1.1 Use a Split-Horizon Architecture | CIS BIND DNS v1.0.0 L1 Caching Only Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
1.1 Use a Split-Horizon Architecture | CIS BIND DNS v1.0.0 L1 Authoritative Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
1.3.10 Ensure 'Password Profiles' do not exist | CIS Palo Alto Firewall 10 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION, PLANNING, PROGRAM MANAGEMENT, RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
3.5 Ensure proxy-arp is disabled | CIS Juniper OS Benchmark v2.1.0 L2 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
3.6 Ensure ICMP Redirects are set to disabled (on all untrusted IPv4 networks) | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
3.7 Ensure ICMP Redirects are set to disabled (on all untrusted IPv6 networks) | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
4.1.4 Ensure Bogon Filtering is set (where EBGP is used) | CIS Juniper OS Benchmark v2.1.0 L2 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.5 Ensure Ingress Filtering is set for EBGP peers | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.6 Ensure RPKI is set for Origin Validation of EBGP peers | CIS Juniper OS Benchmark v2.1.0 L2 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | CIS Palo Alto Firewall 10 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION, RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION, RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
4.6.1 Create administrative boundaries between resources using namespaces | CIS Google Kubernetes Engine (GKE) v1.5.0 L1 | GCP | SYSTEM AND COMMUNICATIONS PROTECTION |
5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | CIS Google Kubernetes Engine (GKE) v1.5.0 L2 | GCP | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
5.6.5 Ensure clusters are created with Private Nodes | CIS Google Kubernetes Engine (GKE) v1.5.0 L1 | GCP | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every minute | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
5.7.1 Create administrative boundaries between resources using namespaces | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
5.7.1 Create administrative boundaries between resources using namespaces | CIS Kubernetes Benchmark v1.9.0 L1 Master | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
5.7.1 Create administrative boundaries between resources using namespaces | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
5.7.1 Create administrative boundaries between resources using namespaces | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
5.10 Ensure that the host's network namespace is not shared | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
5.31 Ensure that the host's user namespaces are not shared | CIS Docker v1.6.0 L1 Docker Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
6.16 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION |
6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | CIS Palo Alto Firewall 10 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | CIS Palo Alto Firewall 11 v1.0.0 L1 | Palo_Alto | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
6.18 Ensure all zones have Zone Protection Profiles that drop specially crafted packets | CIS Palo Alto Firewall 11 v1.0.0 L1 | Palo_Alto | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
6.18 Ensure all zones have Zone Protection Profiles that drop specially crafted packets | CIS Palo Alto Firewall 10 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
6.18 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION |
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Invalid Categories | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Policies | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |