| 1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.3 Ensure nodev option set on /tmp partition | CIS Google Container-Optimized OS v1.2.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.9 Ensure nodev option set on /home partition | CIS Google Container-Optimized OS v1.2.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.11 Ensure nosuid option set on /dev/shm partition | CIS Google Container-Optimized OS v1.2.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.7 Ensure that the --authorization-mode argument includes Node | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.7 Ensure that the --authorization-mode argument includes Node | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.13 Ensure that the admission control plugin ServiceAccount is set | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | CIS Google Cloud Platform v3.0.0 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1.9 Ensure 'Allow documents from unmanaged sources in managed destinations' is set to 'Disabled' | AirWatch - CIS Apple iOS 17 Benchmark v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1.9 Ensure 'Allow documents from unmanaged sources in managed destinations' is set to 'Disabled' | MobileIron - CIS Apple iOS 17 v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' | CIS SQL Server 2022 Database L1 AWS RDS v1.1.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3.1 Ensure 'Managed Safari Web Domains' is 'Configured' | AirWatch - CIS Apple iOS 17 Benchmark v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3.1 Ensure 'Managed Safari Web Domains' is 'Configured' | MobileIron - CIS Apple iOS 17 v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.5 Ensure that the --peer-client-cert-auth argument is set to true | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 2.9 Ensure 'Trustworthy' Database Property is set to 'Off' | CIS SQL Server 2017 Database L1 DB v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 2.15 Ensure 'Access Approval' is 'Enabled' | CIS Google Cloud Platform v3.0.0 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.1 Require Explicit Authorization for Cataloging (CATALOG_NOAUTH) | CIS IBM DB2 11 v1.1.0 Windows OS Level 1 | Windows | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.4 Secure Permissions for All Diagnostic Logs (DIAGPATH) | CIS IBM DB2 11 v1.1.0 Linux OS Level 1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.11 Secure the Python Runtime Path (PYTHON_PATH) | CIS IBM DB2 11 v1.1.0 Windows OS Level 1 | Windows | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.12 Secure the R Runtime Path (R_PATH) | CIS IBM DB2 11 v1.1.0 Linux OS Level 1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.13 Secure the Communication Buffer Exit Library (COMM_EXIT_LIST) | CIS IBM DB2 11 v1.1.0 Linux OS Level 1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2 Ensure that policies do not use "ALL" as Service | CIS Fortigate 7.0.x v1.3.0 L1 | FortiGate | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1.22 Ensure 'Allow documents from unmanaged sources in managed destinations' is set to 'Disabled' | MobileIron - CIS Apple iOS 17 Institution Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1.24 Ensure 'Allow Handoff' is set to 'Disabled' | AirWatch - CIS Apple iOS 17 Institution Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1.24 Ensure 'Allow Handoff' is set to 'Disabled' | MobileIron - CIS Apple iOS 17 Institution Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.4 Enable Extended Security (DB2_EXTSECURITY) | CIS IBM DB2 11 v1.1.0 Linux OS Level 1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.5 Limit OS Privileges of Fenced Mode Process (DB2_LIMIT_FENCED_GROUP) | CIS IBM DB2 11 v1.1.0 Windows OS Level 1 | Windows | ACCESS CONTROL, MEDIA PROTECTION |
| 3.3.1 Secure Db2 Runtime Library | CIS IBM DB2 11 v1.1.0 Linux OS Level 1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role | CIS SQL Server 2022 Database L1 AWS RDS v1.1.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.9 Ensure Windows BUILTIN groups are not SQL Logins | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.10 Ensure Windows local groups are not SQL Logins | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.10 Ensure Windows local groups are not SQL Logins | CIS SQL Server 2017 Database L1 DB v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies | CIS SQL Server 2016 Database L1 DB v1.4.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies | CIS SQL Server 2017 Database L1 DB v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Worker | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.7 Ensure the 'secure_file_priv' is Configured Correctly | CIS MariaDB 10.6 Database L1 v1.1.0 | MySQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.12 Ensure SSH PermitUserEnvironment is disabled | CIS Google Container-Optimized OS v1.2.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.2.4.8 Ensure audit tools are 755 or more restrictive | CIS Rocky Linux 8 Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.1 Ensure permissions on /etc/passwd are configured | CIS Google Container-Optimized OS v1.2.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.2 Ensure permissions on /etc/shadow are configured | CIS Google Container-Optimized OS v1.2.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.3 Secure SYSMAINT Authority | CIS IBM DB2 11 v1.1.0 Linux OS Level 1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.4 Secure SYSMON Authority | CIS IBM DB2 11 v1.1.0 Windows OS Level 1 | Windows | ACCESS CONTROL, MEDIA PROTECTION |
