CSCv7|9

Title

Limitation and Control of Network Ports, Protocols, and Services

Reference Item Details

Category: Limitation and Control of Network Ports, Protocols, and Services

Audit Items

Name | Plugin | Audit Name
1.2 Do Not Install a Multi-Use System - chkconfig | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server
1.2 Do Not Install a Multi-Use System - chkconfig | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server
1.2 Do Not Install a Multi-Use System - systemctl | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server
1.2 Do Not Install a Multi-Use System - systemctl | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server
1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - certfile | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - keyfile | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.3 Dedicated Name Server Role | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server
1.3 Dedicated Name Server Role | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server
2.2 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Management Services | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.2 Ensure network traffic is restricted between containers on the default bridge | Unix | CIS Docker v1.3.1 L1 Docker Linux
2.4 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Protocols | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
2.7 Ensure that a unique Certificate Authority is used for etcd | Unix | CIS Kubernetes Benchmark v1.6.1 L2 Master
3.1 Ignore Erroneous or Unwanted Queries - Link local addresses | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server
3.1 Ignore Erroneous or Unwanted Queries - Link local addresses | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server
3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server
3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server
3.4 Ensure interface description is set | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
3.4 Restrict Queries of the Cache - Authoritative Only | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server
3.4 Restrict Queries of the Cache - Caching Only | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server
3.5.2 Configure FCoE Zoning - interface vfc | Cisco | CIS Cisco NX-OS L2 v1.0.0
3.5.2 Configure FCoE Zoning - interface vfc | Cisco | CIS Cisco NX-OS L1 v1.0.0
3.5.2 Configure FCoE Zoning - vsan database | Cisco | CIS Cisco NX-OS L1 v1.0.0
3.5.2 Configure FCoE Zoning - vsan database | Cisco | CIS Cisco NX-OS L2 v1.0.0
3.16 Configure Mail Transfer Agent for Local-Only Mode - O DaemonPortOptions=Port=smtp, Addr=127.0.0.1, Name=MTA | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
4.12.1 Ensure LLDP is Disabled if not Required | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
4.12.2 Ensure LLDP-MED is Disabled if not Required | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
6.10.9 Ensure Finger Service is Not Set | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
7.3 Ensure that swarm services are bound to a specific host interface | Unix | CIS Docker v1.3.1 L1 Docker Linux
7.5 Firewall Consideration | Unix | CIS Apple macOS 10.12 L2 v1.2.0