CSCv7|9.4

Title

Apply Host-based Firewalls or Port Filtering

Description

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Reference Item Details

Category: Limitation and Control of Network Ports, Protocols, and Services

Audit Items

Name | Plugin | Audit Name
1.1.2 Ensure /tmp is configured | Unix | CIS Oracle Linux 7 Workstation L1 v3.1.1
1.1.2 Ensure /tmp is configured | Unix | CIS Red Hat EL7 Workstation L1 v3.1.1
1.1.2 Ensure /tmp is configured | Unix | CIS Oracle Linux 7 Server L1 v3.1.1
1.1.2 Ensure /tmp is configured | Unix | CIS Red Hat EL7 Server L1 v3.1.1
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.2 Ensure /tmp is configured | Unix | CIS Amazon Linux 2 v2.0.0 L1
1.1.2 Ensure /tmp is configured | Unix | CIS CentOS 7 v3.1.2 Workstation L1
1.1.2 Ensure /tmp is configured | Unix | CIS CentOS 7 v3.1.2 Server L1
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Server 11 L2 v2.1.1
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1
2.1 Configure TCP Wrappers - hosts.allow | Unix | CIS Oracle Solaris 11.4 L1 v1.0.0
2.1 Configure TCP Wrappers - hosts.deny | Unix | CIS Oracle Solaris 11.4 L1 v1.0.0
2.1 Configure TCP Wrappers - inetadm | Unix | CIS Oracle Solaris 11.4 L1 v1.0.0
2.1 Configure TCP Wrappers - rpc/bind | Unix | CIS Oracle Solaris 11.4 L1 v1.0.0
2.2 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Management Services | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | Unix | CIS VMware ESXi 6.7 v1.2.0 Level 1 Bare Metal
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
2.3 Ensure 'Protect RE' Firewall filter includes Rate-Limiting for Management Services terms | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.3 Ensure Managed Object Browser (MOB) is disabled | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
2.3 Ensure Managed Object Browser (MOB) is disabled | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
2.4 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Protocols | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.5 Ensure firewall filters contain explicit deny and log term | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v1.1.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 11 v2.1.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.15 v2.1.0 L1
2.5.2.2 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
2.5.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 10.15 v2.1.0 L1
2.5.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 11 v2.1.0 L1
2.5.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v1.1.0 L1
2.5.2.3 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
2.6 Ensure firewall filters contain explicit deny and log term | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
3.1 Disable Response to Broadcast ICMPv4 Echo Request | Unix | CIS Oracle Solaris 11.4 L1 v1.0.0
3.1.1 Disable IPv6 | Unix | CIS Fedora 19 Family Linux Server L2 v1.0.0
3.1.1 Disable IPv6 | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L2 Workstation
3.1.1 Disable IPv6 | Unix | CIS Ubuntu Linux 20.04 LTS Workstation L2 v1.1.0
3.1.1 Disable IPv6 | Unix | CIS Oracle Linux 7 Workstation L2 v3.1.1
3.1.1 Disable IPv6 | Unix | CIS Fedora 19 Family Linux Workstation L2 v1.0.0
3.1.1 Disable IPv6 | Unix | CIS Ubuntu Linux 16.04 LTS Workstation L2 v2.0.0
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 MS L1 v2.2.0
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 DC L1 v2.2.0
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.3.0
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.3.0
20.30 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
20.30 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0