CSCv7|9

Title

Limitation and Control of Network Ports, Protocols, and Services

Reference Item Details

Category: Limitation and Control of Network Ports, Protocols, and Services

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.2 Do Not Install a Multi-Use System - chkconfig | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server |
| 1.2 Do Not Install a Multi-Use System - chkconfig | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server |
| 1.2 Do Not Install a Multi-Use System - systemctl | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server |
| 1.2 Do Not Install a Multi-Use System - systemctl | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server |
| 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master |
| 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master |
| 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master |
| 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master |
| 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master |
| 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master |
| 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master |
| 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master |
| 1.3 Dedicated Name Server Role | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server |
| 1.3 Dedicated Name Server Role | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server |
| 2.2 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Management Services | Juniper | CIS Juniper OS Benchmark v2.1.0 L2 |
| 2.2 Ensure network traffic is restricted between containers on the default bridge | Unix | CIS Docker v1.6.0 L1 Docker Linux |
| 2.4 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Protocols | Juniper | CIS Juniper OS Benchmark v2.1.0 L2 |
| 2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 3.1 Ignore Erroneous or Unwanted Queries - Link local addresses | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server |
| 3.1 Ignore Erroneous or Unwanted Queries - Link local addresses | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server |
| 3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server |
| 3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server |
| 3.2.5 Disable IP Source-Routing | Cisco | CIS Cisco NX-OS L1 v1.1.0 |
| 3.4 Ensure interface description is set | Juniper | CIS Juniper OS Benchmark v2.1.0 L1 |
| 3.4 Restrict Queries of the Cache - Authoritative Only | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server |
| 3.4 Restrict Queries of the Cache - Caching Only | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server |
| 3.5.2 Configure FCoE Zoning | Cisco | CIS Cisco NX-OS L2 v1.1.0 |
| 3.13 Ensure VPN traffic goes through the relevant ACL | Cisco | CIS Cisco ASA 9.x Firewall L2 v1.1.0 |
| 3.16 Configure Mail Transfer Agent for Local-Only Mode - O DaemonPortOptions=Port=smtp, Addr=127.0.0.1, Name=MTA | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 4.12.1 Ensure LLDP is Disabled if not Required | Juniper | CIS Juniper OS Benchmark v2.1.0 L2 |
| 4.12.2 Ensure LLDP-MED is Disabled if not Required | Juniper | CIS Juniper OS Benchmark v2.1.0 L2 |
| 6.10.9 Ensure Finger Service is Not Set | Juniper | CIS Juniper OS Benchmark v2.1.0 L1 |
| 7.2 Ensure that swarm services are bound to a specific host interface | Unix | CIS Docker v1.6.0 L1 Docker Swarm |
| 7.5 Firewall Consideration | Unix | CIS Apple macOS 10.13 L2 v1.1.0 |
| 7.5 Firewall Consideration | Unix | CIS Apple macOS 10.12 L2 v1.2.0 |
| 9.1 Ensure the TimeOut Is Set to 10 or Less | Unix | CIS Apache HTTP Server 2.4 L1 v2.1.0 Middleware |
| 9.1 Ensure the TimeOut Is Set to 10 or Less | Unix | CIS Apache HTTP Server 2.4 L1 v2.1.0 |