CSCv7|8.3

Title

Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies

Description

Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

Reference Item Details

Category: Malware Defenses

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.36 Ensure that the admission control plugin EventRateLimit is set | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.2.9 Ensure that the admission control plugin EventRateLimit is set | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master |
| 1.2.9 Ensure that the admission control plugin EventRateLimit is set | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 1.2.9 Ensure that the admission control plugin EventRateLimit is set | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master |
| 1.2.10 Ensure that the admission control plugin EventRateLimit is set | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled - ConfigMaps | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1 |
| 1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled - FeatureGates | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1 |
| 1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled - Overrides | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1 |
| 1.4.2 Ensure XD/NX support is enabled | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0 |
| 1.4.3 Ensure address space layout randomization (ASLR) is enabled - sysctl | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0 |
| 1.4.3 Ensure address space layout randomization (ASLR) is enabled - sysctl.conf sysctl.d | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0 |
| 1.5.1 Ensure address space layout randomization (ASLR) is enabled - config | Unix | CIS Debian Linux 11 Workstation L1 v1.0.0 |
| 1.5.1 Ensure address space layout randomization (ASLR) is enabled - config | Unix | CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0 |
| 1.5.1 Ensure address space layout randomization (ASLR) is enabled - config | Unix | CIS Debian Linux 11 Server L1 v1.0.0 |
| 1.5.1 Ensure address space layout randomization (ASLR) is enabled - config | Unix | CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0 |
| 1.5.1 Ensure address space layout randomization (ASLR) is enabled - sysctl | Unix | CIS Debian Linux 11 Workstation L1 v1.0.0 |
| 1.5.1 Ensure address space layout randomization (ASLR) is enabled - sysctl | Unix | CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0 |
| 1.5.1 Ensure address space layout randomization (ASLR) is enabled - sysctl | Unix | CIS Debian Linux 11 Server L1 v1.0.0 |
| 1.5.1 Ensure address space layout randomization (ASLR) is enabled - sysctl | Unix | CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0 |
| 1.5.1 Ensure XD/NX support is enabled | Unix | CIS Ubuntu Linux 16.04 LTS Workstation L1 v2.0.0 |
| 1.5.1 Ensure XD/NX support is enabled | Unix | CIS Ubuntu Linux 20.04 LTS Workstation L1 v1.1.0 |
| 1.5.1 Ensure XD/NX support is enabled | Unix | CIS Ubuntu Linux 16.04 LTS Server L1 v2.0.0 |
| 1.5.1 Ensure XD/NX support is enabled | Unix | CIS Ubuntu Linux 20.04 LTS Server L1 v1.1.0 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Debian 9 Workstation L1 v1.0.1 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Debian 8 Workstation L1 v2.0.2 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Oracle Linux 7 Server L1 v3.1.1 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Oracle Linux 6 Server L1 v2.0.0 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Debian 9 Server L1 v1.0.1 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Debian 8 Server L1 v2.0.2 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Red Hat EL7 Server L1 v3.1.1 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Oracle Linux 7 Workstation L1 v3.1.1 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS CentOS 6 Workstation L1 v3.0.0 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Distribution Independent Linux Server L1 v2.0.0 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Red Hat 6 Server L1 v3.0.0 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS CentOS 6 Server L1 v3.0.0 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS CentOS 7 v3.1.2 Workstation L1 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Distribution Independent Linux Workstation L1 v2.0.0 |
| 1.5.2 Ensure XD/NX support is enabled | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server |
| 1.20.1 Ensure 'Configure Microsoft Defender SmartScreen' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v1.1.0 |
| 1.20.2 Ensure 'Configure Microsoft Defender SmartScreen to block potentially unwanted apps' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v1.1.0 |
| 1.20.3 Ensure 'Enable Microsoft Defender SmartScreen DNS requests' is set to 'Disabled' | Windows | CIS Microsoft Edge L1 v1.1.0 |
| 1.20.4 Ensure 'Force Microsoft Defender SmartScreen checks on downloads from trusted sources' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v1.1.0 |
| 1.20.5 Ensure 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v1.1.0 |
| 1.20.6 Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v1.1.0 |
| 1.22.1 Ensure 'Configure Edge TyposquattingChecker' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v1.1.0 |
| 1.23 Ensure 'Ads setting for sites with intrusive ads' is set to 'Enabled: Block ads on sites with intrusive ads' | Windows | CIS Microsoft Edge L1 v1.1.0 |
| 1.24 Ensure 'Allow download restrictions' is set to 'Enabled: Block potentially dangerous downloads' | Windows | CIS Microsoft Edge L1 v1.1.0 |