CSCv7|9.4

Title

Apply Host-based Firewalls or Port Filtering

Description

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
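
The control statement above is abstract; the following is an added example (not part of the CIS or Tenable reference material) of what it looks like on a Linux host using nftables. gen_ruleset turns an explicit TCP port allowlist into a ruleset whose input chain defaults to drop, and audit_input_policy checks a ruleset dump (the text `nft list ruleset` prints) the way an audit item would: every chain hooked on input must carry `policy drop`. The table name host_fw, the TCP-only allowlist, and the choice to log dropped packets are assumptions of this example.

```shell
#!/bin/sh
# Added example for CSCv7 9.4 (not from the CIS/Tenable page). Assumptions:
# nftables is the host firewall, the allowlist is a list of TCP ports, and
# `nft list ruleset` prints "hook input ...; policy <verdict>;" on one line.

# gen_ruleset "22 443": print a default-deny ruleset that accepts only the
# listed TCP ports (plus loopback, established/related flows and ICMP).
gen_ruleset() {
  set -- $1                      # split the port list into positional params
  allow_rule=""
  if [ $# -gt 0 ]; then
    # join the ports with commas for an nft anonymous set: { 22,443 }
    allow_rule="    tcp dport { $(IFS=,; printf '%s' "$*") } ct state new accept"
  fi
  cat <<EOF
table inet host_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
$allow_rule
    log prefix "host_fw drop: " counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# audit_input_policy "$(nft list ruleset)": return 0 only if at least one
# input-hook chain exists and every input-hook chain has policy drop.
# An empty ruleset (no firewall loaded at all) is a failure, not a pass.
audit_input_policy() {
  printf '%s\n' "$1" | awk '
    /hook input/ { found = 1; if ($0 !~ /policy drop/) bad = 1 }
    END { if (found && !bad) exit 0; exit 1 }'
}

# Usage (as root, from a console session, after confirming that your own
# management port is in the allowlist, or the next SSH connection will fail):
#   gen_ruleset "22 443" > /etc/nftables.conf && nft -f /etc/nftables.conf
#   audit_input_policy "$(nft list ruleset)" && echo "9.4: input default-deny OK"
```

The explicit `log ... drop` as the last rule mirrors the "explicit deny and log term" the Juniper items below ask for: the chain policy already drops, but a counted, logged final rule makes dropped traffic visible during audits and incident response. Apply the ruleset from a console or out-of-band session first; a default-deny policy that omits the management port locks you out of the host.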

Reference Item Details

Category: Limitation and Control of Network Ports, Protocols, and Services

Audit Items

Name | Plugin | Audit Name
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Server 11 L2 v2.1.1
1.2.12 Ensure that the admission control plugin SecurityContextConstraint is set | OpenShift | CIS Red Hat OpenShift Container Platform v1.8.0 L1 OpenShift
1.2.13 Ensure that the admission control plugin NodeRestriction is set | OpenShift | CIS Red Hat OpenShift Container Platform v1.8.0 L1 OpenShift
1.2.15 Ensure that the --insecure-port argument is set to 0 | OpenShift | CIS Red Hat OpenShift Container Platform v1.8.0 L1 OpenShift
1.11 UBTU-24-100300 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II
1.12 UBTU-24-100310 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II
1.46 UBTU-22-251010 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT II
1.47 UBTU-22-251015 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT II
1.48 UBTU-22-251020 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT II
1.49 UBTU-22-251025 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT II
1.50 UBTU-22-251030 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT II
1.76 UBTU-24-300041 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II
1.111 UBTU-24-600200 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II
2.1 Configure TCP Wrappers | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 15.0 Sequoia Cloud-tailored v1.0.0 L1
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.1.0 L1
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1
2.1.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 15.0 Sequoia Cloud-tailored v1.0.0 L1
2.2 (L1) Ensure the ESXi host firewall is configured to restrict access to services running on the host | VMware | CIS VMware ESXi 7.0 v1.5.0 L1
2.2 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Management Services | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | Unix | CIS VMware ESXi 6.7 v1.3.0 Level 1 Bare Metal
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 15.0 Sequoia v1.1.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v2.1.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v3.1.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v2.1.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 15.0 Sequoia v1.1.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v3.1.0 L1
2.3 (L1) Ensure Managed Object Browser (MOB) is disabled | VMware | CIS VMware ESXi 7.0 v1.5.0 L1
2.3 Ensure 'Protect RE' Firewall filter includes Rate-Limiting for Management Services terms | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.3 Ensure Managed Object Browser (MOB) is disabled | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
2.3.4 (L2) Ensure 'Control Manifest v2 extension availability' Is Set to Forced Only | Windows | CIS Google Chrome Group Policy v1.0.0 L2
2.3.6 (L1) Ensure 'Control availability of extensions unpublished on the Chrome Web Store' Is Disabled | Windows | CIS Google Chrome Group Policy v1.0.0 L1
2.3.6 (L2) Ensure 'Control Manifest v2 extension availability' Is Set to Forced Only | Windows | CIS Google Chrome L2 v3.0.0
2.3.7 (L1) Ensure 'Control availability of extensions unpublished on the Chrome Web Store' Is Disabled | Windows | CIS Google Chrome L1 v3.0.0
2.4 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Protocols | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.4.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey Cloud-tailored v1.1.0 L1
2.4.7 Ensure default Admin ports are changed | FortiGate | CIS Fortigate 7.0.x v1.3.0 L1
2.5 Ensure firewall filters contain explicit deny and log term | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v4.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.5.2.2 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
2.25 (L1) Ensure 'Allow file or directory picker APIs to be called without prior user gesture' Is Disabled | Windows | CIS Google Chrome L1 v3.0.0
2.46 (L1) Ensure 'Allow file or directory picker APIs to be called without prior user gesture' Is Disabled | Windows | CIS Google Chrome Group Policy v1.0.0 L1
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1