CSCv7|8

Title

Malware Defenses

Reference Item Details

Category: Malware Defenses

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.5 Ensure noexec option set on /tmp partitionUnixCIS Debian 9 Workstation L1 v1.0.1
1.1.5 Ensure noexec option set on /tmp partitionUnixCIS Debian 9 Server L1 v1.0.1
1.1.17 Ensure noexec option set on /dev/shm partitionUnixCIS Debian 9 Server L1 v1.0.1
1.1.17 Ensure noexec option set on /dev/shm partitionUnixCIS Debian 9 Workstation L1 v1.0.1
1.1.20 Ensure noexec option set on removable media partitionsUnixCIS Debian 9 Workstation L1 v1.0.1
1.1.20 Ensure noexec option set on removable media partitionsUnixCIS Debian 9 Server L1 v1.0.1
1.13 Ensure 'Disable saving browser history' is set to 'Disabled'WindowsCIS Google Chrome L1 v2.1.0
2.9 Ensure 'Allow download restrictions' is set to 'Enabled: Block dangerous downloads'WindowsCIS Google Chrome L1 v2.1.0
5.1 Ensure that WildFire file size upload limits are maximizedPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
5.1 Ensure that WildFire file size upload limits are maximizedPalo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
5.1 Ensure that WildFire file size upload limits are maximizedPalo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profilesPalo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profilesPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profilesPalo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
5.3 Ensure a WildFire Analysis profile is enabled for all security policiesPalo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
5.3 Ensure a WildFire Analysis profile is enabled for all security policiesPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
5.3 Ensure a WildFire Analysis profile is enabled for all security policiesPalo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
5.4 Ensure forwarding of decrypted content to WildFire is enabledPalo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
5.4 Ensure forwarding of decrypted content to WildFire is enabledPalo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
5.5 Ensure all WildFire session information settings are enabledPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
5.6 Ensure alerts are enabled for malicious files detected by WildFire - log-type 'wildfire'Palo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
5.6 Ensure alerts are enabled for malicious files detected by WildFire - log-type 'wildfire'Palo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
5.6 Ensure alerts are enabled for malicious files detected by WildFire - log-type 'wildfire'Palo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'Palo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'Palo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'Palo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.2 Ensure a secure antivirus profile is applied to all relevant security policiesPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.2 Ensure a secure antivirus profile is applied to all relevant security policiesPalo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
6.2 Ensure a secure antivirus profile is applied to all relevant security policiesPalo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threatsPalo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threatsPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threatsPalo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
6.6 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the InternetPalo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
6.6 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the InternetPalo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
6.6 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the InternetPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing trafficPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing trafficPalo_AltoCIS Palo Alto Firewall 9 v1.0.1 L1
6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing trafficPalo_AltoCIS Palo Alto Firewall 10 v1.0.0 L1
7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources ExistsPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
7.6 Automatic Actions for Optical MediaUnixCIS Apple macOS 10.12 L1 v1.2.0
8.8 Ensure Zones are Signed with NSEC or NSEC3UnixCIS BIND DNS v1.0.0 L2 Authoritative Name Server
9.5 Response Rate Limiting and DDOS MitigationUnixCIS BIND DNS v1.0.0 L1 Authoritative Name Server