800-53|SC-7(12)

Title

HOST-BASED PROTECTION

Description

The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].

Supplemental

Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices.

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

Name | Plugin | Audit Name
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Server 11 L2 v2.1.1
1.1.3.9.5 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.7 Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.8 Configure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.10 Configure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.11 Configure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.15 Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.16 Configure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.1 Set 'Windows Firewall: Domain: Display a notification' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.2 Set 'Windows Firewall: Domain: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.3 Set 'Windows Firewall: Domain: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.4 Set 'Windows Firewall: Domain: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.4 Set 'Windows Firewall: Private: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.5 Set 'Windows Firewall: Domain: Apply local connection security rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.7 Set 'Windows Firewall: Domain: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.8 Set 'Windows Firewall: Domain: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.9 Set 'Windows Firewall: Domain: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.11 Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.1 Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.2 Set 'Windows Firewall: Private: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.3 Set 'Windows Firewall: Private: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.5 Set 'Windows Firewall: Private: Apply local connection security rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.6 Set 'Windows Firewall: Private: Display a notification' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.8 Set 'Windows Firewall: Private: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.9 Set 'Windows Firewall: Private: Allow unicast response' to 'No' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.1 Set 'Windows Firewall: Public: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.2 Set 'Windows Firewall: Public: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.3 Set 'Windows Firewall: Public: Apply local connection security rules' to 'No' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.4 Set 'Windows Firewall: Public: Logging: Log dropped packets' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.5 Set 'Windows Firewall: Public: Display a notification' to 'No' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.6 Set 'Windows Firewall: Public: Allow unicast response' to 'No' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.7 Set 'Windows Firewall: Public: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.8 Set 'Windows Firewall: Public: Logging: Log successful connections' to 'Yes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.9 Set 'Windows Firewall: Public: Logging: Size limit (KB)' to '16384 KB or greater' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.10 Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0
1.2 Install TCP Wrappers - Ensure 'ENABLE_TCPWRAPPERS' is set to 'YES' in /etc/default/inetd | Unix | CIS Solaris 9 v1.3
1.2.1.1 Configure 'Set IP Stateless Autoconfiguration Limits State' | Windows | CIS Windows 8 L1 v1.0.0
1.3 Enable TCP Wrappers and a host based firewall (firewall_enable) | Unix | CIS FreeBSD v1.0.5
1.3 Enable TCP Wrappers and a host based firewall (inetd_enable) | Unix | CIS FreeBSD v1.0.5
1.3 Enable TCP Wrappers and a host based firewall (inetd_flags) | Unix | CIS FreeBSD v1.0.5
1.3 Enable TCP Wrappers and a host based firewall (ipfw_load) | Unix | CIS FreeBSD v1.0.5
1.4 Ensure that the Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 5.1 v1.0.1 Level 1
1.6.1 - TCP/IP Tuning - 'ipsrcrouteforward = 0' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
1.6.10 - TCP/IP Tuning - 'bcastping = 0' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
1.6.11 - TCP/IP Tuning - 'icmpaddressmask = 0' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
1.6.12 - TCP/IP Tuning - 'udp_pmtu_discover = 0' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
1.6.13 - TCP/IP Tuning - 'ipsrcrouterecv = 0' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0