindowsCIS Microsoft Edge v3.0.0 L1