| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | CIS Cisco IOS 12 L1 v4.0.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Restrict network traffic between containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3 Allow Docker to make changes to iptables | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Configure TCP Wrappers - Allow localhost. | CIS Solaris 10 L1 v5.2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Configure TCP Wrappers - Deny access to this server from all networks | CIS Solaris 10 L1 v5.2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.17 Bind swarm services to a specific host interface | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Ensure IP forwarding is disabled - sysctl | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Ensure IP forwarding is disabled - sysctl | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.2 Ensure packet redirect sending is disabled - /etc/sysctl ipv4 all send | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.3 Set 'no interface tunnel' | CIS Cisco IOS 12 L2 v4.0.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.1 Ensure source routed packets are not accepted - sysctl ipv4 default accept | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks -'External interface has ACL applied' | CIS Cisco IOS 12 L2 v4.0.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.3 Ensure secure ICMP redirects are not accepted - /etc/sysctl ipv4 default secure | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.3 Ensure secure ICMP redirects are not accepted - /etc/sysctl ipv4 default secure | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.3 Ensure secure ICMP redirects are not accepted - sysctl ipv4 default secure | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.5 Ensure broadcast ICMP requests are ignored - /etc/sysctl | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.7 Ensure Reverse Path Filtering is enabled - sysctl ipv4 all rp_filter | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.8 Ensure TCP SYN Cookies is enabled - /etc/sysctl | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.1 Ensure IPv6 router advertisements are not accepted - /etc/sysctl ipv6 all accept | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.2 Ensure IPv6 redirects are not accepted - /etc/sysctl ipv6 all accept | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.2 Ensure IPv6 redirects are not accepted - /etc/sysctl ipv6 all accept | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.2 Ensure IPv6 redirects are not accepted - sysctl ipv6 default accept | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.5 ipforwarding | CIS IBM AIX 7.1 L1 v2.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.2 Ensure /etc/hosts.allow is configured | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.3 Ensure /etc/hosts.deny is configured | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.5 Ensure subnets for the Web tier ELB are created | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.9 Ensure Elastic IPs for the NAT Gateways are allocated | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.22 Create the App tier Security Group and ensure it allows inbound connections from App tier ELB Security Group for explicit ports | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4.4 Create /etc/hosts.deny | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.7 Ensure Firewall is active - iptables | CIS Debian Linux 7 L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.7 Ensure Firewall is active - iptables-persistent | CIS Debian Linux 7 L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.7 Ensure Firewall is active - iptables-persistent run level 2 | CIS Debian Linux 7 L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.5.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled' | CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled' | CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 Domain Controller | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Access control lists | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (192.0.0.0/24) | TNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice Audit | Alcatel | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (198.18.0.0/15) | TNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice Audit | Alcatel | SYSTEM AND COMMUNICATIONS PROTECTION |
| Adtran : Firewall - Deny by Default ACL | TNS Adtran AOS Best Practice Audit | Adtran | SYSTEM AND COMMUNICATIONS PROTECTION |
| Brocade - Fabric Element Authentication must be rejected | Tenable Best Practices Brocade FabricOS | Brocade | SYSTEM AND COMMUNICATIONS PROTECTION |
| Brocade - IPfilter policy must be rejected | Tenable Best Practices Brocade FabricOS | Brocade | SYSTEM AND COMMUNICATIONS PROTECTION |
| Ensure 'SSH source restriction' is set to an authorized IP address | Tenable Cisco Firepower Best Practices Audit | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| Ensure packet fragments are restricted for untrusted interfaces | Tenable Cisco Firepower Threat Defense Best Practices Audit | Cisco_Firepower | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXi.firewall-restrict-access | VMWare vSphere 6.5 Hardening Guide | VMware | SYSTEM AND COMMUNICATIONS PROTECTION |
| FireEye - Management interface is only accessible from specific IP ranges | TNS FireEye | FireEye | SYSTEM AND COMMUNICATIONS PROTECTION |
| Front panel security | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | SYSTEM AND COMMUNICATIONS PROTECTION |
| Network Security - Use the Out-of-Band (OOB) interface for all management related traffic | Juniper Hardening JunOS 12 Devices Checklist | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| Port security auto-recovery | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | SYSTEM AND COMMUNICATIONS PROTECTION |
| vNetwork : reject-promiscuous-mode-StandardSwitch | VMWare vSphere 6.5 Hardening Guide | VMware | SYSTEM AND COMMUNICATIONS PROTECTION |
