CSCv7|12

Title

Boundary Defense

Reference Item Details

Reference: CIS Critical Security Controls v7

Category: Boundary Defense

Audit Items

Name	Plugin	Audit Name
1.1 Use a Split-Horizon Architecture	Unix	CIS BIND DNS v1.0.0 L1 Authoritative Name Server
1.1 Use a Split-Horizon Architecture	Unix	CIS BIND DNS v1.0.0 L1 Caching Only Name Server
3.5 Ensure proxy-arp is disabled	Juniper	CIS Juniper OS Benchmark v2.1.0 L2
3.6 Ensure ICMP Redirects are set to disabled (on all untrusted IPv4 networks)	Juniper	CIS Juniper OS Benchmark v2.1.0 L1
3.7 Ensure ICMP Redirects are set to disabled (on all untrusted IPv6 networks)	Juniper	CIS Juniper OS Benchmark v2.1.0 L1
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
4.1.4 Ensure Bogon Filtering is set (where EBGP is used)	Juniper	CIS Juniper OS Benchmark v2.1.0 L2
4.1.5 Ensure Ingress Filtering is set for EBGP peers	Juniper	CIS Juniper OS Benchmark v2.1.0 L1
4.1.6 Ensure RPKI is set for Origin Validation of EBGP peers	Juniper	CIS Juniper OS Benchmark v2.1.0 L2
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
4.6.1 Create administrative boundaries between resources using namespaces	GCP	CIS Google Kubernetes Engine (GKE) v1.6.1 L1
5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every minute	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
5.7.1 Create administrative boundaries between resources using namespaces	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.7.1 Create administrative boundaries between resources using namespaces	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.7.1 Create administrative boundaries between resources using namespaces	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.10 Ensure that the host's network namespace is not shared	Unix	CIS Docker v1.6.0 L1 Docker Linux
5.31 Ensure that the host's user namespaces are not shared	Unix	CIS Docker v1.6.0 L1 Docker Linux
6.16 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.18 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Invalid Categories	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Policies	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0

Detections

Analytics

CSCv7|12

Title

Reference Item Details

Audit Items