CSCv7|14

Title

Controlled Access Based on the Need to Know

Reference Item Details

Category: Controlled Access Based on the Need to Know

Audit Items

Name | Plugin | Audit Name
1.1 Create a separate partition for containers | Unix | CIS Docker 1.13.0 v1.0.0 L1 Linux
1.1 Create a separate partition for containers | Unix | CIS Docker 1.11.0 v1.0.0 L1 Linux
1.1 Create a separate partition for containers | Unix | CIS Docker 1.12.0 v1.0.0 L1 Linux
1.1 Create a separate partition for containers | Unix | CIS Docker 1.6 v1.0.0 L1 Linux
1.1 Ensure 'Web content' is on non-system partition | Windows | CIS IIS 10 v1.2.1 Level 1
1.1 Ensure a separate partition for containers has been created | Unix | CIS Docker Community Edition v1.1.0 L1 Linux Host OS
1.1.1 Ensure a separate partition for containers has been created | Unix | CIS Docker v1.6.0 L1 Docker Linux
1.2 Use Dedicated Least Privileged Account for MySQL Daemon/Service | Unix | CIS MySQL 8.0 Enterprise Linux OS L1 v1.3.0
1.2 Use Dedicated Least Privileged Account for MySQL Daemon/Service | Unix | CIS MySQL 8.0 Community Linux OS L1 v1.0.0
1.3 Ensure device is physically secured | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
1.3.10 Ensure 'Password Profiles' do not exist | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.17 Ensure a support role has been created to manage incidents with AWS Support | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0
1.20 Ensure that IAM Access analyzer is enabled for all regions | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0
2.7.1 Ensure 'Notification Settings' are configured for all 'Managed Apps' | MDM | AirWatch - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1
2.7.1 Ensure 'Notification Settings' are configured for all 'Managed Apps' | MDM | AirWatch - CIS Apple iOS 14 and iPadOS 14 v1.0.0 End User Owned L1
2.7.1 Ensure 'Notification Settings' are configured for all 'Managed Apps' | MDM | MobileIron - CIS Apple iOS 14 and iPadOS 14 v1.0.0 End User Owned L1
2.7.1 Ensure 'Notification Settings' are configured for all 'Managed Apps' | MDM | MobileIron - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | Palo_Alto | CIS Palo Alto Firewall 11 v1.0.0 L1
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
3.4 Ensure that Cassandra is run using a non-privileged, dedicated service account | Unix | CIS Apache Cassandra 3.11 L1 Unix Audit v1.0.0
3.4 Ensure that Cassandra is run using a non-privileged, dedicated service account | Unix | CIS Apache Cassandra 3.11 L2 Unix Audit v1.0.0
4.1.9 Minimize access to create persistent volumes | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L1
4.1.10 Minimize access to the proxy sub-resource of nodes | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L1
4.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L1
4.1.12 Minimize access to webhook configuration objects | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L1
4.1.13 Minimize access to the service account token creation | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L1
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
4.2.6 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Worker
4.2.7 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Worker
4.2.7 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Worker
4.2.7 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Worker
4.4 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end-user owned devices | MDM | MobileIron - CIS Apple iOS 14 and iPadOS 14 v1.0.0 End User Owned L1
4.4 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end-user owned devices | MDM | AirWatch - CIS Apple iOS 14 and iPadOS 14 v1.0.0 End User Owned L1
4.4 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end-user owned devices | MDM | MobileIron - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1
4.4 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end-user owned devices | MDM | AirWatch - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1
4.8 Ensure S3 bucket policy changes are monitored | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0
5.1.2 Minimize access to secrets | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.1.2 Minimize access to secrets | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.1.2 Minimize access to secrets | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.1.2 Minimize access to secrets | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master
5.1.3 Minimize wildcard use in Roles and ClusterRoles - clusterroles | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Worker
5.1.3 Minimize wildcard use in Roles and ClusterRoles - clusterroles | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Worker
5.1.3 Minimize wildcard use in Roles and ClusterRoles - clusterroles | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Worker
5.1.10 Minimize access to the proxy sub-resource of nodes | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master
5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master
5.1.12 Minimize access to webhook configuration objects | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master
5.1.13 Minimize access to the service account token creation | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master