CSCv7|9.4

Title

Apply Host-based Firewalls or Port Filtering

Description

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
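The control is only satisfied when every base chain that sees inbound traffic ends in a drop policy and each permitted service is an explicit accept. The following is an added example, not part of this page or of any CIS benchmark: it parses an `nft list ruleset` dump (the sample dump, its addresses and its ports are constructed for illustration) and reports any hook that is not default-deny, any unconditional accept that would defeat the policy, and the ports a chain actually allows. The choice to audit only the input and forward hooks by default is an assumption; egress filtering is outside the wording of 9.4.

```python
"""Audit an nftables ruleset dump for the CSC 9.4 default-deny posture.

Added example; not code from the Tenable page or the CIS benchmarks.
Only standard nftables syntax is assumed. The sample dump below is
constructed: a host that is default-deny on input but left the forward
hook at policy accept.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample output of `nft list ruleset` (not captured from a real host).
SAMPLE_RULESET = """\
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ct state established,related accept
		tcp dport 22 accept
		tcp dport { 80, 443 } accept
		udp dport 123 accept
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
"""


@dataclass
class Chain:
    table: str
    name: str
    hook: Optional[str] = None    # set only for base chains
    policy: Optional[str] = None  # "drop" or "accept" for base chains
    rules: List[str] = field(default_factory=list)


TABLE_RE = re.compile(r"^\s*table (\S+) (\S+) \{")
CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
BASE_RE = re.compile(r"type filter hook (\w+) priority [^;]+; policy (\w+);")
# A dport match followed by an accept verdict: `tcp dport 22 accept`
# or `tcp dport { 80, 443 } accept`.
DPORT_RE = re.compile(r"\b(tcp|udp) dport (\{[^}]*\}|\d+)\s.*\baccept\b")


def parse_ruleset(text: str) -> List[Chain]:
    """Split an `nft list ruleset` dump into Chain objects with their rules."""
    chains: List[Chain] = []
    table = None
    current: Optional[Chain] = None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            table = f"{m.group(1)} {m.group(2)}"
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(table=table or "?", name=m.group(1))
            chains.append(current)
            continue
        if current is None:
            continue  # outside any chain (table braces, blank lines)
        stripped = line.strip()
        if stripped == "}":
            current = None
            continue
        m = BASE_RE.search(stripped)
        if m:
            current.hook, current.policy = m.group(1), m.group(2)
        elif stripped:
            current.rules.append(stripped)
    return chains


def allowed_ports(chain: Chain) -> set:
    """Return the (proto, port) pairs the chain explicitly accepts."""
    ports = set()
    for rule in chain.rules:
        m = DPORT_RE.search(rule)
        if m:
            proto, spec = m.group(1), m.group(2)
            ports.update((proto, int(p)) for p in re.findall(r"\d+", spec))
    return ports


def audit(text: str, hooks=("input", "forward")) -> List[str]:
    """Return findings for the given hooks; an empty list means default-deny holds."""
    findings = []
    base = {c.hook: c for c in parse_ruleset(text) if c.hook}
    for hook in hooks:
        c = base.get(hook)
        if c is None:
            findings.append(f"no base chain for hook {hook}: traffic is unfiltered")
            continue
        if c.policy != "drop":
            findings.append(f"{c.table} {c.name}: hook {hook} policy is {c.policy}, expected drop")
        for rule in c.rules:
            if rule == "accept":  # bare verdict with no match: defeats the policy
                findings.append(f"{c.table} {c.name}: unconditional accept defeats default deny")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RULESET) or ["PASS: default-deny on all audited hooks"]:
        print(line)
    for c in parse_ruleset(SAMPLE_RULESET):
        print(f"{c.name}: allows {sorted(allowed_ports(c))}")
```

Run it against `nft list ruleset` output from a real host (`nft list ruleset > dump.txt`) to get the same findings; the equivalent iptables audit reads the `INPUT` and `FORWARD` chain policies from `iptables -S`.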

Reference Item Details

Category: Limitation and Control of Network Ports, Protocols, and Services

Audit Items

Name | Plugin | Audit Name
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Server 11 L2 v2.1.1
1.2.14 Ensure that the admission control plugin SecurityContextConstraint is set | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.15 Ensure that the admission control plugin NodeRestriction is set | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.17 Ensure that the --insecure-port argument is set to 0 | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
2.1 Configure TCP Wrappers | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1
2.1.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
2.2 (L1) Ensure the ESXi host firewall is configured to restrict access to services running on the host | VMware | CIS VMware ESXi 7.0 v1.4.0 L1
2.2 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Management Services | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | Unix | CIS VMware ESXi 6.7 v1.3.0 Level 1 Bare Metal
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 15.0 Sequoia v1.0.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v3.0.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v2.0.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 15.0 Sequoia v1.0.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v3.0.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v2.0.0 L1
2.3 (L1) Ensure Managed Object Browser (MOB) is disabled | VMware | CIS VMware ESXi 7.0 v1.4.0 L1
2.3 Ensure 'Protect RE' Firewall filter includes Rate-Limiting for Management Services terms | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.3 Ensure Managed Object Browser (MOB) is disabled | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
2.3.6 Ensure 'Control Manifest v2 extension availability' Is Set to Forced Only | Windows | CIS Google Chrome L2 v3.0.0
2.3.7 Ensure 'Control availability of extensions unpublished on the Chrome Web Store' Is Disabled | Windows | CIS Google Chrome L1 v3.0.0
2.4 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Protocols | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.4.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 L1
2.4.1.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 L1
2.4.7 Ensure default Admin ports are changed | FortiGate | CIS Fortigate 7.0.x v1.3.0 L1
2.5 Ensure firewall filters contain explicit deny and log term | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v3.1.0 L1
2.5.2.2 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
2.5.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v3.1.0 L1
2.5.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.5.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1
2.5.2.3 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
2.6 Ensure firewall filters contain explicit deny and log term | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.25 Ensure 'Allow file or directory picker APIs to be called without prior user gesture' Is Disabled | Windows | CIS Google Chrome L1 v3.0.0
3.1 Disable Response to Broadcast ICMPv4 Echo Request | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
3.1 Ensure that an account-level network policy has been configured to only allow access from trusted IP addresses | Snowflake | CIS Snowflake Foundations v1.0.0 L2
3.1.1 Disable IPv6 | Unix | CIS Fedora 19 Family Linux Server L2 v1.0.0
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS