CSCv7|9.4

Title

Apply Host-based Firewalls or Port Filtering

Description

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Reference Item Details

Category: Limitation and Control of Network Ports, Protocols, and Services

Audit Items

Name | Plugin | Audit Name
1.1.2 Ensure /tmp is configured | Unix | CIS Oracle Linux 7 Server L1 v3.1.1
1.1.2 Ensure /tmp is configured | Unix | CIS Oracle Linux 7 Workstation L1 v3.1.1
1.1.2 Ensure /tmp is configured | Unix | CIS Red Hat EL7 Workstation L1 v3.1.1
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.2 Ensure /tmp is configured | Unix | CIS CentOS 7 v3.1.2 Server L1
1.1.2 Ensure /tmp is configured | Unix | CIS Amazon Linux 2 v2.0.0 L1
1.1.2 Ensure /tmp is configured | Unix | CIS Red Hat EL7 Server L1 v3.1.1
1.1.2 Ensure /tmp is configured | Unix | CIS CentOS 7 v3.1.2 Workstation L1
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Server 11 L2 v2.1.1
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1
1.2.14 Ensure that the admission control plugin SecurityContextConstraint is set | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.15 Ensure that the admission control plugin NodeRestriction is set | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.17 Ensure that the --insecure-port argument is set to 0 | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
2.1 Configure TCP Wrappers - hosts.allow | Unix | CIS Oracle Solaris 11.4 L1 v1.0.0
2.1 Configure TCP Wrappers - hosts.deny | Unix | CIS Oracle Solaris 11.4 L1 v1.0.0
2.1 Configure TCP Wrappers - inetadm | Unix | CIS Oracle Solaris 11.4 L1 v1.0.0
2.1 Configure TCP Wrappers - rpc/bind | Unix | CIS Oracle Solaris 11.4 L1 v1.0.0
2.2 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Management Services | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | Unix | CIS VMware ESXi 6.7 v1.3.0 Level 1 Bare Metal
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | VMware | CIS VMware ESXi 7.0 v1.3.0 Level 1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v2.0.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v1.0.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v2.0.0 L1
2.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v1.0.0 L1
2.3 Ensure 'Protect RE' Firewall filter includes Rate-Limiting for Management Services terms | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.3 Ensure Managed Object Browser (MOB) is disabled | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
2.3 Ensure Managed Object Browser (MOB) is disabled | VMware | CIS VMware ESXi 7.0 v1.3.0 Level 1
2.4 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Protocols | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.4.7 Ensure default Admin ports are changed | FortiGate | CIS Fortigate 7.0.x Level 1 v1.2.0
2.5 Ensure firewall filters contain explicit deny and log term | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v3.0.0 L1
2.5.2.2 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
2.5.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1
2.5.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v3.0.0 L1
2.5.2.2 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.5.2.3 Ensure Firewall Stealth Mode Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
2.6 Ensure firewall filters contain explicit deny and log term | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
3.1 Disable Response to Broadcast ICMPv4 Echo Request | Unix | CIS Oracle Solaris 11.4 L1 v1.0.0
3.1.1 Disable IPv6 | Unix | CIS Fedora 19 Family Linux Workstation L2 v1.0.0
3.1.1 Disable IPv6 | Unix | CIS Fedora 19 Family Linux Server L2 v1.0.0
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
20.30 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
20.30 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0