| 1.4.8 Ensure GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities | CIS Red Hat Enterprise Linux 8 STIG v2.0.0 STIG | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.4.9 Ensure GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities | CIS Red Hat Enterprise Linux 8 STIG v2.0.0 STIG | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.7 UBTU-24-100110 | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 1.15.2 Ensure 'Specify threat alert levels at which default action should not be taken when detected' is set to 'Enabled: Medium: 2 or 3' | CIS Microsoft Defender Antivirus v1.0.0 L1 Server | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 1.15.2 Ensure 'Specify threat alert levels at which default action should not be taken when detected' is set to 'Enabled: Medium: 2 or 3' | CIS Microsoft Defender Antivirus v1.0.0 L1 Workstation | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 1.15.3 Ensure 'Specify threat alert levels at which default action should not be taken when detected' is set to 'Enabled: High: 2 or 3' | CIS Microsoft Defender Antivirus v1.0.0 L1 Server | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 1.15.3 Ensure 'Specify threat alert levels at which default action should not be taken when detected' is set to 'Enabled: High: 2 or 3' | CIS Microsoft Defender Antivirus v1.0.0 L1 Workstation | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 1.15.4 Ensure 'Specify threat alert levels at which default action should not be taken when detected' is set to 'Enabled: Severe: 2 or 3' | CIS Microsoft Defender Antivirus v1.0.0 L1 Server | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 1.15.4 Ensure 'Specify threat alert levels at which default action should not be taken when detected' is set to 'Enabled: Severe: 2 or 3' | CIS Microsoft Defender Antivirus v1.0.0 L1 Workstation | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 1.302 RHEL-09-431025 | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.1 Turn off Bluetooth, if no paired devices exist | CIS Apple macOS 10.12 L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.2.31 Ensure 'Profile single process' is set to 'Administrators' | CIS Microsoft Windows Server 2022 Stand-alone v2.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.33 Ensure 'Profile single process' is set to 'Administrators' | CIS Microsoft Windows 11 Stand-alone v5.0.0 L1 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.33 Ensure 'Profile single process' is set to 'Administrators' | CIS Microsoft Windows 11 Stand-alone v5.0.0 L1 BL | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.42 Ensure 'Profile single process' is set to 'Administrators' | CIS Microsoft Windows Server 2022 v5.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.42 Ensure 'Profile single process' is set to 'Administrators' | CIS Microsoft Windows Server 2022 v5.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.3 (L1) Host must enable Secure Boot enforcement | CIS VMware ESXi 8.0 v1.3.0 L1 VMware | VMware | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) | CIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.3.10.11 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 5.13 Bind incoming container traffic to a specific host interface | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.14 Bind incoming container traffic to a specific host interface | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.14 Ensure that incoming container traffic is bound to a specific host interface | CIS Docker v1.8.0 L1 OS Linux | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' | CIS Apache HTTP Server 2.2 L1 v3.6.0 | Unix | ACCESS CONTROL |
| 8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' | CIS Apache HTTP Server 2.4 v2.3.0 L1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' | CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware | Unix | ACCESS CONTROL |
| 8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | ACCESS CONTROL |
| ALMA-09-002990 - AlmaLinux OS 9 SSH client must be configured to use only encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | DISA Cloud Linux AlmaLinux OS 9 STIG v1r6 | Unix | ACCESS CONTROL |
| AZLX-23-001210 - Amazon Linux 2023 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | DISA Amazon Linux 2023 STIG v1r2 | Unix | ACCESS CONTROL |
| EP11-00-008100 - The EDB Postgres Advanced Server must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts. | EDB PostgreSQL Advanced Server v11 DB Audit v2r4 | PostgreSQLDB | AUDIT AND ACCOUNTABILITY |
| EPAS-00-008100 - The EDB Postgres Advanced Server must provide an immediate real-time alert to appropriate support staff of all audit log failures. | EnterpriseDB PostgreSQL Advanced Server DB v2r1 | PostgreSQLDB | AUDIT AND ACCOUNTABILITY |
| EX13-MB-003031 - A DoD-approved third party Exchange-aware malicious code protection application must be implemented. | DISA Microsoft Exchange 2013 Mailbox Server STIG v2r3 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| F5BI-LT-000037 - The BIG-IP Core implementation must be configured to use NIST SP 800-52 Revision 1 compliant cryptography to protect the integrity of remote access sessions to virtual servers. | DISA F5 BIG-IP Local Traffic Manager STIG v2r4 | F5 | ACCESS CONTROL |
| JUSX-IP-000018 - The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based detection. | DISA Juniper SRX Services Gateway IDPS v2r1 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| O112-C2-018300 - The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data. | DISA STIG Oracle 11.2g v2r5 Database | OracleDB | SYSTEM AND COMMUNICATIONS PROTECTION |
| OL08-00-010185 - The OL 8 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | DISA Oracle Linux 8 STIG v2r8 | Unix | ACCESS CONTROL |
| OL08-00-010290 - The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | DISA Oracle Linux 8 STIG v2r8 | Unix | ACCESS CONTROL, MAINTENANCE |
| OL08-00-010291 - The OL 8 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | DISA Oracle Linux 8 STIG v2r8 | Unix | ACCESS CONTROL, MAINTENANCE |
| OL09-00-000254 - OL 9 SSH server must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | DISA Oracle Linux 9 STIG v1r5 | Unix | ACCESS CONTROL |
| OL09-00-000255 - OL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | DISA Oracle Linux 9 STIG v1r5 | Unix | ACCESS CONTROL |
| PANW-AG-000024 - The Palo Alto Networks security platform must log violations of security policies. | DISA Palo Alto Networks ALG STIG v3r4 | Palo_Alto | AUDIT AND ACCOUNTABILITY |
| PANW-AG-000144 - The Palo Alto Networks security platform must, at a minimum, off-load threat and traffic log records onto a centralized log server in real time. | DISA Palo Alto Networks ALG STIG v3r4 | Palo_Alto | AUDIT AND ACCOUNTABILITY |
| PPS9-00-008100 - The EDB Postgres Advanced Server must provide an immediate real-time alert to appropriate support staff of all audit log failures. | EDB PostgreSQL Advanced Server DB Audit v2r3 | PostgreSQLDB | AUDIT AND ACCOUNTABILITY |
| RHEL-09-255064 - The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | DISA Red Hat Enterprise Linux 9 STIG v2r8 | Unix | ACCESS CONTROL |
| RHEL-10-300040 - RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | DISA Red Hat Enterprise Linux 10 STIG v1r1 | Unix | ACCESS CONTROL, MAINTENANCE |
| RHEL-10-300060 - RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | DISA Red Hat Enterprise Linux 10 STIG v1r1 | Unix | ACCESS CONTROL, MAINTENANCE |
| SLES-15-010270 - The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | DISA SUSE Linux Enterprise Server 15 STIG v2r6 | Unix | ACCESS CONTROL, MAINTENANCE |
| SOL-11.1-120410 - The operating system must monitor for unauthorized connections of mobile devices to organizational information systems. | DISA Solaris 11 X86 STIG v3r4 | Unix | CONFIGURATION MANAGEMENT |
| The BIG-IP Core implementation must be configured to protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors when providing content filtering to virtual servers. | Tenable F5 BIG-IP Best Practice Audit | F5 | SYSTEM AND COMMUNICATIONS PROTECTION |
| UBTU-20-010074 - The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. | DISA Canonical Ubuntu 20.04 LTS STIG v2r4 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| WDNS-SI-000008 - The Windows 2012 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of DNSSEC/TSIG has been removed or broken. | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7 | Windows | SYSTEM AND INFORMATION INTEGRITY |
