Refer to this page for information about version-specific improvements to SD Elements and associated content.
2025.3
September 27, 2025
New features and enhancements
Advanced Reports
- Added All Countermeasures Report template to Advanced Reports
Trend Reports
- Adjusted formula for Mean time to Complete from cumulative to rolling average based on the last 16 weeks.
- The timeout window for trend reports has been extended
- Adjusted configuration to help improve performance for Trend Reports
General Library Improvements
- Ability to sort by phase or priority on Library Countermeasure List Table
- New Filter UI on Library Weakness Page
GitLab Ultimate, Advanced SAST
- Added a new integration that retrieves Advanced SAST findings from GitLab into SD Elements
- Currently supports connecting to a specific project_id in GitLab Ultimate
Reusable Components
- Added the ability to accept component changes (remove deactivated components or add newly activated components) directly from the dialog that opens when you click the blue ‘Component Updates Available’ button
- Added a blue ‘Component Updates Available’ button that appears in projects when newly activated library components are relevant, allowing users to review and accept the updates directly from the dialog
Summary of content updates
- Added CIS Alibaba Cloud Foundation, which provides security best practices and configuration guidelines for securely deploying Alibaba Cloud environments and services.
- Updated the Azure Kubernetes Service (AKS) CIS benchmark to the latest version, 1.7.0.
Compliance Regulations and Mappings
- CIS Alibaba Cloud Foundation (August 28, 2025)
- CIS Azure Kubernetes Services 1.7.0
New/Updated Content Packs
- CIS Alibaba Cloud Foundation
New Just-in-Time Training
- Defending T-SQL (21)
- Defending PL/SQL (21)
- OAuth Fundamentals (20)
Content additions and updates (as of September 11, 2025):
Compliance Regulations and Mappings
- Added CIS Alibaba Cloud Foundation
- Added Azure Kubernetes Service (AKS) CIS
- Added EN 18031-2
- Added EN 18031-3
- Added Central Bank of Brazil (BACEN)
- Updated MITRE CWE VIEW [INFO: Updated the regulation sections].
Content Packs
- Added Secrets Management
- Added HashiCorp Vault
- Added Okta
- Added CIS Alibaba Cloud Foundation
- Added CIS Azure Kubernetes Service
- Added Model Context Protocol (MCP)
- Added Central Bank of Brazil (BACEN)
- T20: Generate unique session IDs and reset old IDs after authentication
- TA1350: FedRAMP / Moderate Baseline [Updated]
- INFO: Updated the text.
- TA2339: FedRAMP / High Baseline [Updated]
- INFO: Updated the text.
- T61: Disable default accounts or change all default passwords [Updated]
- INFO: Updated the phase.
- T146: Use encryption for network communications in mobile environments
- TA6252: Employ a SIM/USIM PIN [Updated]
- INFO: Updated the match conditions.
- T1366: Identify applicable compliance regulations
- TA7197: Central Bank of Brazil (BACEN): CMN Resolution 4893/2021 [Added]
- T2173: Ensure the expected behavior is implemented (Hardware/Firmware)
- P1571: Expected behavior violation (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2175: Provide documentation for design (Hardware/Firmware)
- P1573: Missing documentation for design (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2187: Enforce proper implementation of wear leveling operations (Hardware/Firmware)
- P1585: Improper write handling in limited-write non-volatile memories (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2194: Protect software-controllable physical operation features (Hardware/Firmware) [Updated]
- INFO: Updated the title and text.
- T2196: Prevent exposure of sensitive system information due to uncleared debug information (Hardware/Firmware)
- P1594: Exposure of sensitive system information due to uncleared debug information (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2202: Prevent hardware logic with insecure De-Synchronization between control and data channels (Hardware/Firmware)
- P1600: Hardware logic with insecure desynchronization between control and data channels (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2206: Prevent the generation of incorrect security tokens (Hardware/Firmware)
- P1604: Generation of incorrect security tokens (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2211: Include a firmware update mechanism/feature (Hardware/Firmware)
- P1609: Firmware cannot be updated (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2216: Prevent modification of measurement reporting data by an untrusted agent (Hardware/Firmware)
- P1614: Mutable attestation or measurement reporting data (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2218: Prevent same Public Key usage for different environments (Debug and Production) (Hardware/Firmware)
- P1616: Public key re-use for signing both debug and production code (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2222: Prevent incorrect Chaining or Granularity of Debug Components (Hardware/Firmware)
- P1620: Incorrect chaining or granularity of debug components (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2225: Data remanence within the hardware component (Hardware/Firmware)
- P1623: Insufficient or incomplete data removal within hardware component (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2227: Preserve the integrity of hardware configuration state (Hardware/Firmware)
- P1625: Improperly preserved integrity of hardware configuration state during a power save/restore operation (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2350: Create a Product Security Incident Response Team (PSIRT)
- TA7200: Central Bank of Brazil (BACEN): CMN Resolution 4893/2021 [Added]
- T2392: Create an Incident Response Plan
- TA7199: Central Bank of Brazil (BACEN): CMN Resolution 4893/2021 [Added]
- T2492: Use device-generated opaque keys to encrypt OS files and data on the device (Hardware/Firmware)
- P1722: Unsecure key generation (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2494: Encrypt the bootloader (Hardware/Firmware)
- P1723: Unencrypted bootloader (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2496: Generate and forward audit logs (Hardware/Firmware)
- P1724: Lack of device-generated audit logs (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2502: Define a cybersecurity policy for your organization
- TA7198: Central Bank of Brazil (BACEN): CMN Resolution 4893/2021 [Added]
- T2597: Implement RBAC instead of individual accounts
- P1761: Lack of Role Based access control [Updated]
- INFO: Updated the match conditions.
- T2605: Validate database traffic [Updated]
- INFO: Updated the text.
- T2662: Restrict network access to the database server [Updated]
- INFO: Updated the match conditions.
- T2664: Create dedicated database user accounts with minimum privileges (Database Server) [Updated]
- INFO: Updated the title and match conditions.
- T2666: Protect data in transit with TLS (Database Server) [Updated]
- INFO: Updated the title.
- T2667: Schedule regular database backups to protect availability (Database Server) [Updated]
- INFO: Updated the title.
- T3644: Configure Azure Private Link (Azure App Service) [Unpublished]
- T3645: Configure Azure Private Link (Azure App Service) [Updated]
- INFO: Updated the text.
- T3944: Create dedicated database user accounts with minimum privileges (AWS Database) [Updated]
- INFO: Updated the title.
- T3946: Schedule regular database backups to protect availability (AWS Database) [Updated]
- INFO: Updated the title.
- T3998: Protect data in transit using TLS (AWS Service) [Updated]
- INFO: Updated the title.
- T3999: Protect data at rest with encryption (AWS Service) [Updated]
- INFO: Updated the title.
- T4000: Consider using customer-managed keys (AWS Service) [Updated]
- INFO: Updated the title.
- T4001: Ensure logging features are enabled and configured appropriately (AWS Service) [Updated]
- INFO: Updated the title.
- T4048: Protect data in transit using TLS (Azure Service) [Updated]
- INFO: Updated the title.
- T4049: Protect data at rest with encryption (Azure Service) [Updated]
- INFO: Updated the title.
- T4050: Consider using customer-managed keys (Azure Service) [Updated]
- INFO: Updated the title.
- T4051: Ensure logging features are enabled and configured appropriately (Azure Service) [Updated]
- INFO: Updated the title.
- T4053: Restrict the use of highly privileged accounts (Azure Environment) [Updated]
- INFO: Updated the title.
- T4092: Follow best practices for service account identities [Updated]
- INFO: Updated the text.
- T4093: Follow a least privilege approach when granting service permissions [Updated]
- INFO: Updated the text.
- T4094: Disable public access and use private connect [Updated]
- INFO: Updated the text.
- T4095: Consider using customer-managed keys (CMEKs) [Updated]
- INFO: Updated the text.
- T4096: Ensure logging features are enabled and configured appropriately (GCP Service) [Updated]
- INFO: Updated the title and text.
- T4098: Restrict the use of highly privileged accounts (GCP Environment) [Updated]
- INFO: Updated the title.
- T4145: Require client authentication and implement least privilege permissions (Message Broker) [Updated]
- INFO: Updated the title.
- T4146: Implement defenses against denial of service attacks (Message Broker) [Updated]
- INFO: Updated the title.
- T4147: Use strict access controls for administration (Message Broker) [Updated]
- INFO: Updated the title.
- T4154: Use strict access controls for administration (Proxy Server) [Updated]
- INFO: Updated the title.
- T4168: Require client authentication and implement least privilege permissions (Service Bus) [Updated]
- INFO: Updated the title.
- T4169: Implement defenses against denial of service attacks (Service Bus) [Updated]
- INFO: Updated the title.
- T4170: Use strict access controls for administration (Service Bus) [Updated]
- INFO: Updated the title.
- T4175: Use strict access controls for administration (VPN Server) [Updated]
- INFO: Updated the title.
- T4178: Consider using a private APN (3G) [Updated]
- INFO: Updated the title.
- T4179: Restrict the use of legacy protocols and monitor device connections (3G) [Updated]
- INFO: Updated the title and text.
- T4180: Harden cell network hardware and monitor performance (3G) [Updated]
- INFO: Updated the title.
- T4183: Consider using a private APN (4G) [Updated]
- INFO: Updated the title.
- T4184: Restrict the use of legacy protocols and monitor device connections (4G) [Updated]
- INFO: Updated the title and text.
- T4185: Harden cell network hardware and monitor performance (4G) [Updated]
- INFO: Updated the title.
- T4189: Restrict the use of legacy protocols and monitor device connections (5G) [Updated]
- INFO: Updated the title and text.
- T4190: Harden cell network hardware and monitor performance (5G) [Updated]
- INFO: Updated the title.
- T4384: Implement and maintain cybersecurity measures for open-source software development (EU CRA) [Updated]
- INFO: Updated the text.
- T5582: Strengthen access control and authentication for OCI users and resources (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5583: Enforce robust IAM password policies (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5584: Enhance API and Authentication Key Management (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5585: Restrict and manage administrative access to services and resources (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5586: Restrict ingress access to SSH and RDP ports in security lists and network security groups (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5587: Restrict network access to Oracle Cloud services using ingress filtering and Virtual Cloud Networks (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5590: Enhance visibility and resource governance using default tags, Event Rules, and Notifications (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5591: Enhance visibility into network traffic with VCN flow logs (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5592: Enable Cloud Guard for security monitoring (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5593: Rotate encryption keys using Oracle Cloud Infrastructure Vault (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5598: Enforce compartmentalization by creating and using compartments for cloud resources (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5600: Verify Access and Authentication settings for OCI Security (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5601: Verify that the password policies enforce complexity requirements (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5602: Validate Access Controls and Key Management for accessing OCI APIs (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5603: Verify Least Privilege Enforcement for Service and Tenancy Administrators (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5604: Verify ingress access to SSH and RDP ports are restricted in security lists and network security groups (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5605: Verify network access restrictions using ingress filtering and Virtual Cloud Networks (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5608: Verify enforcement of default tags, Event Rules, and Notifications in Oracle Cloud Infrastructure (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5609: Verify the VCN flow logging is enabled (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5610: Verify that Cloud Guard is enabled (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5611: Verify the security of encryption keys in use (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5616: Verify compartments are used for all cloud resources and the root compartment remains empty (Oracle Cloud Infrastructure) [Updated]
- INFO: Updated the text.
- T5724: Implement a secure access control mechanism {ACM-2} {EN 18031} [Updated]
- INFO: Updated the title, text, and match conditions.
- TA7138: EN 18031-2 {ACM-2} Documentation Requirements [Added]
- TA7155: EN 18031-3 {ACM-2} Documentation Requirements [Added]
- TA7172: EN 18031-1 {ACM-2} Documentation Requirements [Added]
- P3468: Lack of secure access control mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5725: Use an appropriate authentication mechanism {AUM-2} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3469: Lack of secure authentication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5726: Ensure the validation of authenticators used in authentication mechanisms {AUM-3} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3470: Insufficient verification of authenticators (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5727: Implement the capability to change authentication mechanisms {AUM-4} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3471: Lack of authenticator reset mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5728: Use strong passwords in authentication mechanisms {AUM-5} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3472: Weak password requirements (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5729: Implement brute-force protection in authentication mechanism {AUM-6} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3473: Lack of brute-force protection (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5730: Ensure the applicability and appropriateness of DoS resilience mechanisms {RLM-1} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3474: Lack of Denial of Service (DoS) protection (EN 18031) [Updated]
- INFO: Updated the title.
- T5731: Ensure the applicability and appropriateness of network monitoring mechanisms {NMM-1} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3475: Lack of network monitoring mechanism (EN 18031) [Updated]
- INFO: Updated the title.
- T5732: Ensure the applicability and appropriateness of network traffic control mechanisms {TCM-1} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3476: Lack of traffic control mechanism (EN 18031) [Updated]
- INFO: Updated the title.
- T5733: Use best practices for cryptography {CRY-1} {EN 18031} [Updated]
- INFO: Updated the title, text, and match conditions.
- TA7142: EN 18031-2 {CRY-1} Documentation Requirements [Added]
- TA7159: EN 18031-3 {CRY-1} Documentation Requirements [Added]
- TA7173: EN 18031-1 {CRY-1} Documentation Requirements [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5734: Ensure the applicability and appropriateness of secure update mechanisms {SUM-1} {EN 18031} [Updated]
- INFO: Updated the title, text, and match conditions.
- TA7139: EN 18031-2 {SUM-1} Documentation Requirements [Added]
- TA7156: EN 18031-3 {SUM-1} Documentation Requirements [Added]
- TA7174: EN 18031-1 {SUM-1} Documentation Requirements [Added]
- P3478: Lack of secure update mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5735: Implement a secure update mechanism on your device {SUM-2} {EN 18031} [Updated]
- INFO: Updated the title, text, and match conditions.
- TA7140: EN 18031-2 {SUM-2} Documentation Requirements [Added]
- TA7157: EN 18031-3 {SUM-2} Documentation Requirements [Added]
- TA7175: EN 18031-1 {SUM-2} Documentation Requirements [Added]
- P3478: Lack of secure update mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5736: Implement a secure automated software update mechanism on your device {SUM-3} {EN 18031} [Updated]
- INFO: Updated the title, text, and match conditions.
- TA7141: EN 18031-2 {SUM-3} Documentation Requirements [Added]
- TA7158: EN 18031-3 {SUM-3} Documentation Requirements [Added]
- TA7176: EN 18031-1 {SUM-3} Documentation Requirements [Added]
- P3478: Lack of secure update mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5737: Ensure the applicability and appropriateness of secure storage mechanisms {SSM-1} {EN 18031} [Updated]
- INFO: Updated the title and text.
- TA7143: EN 18031-2 {SSM-1} Documentation Requirements [Added]
- TA7160: EN 18031-3 {SSM-1} Documentation Requirements [Added]
- TA7177: EN 18031-1 {SSM-1} Documentation Requirements [Added]
- P3479: Lack of secure storage mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5738: Implement integrity protection for storage mechanisms {SSM-2} {EN 18031} [Updated]
- INFO: Updated the title and text.
- TA7144: EN 18031-2 {SSM-2} Documentation Requirements [Added]
- TA7161: EN 18031-3 {SSM-2} Documentation Requirements [Added]
- TA7178: EN 18031-1 {SSM-2} Documentation Requirements [Added]
- P3479: Lack of secure storage mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5739: Implement appropriate confidentiality protection for secure storage mechanisms {SSM-3} {EN 18031} [Updated]
- INFO: Updated the title and text.
- TA7145: EN 18031-2 {SSM-3} Documentation Requirements [Added]
- TA7162: EN 18031-3 {SSM-3} Documentation Requirements [Added]
- TA7179: EN 18031-1 {SSM-3} Documentation Requirements [Added]
- P3479: Lack of secure storage mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5740: Ensure the applicability and appropriateness of secure communication mechanisms {SCM-1} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5741: Implement appropriate integrity and authenticity protection for communication mechanisms {SCM-2} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5742: Implement appropriate confidentiality protection for communication mechanisms {SCM-3} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5743: Implement appropriate replay protection for communication mechanisms {SCM-4} {EN 18031-1} [Updated]
- INFO: Updated the title.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5744: Implement appropriate confidential cryptographic keys {CCK-1} {EN 18031} [Updated]
- INFO: Updated the title, text, and match conditions.
- TA7146: EN 18031-2 {CCK-1} Documentation Requirements [Added]
- TA7163: EN 18031-3 {CCK-1} Documentation Requirements [Added]
- TA7186: EN 18031-1 {CCK-1} Documentation Requirements [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5745: Implement secure confidential cryptographic keys {CCK-2} {EN 18031} [Updated]
- INFO: Updated the title, text, and match conditions.
- TA7147: EN 18031-2 {CCK-2} Documentation Requirements [Added]
- TA7164: EN 18031-3 {CCK-2} Documentation Requirements [Added]
- TA7187: EN 18031-1 {CCK-2} Documentation Requirements [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5746: Implement features for preventing default values for preinstalled confidential cryptographic keys {CCK-3} {EN 18031} [Updated]
- INFO: Updated the title, text, and match conditions.
- TA7148: EN 18031-2 {CCK-3} Documentation Requirements [Added]
- TA7165: EN 18031-3 {CCK-3} Documentation Requirements [Added]
- TA7188: EN 18031-1 {CCK-3} Documentation Requirements [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5747: Ensure the use of updated and secure software and hardware {GEC-1} {EN 18031} [Updated]
- INFO: Updated the title and text.
- TA7149: EN 18031-2 {GEC-1} Documentation Requirements [Added]
- TA7166: EN 18031-3 {GEC-1} Documentation Requirements [Added]
- TA7180: EN 18031-1 {GEC-1} Documentation Requirements [Added]
- P3481: Use of insecure third party software and hardware (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5748: Control access to network interfaces and services {GEC-2} {EN 18031} [Updated]
- INFO: Updated the title and text.
- TA7150: EN 18031-2 {GEC-2} Documentation Requirements [Added]
- TA7167: EN 18031-3 {GEC-2} Documentation Requirements [Added]
- TA7181: EN 18031-1 {GEC-2} Documentation Requirements [Added]
- P3482: Exposure of services (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5749: Implement a feature for configuring optional services and the related exposed network interfaces {GEC-3} {EN 18031} [Updated]
- INFO: Updated the title and text.
- TA7151: EN 18031-2 {GEC-3} Documentation Requirements [Added]
- TA7168: EN 18031-3 {GEC-3} Documentation Requirements [Added]
- TA7182: EN 18031-1 {GEC-3} Documentation Requirements [Added]
- P3483: Lack of control over configuration parameters (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5750: Document exposed network interfaces and services {GEC-4} {EN 18031} [Updated]
- INFO: Updated the title and text.
- TA7152: EN 18031-2 {GEC-4} Documentation Requirements [Added]
- TA7169: EN 18031-3 {GEC-4} Documentation Requirements [Added]
- TA7183: EN 18031-1 {GEC-4} Documentation Requirements [Added]
- P3484: Lack of technical documentation (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5751: Disable unnecessary external interfaces {GEC-5} {EN 18031} [Updated]
- INFO: Updated the title and text.
- TA7153: EN 18031-2 {GEC-5} Documentation Requirements [Added]
- TA7170: EN 18031-3 {GEC-5} Documentation Requirements [Added]
- TA7184: EN 18031-1 {GEC-5} Documentation Requirements [Added]
- P3485: Exposure of physical external interfaces (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5752: Implement Input validation {GEC-6} {EN 18031} [Updated]
- INFO: Updated the title and text.
- TA7154: EN 18031-2 {GEC-6} Documentation Requirements [Added]
- TA7171: EN 18031-3 {GEC-6} Documentation Requirements [Added]
- TA7185: EN 18031-1 {GEC-6} Documentation Requirements [Added]
- P3486: Poor input validation (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- T5938: Ensure detailed design documentation (Hardware) [Added]
- P3586: Lack of Comprehensive Design Documentation (Hardware) [Added]
- T5939: Review protected locked registers early in design phase (Hardware) [Added]
- P3587: Inadequate Early Review of Protected Locked Registers (Hardware) [Added]
- T5940: Isolate sandboxes or managed runtimes in separate address spaces (Hardware) [Added]
- P3588: Transient Execution Vulnerabilities (Hardware) [Added]
- T5941: Include serialization instructions to prevent transient execution (Hardware) [Added]
- P3589: Speculative Execution Vulnerabilities (Hardware) [Added]
- T5942: Use Control-Flow Integrity (CFI) techniques (Hardware) [Added]
- P3590: Control-Flow Manipulation Vulnerability (Hardware) [Added]
- T5943: Engineer processor pipeline to prevent transient access (Hardware) [Added]
- P3591: Transient Execution Data Exposure (Hardware) [Added]
- T5944: Design software for strong context isolation (Hardware) [Added]
- P3592: Weak Context Isolation (Hardware) [Added]
- T5945: Invoke state-sanitizing operations on context switch (Hardware) [Added]
- P3593: Lack of State-Sanitizing Operations on Context Switch (Hardware) [Added]
- T5946: Use software techniques to mitigate transient execution (Hardware) [Added]
- P3594: Transient Execution Weaknesses (Hardware) [Added]
- T5947: Tag predictor entries with microarchitectural bits (Hardware) [Added]
- P3595: Predictor Entry Cross-Mode Training Vulnerability (Hardware) [Added]
- T5948: Sanitize microarchitectural predictor state on context switches (Hardware) [Added]
- P3596: Shared Microarchitectural Predictor State (Hardware) [Added]
- T5949: Disable predictor sharing (Hardware) [Added]
- P3597: Predictor Sharing Weakness (Hardware) [Added]
- T5950: Review and define secure register defaults and IP parameters (Hardware) [Added]
- P3598: Insecure Register Defaults and IP Parameters (Hardware) [Added]
- T5951: Evaluate and test register write-once or sticky fields (Hardware) [Added]
- P3599: Improper Implementation of Register Write-Once or Sticky Fields (Hardware) [Added]
- T5952: Ensure robust security lock bit protections (Hardware) [Added]
- P3600: Security Lock Bit Protections Vulnerability (Hardware) [Added]
- T5953: Ensure data consistency across distributed components (Hardware) [Added]
- P3601: Data Inconsistency in Distributed Systems (Hardware) [Added]
- T5954: Implement hardware-level mitigations for microarchitectural state clearing (Hardware) [Added]
- P3602: Microarchitectural State Clearing Weakness (Hardware) [Added]
- T5955: Implement register zeroization policy (Hardware) [Added]
- P3603: Lack of Register Zeroization Policy (Hardware) [Added]
- T5956: Apply blinding or masking techniques to implementations of cryptographic algorithms (Hardware) [Added]
- P3604: Side-Channel Vulnerability in Cryptographic Algorithms (Hardware) [Added]
- T5957: Add shielding or tamper-resistant protections to the device (Hardware) [Added]
- P3605: Physical Side-Channel Vulnerabilities (Hardware) [Added]
- T5958: Ensure correct implementation of cryptographic algorithms (Hardware) [Added]
- P3606: Incorrect Implementation of Cryptographic Algorithms (Hardware) [Added]
- T5959: Ensure valid cryptographic inputs (Hardware) [Added]
- P3607: Invalid Cryptographic Inputs (Hardware) [Added]
- T5960: Account for security primitive behavior in extreme temperatures (Hardware) [Added]
- P3608: Temperature-Induced Vulnerabilities in Security Primitives (Hardware) [Added]
- T5961: Implement control flow logic for cryptographic operations (Hardware) [Added]
- P3609: Inadequate Control Flow Logic in Cryptographic Operations (Hardware) [Added]
- T5962: Consider power consumption during security token evaluation (Hardware) [Added]
- P3610: Power Analysis Vulnerability in Security Token Evaluation (Hardware) [Added]
- T5963: Encrypt data before transmission (Hardware) [Added]
- P3611: Cleartext Transmission of Sensitive Information (Hardware) [Added]
- T5964: Ensure components are updateable (Hardware) [Added]
- P3612: Lack of Updateability in Software Components (Hardware) [Added]
- T5965: Ensure supply chain control for components (Hardware) [Added]
- P3613: Uncontrolled Supply Chain for Components (Hardware) [Added]
- T5966: Incorporate logging and feedback mechanisms (Hardware) [Added]
- P3614: Lack of Logging and Feedback Mechanisms (Hardware) [Added]
- T5967: Specify requirements for handling environmental conditions (Hardware) [Added]
- P3615: Lack of Defined Environmental Handling Requirements (Hardware) [Added]
- T5968: Use a dedicated, unprivileged service account to run Vault (HashiCorp Vault) [Added]
- P3616: Privilege Escalation Risk (Vault) [Added]
- T5969: Restrict write access for service account (HashiCorp Vault) [Added]
- P3617: Unrestricted Write Access for Vault Service Account (Vault Service) [Added]
- T5970: Use Vault with TLS in production (HashiCorp Vault) [Added]
- P3618: Lack of Encrypted Communication (Vault) [Added]
- T5971: Disable swap to protect sensitive data (HashiCorp Vault) [Added]
- P3619: Sensitive Data Exposure via Swap (Vault with Integrated Storage) [Added]
- T5972: Prevent core dumps to protect encryption keys (HashiCorp Vault) [Added]
- P3620: Core Dump Exposure of Sensitive Data (Linux Systems with Vault) [Added]
- T5973: Run Vault as the sole user process (HashiCorp Vault) [Added]
- P3621: Process Interference and Unauthorized Access (Vault) [Added]
- T5974: Use local firewall or network security features to restrict traffic (HashiCorp Vault) [Added]
- P3622: Unrestricted Network Traffic (General Network Security) [Added]
- T5975: Revoke initial root token after setup (HashiCorp Vault) [Added]
- P3623: Persistent Root Token Exposure (HashiCorp Vault) [Added]
- T5976: Verify and configure user lockout settings (HashiCorp Vault) [Added]
- P3624: Inadequate User Lockout Configuration (Vault) [Added]
- T5977: Enable audit device logs (HashiCorp Vault) [Added]
- P3625: Lack of Audit Device Logs (Vault) [Added]
- T5978: Prevent commands from appearing in history (HashiCorp Vault) [Added]
- P3626: Command History Exposure (Unix-like Systems) [Added]
- T5979: Upgrade Vault regularly (HashiCorp Vault) [Added]
- P3627: Outdated Software Vulnerabilities (HashiCorp Vault) [Added]
- T5980: Use NTP to synchronize clocks across Vault nodes (HashiCorp Vault) [Added]
- P3628: Clock Skew Vulnerability in Time-Dependent Operations (Vault Nodes) [Added]
- T5981: Restrict storage access outside of Vault (HashiCorp Vault) [Added]
- P3629: Unrestricted Storage Access (Generic Storage Systems) [Added]
- T5982: Configure seal stanza with secure practices (HashiCorp Vault) [Added]
- P3630: Improper Configuration of Vault Seal Stanza (HashiCorp Vault) [Added]
- T5983: Use TLS 1.3 for Vault's TLS listener (HashiCorp Vault) [Added]
- P3631: Use of Outdated TLS Versions (Vault's TLS Listener) [Added]
- T5984: Protect against misconfigured or malicious plugins (HashiCorp Vault) [Added]
- P3632: Misconfigured or Malicious Vault Plugins (HashiCorp Vault) [Added]
- T5985: Ensure consistent configuration (HashiCorp Vault) [Added]
- P3633: Inconsistent Configuration Files (Vault) [Added]
- T5986: Ensure appropriate permissions on sensitive files (HashiCorp Vault) [Added]
- P3634: Insecure File Permissions (Vault) [Added]
- T5987: Avoid using command-line arguments for Vault login and unseal (HashiCorp Vault) [Added]
- P3635: Exposure of Secret Values via Command-Line Arguments (Vault Software) [Added]
- T5988: Revoke token-based access (HashiCorp Vault) [Added]
- P3636: Persistent Token-Based Access (Vault) [Added]
- T5989: Use short-lived credentials (HashiCorp Vault) [Added]
- P3637: Long-Lived Credential Exposure (General Software Systems) [Added]
- T5990: Access Vault through its API over the network (HashiCorp Vault) [Added]
- P3638: Direct Machine Access (Vault) [Added]
- T5991: Lock down access to filesystem and administrative capabilities (HashiCorp Vault) [Added]
- P3639: Improper Access Control (Linux Systems with Systemd) [Added]
- T5992: Upgrade Vault servers with external storage (HashiCorp Vault) [Added]
- P3640: Insecure Upgrade Process (Vault Servers) [Added]
- T5993: Use SELinux and AppArmor for enhanced security (HashiCorp Vault) [Added]
- P3641: Lack of Mandatory Access Control (Linux Systems) [Added]
- T5994: Review and adjust Linux ulimits for production (HashiCorp Vault) [Added]
- P3642: Resource Exhaustion Due to Default ulimits (Linux Systems) [Added]
- T5995: Use memory locking (mlock) inside Vault containers (HashiCorp Vault) [Added]
- P3643: Memory Swapping Vulnerability (Vault Container) [Added]
- T5996: Encrypt swap file when disabling mlock (HashiCorp Vault) [Added]
- P3644: Unencrypted Swap File Exposure (Operating Systems with Swap Functionality) [Added]
- T5997: Separate projects for enhanced security (Azure Pipelines) [Added]
- P3645: Lack of Project Isolation (Azure Pipelines) [Added]
- T5998: Use branch policies for safe code changes (Azure Pipelines) [Added]
- P3646: Lack of Branch Policies for Code Changes (Azure Pipelines) [Added]
- T5999: Add additional security for forks (Azure Pipelines) [Added]
- P3647: Inadequate Security Measures for Fork Builds (Azure Pipelines) [Added]
- T6000: Minimize the scope of service connections (Azure Pipelines) [Added]
- P3648: Excessive Privileges in Service Connections (Azure Pipelines) [Added]
- T6001: Use workload identity federation for authentication (Azure Pipelines) [Added]
- P3649: Credential Exposure Risk (Azure Pipelines) [Added]
- T6002: Minimize GitHub App access (Azure Pipelines) [Added]
- P3650: Excessive Permissions in GitHub Apps (Azure Pipelines) [Added]
- T6003: Migrate to YAML pipelines for enhanced security (Azure Pipelines) [Added]
- P3651: Misconfiguration Risks in Classic Pipelines (Azure Pipelines) [Added]
- T6004: Secure containers by implementing best practices (Azure Pipelines) [Added]
- P3652: Improper Container Configuration (Azure Pipelines) [Added]
- T6005: Use Microsoft-hosted agents for isolation (Azure Pipelines) [Added]
- P3653: Lack of Isolation in Pipeline Execution (Azure Pipelines) [Added]
- T6006: Isolate production artifacts and sensitive agent pools (Azure Pipelines) [Added]
- P3654: Lack of Isolation for Production Artifacts and Sensitive Agent Pools (Azure Pipelines) [Added]
- T6007: Regularly update self-hosted agent pools (Azure Pipelines) [Added]
- P3655: Outdated Software in Self-Hosted Agent Pools (Azure Pipelines) [Added]
- T6008: Restrict access to secrets (Azure Pipelines) [Added]
- P3656: Inadequate Restriction of Access to Secrets (Azure Pipelines) [Added]
- T6009: Enable shell parameter validation (Azure Pipelines) [Added]
- P3657: Shell Parameter Injection Vulnerability (Azure Pipelines) [Added]
- T6010: Use parameters instead of variables (Azure Pipelines) [Added]
- P3658: Improper Input Validation in Pipeline Configuration (Azure Pipelines) [Added]
- T6011: Reference secrets from templates (Azure Pipelines) [Added]
- P3659: Exposure of Sensitive Information through Direct Inclusion (Azure Pipelines) [Added]
- T6012: Avoid using secrets when possible (Azure Pipelines) [Added]
- P3660: Insecure Secret Management Practices (Azure Pipelines) [Added]
- T6013: Audit secret handling in tasks and logs (Azure Pipelines) [Added]
- P3661: Inadequate Secret Management in Tasks and Logs (Azure Pipelines) [Added]
- T6014: Review and remove unnecessary secrets (Azure Pipelines) [Added]
- P3662: Excessive Secrets Management (Azure Pipelines) [Added]
- T6015: Rotate secrets regularly (Azure Pipelines) [Added]
- P3663: Inadequate Secret Rotation (Azure Pipelines) [Added]
- T6016: Escape special characters in arguments (Azure Pipelines) [Added]
- P3664: Shell Command Injection Vulnerability (Azure Pipelines) [Added]
- T6017: Validate inputs and use parameters (Azure Pipelines) [Added]
- P3665: Lack of Input Validation and Parameterization (Azure Pipelines) [Added]
- T6018: Avoid using PATH in scripts (Azure Pipelines) [Added]
- P3666: Reliance on PATH Environment Variable (Azure Pipelines) [Added]
- T6019: Control available tasks (Azure Pipelines) [Added]
- P3667: Uncontrolled Task Execution (Azure Pipelines) [Added]
- T6020: Mark volumes as read only (Azure Pipelines) [Added]
- P3668: Unauthorized Modification of Volumes (Azure Pipelines) [Added]
- T6021: Set container-specific resource limits (Azure Pipelines) [Added]
- P3669: Resource Exhaustion Vulnerability (Azure Pipelines) [Added]
- T6022: Use trusted images (Azure Pipelines) [Added]
- P3670: Use of Untrusted Container Images (Azure Pipelines) [Added]
- T6023: Scan containers for vulnerabilities and enforce runtime threat protection (Azure Pipelines) [Added]
- P3671: Lack of Vulnerability Scanning and Runtime Threat Protection (Azure Pipelines) [Added]
- T6024: Implement security policies to prevent privilege escalation (Azure Pipelines) [Added]
- P3672: Privilege Escalation Vulnerability (Azure Pipelines) [Added]
- T6025: Utilize network policies (Azure Pipelines) [Added]
- P3673: Unrestricted Container Communication (Azure Pipelines) [Added]
- T6026: Use extends templates in pipelines (Azure Pipelines) [Added]
- P3674: Inconsistent Pipeline Structures (Azure Pipelines) [Added]
- T6027: Restrict access with containerized steps (Azure Pipelines) [Added]
- P3675: Insecure Pipeline Execution (Azure Pipelines) [Added]
- T6028: Deploy phishing-resistant MFA (Okta) [Added]
- P3676: Phishing-Resistant MFA Weakness (Okta) [Added]
- T6029: Enable adaptive authentication (Okta) [Added]
- P3677: Lack of Adaptive Authentication (Okta) [Added]
- T6030: Monitor authentication events (Okta) [Added]
- P3678: Inadequate Monitoring of Authentication Events (Okta) [Added]
- T6031: Centralize authentication controls (Okta) [Added]
- P3679: Decentralized Authentication Controls (Okta) [Added]
- T6032: Configure federation protocols (Okta) [Added]
- P3680: Improper Configuration of Federation Protocols (Okta) [Added]
- T6033: Monitor SSO activities (Okta) [Added]
- P3681: Lack of Monitoring for Single Sign-On Activities (Okta) [Added]
- T6034: Enable user workflows (Okta) [Added]
- P3682: Lack of Structured User Access Management (Okta) [Added]
- T6035: Automate credential rotation (Okta) [Added]
- P3683: Static Credential Usage in DevOps Environments (Okta) [Added]
- T6036: Centralize secrets management (Okta) [Added]
- P3684: Decentralized Secrets Management (Okta) [Added]
- T6037: Secure deployment pipelines (Okta) [Added]
- P3685: Insecure Deployment Pipelines (Okta) [Added]
- T6038: Monitor configuration changes (Okta) [Added]
- P3686: Lack of Configuration Change Monitoring (Okta) [Added]
- T6039: Deploy automated workflows for identity lifecycle management (Okta) [Added]
- P3687: Inadequate Identity Lifecycle Management (Okta) [Added]
- T6040: Control temporary access (Okta) [Added]
- P3688: Inadequate Management of Temporary Access (Okta) [Added]
- T6041: Use asymmetric cryptographic techniques for client authentication (Okta) [Added]
- P3689: Insecure Client Authentication (Okta) [Added]
- T6042: Implement PKCE for OAuth 2.0 authorization code flow (Okta) [Added]
- P3690: Authorization Code Interception Vulnerability (Okta) [Added]
- T6043: Implement OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) (Okta) [Added]
- P3691: OAuth 2.0 Access Token Replay Vulnerability (Okta) [Added]
- T6044: Implement short-lived access tokens and refresh token rotation (Okta) [Added]
- P3692: Long-Lived Access Tokens and Static Refresh Tokens (Okta) [Added]
- T6045: Implement principle of least privilege in OAuth/OpenID Connect applications (Okta) [Added]
- P3693: Excessive Permissions in OAuth/OpenID Connect Applications (Okta) [Added]
- T6046: Implement OAuth 2.0 authorization code flow with PKCE (Okta) [Added]
- P3694: Authorization Code Injection Vulnerability (Okta) [Added]
- T6047: Secure API tokens (Okta) [Added]
- P3695: Insecure API Token Management (Okta) [Added]
- T6048: Integrate Okta with Identity Threat Detection and Response (ITDR) (Okta) [Added]
- P3696: Identity Threat Detection and Response Weakness (Okta) [Added]
- T6049: Develop a robust IAM strategy (Okta) [Added]
- P3697: Inadequate Identity and Access Management (IAM) Strategy (Okta) [Added]
- T6050: Automate account lifecycles (Okta) [Added]
- P3698: Inadequate Account Lifecycle Management (Okta) [Added]
- T6051: Conduct regular access and privilege audits (Okta) [Added]
- P3699: Inadequate Access Control Management (Okta) [Added]
- T6052: Enable Multi-Factor Authentication (MFA) for users (Okta) [Added]
- P3700: Lack of Multi-factor Authentication (Okta) [Added]
- T6053: Implement strong password policies (Okta) [Added]
- P3701: Weak Password Policy (Okta) [Added]
- T6054: Adopt least-privilege with custom admin roles (Okta) [Added]
- P3702: Excessive Privilege Assignment (Okta) [Added]
- T6055: Secure service accounts (Okta) [Added]
- P3703: Improper Use of User Accounts for Service Integrations (Okta) [Added]
- T6056: Configure catch-all deny rules (Okta) [Added]
- P3704: Lack of Catch-All Deny Rules (Okta) [Added]
- T6057: Ensure signing is enabled (SMB) [Added]
- P3705: Lack of SMB Signing by Default (SMB) [Added]
- T6058: Configure SMB client to use alternative ports (SMB) [Added]
- P3706: Default Port Usage in SMB Client (SMB) [Added]
- T6059: Audit the use of SMB over QUIC (SMB) [Added]
- P3707: Lack of Auditing for SMB over QUIC (SMB) [Added]
- T6060: Enable authentication rate limiter (SMB) [Added]
- P3708: Lack of Authentication Rate Limiting (SMB) [Added]
- T6061: Mandate encryption for all outbound SMB connections (SMB) [Added]
- P3709: Lack of Encryption for Outbound SMB Connections (SMB) [Added]
- T6062: Enforce the use of latest protocol versions (SMB) [Added]
- P3710: Use of Deprecated SMB Protocol Versions (SMB) [Added]
- T6063: Reconfigure firewall rules for NetBIOS ports (SMB) [Added]
- P3711: Unrestricted SMB NetBIOS Port Access (SMB) [Added]
- T6064: Disable client guest connections (SMB) [Added]
- P3712: Insecure Guest Logons in SMB Client Connections (SMB) [Added]
- T6065: Prevent NTLM authentication for remote outbound connections (SMB) [Added]
- P3713: Insecure Authentication Protocol Usage (SMB) [Added]
- T6066: Implement SMB over QUIC client access control (SMB) [Added]
- P3714: Lack of Access Control in SMB over QUIC (SMB) [Added]
- T6067: Implement SMB over QUIC for secure file sharing (SMB) [Added]
- P3715: Unencrypted SMB Traffic (SMB) [Added]
- T6068: Disable remote mailslots for SMB and DC locator protocol (SMB) [Added]
- P3716: Insecure Remote Mailslot Usage (SMB) [Added]
- T6069: Enable encryption (SMB) [Added]
- P3717: Lack of SMB Traffic Encryption (SMB) [Added]
- T6070: Ensure NTFS permissions follow the principle of least privilege (SMB) [Added]
- P3718: Excessive NTFS Permissions (SMB) [Added]
- T6071: Use Windows Firewall or a dedicated network firewall (SMB) [Added]
- P3719: Unrestricted SMB Port Access (SMB) [Added]
- T6072: Enable automatic updates for Windows Server (SMB) [Added]
- P3720: Lack of Timely Security Updates (SMB) [Added]
- T6073: Implement monitoring solutions for SMB traffic (SMB) [Added]
- P3721: Lack of Monitoring Solutions for SMB Traffic (SMB) [Added]
- T6074: Utilize a Virtual Private Network (VPN) for remote access (SMB) [Added]
- P3722: Unencrypted Remote SMB Access (SMB) [Added]
- T6075: Verify secure IAM configuration and root account restrictions are implemented (Alibaba Cloud) [Added]
- P3723: Lack of enforced IAM controls (Alibaba Cloud) [Added]
- I3898: Verify that the 'root' account is not used [Added]
- I3899: Verify that no root account access key exists [Added]
- I3900: Verify that MFA is enabled for the root account [Added]
- I3901: Verify that multi-factor authentication is enabled for all RAM users that have a console password [Added]
- I3902: Verify that users not logged on for 90 days or longer are disabled for console logon [Added]
- I3903: Verify that access keys are rotated every 90 days or less [Added]
- I3904: Verify that the RAM password policy requires at least one uppercase letter [Added]
- I3905: Verify that the RAM password policy requires at least one lowercase letter [Added]
- I3906: Verify that RAM password policy requires at least one symbol [Added]
- I3907: Verify that RAM password policy requires at least one number [Added]
- I3908: Verify that the RAM password policy requires minimum length of 14 or greater [Added]
- I3909: Verify that the RAM password policy prevents password reuse [Added]
- I3910: Verify that the RAM password policy expires passwords in 365 days or greater [Added]
- I3911: Verify that the RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour [Added]
- I3912: Verify that RAM policies do not allow full '*:*' administrative privileges [Added]
- I3913: Verify that RAM policies are attached only to groups or roles [Added]
- T6076: Verify secure logging (Alibaba Cloud) [Added]
- P3724: Lack of secure logging configuration (Alibaba Cloud) [Added]
- I3914: Verify that ActionTrail is configured to export copies of all Log entries [Added]
- I3915: Verify that the OSS used to store ActionTrail logs is not publicly accessible [Added]
- I3916: Verify that audit logs for multiple cloud resources are integrated with Log Service [Added]
- I3917: Verify that Log Service is enabled for Container Service for Kubernetes [Added]
- I3918: Verify that the virtual network flow log service is enabled [Added]
- T6077: Verify real-time monitoring and alerting for critical security events (Alibaba Cloud) [Added]
- P3726: Lack of Monitoring and Alarms for critical security events (Alibaba Cloud) [Added]
- I3923: Verify that log monitoring and alerts are set up for RAM Role changes [Added]
- I3925: Verify that log monitoring and alerts are set up for VPC network route changes [Added]
- I3926: Test that log monitoring and alerts are set up for VPC changes [Added]
- I3927: Verify that log monitoring and alerts are set up for OSS permission changes [Added]
- I3928: Verify that log monitoring and alerts are set up for RDS instance configuration changes [Added]
- I3929: Verify that log monitoring and alerts are set up for unauthorized API calls [Added]
- I3930: Verify that log monitoring and alerts are set up for Management Console sign-in without MFA [Added]
- I3931: Verify that log monitoring and alerts are set up for usage of 'root' account [Added]
- I3934: Verify that log monitoring and alerts are set up for OSS bucket policy changes [Added]
- T6078: Verify security logging configuration for protection services (Alibaba Cloud) [Added]
- P3725: Inadequate security logging for protection services (Alibaba Cloud) [Added]
- I3919: Verify that Anti-DDoS access and security log service is enabled [Added]
- I3920: Verify that Web Application Firewall access and security log service is enabled [Added]
- I3921: Verify that Cloud Firewall access and security log analysis is enabled [Added]
- I3922: Verify that Security Center Network, Host and Security log analysis is enabled [Added]
- T6079: Verify monitoring and retention settings for key security operations (Alibaba Cloud) [Added]
- P3727: Lack of monitoring and long-term retention for high-risk operations (Alibaba Cloud) [Added]
- I3924: Verify that log monitoring and alerts are set up for Cloud Firewall changes [Added]
- I3932: Test that log monitoring and alerts are set up for Management Console authentication failures [Added]
- I3933: Verify that log monitoring and alerts are set up for customer created CMKs [Added]
- I3935: Test that log monitoring and alerts are set up for security group changes [Added]
- I3936: Verify that Logstore data retention period is set to 365 days or greater [Added]
- T6080: Verify secure and minimal network access configuration (Alibaba Cloud) [Added]
- P3728: Overly Permissive Security Group Rules (Alibaba Cloud) [Added]
- I3937: Verify that legacy networks do not exist [Added]
- I3940: Verify that routing tables for VPC peering are least access [Added]
- I3941: Verify that the security group is configured with fine-grained rules [Added]
- T6081: Verify ingress access to critical ports is restricted (Alibaba Cloud) [Added]
- P3729: Unrestricted ingress access to critical ports (Alibaba Cloud) [Added]
- I3938: Verify that SSH access is restricted from the internet [Added]
- I3939: Verify that VPC flow logging is enabled in all VPCs [Added]
- T6082: Verify encryption of virtual machine disks (Alibaba Cloud VM) [Added]
- P3730: Lack of encryption for virtual machine storage at rest (Alibaba Cloud VM) [Added]
- I3942: Verify that 'Unattached disks' are encrypted [Added]
- I3943: Verify that the Virtual Machine's disk is encrypted [Added]
- T6083: Verify OS patch status and endpoint protection on virtual machines (Alibaba Cloud VM) [Added]
- P3731: Unrestricted ingress access to critical ports (Alibaba Cloud VM) [Added]
- I3944: Verify that no security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I3945: Verify that no security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- T6084: Verify that the OSS bucket access policy does not allow public access (Alibaba Cloud VM) [Added]
- P3732: Unpatched operating systems and lack of endpoint protection (Alibaba Cloud VM) [Added]
- I3946: Verify that the latest OS Patches for all Virtual Machines are applied [Added]
- I3947: Verify that the endpoint protection for all Virtual Machines is installed [Added]
- T6085: Verify secure access and logging configuration for OSS buckets (Alibaba Cloud OSS) [Added]
- P3733: Insecure Object Storage Service (OSS) Buckets (Alibaba Cloud OSS) [Added]
- I3948: Verify that the OSS bucket is not anonymously or publicly accessible [Added]
- I3949: Verify that there are no publicly accessible objects in storage buckets [Added]
- I3950: Verify that logging is enabled for OSS buckets [Added]
- I3951: Verify that 'Secure transfer required' is set to 'Enabled' [Added]
- T6086: Verify expiration and HTTPS enforcement for OSS signed URLs (Alibaba Cloud OSS) [Added]
- P3734: Lack of secure expiration and transport controls for signed URLs (Alibaba Cloud OSS) [Added]
- I3952: Verify that the shared URL signature expires within an hour [Added]
- I3953: Verify that URL signature is allowed only over https [Added]
- T6087: Verify network restrictions and encryption settings for OSS buckets (Alibaba Cloud OSS) [Added]
- P3735: Lack of network restrictions and encryption for object storage (Alibaba Cloud OSS) [Added]
- I3954: Verify that the network access rule for storage bucket is not set to publicly accessible [Added]
- I3955: Verify that server-side encryption is set to ‘Encrypt with Service Key’ [Added]
- I3956: Verify that server-side encryption is set to ‘Encrypt with BYOK’ [Added]
- T6088: Verify encryption, access, and audit settings for RDS instances (Alibaba Cloud RDS) [Added]
- P3736: Lack of secure access, encryption, and audit logging for RDS instances (Alibaba Cloud RDS) [Added]
- I3957: Verify that the RDS instance requires all incoming connections to use SSL [Added]
- I3958: Verify that RDS Instances are not open to the world [Added]
- I3960: Verify that 'Auditing' Retention is 'greater than 6 months' [Added]
- I3961: Verify that 'TDE' is set to 'Enabled' for applicable database instances [Added]
- T6089: Verify PostgreSQL database-level logging for activity tracking (Alibaba Cloud RDS) [Added]
- P3738: Lack of logging for database activities in PostgreSQL databases (Alibaba Cloud RDS) [Added]
- I3963: Verify that the parameter 'log_connections' is set to 'ON' for PostgreSQL Database [Added]
- I3964: Verify that the server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server [Added]
- I3965: Verify that the server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server [Added]
- T6090: Verify auditing and BYOK encryption settings for RDS instances (Alibaba Cloud RDS) [Added]
- P3737: Insufficient auditing and lack of control over encryption keys in RDS instances (Alibaba Cloud RDS) [Added]
- I3959: Verify that 'Auditing' is set to 'On' for applicable database instances [Added]
- I3962: Verify that RDS instance TDE protector is encrypted with BYOK [Added]
- T6091: Verify observability and proactive monitoring for Kubernetes clusters (Alibaba Cloud Kubernetes) [Added]
- P3739: Limited observability and inadequate health monitoring (Alibaba Cloud Kubernetes) [Added]
- I3966: Verify that Log Service is set to ‘Enabled’ on Kubernetes Engine Clusters [Added]
- I3967: Verify that CloudMonitor is set to Enabled on Kubernetes Engine Clusters [Added]
- I3971: Verify that Basic Authentication is not enabled on Kubernetes Engine Clusters [Added]
- T6092: Verify access control and authentication configuration for Kubernetes clusters (Alibaba Cloud Kubernetes) [Added]
- P3740: Inadequate access control configuration (Alibaba Cloud Kubernetes) [Added]
- I3968: Verify that role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters [Added]
- I3969: Verify that Cluster Check is triggered at least once per week for Kubernetes Clusters [Added]
- I3970: Verify that Kubernetes web UI / Dashboard is not enabled [Added]
- T6093: Verify private networking and secure communication in Kubernetes clusters (Alibaba Cloud Kubernetes) [Added]
- P3741: Overly permissive network communication and public exposure of Kubernetes clusters (Alibaba Cloud Kubernetes) [Added]
- I3972: Verify that Network policy is enabled on Kubernetes Engine Clusters [Added]
- I3973: Verify ENI multiple IP mode support for Kubernetes Cluster [Added]
- I3974: Verify that the Kubernetes Cluster is created with Private cluster enabled [Added]
- T6094: Verify threat detection and automatic quarantine configuration in Security Center (Alibaba Cloud) [Added]
- P3742: Lack of real-time threat detection and automated containment in cloud environments (Alibaba Cloud) [Added]
- I3975: Verify that Security Center is Advanced or Enterprise Edition [Added]
- I3976: Verify that all assets are installed with security agent [Added]
- I3977: Verify that Automatic Quarantine is enabled [Added]
- T6095: Verify baseline threat detection and asset visibility configurations (Alibaba Cloud) [Added]
- P3743: Lack of baseline threat detection and asset visibility in cloud infrastructure (Alibaba Cloud) [Added]
- I3978: Verify that Webshell detection is enabled on all web servers [Added]
- I3979: Verify that notification is enabled on all high risk items [Added]
- I3980: Verify that Config Assessment is granted with privilege [Added]
- I3981: Verify that scheduled vulnerability scan is enabled on all servers [Added]
- I3982: Test that Asset Fingerprint automatically collects asset fingerprint data [Added]
- T6096: Enforce secure IAM configuration and root account restrictions (Alibaba Cloud) [Added]
- P3723: Lack of enforced IAM controls (Alibaba Cloud) [Added]
- I3813: Avoid the use of the "root" account [Added]
- I3814: Ensure no root account access key exists [Added]
- I3815: Ensure MFA is enabled for the "root" account [Added]
- I3816: Ensure that multi-factor authentication is enabled for all RAM users that have a console password [Added]
- I3817: Ensure users not logged on for 90 days or longer are disabled for console logon [Added]
- I3818: Ensure access keys are rotated every 90 days or less [Added]
- I3819: Ensure RAM password policy requires at least one uppercase letter [Added]
- I3820: Ensure RAM password policy requires at least one lowercase letter [Added]
- I3821: Ensure RAM password policy requires at least one symbol [Added]
- I3822: Ensure RAM password policy requires at least one number [Added]
- I3823: Ensure RAM password policy requires minimum length of 14 or greater [Added]
- I3824: Ensure RAM password policy prevents password reuse [Added]
- I3825: Ensure RAM password policy expires passwords in 365 days or greater [Added]
- I3826: Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour [Added]
- I3827: Ensure RAM policies that allow full "*:*" administrative privileges are not created [Added]
- I3828: Ensure RAM policies are attached only to groups or roles [Added]
- T6097: Enforce logging and storage security settings (Alibaba Cloud) [Added]
- P3724: Lack of secure logging configuration (Alibaba Cloud) [Added]
- I3829: Ensure that ActionTrail is configured to export copies of all Log entries [Added]
- I3830: Ensure the OSS used to store ActionTrail logs is not publicly accessible [Added]
- I3831: Ensure audit logs for multiple cloud resources are integrated with Log Service [Added]
- I3832: Ensure Log Service is enabled for Container Service for Kubernetes [Added]
- I3833: Ensure virtual network flow log service is enabled [Added]
- T6098: Implement real-time monitoring and alerting for critical security events (Alibaba Cloud) [Added]
- P3726: Lack of Monitoring and Alarms for critical security events (Alibaba Cloud) [Added]
- I3838: Ensure log monitoring and alerts are set up for RAM Role changes [Added]
- I3840: Ensure log monitoring and alerts are set up for VPC network route changes [Added]
- I3841: Ensure log monitoring and alerts are set up for VPC changes [Added]
- I3842: Ensure log monitoring and alerts are set up for OSS permission changes [Added]
- I3843: Ensure log monitoring and alerts are set up for RDS instance configuration changes [Added]
- I3844: Ensure log monitoring and alerts are set up for unauthorized API calls [Added]
- I3845: Ensure log monitoring and alerts are set up for Management Console sign-in without MFA [Added]
- I3846: Ensure log monitoring and alerts are set up for usage of "root" account [Added]
- I3849: Ensure log monitoring and alerts are set up for OSS bucket policy changes [Added]
- T6099: Enable security logging for protection services (Alibaba Cloud) [Added]
- P3725: Inadequate security logging for protection services (Alibaba Cloud) [Added]
- I3834: Ensure Anti-DDoS access and security log service is enabled [Added]
- I3835: Ensure Web Application Firewall access and security log service is enabled [Added]
- I3836: Ensure Cloud Firewall access and security log analysis is enabled [Added]
- I3837: Ensure Security Center Network, Host and Security log analysis is enabled [Added]
- T6100: Implement log monitoring and retention settings for key security operations (Alibaba Cloud) [Added]
- P3727: Lack of monitoring and long-term retention for high-risk operations (Alibaba Cloud) [Added]
- I3839: Ensure log monitoring and alerts are set up for Cloud Firewall changes [Added]
- I3847: Ensure log monitoring and alerts are set up for Management Console authentication failures [Added]
- I3848: Ensure log monitoring and alerts are set up for disabling or deletion of customer created CMKs [Added]
- I3850: Ensure log monitoring and alerts are set up for security group changes [Added]
- I3851: Ensure that Logstore data retention period is set to 365 days or greater [Added]
- T6101: Enforce secure and minimal network access configuration (Alibaba Cloud) [Added]
- P3728: Overly Permissive Security Group Rules (Alibaba Cloud) [Added]
- I3852: Ensure legacy networks do not exist [Added]
- I3855: Ensure routing tables for VPC peering are "least access" [Added]
- I3856: Ensure security groups are configured with fine-grained rules [Added]
- T6102: Restrict ingress access to critical ports (Alibaba Cloud) [Added]
- P3729: Unrestricted ingress access to critical ports (Alibaba Cloud) [Added]
- I3853: Ensure that SSH access is restricted from the internet [Added]
- I3854: Ensure VPC flow logging is enabled in all VPCs [Added]
- T6103: Enforce encryption for all virtual machine disks (Alibaba Cloud VM) [Added]
- P3730: Lack of encryption for virtual machine storage at rest (Alibaba Cloud VM) [Added]
- I3857: Ensure that 'Unattached disks' are encrypted [Added]
- I3858: Ensure that ‘Virtual Machine’s disks’ are encrypted [Added]
- T6104: Restrict public access to remote management ports (Alibaba Cloud VM) [Added]
- P3731: Unrestricted ingress access to critical ports (Alibaba Cloud VM) [Added]
- I3859: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I3860: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- T6105: Apply OS patches and endpoint protection (Alibaba Cloud VM) [Added]
- P3732: Unpatched operating systems and lack of endpoint protection (Alibaba Cloud VM) [Added]
- I3861: Ensure that the latest OS Patches for all Virtual Machines are applied [Added]
- I3862: Ensure that the endpoint protection for all Virtual Machines is installed [Added]
- T6106: Enforce secure configuration and access controls for OSS buckets (Alibaba Cloud OSS) [Added]
- P3733: Insecure Object Storage Service (OSS) Buckets (Alibaba Cloud OSS) [Added]
- I3863: Ensure that OSS bucket is not anonymously or publicly accessible [Added]
- I3864: Ensure that there are no publicly accessible objects in storage buckets [Added]
- I3865: Ensure that logging is enabled for OSS buckets [Added]
- I3866: Ensure that 'Secure transfer required' is set to 'Enabled' [Added]
- T6107: Enforce secure signed URL policies for OSS access (Alibaba Cloud OSS) [Added]
- P3734: Lack of secure expiration and transport controls for signed URLs (Alibaba Cloud OSS) [Added]
- I3867: Ensure that the shared URL signature expires within an hour [Added]
- I3868: Ensure that URL signature is allowed only over https [Added]
- T6108: Enforce network access and encryption policies for OSS buckets (Alibaba Cloud OSS) [Added]
- P3735: Lack of network restrictions and encryption for object storage (Alibaba Cloud OSS) [Added]
- I3869: Ensure network access rule for storage bucket is not set to publicly accessible [Added]
- I3870: Ensure server-side encryption is set to ‘Encrypt with Service Key’ [Added]
- I3871: Ensure server-side encryption is set to ‘Encrypt with BYOK’ [Added]
- T6109: Enforce secure configuration and auditing for RDS instances (Alibaba Cloud RDS) [Added]
- P3736: Lack of secure access, encryption, and audit logging for RDS instances (Alibaba Cloud RDS) [Added]
- I3872: Ensure that RDS instance requires all incoming connections to use SSL [Added]
- I3873: Ensure that RDS Instances are not open to the world [Added]
- I3875: Ensure that 'Auditing' Retention is 'greater than 6 months' [Added]
- I3876: Ensure that 'TDE' is set to 'Enabled' for applicable database instances [Added]
- T6110: Enable PostgreSQL database-level logging for activity tracking (Alibaba Cloud RDS) [Added]
- P3738: Lack of logging for database activities in PostgreSQL databases (Alibaba Cloud RDS) [Added]
- I3878: Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database [Added]
- I3879: Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server [Added]
- I3880: Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server [Added]
- T6111: Enforce auditing and customer-managed encryption for RDS instances (Alibaba Cloud RDS) [Added]
- P3737: Insufficient auditing and lack of control over encryption keys in RDS instances (Alibaba Cloud RDS) [Added]
- I3874: Ensure that 'Auditing' is set to 'On' for applicable database instances [Added]
- I3877: Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key) [Added]
- T6112: Enable observability and proactive monitoring for Kubernetes clusters (Alibaba Cloud Kubernetes) [Added]
- P3739: Limited observability and inadequate health monitoring (Alibaba Cloud Kubernetes) [Added]
- I3881: Ensure Log Service is set to ‘Enabled’ on Kubernetes Engine Clusters [Added]
- I3882: Ensure CloudMonitor is set to Enabled on Kubernetes Engine Clusters [Added]
- I3886: Ensure Basic Authentication is not enabled on Kubernetes Engine Clusters [Added]
- T6113: Lack of access control and authentication hardening in Kubernetes clusters (Alibaba Cloud Kubernetes) [Added]
- P3740: Inadequate access control configuration (Alibaba Cloud Kubernetes) [Added]
- I3883: Ensure role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters [Added]
- I3884: Ensure Cluster Check is triggered at least once per week for Kubernetes Clusters [Added]
- I3885: Ensure Kubernetes web UI / Dashboard is not enabled [Added]
- T6114: Enforce private networking and secure communication in Kubernetes clusters (Alibaba Cloud Kubernetes) [Added]
- P3741: Overly permissive network communication and public exposure of Kubernetes clusters (Alibaba Cloud Kubernetes) [Added]
- I3887: Ensure Network policy is enabled on Kubernetes Engine Clusters [Added]
- I3888: Ensure ENI multiple IP mode support for Kubernetes Cluster [Added]
- I3889: Ensure Kubernetes Cluster is created with Private cluster enabled [Added]
- T6115: Enforce advanced threat detection and automated response with Alibaba Cloud Security Center (Alibaba Cloud) [Added]
- P3742: Lack of real-time threat detection and automated containment in cloud environments (Alibaba Cloud) [Added]
- I3890: Ensure that Security Center is Advanced or Enterprise Edition [Added]
- I3891: Ensure that all assets are installed with security agent [Added]
- I3892: Ensure that Automatic Quarantine is enabled [Added]
- T6116: Enforce baseline threat detection and asset visibility across cloud infrastructure (Alibaba Cloud) [Added]
- P3743: Lack of baseline threat detection and asset visibility in cloud infrastructure (Alibaba Cloud) [Added]
- I3893: Ensure that Webshell detection is enabled on all web servers [Added]
- I3894: Ensure that notification is enabled on all high risk items [Added]
- I3895: Ensure that Config Assessment is granted with privilege [Added]
- I3896: Ensure that scheduled vulnerability scan is enabled on all servers [Added]
- I3897: Ensure that Asset Fingerprint automatically collects asset fingerprint data [Added]
- T6135: Verify the permissions and ownership of the kubeconfig file (Azure Kubernetes Services) [Added]
- P3753: Insecure Kubeconfig File Permissions (Azure Kubernetes Service) [Added]
- I4021: Verify that the kubeconfig file permissions are set to 644 or more restrictive [Added]
- I4022: Verify that the kubelet kubeconfig file ownership is set to root:root [Added]
- I4023: Verify that the azure.json file has permissions set to 644 or more restrictive [Added]
- I4024: Verify that the azure.json file ownership is set to root:root [Added]
- T6136: Verify Kubelet security configurations (Azure Kubernetes Services) [Added]
- P3754: Insecure Kubelet Configuration (Azure Kubernetes Service) [Added]
- I4025: Verify that the --anonymous-auth argument is set to false [Added]
- I4026: Verify that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I4027: Verify that the --client-ca-file argument is set as appropriate [Added]
- I4028: Verify that the --read-only-port is secured [Added]
- I4029: Verify that the --streaming-connection-idle-timeout argument is not set to 0 [Added]
- I4030: Verify that the --make-iptables-util-chains argument is set to true [Added]
- I4031: Verify that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture [Added]
- I4032: Verify that the --rotate-certificates argument is not set to false [Added]
- I4033: Verify that the RotateKubeletServerCertificate argument is set to true [Added]
- T6137: Verify that access to Kubernetes secrets is restricted (Azure Kubernetes Services) [Added]
- P3755: Unrestricted Access to Secrets and Roles (Azure Kubernetes Service) [Added]
- I4034: Verify that the cluster-admin role is only used where required [Added]
- I4035: Test that access to secrets is minimized [Added]
- I4036: Verify that wildcard use in Roles and ClusterRoles is minimized [Added]
- I4037: Test that access to create pods is minimized [Added]
- I4038: Verify that default service accounts are not actively used [Added]
- I4039: Verify that Service Account Tokens are only mounted where necessary [Added]
- T6138: Verify that containers do not run with elevated privileges (Azure Kubernetes Services) [Added]
- P3756: Privilege Escalation Risk in Containerized Applications (Azure Kubernetes Service) [Added]
- I4040: Test that the admission of privileged containers is minimized [Added]
- I4041: Test minimizing the admission of containers wishing to share the host process ID namespace [Added]
- I4042: Test minimizing the admission of containers wishing to share the host IPC namespace [Added]
- I4043: Test minimizing the admission of containers wishing to share the host network namespace [Added]
- I4044: Test that the admission of containers minimizes allowPrivilegeEscalation [Added]
- T6139: Test network policies to isolate traffic in your cluster network (Azure Kubernetes Services) [Added]
- P3757: Lack of Network Policies (Azure Kubernetes Service) [Added]
- I4045: Verify that the latest CNI version is used [Added]
- I4046: Verify that all Namespaces have Network Policies defined [Added]
- T6140: Verify the use of external secrets management for Kubernetes (Azure Kubernetes Services) [Added]
- P3758: Insecure Secret Management in Kubernetes Environments (Azure Kubernetes Service) [Added]
- I4047: Verify that secrets are managed as files instead of environment variables [Added]
- I4048: Test external secret storage for security vulnerabilities [Added]
- T6141: Verify the use of namespaces to isolate your Kubernetes objects (Azure Kubernetes Services) [Added]
- P3759: Lack of Namespace Isolation (Azure Kubernetes Service) [Added]
- I4049: Test administrative boundaries between resources using namespaces [Added]
- I4050: Test that security context is applied to your pods and containers [Added]
- I4051: Verify that the default namespace is not used [Added]
- I4053: Verify that dedicated AKS Service Accounts are used [Added]
- T6142: Scan images being deployed to Azure (Azure Kubernetes Services) [Added]
- P3760: Lack of Automated Vulnerability Scanning for Container Images (Azure Kubernetes Service) [Added]
- I4052: Verify Image Vulnerability Scanning using Microsoft Defender for Cloud [Added]
- T6143: Verify that access to the Kubernetes API is restricted (Azure Kubernetes Services) [Added]
- P3761: Unauthorized Access to Kubernetes Control Plane (Azure Kubernetes Service) [Added]
- I4054: Verify that access to the Control Plane Endpoint is restricted [Added]
- I4055: Verify that clusters are created with Private Endpoint Enabled and Public Access Disabled [Added]
- I4056: Verify that clusters are created with Private Nodes [Added]
- I4057: Verify that Network Policy is Enabled and set as appropriate [Added]
- T6144: Secure kubeconfig files in Kubernetes (Azure Kubernetes Services) [Added]
- P3753: Insecure Kubeconfig File Permissions (Azure Kubernetes Service) [Added]
- I3984: Ensure that the kubeconfig file permissions are set to 644 or more restrictive [Added]
- I3985: Ensure that the kubelet kubeconfig file ownership is set to root:root [Added]
- I3986: Ensure that the azure.json file has permissions set to 644 or more restrictive [Added]
- I3987: Ensure that the azure.json file ownership is set to root:root [Added]
- T6145: Secure Kubelet Configuration for Kubernetes (Azure Kubernetes Services) [Added]
- P3754: Insecure Kubelet Configuration (Azure Kubernetes Service) [Added]
- I3988: Ensure that the --anonymous-auth argument is set to false [Added]
- I3989: Ensure that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3990: Ensure that the --client-ca-file argument is set as appropriate [Added]
- I3991: Ensure that the --read-only-port is secured [Added]
- I3992: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 [Added]
- I3993: Ensure that the --make-iptables-util-chains argument is set to true [Added]
- I3994: Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture [Added]
- I3995: Ensure that the --rotate-certificates argument is not set to false [Added]
- I3996: Ensure that the RotateKubeletServerCertificate argument is set to true [Added]
- T6146: Restrict access to secrets and roles in Kubernetes (Azure Kubernetes Services) [Added]
- P3755: Unrestricted Access to Secrets and Roles (Azure Kubernetes Service) [Added]
- I3997: Ensure that the cluster-admin role is only used where required [Added]
- I3998: Minimize access to secrets [Added]
- I3999: Minimize wildcard use in Roles and ClusterRoles [Added]
- I4000: Minimize access to create pods [Added]
- I4001: Ensure that default service accounts are not actively used [Added]
- I4002: Ensure that Service Account Tokens are only mounted where necessary [Added]
- T6147: Restrict privileged settings in Kubernetes (Azure Kubernetes Services) [Added]
- P3756: Privilege Escalation Risk in Containerized Applications (Azure Kubernetes Service) [Added]
- I4003: Minimize the admission of privileged containers [Added]
- I4004: Minimize the admission of containers wishing to share the host process ID namespace [Added]
- I4005: Minimize the admission of containers wishing to share the host IPC namespace [Added]
- I4006: Minimize the admission of containers wishing to share the host network namespace [Added]
- I4007: Minimize the admission of containers with allowPrivilegeEscalation [Added]
- T6148: Implement network policies for Kubernetes security (Azure Kubernetes Services) [Added]
- P3757: Lack of Network Policies (Azure Kubernetes Service) [Added]
- I4008: Ensure latest CNI version is used [Added]
- I4009: Ensure that all Namespaces have Network Policies defined [Added]
- T6149: Enhance security of sensitive information in Kubernetes environments (Azure Kubernetes Services) [Added]
- P3758: Insecure Secret Management in Kubernetes Environments (Azure Kubernetes Service) [Added]
- I4010: Prefer using secrets as files over secrets as environment variables [Added]
- I4011: Consider external secret storage [Added]
- T6150: Implement namespaces for security in Kubernetes (Azure Kubernetes Services) [Added]
- P3759: Lack of Namespace Isolation (Azure Kubernetes Service) [Added]
- I4012: Create administrative boundaries between resources using namespaces [Added]
- I4013: Apply Security Context to Your Pods and Containers [Added]
- I4014: The default namespace should not be used [Added]
- I4016: Prefer using dedicated AKS Service Accounts [Added]
- T6151: Implement vulnerability scanning for images stored in Microsoft Defender for Cloud (Azure Kubernetes Services) [Added]
- P3760: Lack of Automated Vulnerability Scanning for Container Images (Azure Kubernetes Service) [Added]
- I4015: Ensure Image Vulnerability Scanning using Microsoft Defender for Cloud (MDC) image scanning or a third party provider [Added]
- T6152: Secure the control plane of your Kubernetes cluster with Endpoint Private Access (Azure Kubernetes Services) [Added]
- P3761: Unauthorized Access to Kubernetes Control Plane (Azure Kubernetes Service) [Added]
- I4017: Restrict Access to the Control Plane Endpoint [Added]
- I4018: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled [Added]
- I4019: Ensure clusters are created with Private Nodes [Added]
- I4020: Ensure Network Policy is Enabled and set as appropriate [Added]
- T6153: Restrict children’s access to trusted external content by default {ACM-3} {EN 18031-2} [Added]
- P3468: Lack of secure access control mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3468: Lack of secure access control mechanism (EN 18031) [Updated]
- T6154: Restrict third‑party access to children’s personal information & device privacy functions by default {ACM-4} {EN 18031-2} [Added]
- P3468: Lack of secure access control mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3468: Lack of secure access control mechanism (EN 18031) [Updated]
- T6155: Implement parent/guardian configuration functionality for controlling children's access to security & privacy assets {ACM-5} {EN 18031-2} [Added]
- P3468: Lack of secure access control mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3468: Lack of secure access control mechanism (EN 18031) [Updated]
- T6156: Implement authorized configuration functionality to restrict third‑party access to children’s privacy assets {ACM-6} {EN 18031-2} [Added]
- P3468: Lack of secure access control mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3468: Lack of secure access control mechanism (EN 18031) [Updated]
- T6157: Implement secure logging mechanism on your device {LGM-1} {EN 18031-2 and 18031-3} [Added]
- P3765: Lack of secure logging mechanism (EN 18031-2 and 18031-3) [Added]
- TA7189: EN 18031-3 {LGM-1} Documentation Requirements [Added]
- TA7193: EN 18031-2 {LGM-1} Documentation Requirements [Added]
- T6158: Implement persistent storage of log data {LGM-2} {EN 18031-2 and 18031-3} [Added]
- P3765: Lack of secure logging mechanism (EN 18031-2 and 18031-3) [Added]
- TA7190: EN 18031-3 {LGM-2} Documentation Requirements [Added]
- TA7194: EN 18031-2 {LGM-2} Documentation Requirements [Added]
- T6159: Persistently store an appropriate amount of events in your logging mechanism {LGM-3} {EN 18031-2 and EN 18031-3} [Added]
- P3765: Lack of secure logging mechanism (EN 18031-2 and 18031-3) [Added]
- TA7191: EN 18031-3 {LGM-3} Documentation Requirements [Added]
- TA7195: EN 18031-2 {LGM-3} Documentation Requirements [Added]
- T6160: Include time-related information with your persistently stored logs {LGM-4} {EN 18031-2 and EN 18031-3} [Added]
- P3765: Lack of secure logging mechanism (EN 18031-2 and 18031-3) [Added]
- TA7192: EN 18031-3 {LGM-4} Documentation Requirements [Added]
- TA7196: EN 18031-2 {LGM-4} Documentation Requirements [Added]
- T6161: Implement deletion mechanism in your device {DLM-1} {EN 18031-2} [Added]
- P3762: Incomplete data deletion (EN 18031-2) [Added]
- T6162: Implement user notification mechanism in your device {UNM-1} {EN 18031-2} [Added]
- P3763: Missing or inconsistent user notification (EN 18031-2) [Added]
- T6163: Include appropriate information in your user notifications {UNM-2} {EN 18031-2} [Added]
- P3763: Missing or inconsistent user notification (EN 18031-2) [Added]
- T6164: Implement boot integrity verification mechanism on your device {GEC-8} {EN 18031-3} [Added]
- P3766: Insecure boot process verification (EN 18031-3) [Added]
- T6165: Document your device's external sensing capabilities {GEC-7} {EN 18031-2} [Added]
- P3764: Insufficient documentation of external sensing capabilities (EN 18031-2) [Added]
- T6166: Use an appropriate authentication mechanism {AUM-2} {EN 18031-2} [Added]
- P3469: Lack of secure authentication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3469: Lack of secure authentication mechanism (EN 18031) [Updated]
- T6167: Ensure the validation of authenticators used in authentication mechanisms {AUM-3} {EN 18031-2} [Added]
- P3470: Insufficient verification of authenticators (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3470: Insufficient verification of authenticators (EN 18031) [Updated]
- T6168: Implement the capability to change authentication mechanisms {AUM-4} {EN 18031-2} [Added]
- P3471: Lack of authenticator reset mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3471: Lack of authenticator reset mechanism (EN 18031) [Updated]
- T6169: Use strong passwords in authentication mechanisms {AUM-5} {EN 18031-2} [Added]
- P3472: Weak password requirements (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3472: Weak password requirements (EN 18031) [Updated]
- T6170: Implement brute-force protection in authentication mechanism {AUM-6} {EN 18031-2} [Added]
- P3473: Lack of brute-force protection (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3473: Lack of brute-force protection (EN 18031) [Updated]
- T6171: Use an appropriate authentication mechanism {AUM-2} {EN 18031-3} [Added]
- P3469: Lack of secure authentication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3469: Lack of secure authentication mechanism (EN 18031) [Updated]
- T6172: Ensure the validation of authenticators used in authentication mechanisms {AUM-3} {EN 18031-3} [Added]
- P3470: Insufficient verification of authenticators (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3470: Insufficient verification of authenticators (EN 18031) [Updated]
- T6173: Implement the capability to change authentication mechanisms {AUM-4} {EN 18031-3} [Added]
- P3471: Lack of authenticator reset mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3471: Lack of authenticator reset mechanism (EN 18031) [Updated]
- T6174: Use strong passwords in authentication mechanisms {AUM-5} {EN 18031-3} [Added]
- P3472: Weak password requirements (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3472: Weak password requirements (EN 18031) [Updated]
- T6175: Implement brute-force protection in authentication mechanism {AUM-6} {EN 18031-3} [Added]
- P3473: Lack of brute-force protection (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3473: Lack of brute-force protection (EN 18031) [Updated]
- T6176: Ensure the applicability and appropriateness of secure communication mechanisms {SCM-1} {EN 18031-2} [Added]
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- T6177: Implement appropriate integrity and authenticity protection for communication mechanisms {SCM-2} {EN 18031-2} [Added]
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- T6178: Implement appropriate confidentiality protection for communication mechanisms {SCM-3} {EN 18031-2} [Added]
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- T6179: Implement appropriate replay protection for communication mechanisms {SCM-4} {EN 18031-2} [Added]
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- T6180: Ensure the applicability and appropriateness of secure communication mechanisms {SCM-1} {EN 18031-3} [Added]
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- T6181: Implement appropriate integrity and authenticity protection for communication mechanisms {SCM-2} {EN 18031-3} [Added]
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- T6182: Implement appropriate confidentiality protection for communication mechanisms {SCM-3} {EN 18031-3} [Added]
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- T6183: Implement appropriate replay protection for communication mechanisms {SCM-4} {EN 18031-3} [Added]
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- INFO: Updated the title and match conditions.
- P3480: Lack of secure communication mechanism (EN 18031) [Updated]
- T6184: Validate and Sanitize All Server Responses (MCP Client) [Added]
- P3767: Improper Input Validation in MCP Client (MCP Client) [Added]
- T6185: Use Encrypted Communications (MCP Client) [Added]
- P3768: Unencrypted Data Transmission (MCP Client) [Added]
- T6186: Implement Secure Secret Management (MCP Client) [Added]
- P3769: Insufficient Credential Handling (MCP Client) [Added]
- T6187: Sanitize User Input Before Inclusion in Context (MCP Client) [Added]
- P3770: Prompt Injection Vulnerability (MCP Client) [Added]
- T6188: Implement Message Validation and Size Limits (MCP Client) [Added]
- P3771: Lack of Message Validation and Size Limits (MCP Client) [Added]
- T6189: Use OS Encryption and Restrictive Permissions for Local Storage (MCP Client) [Added]
- P3772: Inadequate Protection of Local Storage (MCP Client) [Added]
- T6190: Ship with Hardened, Least-Privilege Defaults (MCP Client) [Added]
- P3773: Excessive Privilege Assignment (MCP Client) [Added]
- T6191: Enforce default-deny egress in client tools (MCP Client) [Added]
- P3774: Unrestricted Egress Traffic (MCP Client) [Added]
- T6192: Sandbox local tool execution (MCP Client) [Added]
- P3775: Insufficient Local Sandboxing (MCP Client) [Added]
- T6193: Require user approval and allowlists for URLs (MCP Client) [Added]
- P3776: Lack of URL Validation and User Approval (MCP Client) [Added]
- T6194: Apply client-side DLP and canaries (MCP Client) [Added]
- P3777: Inadequate Client-Side Data Protection (MCP Client) [Added]
- T6195: Implement Client-Side Output Filtering (MCP Client) [Added]
- P3778: Unfiltered Tool Output to LLM (MCP Client) [Added]
- T6196: Restrict environment exposure and scrub dumps (MCP Client) [Added]
- P3779: Exposure of Sensitive Environment and Configuration Data (MCP Client) [Added]
- T6197: Support OAuth 2.1 for Enhanced Authorization Capabilities (MCP Client) [Added]
- P3780: Persistent Token Exposure and Overbroad Access Control (MCP Server) [Added]
- T6198: Implement Human-in-the-Loop for Tool Operations (MCP Client) [Added]
- P3781: Automated Tool Execution Without Human Oversight Enables Unauthorized Actions and Security Breaches (MCP Client) [Added]
- T6199: Implement Human Oversight for Sampling Requests (MCP Client) [Added]
- P3782: Lack of Human Oversight on Sampling Requests Enables Unauthorized Model Access and Manipulation (MCP Client) [Added]
- T6200: Validate Tool Annotations and Prevent Social Engineering (MCP Client) [Added]
- P3783: Reliance on Untrusted Tool Annotations Facilitates Social Engineering Attacks (MCP Client) [Added]
- T6201: Prioritize HTTPS Transport Over STDIO for Enhanced Security Isolation (MCP Client/MCP Server) [Added]
- P3784: Unrestricted STDIO Transport Usage Weakens Security Isolation (MCP Client/MCP Server) [Added]
- T6202: Test that the MCP client validates and sanitizes server responses (MCP Client) [Added]
- P3767: Improper Input Validation in MCP Client (MCP Client) [Added]
- T6203: Test that encrypted communications are enforced for data transit (MCP Client) [Added]
- P3768: Unencrypted Data Transmission (MCP Client) [Added]
- T6204: Test the implementation of secure credential handling (MCP Client) [Added]
- P3769: Insufficient Credential Handling (MCP Client) [Added]
- T6205: Test that user input is properly sanitized and validated (MCP Client) [Added]
- P3770: Prompt Injection Vulnerability (MCP Client) [Added]
- T6206: Test message validation and size limits for the MCP client (MCP Client) [Added]
- P3771: Lack of Message Validation and Size Limits (MCP Client) [Added]
- T6207: Test that at-rest client data is securely managed (MCP Client) [Added]
- P3772: Inadequate Protection of Local Storage (MCP Client) [Added]
- T6208: Test that the MCP client operates with a reduced attack surface (MCP Client) [Added]
- P3773: Excessive Privilege Assignment (MCP Client) [Added]
- T6209: Test that client-side tools are restricted from connecting to unauthorized hosts (MCP Client) [Added]
- P3774: Unrestricted Egress Traffic (MCP Client) [Added]
- T6210: Test the implementation of local sandboxing measures (MCP Client) [Added]
- P3775: Insufficient Local Sandboxing (MCP Client) [Added]
- T6211: Test that the application prevents unsafe navigation and fetches (MCP Client) [Added]
- P3776: Lack of URL Validation and User Approval (MCP Client) [Added]
- T6212: Test that the MCP Client ensures safe and policy-compliant inputs (MCP Client) [Added]
- P3777: Inadequate Client-Side Data Protection (MCP Client) [Added]
- T6213: Test that sensitive data is not propagated to prompts (MCP Client) [Added]
- P3778: Unfiltered Tool Output to LLM (MCP Client) [Added]
- T6214: Test that environment and configuration secrets are protected (MCP Client) [Added]
- P3779: Exposure of Sensitive Environment and Configuration Data (MCP Client) [Added]
- T6215: Test the implementation of OAuth 2.1 for enhanced security (MCP Client) [Added]
- P3780: Persistent Token Exposure and Overbroad Access Control (MCP Server) [Added]
- T6216: Test that all automated tool executions require human oversight (MCP Client) [Added]
- P3781: Automated Tool Execution Without Human Oversight Enables Unauthorized Actions and Security Breaches (MCP Client) [Added]
- T6217: Test that human oversight is implemented for sampling requests (MCP Client) [Added]
- P3782: Lack of Human Oversight on Sampling Requests Enables Unauthorized Model Access and Manipulation (MCP Client) [Added]
- T6218: Test that tool annotations are marked as untrusted by default (MCP Client) [Added]
- P3783: Reliance on Untrusted Tool Annotations Facilitates Social Engineering Attacks (MCP Client) [Added]
- T6219: Test the prioritization of secure transport methods (MCP Client) [Added]
- P3784: Unrestricted STDIO Transport Usage Weakens Security Isolation (MCP Client/MCP Server) [Added]
- T6220: Implement Verified Code Updates with User Approval (MCP Client) [Added]
- P3785: Malicious MCP Server Code Update (MCP Client) [Added]
- T6221: Verify Secure Code Update Implementation (MCP Client) [Added]
- P3785: Malicious MCP Server Code Update (MCP Client) [Added]
- T6222: Implement Stateless Authentication with Per-Request Validation (MCP Server) [Added]
- P3786: Weak Authentication Mechanisms (MCP Server) [Added]
- T6223: Implement Secure Session Management Separate from Authentication (MCP Server) [Added]
- P3787: Unprotected Session Management (MCP Server) [Added]
- T6224: Enforce Encryption on All Channels (MCP Server) [Added]
- P3788: Lack of Encryption on Communication Channels (MCP Server) [Added]
- T6225: Implement Per-Session Access Controls (MCP Server) [Added]
- P3789: Lack of Per-Session Access Controls (MCP Server) [Added]
- T6226: Implement Strict Input Parsing and Sanitization (MCP Server) [Added]
- P3790: Improper Input Parsing (MCP Server) [Added]
- T6227: Input Validation and Sanitization (MCP Server) [Added]
- P3791: Improper Input Handling (MCP Server) [Added]
- T6228: Implement API Rate Limiting and Resource Quotas (MCP Server) [Added]
- P3792: Lack of API Rate Limiting and Resource Quotas (MCP Server) [Added]
- T6229: Isolate Contexts Per Tenant/User at All Layers (MCP Client/MCP Server) [Added]
- P3793: Lack of Context Isolation (MCP Server) [Added]
- T6230: Strict Chunk Parsing and Boundary Enforcement (MCP Server) [Added]
- P3794: Improper Request Parsing (MCP Server) [Added]
- T6231: Enforce Strict Schema/Field Validation (MCP Server) [Added]
- P3795: Lack of Strict Schema/Field Validation (MCP Server) [Added]
- T6232: Log All AuthZ/AuthN Failures and Alert on Rate Limits (MCP Server) [Added]
- P3796: Inadequate Logging and Alerting Mechanisms (MCP Server) [Added]
- T6233: Support OAuth 2.1 with Token Audience Validation for Enhanced Security (MCP Server) [Added]
- P3797: Insufficient OAuth 2.1 Authorization Enforcement (MCP Server) [Added]
- T6234: Store and Manage Third-Party API Credentials Securely Rather Than Token Passthrough (MCP Server) [Added]
- P3798: Insecure Management of Third-Party API Credentials (MCP Server) [Added]
- T6235: Implement DNS Rebinding Protection for HTTP Transport (MCP Server) [Added]
- P3799: Exposure to DNS Rebinding Attacks (MCP Server) [Added]
- T6236: Test Stateless Authentication and Per-Request Validation (MCP Server) [Added]
- P3786: Weak Authentication Mechanisms (MCP Server) [Added]
- T6237: Test that session management is properly implemented (MCP Server) [Added]
- P3787: Unprotected Session Management (MCP Server) [Added]
- T6238: Test that data in transit is protected from interception (MCP Server) [Added]
- P3788: Lack of Encryption on Communication Channels (MCP Server) [Added]
- T6239: Test that users can only access their own sessions (MCP Server) [Added]
- P3789: Lack of Per-Session Access Controls (MCP Server) [Added]
- T6240: Test that input parsing and sanitization are properly implemented (MCP Server) [Added]
- P3790: Improper Input Parsing (MCP Server) [Added]
- T6241: Test that the MCP server mitigates adversarial content injection (MCP Server) [Added]
- P3791: Improper Input Handling (MCP Server) [Added]
- T6242: Test that the server maintains availability under load (MCP Server) [Added]
- P3792: Lack of API Rate Limiting and Resource Quotas (MCP Server) [Added]
- T6243: Test that cross-tenant data exposure is prevented (MCP Client/MCP Server) [Added]
- P3793: Lack of Context Isolation (MCP Server) [Added]
- T6244: Test that request smuggling and desync vectors are eliminated (MCP Server) [Added]
- P3794: Improper Request Parsing (MCP Server) [Added]
- T6245: Test that strict schema and field validation is enforced (MCP Server) [Added]
- P3795: Lack of Strict Schema/Field Validation (MCP Server) [Added]
- T6246: Test the logging and alerting mechanisms (MCP Server) [Added]
- P3796: Inadequate Logging and Alerting Mechanisms (MCP Server) [Added]
- T6247: Test the implementation of OAuth 2.1 for enhanced security (MCP Server) [Added]
- P3797: Insufficient OAuth 2.1 Authorization Enforcement (MCP Server) [Added]
- T6248: Test that third-party API credentials are securely managed (MCP Server) [Added]
- P3798: Insecure Management of Third-Party API Credentials (MCP Server) [Added]
- T6249: Test that the MCP server is protected against DNS rebinding attacks (MCP Server) [Added]
- P3799: Exposure to DNS Rebinding Attacks (MCP Server) [Added]
- T6253: Implement comprehensive risk management policies for outsourcing of data processing and storage and cloud computing services [Added]
- P3803: Inadequate Risk Management for Outsourcing Services [Added]
- T6254: Ensure effective risk management policies for business continuity and provisions of Central Bank of Brazil [Added]
- P3804: Insufficient Risk Management Policies for Business Continuity [Added]
- T6255: Create and operate a fraud prevention process for financial institutions [Added]
- P3805: Incomplete Fraud Prevention Processes in Financial Institutions [Added]
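As an added illustration of what the new MCP Server countermeasures T6233 (token audience validation), T6234 (no token passthrough), T6235 (DNS rebinding protection for HTTP transport) and T6236 (stateless, per-request validation) ask of a server exposing the Streamable HTTP transport, the example below is written for this page; it is not SD Elements content and not MCP reference code. The HS256 token minting, the signing key, the audience URL and the host/origin allowlists are constructed assumptions; a real deployment verifies asymmetric signatures against the authorization server's JWKS instead.

```python
"""Request-level checks for an MCP server's Streamable HTTP transport (example).

Two independent checks run on every request, with nothing remembered between
requests: Host/Origin validation blocks DNS rebinding, and bearer-token
verification rejects tokens that were not issued for this server (audience
mismatch), which is exactly the token-passthrough case.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration for the example (assumptions, not from the release notes)
EXPECTED_AUDIENCE = "https://mcp.example.internal"        # this server's resource identifier
ALLOWED_HOSTS = {"localhost:3000", "127.0.0.1:3000"}      # Host values a legitimate client sends
ALLOWED_ORIGINS = {"http://localhost:3000", "http://127.0.0.1:3000"}
DEMO_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"   # stands in for the AS signing key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(audience: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Issue a minimal HS256 JWT; models the authorization server for the demo."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": audience, "exp": now + ttl, "sub": "user-123"}).encode())
    sig = hmac.new(DEMO_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, expected_aud: str, now: Optional[int] = None) -> dict:
    """Verify signature, expiry and audience; raise ValueError on any failure.

    `aud` may be a string or a list; the server's own identifier must be in it,
    so a token minted for some other API is refused rather than passed through.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unsupported alg")
    expected_sig = hmac.new(DEMO_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("audience mismatch")
    return claims


def rebinding_safe(headers: dict) -> bool:
    """DNS rebinding protection: a browser that resolved attacker.example to
    127.0.0.1 still sends the attacker's Host and Origin, so unknown values are
    rejected before any MCP method is dispatched."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("host") not in ALLOWED_HOSTS:
        return False
    origin = h.get("origin")
    return origin is None or origin in ALLOWED_ORIGINS


def authorize_request(headers: dict, now: Optional[int] = None) -> tuple:
    """Stateless per-request gate: every request carries its own bearer token,
    and no earlier request on the same session is trusted."""
    if not rebinding_safe(headers):
        return False, "rejected: Host/Origin not allowed (possible DNS rebinding)"
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False, "rejected: missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], EXPECTED_AUDIENCE, now)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    return True, f"accepted: sub={claims['sub']}"
```

The Host check runs before the token check on purpose: a rebinding request from a victim's browser never carries a valid token, but rejecting it on the transport layer keeps the failure off the authentication code path and gives T6232-style logging an unambiguous signal.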
Changes to Project Properties and Profiles
- Q193: Components
- Q101: Components In Development
- A1077: Hardware solution or embedded device [Updated]
- INFO: Updated the text and description.
- A2322: Firmware [Added]
- Q199: Authentication
- Q508: Secrets Management Software [Added]
- A2323: HashiCorp Vault [Added]
- Q120: Authentication Features
- Q509: Identity-as-a-Service (IDaaS) Providers Used [Added]
- A2325: Okta Deployment [Added]
- A2326: Integration with Okta [Added]
- Q202: More Features
- Q215: Input Validation
- A2307: Receives text input from users [Updated]
- INFO: Updated the text and description.
- Q204: Financial Systems
- Q229: Financial Regulations
- A2351: In-scope for Central Bank of Brazil (BACEN)'s Regulations [Added]
- Q206: Privacy
- Q160: Handles Personal Data
- Q224: Privacy Regulations
- A1148: GDPR [Updated]
- INFO: Updated the match conditions.
- Q207: Application Layer
- Q186: Application Layer Protocols Used
- A2327: Server Message Block (SMB) [Added]
- Q237: Compliance Scope: Other
- Q489: Select the EN 18031 standard that you are required to comply with [Updated]
- INFO: Updated the text and description.
- Q490: Specific details about your device (Related to 18031) [Updated]
- INFO: Updated the text and description.
- A2259: Legal restrictions prevent implementing access control or authentication mechanisms. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2260: Device design and/or deployment environment includes physical or logical measures that make unauthorized access to sensitive/confidential information in transit impossible. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2261: Device design and/or deployment environment includes physical or logical measures that make unauthorized access to sensitive/confidential information at rest impossible. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2262: Absence of authentication is required for the device’s intended functionality. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2263: The device cannot support software updates due to functional safety. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2264: The device’s software is immutable. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2265: The device’s network interfaces are used solely on a local network that does not interoperate with other networks. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2266: The device exchanges data between different networks to permanently connect other devices directly to the Internet. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2267: Conflicting security goals prevent implementing functionality to change authenticator information. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2268: Other devices in the device’s network provide sufficient protection against DoS attacks and loss of essential network operation functions. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2269: Alternative measures to software updates adequately protect the affected security and network or privacy or financial assets throughout the device’s lifecycle. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2270: The device is intended to be publicly accessed. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2271: The device’s software affects network or security or privacy or financial assets. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2272: The device requires deviation from secure‑communication best practices for integrity/authenticity for interoperability reasons. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2273: The device manages access to network/security/privacy/financial objects via user interfaces in environments where physical or logical measures provide confidence in the correctness of the entity’s claim. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2274: Managed access is used only for reading personal information, privacy functions, or privacy function configuration where access without authentication is needed to enable intended equipment functionality. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2275: Managed access is used only for reading personal information, privacy functions, or privacy function configuration where legal implications do not allow authentication mechanisms. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2276: Temporary exposure of network assets or security or privacy or financial assets is required to establish or manage a connection. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2277: Deviation from confidentiality best practices is unavoidable for interoperability reasons. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2278: Duplicate transfer of information to the device’s network interface does not constitute a replay attack. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2279: Deviation from best practices against replay attacks is unavoidable for interoperability reasons. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2280: The device uses pre‑installed confidential cryptographic keys to establish initial trust relationships under conditions controlled by an authorized entity. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2281: The device uses pre‑installed confidential cryptographic keys as shared parameters required for the equipment’s intended functionality. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2282: The device currently has publicly known, exploitable hardware or software vulnerabilities that affect security or network assets and have not been risk‑addressed. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2283: The device exposes a network interface or services in its factory‑default state that affect security or network assets. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2284: The device has an external interface capable of receiving input. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2285: The device uses or generates confidential cryptographic keys. [Updated]
- INFO: Updated the text, description, and match conditions.
- A2336: The device is a toy or childcare equipment. [Added]
- A2337: There are user‑notification methods that do not involve the device. [Added]
- A2338: The device has non‑network external interfaces with sensing capabilities that can affect the user’s privacy. [Added]
- A2339: The device’s intended functionality includes processing personal information of special categories. [Added]
- A2340: The device is Internet‑connected radio equipment. [Added]
- A2341: Legal restrictions prohibit logging of events affecting the device. [Added]
- A2342: The related log data is stored outside the device. [Added]
- A2343: The device processes financial information. [Added]
- A2334: In scope for EN 18031-2 [Added]
- A2335: In scope for EN 18031-3 [Added]
- Q378: In-Scope for EU Cyber Resilience Act
- A1610: Open-source software steward [Updated]
- INFO: Updated the description.
- Q243: Internal Hidden Properties
- Q189: Internal Properties (Use this, for all hidden answers)
- A2321: Database Server [Added]
- Q258: Architecture/Environment
- Q500: Architectural Features
- A2303: Fault Tolerance [Updated]
- INFO: Updated the description and children.
- Q284: Context and Characteristics
- Q460: Accessibility Requirements
- A2016: Does this project need to meet accessibility requirements? [Updated]
- INFO: Updated the text and description.
- Q289: Cloud Computing
- Q290: Cloud Providers
- A2328: Alibaba Cloud [Added]
- Q362: Microsoft Azure
- Q306: Azure Services
- Q370: More Azure Services
- A2324: Azure Pipelines [Added]
- A1204: Azure Key Vault [Updated]
- INFO: Updated the question.
- Q461: AI and Machine Learning
- Q513: Model Context Protocol (MCP) [Added]
- Q514: MCP Client Transport [Added]
- A2346: STDIO [Added]
- A2347: Streamable HTTP [Added]
- Q515: MCP Server Transport [Added]
- A2348: STDIO [Added]
- A2349: Streamable HTTP [Added]
- A2344: MCP Client [Added]
- A2345: MCP Server [Added]
- Q357: Artificial Intelligence/Machine Learning
- Q368: Classification of AI Systems (EU AI Act) [Updated]
- INFO: Updated the text, description, and parent.
- Q457: AI Content Organization
- A2007: Role-agnostic AI content [Updated]
- INFO: Updated the description.
- Q482: Oracle Cloud [Updated]
- INFO: Updated the text.
- Q503: IBM Cloud [Updated]
- INFO: Updated the match conditions.
- Q510: Alibaba Cloud [Added]
- Q511: Alibaba Cloud Configuration [Added]
- A2329: Alibaba Cloud Configuration [Added]
- Q512: Alibaba Cloud Services [Added]
- A2330: Virtual Machine [Added]
- A2331: Object Storage Service (OSS) [Added]
- A2332: Relational Database Service (RDS) [Added]
- A2333: Alibaba Cloud Kubernetes (ACK) [Added]
Added Components
- SC820: HashiCorp Vault
- SC821: Okta Deployment
- SC822: SMB Server
- SC823: Alibaba Environment
- SC824: Alibaba Cloud VM
- SC825: Alibaba Cloud OSS
- SC826: Alibaba Cloud RDS
- SC827: Alibaba Cloud Kubernetes
- SC828: MCP Client
- SC829: MCP Server
Updated Components
- SC421: Azure Pipelines
- INFO: Updated the description.
2025.2
July 19, 2025
New features and enhancements
System View with a compliance report
- The feature flag is enabled by default now, and system view has been extended with a new homepage for compliance reports
- Users can create one or many compliance reports under an existing system view with a desired regulation assigned, as well as the option to edit, delete, or download that report
Verification Improvement on Checkmarx
- A new Global Connector configuration is offered under Checkmarx SAST, allowing users to retrieve only net new scans and skip already processed scans
Library Threat Framework Mapping Added
- Users can map custom or built-in threats to the supported threat framework offerings in SD Elements
- Users can revert their changes to reflect the latest built-in mappings
Advanced Report Updates
- Added Countermeasure Status Update Date as a dimension for filtering for BU/APP/Proj and Countermeasure context (Includes support for Trend Report)
- Added dimensions ‘Updated by’ and ‘Updated Date’ to Library countermeasure for the library countermeasure context
- Added ‘Countermeasure became relevant’ and ‘# of days since relevancy’ dimensions for BU/APP/Proj and Countermeasure context
General Library Improvements
- Ability to expand all related countermeasures on Library Weakness page
- New Filter UI present on Library Threats page
Decommission of unused integrations
- The following Integrations will be removed: Archer, IBM RTC, Pivotal Tracker; HP WebInspect, & Mend
- Historical data from these integrations remains available, but no new connections can be made going forward
Removal of legacy Global Report and Training Report
- Replaced with the new functionality of Advanced Reports that gives users more flexibility and configurability
Updates
August 16, 2025
- Navigator UX Improvements: Added Export Functionality and support of Multi-Line Text
- App Scan Addition: Added configuration to allow users to retrieve only net new scans and skip already processed scans
Summary of content updates
CVSS Scores
- Added CVSS scores to Countermeasures with missing scores.
- Please note that the addition of missing CVSS scores has resulted in the change of priority scoring for 1387 Countermeasures.
- A list of all priority changes can be found here.
CIS Azure Compute Microsoft Windows Server
- Added two compliance regulation reports (Domain Controller and Member Server), 45 Countermeasures, associated Weaknesses and test tasks, including 966 How-Tos and associated tests.
CIS Azure Foundation
- Added a compliance report with 25 Countermeasures, associated Weaknesses and How-tos.
CIS IBM Cloud
- Added a compliance report with 24 Countermeasures, associated Weaknesses and How-tos.
CIS Kubernetes
- Added two compliance reports with 12 Countermeasures, associated Weaknesses and How-tos.
CIS Amazon EKS
- Updated and added a compliance report with Countermeasures, associated Weaknesses and How-tos.
OWASP Agentic AI
- 12 new Additional Requirements
- 1 new report with 15 sections
- 1 report for OWASP Machine Learning Security Top 10 with 10 sections
- Regulation section mapping
- Survey answer and dependent components
US Privacy Tracker
- 6 new Additional Requirements
- 5 new reports with 15 sections in total
- Regulation section mapping
- Survey answers and dependent components
EN 18031-1
- 29 new countermeasures
- 1 new report for EN 18031-1 with 31 sections
- Regulation section mapping
- Survey answer and dependent components
Mobile Updates (iOS and Android)
- iOS: Added one How-To and one Additional Requirement, updated one Additional Requirement
- Android: Added 2 Countermeasures, 2 corresponding test tasks, associated Weaknesses, and one Additional Requirement
- Updated the titles of 91 How-Tos and 18 Additional Requirements for Android and iOS.
Components & Dependent Components
- Added new components: Azure subscription, JFrog, Apache Kafka, gRPC, Vue.js, Kubernetes Master and Worker Nodes, Azure Windows Domain Controller and Member Server, IBM Cloud components.
Hardware Content Improvements
- Added new Component Answers and added MITRE Hardware Design CWE Compliance report (MITRE CWE VIEW: Hardware Design).
Other improvements
- Made improvements to risk classification answers (diagram), added new answers to the SDE survey to improve applicability of the content, and made improvements to some profiles.
New Just-in-Time Training
- Defending C/C++ (16)
- Secure Software Coding (14)
- Mobile Fundamentals (8)
Content additions and updates (as of June 20, 2025):
Compliance Regulations and Mappings
- Added EN 18031-1 [Experimental]
- Added MITRE CWE VIEW: Hardware Design
- Added US Privacy: Delaware Personal Data Privacy Act
- Added US Privacy: Iowa Consumer Data Protection Act
- Added US Privacy: Nebraska Data Privacy Act
- Added US Privacy: New Hampshire Data Privacy Act
- Added US Privacy: New Jersey Data Privacy Act
- Added OWASP Agentic AI - Threats and Mitigations
- Added OWASP Machine Learning Security Top 10
- Added CIS Benchmark for IBM Cloud Foundations
- Added EN 18031-1
- Added CIS Azure Foundations
- Added CIS Azure Compute Microsoft Windows Server (Member Server)
- Added CIS Azure Compute Microsoft Windows Server (Domain Controller)
- Added CIS Kubernetes (Master Node)
- Added CIS Amazon EKS
- Added CIS Kubernetes (Worker Node)
- Removed CIS AWS Foundations Benchmark
- Removed CIS Amazon EKS Benchmark
- Updated US AI Regulation [INFO: Updated the regulation sections].
Content Packs
- Added IBM Cloud Service
- Added JFrog
- Added EN 18031
- Added CIS Azure Compute Microsoft Windows Server
- Added CIS Azure Foundation
- Added Apache Kafka
- Added gRPC
- Added VueJS
- Added CIS Kubernetes
- Added Amazon EKS CIS
- T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services
- TA284: Android - Fingerprint Authentication [Updated]
- INFO: Updated the title and text.
- T10: Use server-to-server authentication [Updated]
- INFO: Updated the text.
- T21: Ensure all data in transit is encrypted using a secure TLS channel [Updated]
- INFO: Updated the text.
- TA965: Choice of cipher [Updated]
- INFO: Updated the text.
- T31: Validate all forms of input
- I3039: Sanitize User Input in Vue.js Applications [Added]
- T37: Avoid DOM-based Cross-Site Scripting (XSS)
- I3040: Prevent DOM-based XSS in Vue.js applications [Added]
- T46: Do not log confidential data
- I406: Android - Logs [Updated]
- INFO: Updated the title.
- T49: Disable and remove debug capabilities and code/data, and prepare application for release [Updated]
- INFO: Updated the text.
- TA281: Android - Preparation for release and final APK [Updated]
- INFO: Updated the title.
- I414: Android - Preparing application for release [Updated]
- INFO: Updated the title.
- T59: Use standard libraries for cryptography [Updated]
- INFO: Updated the text.
- TA278: Android - Using native cryptography libraries in Android NDK [Updated]
- INFO: Updated the title.
- T60: Use correct and approved cryptographic algorithms, parameters, and key lengths [Updated]
- INFO: Updated the text.
- T69: Strong password requirements for server-to-server system accounts
- P687: Insufficient System Account Password Requirements [Updated]
- INFO: Updated the match conditions.
- T75: Use regular expressions that are not vulnerable to Denial of Service
- I3042: Prevent Regular Expression-Based DoS Attacks in Vue.js Applications [Added]
- T105: Verify that your application does not have unnecessary debug capability or leftover test/debug code
- TA771: Android - Test the release version of application for debug and test leftovers [Updated]
- INFO: Updated the title and text.
- T146: Use encryption for network communications in mobile environments
- TA945: iOS - App Transport Security (ATS) [Updated]
- INFO: Updated the title and text.
- I269: Android (Java) - Using encrypted channels [Updated]
- INFO: Updated the title.
- I293: iOS (Objective-C) - Network Communications Encryption [Updated]
- INFO: Updated the title.
- I537: iOS (Swift) - Network Communications Encryption [Updated]
- INFO: Updated the title and text.
- I1392: Android (Kotlin) - Using encrypted channels [Updated]
- INFO: Updated the title.
- T148: Avoid caching confidential data on client
- TA2879: iOS - Client-side caching [Updated]
- INFO: Updated the title.
- I512: iOS (Objective-C) - Temporary Camera Files [Updated]
- INFO: Updated the title.
- I536: iOS (Swift) - Temporary Camera Files [Updated]
- INFO: Updated the title.
- I1408: iOS - Protect against client-side caching [Updated]
- INFO: Updated the title.
- T152: Avoid asking for and using excessive permissions
- I253: Android - Permissions [Updated]
- INFO: Updated the title and text.
- T156: Validate certificate and its chain of trust properly
- I264: Android (Java) - Establishing a secure channel and validating certificates [Updated]
- INFO: Updated the title.
- I275: iOS (Objective-C) - Certificate Validation - HTTP-based protocols [Updated]
- INFO: Updated the title.
- I397: Android - WebViewClient [Updated]
- INFO: Updated the title.
- I510: iOS (Objective-C) - Certificate Validation - Direct SSL [Updated]
- INFO: Updated the title.
- I531: iOS (Swift) - Certificate Validation - HTTP-based protocols [Updated]
- INFO: Updated the title.
- I532: iOS (Swift) - Certificate Validation - Direct SSL [Updated]
- INFO: Updated the title and text.
- I919: iOS - Certificate transparency [Updated]
- INFO: Updated the title.
- T157: Temporary files must be cleaned up after the resource is used
- TA7131: Android - Validating and Securing Cache Usage [Added]
- I267: Android (Java) - Cache Monitor with expiry handling [Updated]
- INFO: Updated the title.
- I1391: Android (Kotlin) - Cache Monitor with expiry handling [Updated]
- INFO: Updated the title.
- T161: Treat unique device IDs as personal information
- TA280: Android - Unique device IDs [Updated]
- INFO: Updated the title.
- TA942: iOS - Device Tracking [Updated]
- INFO: Updated the title.
- T162: Validate pathname before retrieving local resources
- I413: Android - Preventing Path Traversal [Updated]
- INFO: Updated the title.
- I1395: Android (Kotlin) - Preventing Path Traversal [Updated]
- INFO: Updated the title.
- T164: Clear session information from client upon logout
- I3038: Implement Proper Logout Handling in Vue.js [Added]
- I268: Android (Java) – Session cache cleanup on logout [Updated]
- INFO: Updated the title and text.
- I511: iOS (Objective-C) - Session cleanup [Updated]
- INFO: Updated the title.
- I529: iOS (Swift) - Session cleanup [Updated]
- INFO: Updated the title.
- T168: Prevent auto-snapshot from saving sensitive data (iOS)
- I254: iOS (Objective-C) - Auto-snapshot Prevention [Updated]
- INFO: Updated the title.
- I527: iOS (Swift) - Auto-snapshot Prevention [Updated]
- INFO: Updated the title.
- I1405: iOS - Disable application backgrounding [Updated]
- INFO: Updated the title.
- I1406: iOS (Objective-C) - Mask sensitive data in the iOS app UI [Updated]
- INFO: Updated the title.
- I1409: iOS (Swift) - Mask sensitive data in iOS app UI [Updated]
- INFO: Updated the title.
- T170: Secure IPC endpoints used in clients
- I265: Android - Securing IPC Endpoints with Intents [Updated]
- INFO: Updated the title.
- T174: Test that the client application is not asking for excessive permissions
- I277: Android - Black-box testing [Updated]
- INFO: Updated the title and text.
- I285: Android - White-box testing [Updated]
- INFO: Updated the title.
- T175: Test that the client validates digital certificates
- I278: iOS - Devices or emulators (iPhone/iPad) [Updated]
- INFO: Updated the title.
- I280: Android - Emulator [Updated]
- INFO: Updated the title and text.
- I281: Android - Devices [Updated]
- INFO: Updated the title and text.
- T176: Apply principles of privacy when handling personal information
- TA7111: Nebraska DPA [Section 13] [Added]
- TA7113: New Hampshire DPA [Section 507-H:4] [Added]
- TA7114: New Hampshire DPA [Section 507-H:8] [Added]
- TA7116: New Jersey DPA [Section C.56:8-166.12] [Added]
- T177: Allow users to review and update their personal information
- TA7115: New Hampshire DPA [Section 507-H:14] [Added]
- T178: Obtain consent from users prior to collecting personal information
- TA943: iOS - Purpose String [Updated]
- INFO: Updated the title.
- T187: Test if the app prevents sensitive data leaks through the auto-snapshot feature of iOS
- I303: iOS - Auto-snapshot Prevention Test [Updated]
- INFO: Updated the title and text.
- T189: Minimize the use of unmanaged (native) code
- TA824: Android - Discover and remove illegal syscalls in Android O [Updated]
- INFO: Updated the title.
- T244: Securely delete any unprotected sensitive data before a resource is released or shared
- I270: Android - Secure Management of Sensitive Data [Updated]
- INFO: Updated the title.
- T248: Protect secret keys and passwords in the application
- I272: Android - Using server-side module to store secret keys and passwords for Android applications [Updated]
- INFO: Updated the title.
- I420: Android (Java) - Secure Key Storage [Updated]
- INFO: Updated the title.
- I429: iOS (Objective-C) - Using iOS Keychain services for secure data storage [Updated]
- INFO: Updated the title.
- I535: iOS (Swift) - Using iOS Keychain services for secure data storage [Updated]
- INFO: Updated the title.
- I1393: Android (Kotlin) - Using server-side module to store secret keys and passwords for Android applications [Updated]
- INFO: Updated the title.
- T261: Manage iOS Pasteboards that are used with sensitive data
- I426: iOS (Objective-C) - Pasteboards [Updated]
- INFO: Updated the title.
- I525: iOS (Swift) - Pasteboards [Updated]
- INFO: Updated the title.
- T262: Mask passwords by default on mobiles but consider usability options
- I273: iOS (Objective-C) - Inter-App Communication [Updated]
- INFO: Updated the title.
- T265: Handle requests made through iOS URL schemes or Universal Links securely
- I514: iOS (Objective-C) - Universal Links [Updated]
- INFO: Updated the title.
- I526: iOS (Swift) - Universal Links [Updated]
- INFO: Updated the title.
- I534: iOS (Swift) - Inter-App Communication [Updated]
- INFO: Updated the title.
- T270: Follow best practices for storing application data on Android devices
- I402: Android - Storage options and considerations [Updated]
- INFO: Updated the title.
- I1394: Android (Kotlin) - Storage options and considerations [Updated]
- INFO: Updated the title.
- T271: Prevent access to Android components if they do not need external communication
- I404: Android - Disabling external access to Android components [Updated]
- INFO: Updated the title.
- T272: Restrict access to the application's exported components (Android)
- I405: Android - Using Permissions for Access Control [Updated]
- INFO: Updated the title and text.
- I408: Android - Intent Filters and Explicit Intents [Updated]
- INFO: Updated the title and text.
- I415: Android - Determining who has requested access to an Android exported component [Updated]
- INFO: Updated the title.
- T275: Avoid sending sensitive data using implicit Intents or Broadcasts
- I403: Android - Avoiding Intent Sniffing [Updated]
- INFO: Updated the title and text.
- T276: Validate the content of received Intents
- I409: Android - Validate input received by Android broadcast receiver [Updated]
- INFO: Updated the title.
- T278: Follow best security practices when using WebView (Android)
- I416: Android - Using WebView Securely [Updated]
- INFO: Updated the title and text.
- T279: Avoid dynamically loading any code without proper security considerations
- TA274: Android - Dynamic class loading [Updated]
- INFO: Updated the title.
- T282: Bind variables in SQL statements for client applications
- I315: Android - SQLite [Updated]
- INFO: Updated the title and text.
- I709: Android - Bind parameters to content provider query [Updated]
- INFO: Updated the title.
- I1398: Android (Kotlin) - Bind parameters to content provider query [Updated]
- INFO: Updated the title.
- T295: Avoid storing unencrypted confidential data without access control mechanisms
- I482: iOS (Objective-C) - Data encryption with PBKDF2 [Updated]
- INFO: Updated the title.
- I528: iOS (Swift) - Data encryption with PBKDF2 [Updated]
- INFO: Updated the title.
- T296: Test that unencrypted confidential data is not stored without access control mechanisms
- I431: iOS - Test that entries are securely stored in iOS Keychain [Updated]
- INFO: Updated the title.
- T305: Verify that your application dynamically loads code only from secure locations
- TA275: Android - Verifying dynamic class loading [Updated]
- INFO: Updated the title and text.
- T316: Prevent unauthorized access to information through keyboard caches and shared dictionaries
- I424: Android - Keyboard Suggestions [Updated]
- INFO: Updated the title.
- I425: iOS (Objective-C) - Disabling iOS Auto-correction and keyboard extensions [Updated]
- INFO: Updated the title.
- I523: iOS (Swift) - Disabling Auto-correction and keyboard extensions [Updated]
- INFO: Updated the title.
- T317: Verify that keyboard caches and shared dictionaries do not divulge confidential information
- I513: iOS (Objective-C) - Disabling auto-correction and keyboard extensions [Updated]
- INFO: Updated the title and text.
- I533: iOS (Swift) - Disabling auto-correction and keyboard extensions [Updated]
- INFO: Updated the title.
- T324: Follow best security practices when using WKWebView (iOS)
- I480: iOS (Objective-C) - WKWebView [Updated]
- INFO: Updated the title.
- I524: iOS (Swift) - WKWebView [Updated]
- INFO: Updated the title.
- T364: Enable secure backup and restore capabilities
- TA282: Android - Auto-backup of application data [Updated]
- INFO: Updated the title.
- T365: Verify the security of backing up and restoring procedures
- TA283: Android - Verifying auto-backup of application data [Updated]
- INFO: Updated the title.
- T408: Set secure flag on Android Activities with sensitive content
- I495: Android - Setting FLAG_SECURE for Android Activity [Updated]
- INFO: Updated the title.
- I1396: Android (Kotlin) - Setting FLAG_SECURE for Android Activity [Updated]
- INFO: Updated the title.
- T410: Manage use of Android third-party keyboards with sensitive data
- I496: Android - Third-party keyboards [Updated]
- INFO: Updated the title.
- T423: Disable copying on Android text fields with sensitive data
- I500: Android - Disabling copying capability of Android text fields [Updated]
- INFO: Updated the title.
- I1806: Android - Mask sensitive information in the Android clipboard [Updated]
- INFO: Updated the title.
- T433: Design a fallback mechanism or a degraded mode for the system
- I3041: Offload Memory-Intensive Tasks to Web Workers [Added]
- T446: Verify that only standard libraries are used for cryptography
- TA279: Android - Checking the cryptography libraries that are used with native code [Updated]
- INFO: Updated the title.
- T515: Limit resource consumption of outgoing HTTP requests sent to external user-defined webhooks [Updated]
- INFO: Updated the text.
- I2315: How-to handle requests sent to external webhooks set by users [Added]
- T578: Execute only compiled programs in mainframe
- I538: Notes on executing compiled modules in mainframe [Updated]
- INFO: Updated the text.
- T608: Obfuscate your executables
- I563: Android - Obfuscation in Android [Updated]
- INFO: Updated the title and text.
- T609: Protect your application against debuggers
- I2148: iOS - Jailbreak Detection [Added]
- I586: Android - Debugger Detection [Updated]
- INFO: Updated the title and text.
- I587: iOS - Debugger Detection [Updated]
- INFO: Updated the title and text.
- T612: Detect rooted devices and assess the runtime environment with the aid of SafetyNet Attestation API
- TA791: Android - Root or Custom Build Detection [Updated]
- INFO: Updated the title and text.
- T615: Check your mobile application's integrity and installation source
- I568: Android - Integrity and installation source [Updated]
- INFO: Updated the title.
- T751: Provide users with a notification of personal information processing
- TA944: iOS - Privacy Notice [Updated]
- INFO: Updated the title.
- T754: Enable the restriction of processing personal information of an individual for a specific purpose
- TA7112: Nebraska DPA [Section 14] [Added]
- T897: Test if the unmanaged code is used securely
- TA825: Android - Test if illegal syscalls exist in an Android O application [Updated]
- INFO: Updated the title.
- T1041: Enable multi-factor authentication (Microsoft Azure) [Updated]
- INFO: Updated the text.
- I2324: Ensure only MFA enabled identities can access privileged Virtual Machine [Added]
- I2349: Ensure that 'multifactor authentication' is 'enabled' for all users [Added]
- I2350: Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled [Added]
- I2354: Ensure that a multifactor authentication policy exists for all users [Added]
- I2355: Ensure that multifactor authentication is required for risky sign-ins [Added]
- I2356: Ensure that multifactor authentication is required for Windows Azure Service Management API [Added]
- I2357: Ensure that multifactor authentication is required to access Microsoft Admin Portals [Added]
- P1014: Disabled multi-factor authentication (Azure Active Directory) [Updated]
- INFO: Updated the title and match conditions.
- T1042: Test that multi-factor authentication is enabled (Microsoft Azure) [Updated]
- INFO: Updated the text.
- I2457: Verify that only MFA enabled identities can access privileged Virtual Machine [Added]
- I2482: Verify that multifactor authentication is enabled for all users [Added]
- I2483: Verify that multifactor authentication is not remembered on trusted devices [Added]
- I2487: Verify that a multifactor authentication policy exists for all users [Added]
- I2488: Verify that multifactor authentication is required for risky sign-ins [Added]
- I2489: Verify that multifactor authentication is required for Windows Azure Service Management API [Added]
- I2490: Verify that multifactor authentication is required to access Microsoft Admin Portals [Added]
- P1014: Disabled multi-factor authentication (Azure Active Directory) [Updated]
- INFO: Updated the title and match conditions.
- T1053: Enable VM protection features (Microsoft Azure)
- I2394: Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates [Added]
- I2395: Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' [Added]
- I2396: Ensure That 'All users with the following roles' is set to 'Owner' [Added]
- I2397: Ensure 'Additional email addresses' is Configured with a Security Contact Email [Added]
- I2398: Ensure that 'Notify about alerts with the following severity (or higher)' is enabled [Added]
- I2399: Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled [Added]
- TA7136: Implement the latest OS patches for all virtual machines (Azure Policy) [Added]
- T1054: Test that VM protection features are enabled (Microsoft Azure)
- I2527: Verify that Microsoft Defender for Cloud checks VM operating systems for updates [Added]
- I2528: Verify that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' [Added]
- I2529: Verify that 'All users with the following roles' is set to 'Owner' [Added]
- I2530: Verify that 'Additional email addresses' is Configured with a Security Contact Email [Added]
- I2531: Verify that 'Notify about alerts with the following severity (or higher)' is enabled [Added]
- I2532: Verify that 'Notify about attack paths with the following risk level (or higher)' is enabled [Added]
- TA7133: Verify that the latest OS patches for all virtual machines are applied (Microsoft Defender for Cloud) [Added]
- T1077: Log critical events (Microsoft Azure)
- I2362: Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it [Added]
- I2364: Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs [Added]
- I2365: Ensure Diagnostic Setting captures appropriate categories [Added]
- I2367: Ensure that logging for Azure Key Vault is 'Enabled' [Added]
- I2374: Ensure that Activity Log Alert exists for Create Policy Assignment [Added]
- I2375: Ensure that Activity Log Alert exists for Delete Policy Assignment [Added]
- I2376: Ensure that Activity Log Alert exists for Create or Update Network Security Group [Added]
- I2377: Ensure that Activity Log Alert exists for Delete Network Security Group [Added]
- I2378: Ensure that Activity Log Alert exists for Create or Update Security Solution [Added]
- I2379: Ensure that Activity Log Alert exists for Delete Security Solution [Added]
- I2380: Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule [Added]
- I2381: Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule [Added]
- I2382: Ensure that Activity Log Alert exists for Create or Update Public IP Address rule [Added]
- I2383: Ensure that Activity Log Alert exists for Delete Public IP Address rule [Added]
- I2384: Ensure that an Activity Log Alert exists for Service Health [Added]
- TA7135: Enable diagnostic settings for Azure resources (Microsoft Azure) [Added]
- TA964: Azure Functions: Auditing and Logging [Updated]
- INFO: Updated the title.
- T1078: Verify that critical events are logged (Microsoft Azure)
- I2495: Verify that Azure Monitor Resource Logging is Enabled for All Services that Support it [Added]
- I2497: Verify that a 'Diagnostic Setting' exists for Subscription Activity Logs [Added]
- I2498: Verify that Diagnostic Setting captures appropriate categories [Added]
- I2500: Verify that logging for Azure Key Vault is 'Enabled' [Added]
- I2507: Verify that Activity Log Alert exists for Create Policy Assignment [Added]
- I2508: Verify that Activity Log Alert exists for Delete Policy Assignment [Added]
- I2509: Verify that Activity Log Alert exists for Create or Update Network Security Group [Added]
- I2510: Verify that Activity Log Alert exists for Delete Network Security Group [Added]
- I2511: Verify that Activity Log Alert exists for Create or Update Security Solution [Added]
- I2512: Verify that Activity Log Alert exists for Delete Security Solution [Added]
- I2513: Verify that Activity Log Alert exists for Create or Update SQL Server Firewall Rule [Added]
- I2514: Verify that Activity Log Alert exists for Delete SQL Server Firewall Rule [Added]
- I2515: Verify that Activity Log Alert exists for Create or Update Public IP Address rule [Added]
- I2516: Verify that Activity Log Alert exists for Delete Public IP Address rule [Added]
- I2517: Verify that an Activity Log Alert exists for Service Health [Added]
- TA7132: Verify that diagnostic settings are enabled for Azure resources (Microsoft Azure) [Added]
- T1081: Configure Key Vault securely (Microsoft Azure)
- I2417: Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults [Added]
- I2418: Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults [Added]
- I2419: Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults [Added]
- I2420: Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults [Added]
- I2421: Ensure the Key Vault is Recoverable [Added]
- TA7137: Implement expiration dates for keys and secrets in Azure Key Vault (Microsoft Azure Key Vault) [Added]
- T1082: Verify that Key Vault is configured securely (Microsoft Azure)
- I2550: Verify that the Expiration Date is set for all Keys in RBAC Key Vaults [Added]
- I2551: Verify that the Expiration Date is set for all Keys in Non-RBAC Key Vaults [Added]
- I2552: Verify that the Expiration Date is set for all Secrets in RBAC Key Vaults [Added]
- I2553: Verify that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults [Added]
- I2554: Verify that the Key Vault is Recoverable [Added]
- TA7134: Verify that all Keys and Secrets in Azure Key Vaults have an expiration date set (Microsoft Azure Key Vault) [Added]
- T1246: Disable profiling features in applications (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3564: Ensure that the --profiling argument is set to false [Added]
- I3570: Ensure that the --profiling argument is set to false [Added]
- T1247: Test that profiling is disabled if not needed (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3670: Verify that the --profiling argument is set to false [Added]
- I3676: Verify that the --profiling argument is set to false [Added]
- T1252: Implement audit logging in Kubernetes (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- T1253: Verify the audit policy for Kubernetes security concerns (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3582: Ensure that a minimal audit policy is created [Added]
- I3583: Ensure that the audit policy covers key security concerns [Added]
- I3688: Verify that a minimal audit policy is created [Added]
- I3689: Verify that the audit policy covers key security concerns [Added]
- T1254: Secure Kubelet Configuration for Kubernetes (Kubernetes Worker Node) [Updated]
- INFO: Updated the title and text.
- T1255: Verify Kubelet security configurations (Kubernetes Worker Node) [Updated]
- INFO: Updated the title and text.
- T1258: Implement individual service account credentials for each controller (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3565: Ensure that the --use-service-account-credentials argument is set to true [Added]
- I3566: Ensure that the --service-account-private-key-file argument is set as appropriate [Added]
- I3588: Ensure that default service accounts are not actively used [Added]
- I3589: Ensure that Service Account Tokens are only mounted where necessary [Added]
- I3596: Minimize access to the service account token creation [Added]
- T1259: Verify that service account is securely configured (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3671: Verify that the --use-service-account-credentials argument is set to true [Added]
- I3672: Verify that the --service-account-private-key-file argument is set as appropriate [Added]
- I3694: Verify that default service accounts are not actively used [Added]
- I3695: Verify that Service Account Tokens are only mounted where necessary [Added]
- I3702: Verify that access to the service account token creation is minimized [Added]
- T1260: Implement TLS encryption for the etcd service (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3572: Ensure that the --cert-file and --key-file arguments are set as appropriate [Added]
- I3573: Ensure that the --client-cert-auth argument is set to true [Added]
- I3574: Ensure that the --auto-tls argument is not set to true [Added]
- I3575: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate [Added]
- I3576: Ensure that the --peer-client-cert-auth argument is set to true [Added]
- I3577: Ensure that the --peer-auto-tls argument is not set to true [Added]
- I3578: Ensure that a unique Certificate Authority is used for etcd [Added]
- T1261: Verify the security configurations for etcd service (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3678: Verify that the --cert-file and --key-file arguments are set as appropriate [Added]
- I3679: Verify that the --client-cert-auth argument is set to true [Added]
- I3680: Verify that the --auto-tls argument is not set to true [Added]
- I3681: Verify that the --peer-cert-file and --peer-key-file arguments are set as appropriate [Added]
- I3682: Verify that the --peer-client-cert-auth argument is set to true [Added]
- I3683: Verify that the --peer-auto-tls argument is not set to true [Added]
- I3684: Verify that a unique Certificate Authority is used for etcd [Added]
- T1262: Implement garbage collection on pod termination (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3563: Ensure that the --terminated-pod-gc-threshold argument is set as appropriate [Added]
- T1263: Test the garbage collector activation on pod termination (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3669: Verify that the --terminated-pod-gc-threshold argument is set as appropriate [Added]
- T1266: Implement Role Based Access Control for Kubernetes (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3534: Ensure that the --anonymous-auth argument is set to false [Added]
- I3535: Ensure that the --token-auth-file parameter is not set [Added]
- I3536: Ensure that the DenyServiceExternalIPs is set [Added]
- I3537: Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate [Added]
- I3538: Ensure that the --kubelet-certificate-authority argument is set as appropriate [Added]
- I3539: Ensure that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3540: Ensure that the --authorization-mode argument includes Node [Added]
- I3541: Ensure that the --authorization-mode argument includes RBAC [Added]
- I3542: Ensure that the admission control plugin EventRateLimit is set [Added]
- I3543: Ensure that the admission control plugin AlwaysAdmit is not set [Added]
- I3544: Ensure that the admission control plugin AlwaysPullImages is set [Added]
- I3545: Ensure that the admission control plugin ServiceAccount is set [Added]
- I3546: Ensure that the admission control plugin NamespaceLifecycle is set [Added]
- I3547: Ensure that the admission control plugin NodeRestriction is set [Added]
- I3548: Ensure that the --profiling argument is set to false [Added]
- I3549: Ensure that the --audit-log-path argument is set [Added]
- I3550: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate [Added]
- I3551: Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate [Added]
- I3552: Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate [Added]
- I3553: Ensure that the --request-timeout argument is set as appropriate [Added]
- I3554: Ensure that the --service-account-lookup argument is set to true [Added]
- I3555: Ensure that the --service-account-key-file argument is set as appropriate [Added]
- I3556: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate [Added]
- I3557: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate [Added]
- I3558: Ensure that the --client-ca-file argument is set as appropriate [Added]
- I3559: Ensure that the --etcd-cafile argument is set as appropriate [Added]
- I3560: Ensure that the --encryption-provider-config argument is set as appropriate [Added]
- I3561: Ensure that encryption providers are appropriately configured [Added]
- I3562: Ensure that the API Server only makes use of Strong Cryptographic Ciphers [Added]
- T1267: Verify that the API server is configured to only use strong cryptographic ciphers (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3640: Verify that the --anonymous-auth argument is set to false [Added]
- I3641: Verify that the --token-auth-file parameter is not set [Added]
- I3642: Verify that DenyServiceExternalIPs is set [Added]
- I3643: Verify that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate [Added]
- I3644: Verify that the --kubelet-certificate-authority argument is set as appropriate [Added]
- I3645: Verify that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3646: Verify that the --authorization-mode argument includes Node [Added]
- I3647: Verify that the --authorization-mode argument includes RBAC [Added]
- I3648: Verify that the admission control plugin EventRateLimit is set [Added]
- I3649: Verify that the admission control plugin AlwaysAdmit is not set [Added]
- I3650: Verify that the admission control plugin AlwaysPullImages is set [Added]
- I3651: Verify that the admission control plugin ServiceAccount is set [Added]
- I3652: Verify that the admission control plugin NamespaceLifecycle is set [Added]
- I3653: Verify that the admission control plugin NodeRestriction is set [Added]
- I3654: Verify that the --profiling argument is set to false [Added]
- I3655: Verify that the --audit-log-path argument is set [Added]
- I3656: Verify that the --audit-log-maxage argument is set to 30 or as appropriate [Added]
- I3657: Verify that the --audit-log-maxbackup argument is set to 10 or as appropriate [Added]
- I3658: Verify that the --audit-log-maxsize argument is set to 100 or as appropriate [Added]
- I3659: Verify that the --request-timeout argument is set as appropriate [Added]
- I3660: Verify that the --service-account-lookup argument is set to true [Added]
- I3661: Verify that the --service-account-key-file argument is set as appropriate [Added]
- I3662: Verify that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate [Added]
- I3663: Verify that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate [Added]
- I3664: Verify that the --client-ca-file argument is set as appropriate [Added]
- I3665: Verify that the --etcd-cafile argument is set as appropriate [Added]
- I3666: Verify that the --encryption-provider-config argument is set as appropriate [Added]
- I3667: Verify that encryption providers are appropriately configured [Added]
- I3668: Verify that the API Server only makes use of Strong Cryptographic Ciphers [Added]
- T1290: Implement a security context for your pods and containers (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3617: Apply Security Context to Your Pods and Containers [Added]
- T1291: Test that security context is applied to your pods and containers (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3723: Test that security context is applied to your pods and containers [Added]
- T1292: Implement image provenance for secure deployments (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3614: Configure Image Provenance using ImagePolicyWebhook admission controller [Added]
- T1293: Verify the image provenance configuration for your deployment (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3720: Test Configure Image Provenance using ImagePolicyWebhook admission controller [Added]
- T2059: Enable App Service authentication and identity management (Azure App Service) [Updated]
- INFO: Updated the title.
- P1505: Improper App Service authentication and identity management (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2064: Verify that App Service authentication and identity management is enabled (Azure App Service) [Updated]
- INFO: Updated the title.
- P1505: Improper App Service authentication and identity management (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2065: Configure TLS for secure connections to App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1511: Insecure network communication (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2066: Verify that TLS is configured properly for App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1511: Insecure network communication (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2067: Use the latest version of software on App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1512: Using outdated software in App Service (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2068: Verify that the latest version of software is used on App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1512: Using outdated software in App Service (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2091: Restrict access to Controller Manager service (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3569: Ensure that the --bind-address argument is set to 127.0.0.1 [Added]
- T2092: Verify that the Controller Manager service is not bound to non-loopback insecure addresses (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3675: Verify that the --bind-address argument is set to 127.0.0.1 [Added]
- T2093: Implement kubelet server certificate rotation for Kubernetes (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3568: Ensure that the RotateKubeletServerCertificate argument is set to true [Added]
- T2094: Verify kubelet server certificate rotation on controller-manager (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3674: Verify that the RotateKubeletServerCertificate argument is set to true [Added]
- T2095: Secure Kubernetes configuration files with proper permissions and ownership (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3513: Ensure that the API server pod specification file permissions are set to 600 or more restrictive [Added]
- I3514: Ensure that the API server pod specification file ownership is set to root:root [Added]
- I3515: Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive [Added]
- I3516: Ensure that the controller manager pod specification file ownership is set to root:root [Added]
- I3517: Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive [Added]
- I3518: Ensure that the scheduler pod specification file ownership is set to root:root [Added]
- I3519: Ensure that the etcd pod specification file permissions are set to 600 or more restrictive [Added]
- I3520: Ensure that the etcd pod specification file ownership is set to root:root [Added]
- I3521: Ensure that the Container Network Interface file permissions are set to 600 or more restrictive [Added]
- I3522: Ensure that the Container Network Interface file ownership is set to root:root [Added]
- I3523: Ensure that the etcd data directory permissions are set to 700 or more restrictive [Added]
- I3524: Ensure that the etcd data directory ownership is set to etcd:etcd [Added]
- I3525: Ensure that the default administrative credential file permissions are set to 600 [Added]
- I3526: Ensure that the default administrative credential file ownership is set to root:root [Added]
- I3527: Ensure that the scheduler.conf file permissions are set to 600 or more restrictive [Added]
- I3528: Ensure that the scheduler.conf file ownership is set to root:root [Added]
- I3529: Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive [Added]
- I3530: Ensure that the controller-manager.conf file ownership is set to root:root [Added]
- I3531: Ensure that the Kubernetes PKI directory and file ownership is set to root:root [Added]
- I3532: Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive [Added]
- I3533: Ensure that the Kubernetes PKI key file permissions are set to 600 [Added]
- I3567: Ensure that the --root-ca-file argument is set as appropriate [Added]
- T2096: Verify that the permissions on the sensitive configuration files are set properly (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3619: Verify that the API server pod specification file permissions are set to 600 or more restrictive [Added]
- I3620: Verify that the API server pod specification file ownership is set to root:root [Added]
- I3621: Verify that the controller manager pod specification file permissions are set to 600 or more restrictive [Added]
- I3622: Verify that the controller manager pod specification file ownership is set to root:root [Added]
- I3623: Verify that the scheduler pod specification file permissions are set to 600 or more restrictive [Added]
- I3624: Verify that the scheduler pod specification file ownership is set to root:root [Added]
- I3625: Verify that the etcd pod specification file permissions are set to 600 or more restrictive [Added]
- I3626: Verify that the etcd pod specification file ownership is set to root:root [Added]
- I3627: Verify that the Container Network Interface file permissions are set to 600 or more restrictive [Added]
- I3628: Verify that the Container Network Interface file ownership is set to root:root [Added]
- I3629: Verify that the etcd data directory permissions are set to 700 or more restrictive [Added]
- I3630: Verify that the etcd data directory ownership is set to etcd:etcd [Added]
- I3631: Verify that the default administrative credential file permissions are set to 600 [Added]
- I3632: Verify that the default administrative credential file ownership is set to root:root [Added]
- I3633: Verify that the scheduler.conf file permissions are set to 600 or more restrictive [Added]
- I3634: Verify that the scheduler.conf file ownership is set to root:root [Added]
- I3635: Verify that the controller-manager.conf file permissions are set to 600 or more restrictive [Added]
- I3636: Verify that the controller-manager.conf file ownership is set to root:root [Added]
- I3637: Verify that the Kubernetes PKI directory and file ownership is set to root:root [Added]
- I3638: Verify that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive [Added]
- I3639: Verify that the Kubernetes PKI key file permissions are set to 600 [Added]
- I3673: Verify that the --root-ca-file argument is set as appropriate [Added]
- T2122: Update Android Security Provider
- I1399: Android - Update Android Security Provider in the application [Updated]
- INFO: Updated the title.
- T2133: Protect the security of data in iOS [Updated]
- INFO: Updated the text.
- TA7130: iOS - Best Practices for Keychain Usage [Added]
- I1400: iOS (Swift) - Data encryption using CryptoKit framework [Updated]
- INFO: Updated the title.
- I1401: iOS (Swift) - Create and validate signatures in CryptoKit framework [Updated]
- INFO: Updated the title.
- I1403: iOS (Objective-C) - Encryption with Apple Secure Enclave [Updated]
- INFO: Updated the title.
- T2137: Ensure that sensitive data is not recorded (iOS)
- I1410: iOS (Objective-C) - Prevent information disclosure in iOS when mirroring/recording [Updated]
- INFO: Updated the title.
- I1411: iOS (Swift) - Prevent information disclosure when mirroring/recording [Updated]
- INFO: Updated the title.
- T2232: Use write protection for Parametric Data values (Hardware/Firmware)
- P1630: Missing write protection for parametric data values (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2233: Set proper setting of Bus Controlling Capability in Fabric end-point (Hardware/Firmware)
- P1631: Improper setting of bus controlling capability in fabric end-point (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2234: Restrict mapping of unwarranted programming overlaps of protected and unprotected ranges by Fabric-Address (Hardware/Firmware)
- P1632: Fabric-address map allows programming of unwarranted overlaps of protected and unprotected ranges (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2235: Put security checks in Fabric Bridge (Hardware/Firmware)
- P1633: Missing security checks in fabric bridge (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2236: Put security controls in On-chip Fabrics or Buses (Hardware/Firmware)
- P1634: Missing support for security features in on-chip fabrics or buses (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2237: Protect against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware)
- P1635: Improper protection against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2238: Protect alert signals against untrusted agents (Hardware/Firmware)
- P1636: Improper protection for out of bounds signal level alerts (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2239: Tag traces to indicate owner and debugging privilege level (Hardware/Firmware)
- P1637: Improper management of sensitive trace data (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2240: Designate an immutable Root of Trust for storage (Hardware/Firmware)
- P1638: Missing immutable root of trust in hardware (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2241: Ensure security version data is protected from tampering (Hardware/Firmware)
- P1639: Security version number mutable to older versions (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2242: Implement priority-based arbitration inside the Network on Chips (Hardware/Firmware)
- P1640: Improper isolation of shared resources in network on chip (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2243: Protect against fault injection attacks (Hardware/Firmware)
- P1641: Insufficient protection against instruction skipping via fault injection (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2244: Protect against error injection errors in redundant blocks (Hardware/Firmware)
- P1642: Unauthorized error injection can degrade hardware redundancy (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2245: Protect against abnormal thermal range (Hardware/Firmware)
- P1643: Improper protections against hardware overheating (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2453: Verify that managed components are used (Containerization) [Updated]
- INFO: Updated the title.
- T2462: Minimize the admission of high-privileged containers (Containerization)
- I1674: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.1) [Unpublished]
- I1678: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.5) [Unpublished]
- I1683: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Unpublished]
- I1831: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.1) [Unpublished]
- I1835: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.5) [Unpublished]
- I1836: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.2.6) [Unpublished]
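The three CIS recommendations referenced above (4.2.1 privileged containers, 4.2.5 privilege escalation, 4.2.6 root containers) reduce to three checks on a pod's securityContext. The following is an added example of those checks as a manifest audit; it is not SD Elements, CIS or Kubernetes code, and the pod objects are constructed samples in the shape of a Kubernetes Pod.

```python
"""Flag pod specs that a restrictive admission policy should reject.

Added example, not SD Elements, CIS or Kubernetes code. Implements the checks
behind CIS EKS/AKS 4.2.1 (privileged), 4.2.5 (allowPrivilegeEscalation) and
4.2.6 (root containers). SAMPLE_PODS are constructed.
"""
from __future__ import annotations

SAMPLE_PODS = {
    "legacy-agent": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "legacy-agent"},
        "spec": {"containers": [{"name": "agent", "image": "example.test/agent:1.0",
                                 "securityContext": {"privileged": True}}]}},
    "hardened-web": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened-web"},
        "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                 "containers": [{"name": "web", "image": "example.test/web:2.3",
                                 "securityContext": {"allowPrivilegeEscalation": False,
                                                     "capabilities": {"drop": ["ALL"]}}}]}},
    "mixed": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mixed"},
        "spec": {"securityContext": {"runAsNonRoot": True},
                 # pod says non-root, but the init container overrides it with uid 0
                 "initContainers": [{"name": "init-chown", "image": "example.test/busybox",
                                     "securityContext": {"runAsUser": 0,
                                                         "allowPrivilegeEscalation": False}}],
                 "containers": [{"name": "app", "image": "example.test/app:1.0",
                                 "securityContext": {"allowPrivilegeEscalation": False}}]}},
}


def _effective(container: dict, pod_ctx: dict, key: str):
    """Container-level securityContext overrides the pod-level value for `key`."""
    ctx = container.get("securityContext") or {}
    return ctx[key] if key in ctx else pod_ctx.get(key)


def audit_pod(pod: dict) -> list[tuple[str, str]]:
    """Return (container name, finding) pairs; an empty list means the pod passes."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    findings: list[tuple[str, str]] = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext") or {}
        if ctx.get("privileged") is True:
            findings.append((name, "privileged"))                 # CIS 4.2.1
        # Kubernetes defaults allowPrivilegeEscalation to true, so "unset" is a finding.
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation"))   # CIS 4.2.5
        run_as_user = _effective(c, pod_ctx, "runAsUser")
        run_as_non_root = _effective(c, pod_ctx, "runAsNonRoot")
        # uid 0 is root; no uid and no runAsNonRoot means the image's default uid applies.
        if run_as_user == 0 or (run_as_user is None and run_as_non_root is not True):
            findings.append((name, "root"))                       # CIS 4.2.6
    return findings


def audit_all(pods: dict[str, dict]) -> dict[str, list[tuple[str, str]]]:
    """Audit a map of pod name -> Pod object."""
    return {name: audit_pod(pod) for name, pod in pods.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PODS).items():
        print(name, findings or "ok")
```

This is an audit over manifests (for CI or a cluster export); the enforcing control belongs in admission, for example the Pod Security Admission `restricted` profile or a policy engine, which applies the same three conditions to every pod at creation time.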
- T2473: Verify the presence of security constraints in all user stories and features
- P1716: Lack of Technical Documentation [Updated]
- INFO: Updated the match conditions.
- T2492: Use device-generated opaque keys to encrypt OS files and data on the device (Hardware/Firmware)
- P1722: Unsecure key generation (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2494: Encrypt the bootloader (Hardware/Firmware)
- P1723: Unencrypted bootloader (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2496: Generate and forward audit logs (Hardware/Firmware)
- P1724: Lack of device-generated audit logs (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2525: Prevent Large Language Model Denial of Service
- TA7119: Agentic AI:T4 - Prevent resource overload [Added]
- T2526: Test the prevention of Large Language Model Denial of Service
- TA7125: Agentic AI:T4 - Verify resource overload [Added]
- T2529: Prevent sensitive information disclosure in Large Language Models
- TA7121: Agentic AI:T9 - Add behavioral profiling [Added]
- T2530: Test the prevention of sensitive information disclosure in Large Language Models
- TA7127: Agentic AI:T9 - Test behavioral profiling [Added]
- T2533: Mitigate excessive agency in Large Language Models
- TA7118: Agentic AI:T3 - Add permission controls [Added]
- TA7120: Agentic AI:T8 - Introduce logging and monitoring [Added]
- TA7122: Agentic AI:T13 - Ensure integrity [Added]
- TA7123: Agentic AI:T14 - Limit delegation [Added]
- T2534: Test excessive agency mitigation in Large Language Models
- TA7124: Agentic AI:T3 - Test permission controls [Added]
- TA7126: Agentic AI:T8 - Test logging and monitoring [Added]
- TA7128: Agentic AI:T13 - Verify integrity [Added]
- TA7129: Agentic AI:T14 - Verify delegation [Added]
- T2582: Implement security best practices for data protection (SageMaker) [Updated]
- INFO: Updated the text.
- T4016: Implement robust record-keeping (logging) for high-risk AI systems [Updated]
- INFO: Updated the match conditions.
- T4186: Restrict physical access to devices, and prefer eSIMs [Unpublished]
- P2190: SIM cloning attacks in LTE network [Unpublished]
- T4191: Restrict physical access to devices, and prefer eSIMs [Unpublished]
- P2195: SIM cloning attacks in 5G network [Unpublished]
- T5535: Verify encryption of data in transit with SSL (Azure CycleCloud) [Updated]
- INFO: Updated the title.
- T5650: Establish Dedicated Management, Identity, and Connectivity Subscriptions (Azure Subscriptions) [Added]
- P3416: Improper Subscription Isolation (Azure Subscriptions) [Added]
- T5651: Create additional subscriptions for region-specific governance (Azure Subscriptions) [Added]
- P3417: Lack of Region-Specific Governance (Azure Subscriptions) [Added]
- T5652: Ensure resource group and resource region alignment (Azure Subscriptions) [Added]
- P3418: Resource Misalignment in Azure Resource Management (Azure Subscriptions) [Added]
- T5653: Use separate subscriptions for active-active deployments (Azure Subscriptions) [Added]
- P3419: Improper Resource Management in Active-Active Deployments (Azure Subscriptions) [Added]
- T5654: Use subscriptions as scale units to manage Azure resources efficiently (Azure Subscriptions) [Added]
- P3420: Potential Resource Limitations in Azure Workloads (Azure Subscriptions) [Added]
- T5655: Build a Subscription Vending Process (Azure Subscriptions) [Added]
- P3421: Lack of Automated Subscription Management (Azure Subscriptions) [Added]
- T5656: Prevent Transferring Azure Subscriptions to or from Microsoft Entra Tenant (Azure Subscriptions) [Added]
- P3422: Unauthorized Subscription Transfer Risk (Azure Subscriptions) [Added]
- T5657: Validate Incoming Messenger Messages (Android) [Added]
- P3423: Unvalidated Incoming IPC Messages (Android) [Added]
- T5658: Verify Validation of Incoming Messenger Messages (Android) [Added]
- P3423: Unvalidated Incoming IPC Messages (Android) [Added]
- T5659: Verify Secure User Data Control Features (Android) [Added]
- P3424: Lack of user control over stored data (Android) [Added]
- T5660: Implement secure data control options for users (Android) [Added]
- P3424: Lack of user control over stored data (Android) [Added]
- T5685: Implement multi-factor authentication for IBM Cloud resources (IBM Cloud Internet Services) [Added]
- P3441: Lack of Multi-Factor Authentication (IBM Cloud VPC) [Added]
- I2185: Monitor account owner for frequent, unexpected, or unauthorized logins [Added]
- I2186: Ensure API keys unused for 180 days are detected and optionally disabled [Added]
- I2187: Ensure API keys are rotated every 90 days [Added]
- I2188: Restrict user API key creation and service ID creation [Added]
- I2189: Ensure no owner account API key exists [Added]
- I2190: Ensure compliance with IBM Cloud password requirements [Added]
- I2191: Ensure multi-factor authentication (MFA) is enabled for all users in account [Added]
- I2192: Ensure multi-factor authentication (MFA) is enabled for the account owner [Added]
- I2193: Ensure multi-factor authentication (MFA) is enabled at the account level [Added]
- I2194: Ensure contact email is valid [Added]
- I2195: Ensure contact phone number is valid [Added]
- I2196: Ensure IAM users are members of access groups and IAM policies are assigned only to access groups [Added]
- I2197: Ensure a support access group has been created [Added]
- I2198: Minimize the number of users with admin privileges in the account [Added]
- I2199: Minimize the number of Service IDs with admin privileges in the account [Added]
- I2200: Ensure IAM does not allow public access to Cloud Object Storage [Added]
- I2201: Ensure Inactive User Accounts are Suspended [Added]
- I2202: Enable audit logging for IBM Cloud Identity and Access Management [Added]
- I2203: Ensure Identity Federation is set up with a Corporate IDP [Added]
- I2249: Ensure certificates are automatically renewed before expiration [Added]
- T5686: Implement access restrictions on IBM Cloud Object Storage (IBM Cloud Object Storage) [Added]
- P3442: Lack of Access Restrictions (IBM Cloud Object Storage) [Added]
- I2204: Ensure network access for Cloud Object Storage is restricted [Added]
- I2205: Ensure network access is set to be exposed only on Private end-points [Added]
- I2206: Ensure access is restricted by using IAM and S3 access control [Added]
- I2207: Disable public (anonymous) access to IBM Cloud Object Storage buckets [Added]
- T5687: Enhance data security with envelope encryption (IBM Cloud Object Storage) [Added]
- P3443: Lack of Granular Data Encryption (IBM Cloud Object Storage) [Added]
- I2208: Ensure Cloud Object Storage encryption is done with customer managed keys [Added]
- I2209: Ensure Cloud Object Storage Encryption is set to On with BYOK [Added]
- I2210: Ensure Cloud Object Storage Encryption is set to On with KYOK [Added]
- T5688: Implement customer-managed encryption keys in IBM Cloud Block Storage (IBM Cloud Block Storage) [Added]
- P3444: Inadequate Control Over Encryption Keys (IBM Cloud Block Storage) [Added]
- I2211: Ensure 'OS disk' are encrypted with Customer managed keys [Added]
- I2212: Ensure 'Data disks' are encrypted with customer managed keys [Added]
- I2213: Ensure 'Unattached disks' are encrypted with customer managed keys [Added]
- T5689: Implement Bring Your Own Key (BYOK) for Enhanced Data Security (IBM Key Management Services) [Added]
- P3445: Lack of Customer-Controlled Encryption Keys (IBM Key Management Services) [Added]
- I2214: Ensure Block Storage is encrypted with customer managed keys [Added]
- I2215: Ensure Block Storage is encrypted with BYOK [Added]
- I2216: Ensure Block Storage is encrypted with KYOK [Added]
- T5690: Enable alerts for vulnerabilities in container images (IBM Cloud Container Registry) [Added]
- P3446: Lack of Vulnerability Alerts in Container Images (IBM Cloud Container Registry) [Added]
- I2217: Ensure auditing is configured in the IBM Cloud account [Added]
- I2218: Ensure that archiving is enabled for audit events [Added]
- I2219: Ensure that events are collected and processed [Added]
- I2220: Ensure alerts are defined on custom views [Added]
- I2221: Ensure login only from a list of authorized countries/IP ranges [Added]
- I2222: Ensure Activity Tracker data is encrypted at rest [Added]
- I2223: Ensure Activity Tracker trails are integrated with LogDNA Logs [Added]
- I2248: Ensure alerts are enabled for vulnerabilities [Added]
- T5691: Implement encryption at rest using IBM Cloud Database service (IBM Cloud Database) [Added]
- P3447: Lack of Encryption at Rest (IBM Cloud Database) [Added]
- I2224: Ensure disk encryption is enabled with customer managed keys [Added]
- I2225: Ensure network access is set to be exposed on “Private end points only” [Added]
- I2226: Ensure IBM Cloud Databases disk encryption is set to On [Added]
- T5692: Implement encryption for client data at-rest using IBM Key Protect (IBM Cloudant) [Added]
- P3448: Lack of Encryption for Client Data at Rest (IBM Cloudant) [Added]
- I2227: Ensure Cloudant encryption is set to On [Added]
- I2228: Ensure IBM Cloudant encryption is enabled with customer managed keys [Added]
- I2229: Ensure IBM Cloudant is only accessible via HTTPS or TLS Connections [Added]
- T5693: Enhance web application security with minimum TLS version and WAF (IBM Cloud Internet Services) [Added]
- P3449: Insecure Data Transmission and Insufficient Web Application Protection (IBM Cloud Internet Services) [Added]
- I2230: Enable TLS 1.2 at minimum for all inbound traffic [Added]
- I2231: Ensure Web application firewall is set to ON [Added]
- I2232: Ensure DDoS protection is Active on IBM Cloud Internet Services [Added]
- T5694: Implement strict ingress access controls in VPC security groups (IBM Cloud VPC) [Added]
- P3450: Unrestricted Ingress Access in VPC Security Groups (IBM Cloud VPC) [Added]
- I2233: Ensure no VPC access control lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2234: Ensure the default security group of every VPC restricts all traffic [Added]
- I2235: Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2236: Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2237: Ensure no VPC access control lists allow ingress from 0.0.0.0/0 to port 3389 [Added]
- T5695: Secure client requests on IBM Cloud Kubernetes Service (IBM Cloud Kubernetes Service) [Added]
- P3451: Insecure Client Requests (IBM Cloud Kubernetes Service) [Added]
- I2238: Ensure TLS 1.2 for all inbound traffic at IBM Cloud Kubernetes Service Ingress [Added]
- I2239: Ensure IBM Cloud Kubernetes Service worker nodes are updated [Added]
- I2240: Ensure that clusters are accessible only by using private endpoints [Added]
- I2241: Ensure IBM Cloud Kubernetes Service cluster has image pull secrets enabled [Added]
- I2242: Ensure Kubernetes Service clusters have the monitoring service enabled [Added]
- I2243: Ensure IBM Cloud Kubernetes Service clusters have the logging service enabled [Added]
- I2244: Ensure Kubernetes secrets data is encrypted with bring your own key (BYOK) [Added]
- I2245: Ensure Kubernetes secrets data is encrypted with keep your own key (KYOK) [Added]
- I2246: Block deployments of vulnerable images to Kubernetes clusters [Added]
- T5696: Implement a regular key rotation policy using Key Protect (IBM Key Protect) [Added]
- P3452: Lack of Regular Key Rotation Policy (IBM Key Protect) [Added]
- I2247: Ensure IBM Key Protect has automated rotation for customer managed keys enabled [Added]
- T5697: Verify the security of API key management practices (IBM Cloud Internet Services) [Added]
- P3441: Lack of Multi-Factor Authentication (IBM Cloud VPC) [Added]
- I2250: Verify account owner for frequent, unexpected, or unauthorized logins [Added]
- I2251: Verify that API keys unused for 180 days are detected and optionally disabled [Added]
- I2252: Verify that API keys are rotated every 90 days [Added]
- I2253: Verify that user API key creation is restricted via IAM roles [Added]
- I2254: Verify that no owner account API key exists [Added]
- I2255: Verify compliance with IBM Cloud password requirements [Added]
- I2256: Verify that multi-factor authentication (MFA) is enabled [Added]
- I2257: Verify that multi-factor authentication (MFA) is enabled for the account owner [Added]
- I2258: Verify that multi-factor authentication (MFA) is enabled at the account level [Added]
- I2259: Verify that the contact email is valid [Added]
- I2260: Verify that the contact phone number is valid [Added]
- I2261: Verify that IAM users are members of access groups [Added]
- I2262: Verify that a support access group has been created [Added]
- I2263: Test minimizing the number of users with admin privileges in the account [Added]
- I2264: Test minimizing the number of Service IDs with admin privileges in the account [Added]
- I2265: Verify that IAM does not allow public access to Cloud Object Storage [Added]
- I2266: Verify that inactive user accounts are suspended [Added]
- I2267: Verify that audit logging is enabled [Added]
- I2268: Verify that Identity Federation is set up with a Corporate IDP [Added]
- I2314: Verify that Certificate Manager automatically renews certificates [Added]
- T5698: Verify that the IBM Cloud Object Storage bucket firewall restricts access (IBM Cloud Object Storage) [Added]
- P3442: Lack of Access Restrictions (IBM Cloud Object Storage) [Added]
- I2269: Verify that network access is restricted to specific IP range [Added]
- I2270: Verify that network access is set to be exposed only on Private end-points [Added]
- I2271: Verify that access is restricted by using IAM and S3 access control [Added]
- I2272: Verify that public access to IBM Cloud Object Storage buckets is disabled [Added]
- T5699: Verify that the encryption keys are managed securely (IBM Cloud Object Storage) [Added]
- P3443: Lack of Granular Data Encryption (IBM Cloud Object Storage) [Added]
- I2273: Verify Cloud Object Storage encryption with customer managed keys [Added]
- I2274: Verify that Cloud Object Storage Encryption is set to On with BYOK [Added]
- I2275: Verify that Cloud Object Storage Encryption is set to On with KYOK [Added]
- T5700: Verify that encryption is managed through IBM Key Management Services (IBM Cloud Block Storage) [Added]
- P3444: Inadequate Control Over Encryption Keys (IBM Cloud Block Storage) [Added]
- I2276: Verify that 'OS disk' are encrypted with Customer managed keys [Added]
- I2277: Verify that 'Data disks' are encrypted with customer managed keys [Added]
- I2278: Verify that unattached disks are encrypted with customer managed keys [Added]
- T5703: Verify that the database service is provisioned with encryption at rest (IBM Cloud Database) [Added]
- P3447: Lack of Encryption at Rest (IBM Cloud Database) [Added]
- I2289: Verify disk encryption is enabled with customer managed keys [Added]
- I2290: Verify network access to IBM Cloud Databases service [Added]
- I2291: Verify IBM Cloud Databases disk encryption is set to On [Added]
- T5704: Verify that the Cloudant instance is provisioned with BYOK (IBM Cloudant) [Added]
- P3448: Lack of Encryption for Client Data at Rest (IBM Cloudant) [Added]
- I2292: Verify Cloudant encryption is set to On [Added]
- I2293: Verify that IBM Cloudant encryption is enabled with customer managed keys [Added]
- I2294: Verify that IBM Cloudant is only accessible via HTTPS or TLS Connections [Added]
- T5705: Verify the minimum TLS version is set to 1.2 (IBM Cloud Internet Services) [Added]
- P3449: Insecure Data Transmission and Insufficient Web Application Protection (IBM Cloud Internet Services) [Added]
- I2295: Test that TLS 1.2 is enabled for all inbound traffic [Added]
- I2296: Verify that the Web application firewall is set to ON [Added]
- I2297: Verify that DDoS protection is Active on IBM Cloud Internet Services [Added]
- T5706: Verify that VPC access control lists filter traffic appropriately (IBM Cloud VPC) [Added]
- P3450: Unrestricted Ingress Access in VPC Security Groups (IBM Cloud VPC) [Added]
- I2298: Verify that no VPC access control lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2299: Verify that the default security group of every VPC restricts all traffic [Added]
- I2300: Verify that no VPC security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2301: Verify that no VPC security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2302: Verify that no VPC access control lists allow ingress from 0.0.0.0/0 to port 3389 [Added]
- T5707: Verify that insecure HTTP requests are redirected to HTTPS (IBM Cloud Kubernetes Service) [Added]
- P3451: Insecure Client Requests (IBM Cloud Kubernetes Service) [Added]
- I2303: Verify TLS 1.2 for all inbound traffic at IBM Cloud Kubernetes Service Ingress [Added]
- I2304: Verify that Kubernetes Service worker nodes are updated [Added]
- I2305: Verify that clusters are accessible only by using private endpoints [Added]
- I2306: Verify that IBM Cloud Kubernetes Service cluster has image pull secrets enabled [Added]
- I2307: Verify Kubernetes Service clusters have the monitoring service enabled [Added]
- I2308: Verify Kubernetes Service clusters have the logging service enabled [Added]
- I2309: Verify that Kubernetes secrets data is encrypted with bring your own key (BYOK) [Added]
- I2310: Verify that Kubernetes secrets data is encrypted with keep your own key (KYOK) [Added]
- I2311: Verify that vulnerable images are blocked from deploying to Kubernetes clusters [Added]
- T5709: Organize artifacts with a dedicated artifact repository (JFrog Artifactory) [Added]
- P3453: Lack of Dedicated Artifact Repository (JFrog Artifactory) [Added]
- T5710: Utilize build info for enhanced traceability (JFrog Artifactory) [Added]
- P3454: Lack of Build Information Traceability (JFrog Artifactory) [Added]
- T5711: Design a universal binary repository structure (JFrog Artifactory) [Added]
- P3455: Inadequate Repository Structure Management (JFrog Artifactory) [Added]
- T5712: Implement a 4-part naming convention for repositories (JFrog Artifactory) [Added]
- P3456: Inconsistent Repository Naming (JFrog Artifactory) [Added]
- T5713: Create a repository structure for development lifecycle (JFrog Artifactory) [Added]
- P3457: Inadequate Repository Structure (JFrog Artifactory) [Added]
- T5714: Implement security processes (JFrog Xray) [Added]
- P3458: Lack of Structured Security Processes (JFrog Xray) [Added]
- T5715: Involve R&D in security and compliance (JFrog Xray) [Added]
- P3459: Lack of Integrated Security and Compliance in Software Development Lifecycle (JFrog Xray) [Added]
- T5716: Define a policy for high-severity issues (JFrog Xray) [Added]
- P3460: Lack of Structured Policy for High-Severity Issues (JFrog Xray) [Added]
- T5717: Implement continuous scanning (JFrog Xray) [Added]
- P3461: Lack of Continuous Vulnerability Scanning (JFrog Xray) [Added]
- T5718: Standardize violation management workflow (JFrog Xray) [Added]
- P3462: Inconsistent Violation Management Workflow (JFrog Xray) [Added]
- T5719: Prioritize security and compliance violations (JFrog Xray) [Added]
- P3463: Lack of Prioritization in Security and Compliance Violations (JFrog Xray) [Added]
- T5720: Implement software package management (JFrog Curation) [Added]
- P3464: Insecure Dependency Management (JFrog Curation) [Added]
- T5721: Implement comprehensive software supply chain protection (JFrog Advanced Security) [Added]
- P3465: Software Supply Chain Vulnerabilities (JFrog Advanced Security) [Added]
- T5722: Implement continuous runtime security (JFrog Runtime) [Added]
- P3466: Lack of Continuous Runtime Security Monitoring (JFrog Runtime) [Added]
- T5723: Implement pre-selection & OSS intelligence (JFrog Catalog) [Added]
- P3467: Inadequate Management of Open-Source Software Packages (JFrog Catalog) [Added]
- T5724: Use appropriate access control mechanisms [ACM-2] (EN 18031-1) [Added]
- P3468: Lack of secure access control mechanism (EN 18031-1) [Added]
- T5725: Use an appropriate authentication mechanism [AUM-2] (EN 18031-1) [Added]
- P3469: Lack of secure authentication mechanism (EN 18031-1) [Added]
- T5726: Ensure the validation of authenticators used in authentication mechanisms [AUM-3] (EN 18031-1) [Added]
- P3470: Insufficient verification of authenticators (EN 18031-1) [Added]
- T5727: Implement the capability to change authentication mechanisms [AUM-4] (EN 18031-1) [Added]
- P3471: Lack of authenticator reset mechanism (EN 18031-1) [Added]
- T5728: Use strong passwords in authentication mechanisms [AUM-5] (EN 18031-1) [Added]
- P3472: Weak password requirements (EN 18031-1) [Added]
- T5729: Implement brute-force protection in authentication mechanism [AUM-6] (EN 18031-1) [Added]
- P3473: Lack of brute-force protection (EN 18031-1) [Added]
- T5730: Ensure the applicability and appropriateness of DoS resilience mechanisms [RLM-1] (EN 18031-1) [Added]
- P3474: Lack of Denial of Service (DoS) protection (EN 18031-1) [Added]
- T5731: Ensure the applicability and appropriateness of network monitoring mechanisms [NMM-1] (EN 18031-1) [Added]
- P3475: Lack of network monitoring mechanism (EN 18031-1) [Added]
- T5732: Ensure the applicability and appropriateness of network traffic control mechanisms [TCM-1] (EN 18031-1) [Added]
- P3476: Lack of traffic control mechanism (EN 18031-1) [Added]
- T5733: Use best practices for cryptography [CRY-1] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
- T5734: Ensure the applicability and appropriateness of secure update mechanisms [SUM-1] (EN 18031-1) [Added]
- P3478: Lack of secure update mechanism (EN 18031-1) [Added]
- T5735: Implement a secure update mechanism [SUM-2] (EN 18031-1) [Added]
- P3478: Lack of secure update mechanism (EN 18031-1) [Added]
- T5736: Implement an automated secure update mechanism [SUM-3] (EN 18031-1) [Added]
- P3478: Lack of secure update mechanism (EN 18031-1) [Added]
- T5737: Ensure the applicability and appropriateness of secure storage mechanisms [SSM-1] (EN 18031-1) [Added]
- P3479: Lack of secure storage mechanism (EN 18031-1) [Added]
- T5738: Implement appropriate integrity protection for secure storage mechanisms [SSM-2] (EN 18031-1) [Added]
- P3479: Lack of secure storage mechanism (EN 18031-1) [Added]
- T5739: Implement appropriate confidentiality protection for secure storage mechanisms [SSM-3] (EN 18031-1) [Added]
- P3479: Lack of secure storage mechanism (EN 18031-1) [Added]
- T5740: Ensure the applicability and appropriateness of secure communication mechanisms [SCM-1] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
- T5741: Implement appropriate integrity and authenticity protection for communication mechanisms [SCM-2] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
- T5742: Implement appropriate confidentiality protection for communication mechanisms [SCM-3] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
- T5743: Implement appropriate replay protection for communication mechanisms [SCM-4] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
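The SCM-2 and SCM-4 requirements above (integrity/authenticity and replay protection for a communication mechanism) are commonly met together with one construction: a monotonically increasing counter bound to the payload by a MAC. The following is an added example of that construction with both the sending and receiving side; it is not SD Elements or EN 18031 text, and the key, frames and counter start value are constructed for illustration.

```python
"""Integrity, authenticity and replay protection on a device message channel.

Added example for EN 18031-1 SCM-2 / SCM-4, not SD Elements or EN 18031 code.
Frame layout: counter (8 bytes, big-endian) || payload || HMAC-SHA256 tag.
The receiver verifies the tag in constant time before interpreting anything,
then accepts only counters strictly greater than the last accepted one.
DEMO_KEY is constructed; a real device keeps it in secure storage (SSM-3) and
must persist last_counter across reboots, or a restart reopens the replay window.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

HDR_LEN = 8
TAG_LEN = 32
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)  # constructed 32-byte key


class Sender:
    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def send(self, payload: bytes) -> bytes:
        """Build an authenticated frame with the next counter value."""
        self.counter += 1
        body = struct.pack(">Q", self.counter) + payload
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class Receiver:
    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter  # persist this on a real device

    def receive(self, frame: bytes) -> bytes | None:
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < HDR_LEN + TAG_LEN:
            return None  # truncated
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # tampered or wrong key (SCM-2); nothing in body is trusted yet
        counter = struct.unpack(">Q", body[:HDR_LEN])[0]
        if counter <= self.last_counter:
            return None  # replayed or stale frame (SCM-4); tag was valid but counter is old
        self.last_counter = counter
        return body[HDR_LEN:]


def demo() -> dict[str, bytes | None]:
    """Exercise accept, replay, tamper and stale-frame paths with constructed messages."""
    sender, receiver = Sender(DEMO_KEY), Receiver(DEMO_KEY)
    f1 = sender.send(b"unlock")
    f2 = sender.send(b"set-temp=21")
    tampered = f2[:HDR_LEN] + b"set-temp=99" + f2[-TAG_LEN:]  # same length, old tag
    return {
        "first": receiver.receive(f1),
        "replay_of_first": receiver.receive(f1),
        "tampered_second": receiver.receive(tampered),
        "second": receiver.receive(f2),
        "stale_after_second": receiver.receive(f1),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:20s} {'rejected' if result is None else result!r}")
```

The order of the two checks matters: the counter is covered by the tag, so an attacker cannot advance or roll back the receiver's state with an unauthenticated frame, and the tag is compared with `hmac.compare_digest` so the rejection path does not leak how many bytes matched. Confidentiality (SCM-3) is not provided by this frame; an AEAD mode with the counter as associated data covers SCM-2 through SCM-4 in one primitive.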
- T5744: Implement appropriate confidential cryptographic keys [CCK-1] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
- T5745: Implement secure confidential cryptographic keys [CCK-2] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
- T5746: Implement features for preventing default values for preinstalled confidential cryptographic keys [CCK-3] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
- T5747: Ensure the use of updated and secure software and hardware [GEC-1] (EN 18031-1) [Added]
- P3481: Use of insecure third party software and hardware (EN 18031-1) [Added]
- T5748: Control access to network interfaces and services [GEC-2] (EN 18031-1) [Added]
- P3482: Exposure of services (EN 18031-1) [Added]
- T5749: Implement a feature for configuring optional services and the related exposed network interfaces [GEC-3] (EN 18031-1) [Added]
- P3483: Lack of control over configuration parameters (EN 18031-1) [Added]
- T5750: Document exposed network interfaces and services [GEC-4] (EN 18031-1) [Added]
- P3484: Lack of technical documentation (EN 18031-1) [Added]
- T5751: Disable unnecessary external interfaces [GEC-5] (EN 18031-1) [Added]
- P3485: Exposure of physical external interfaces (EN 18031-1) [Added]
- T5752: Implement Input validation [GEC-6] (EN 18031-1) [Added]
- P3486: Poor input validation (EN 18031-1) [Added]
- T5753: Verify the network security configuration for Azure Databricks (Azure Databricks) [Added]
- P3487: Lack of Network Traffic Control (Azure Databricks) [Added]
- I2449: Verify that Azure Databricks is deployed in a customer-managed virtual network (VNet) [Added]
- I2450: Verify that network security groups are configured for Databricks subnets [Added]
- I2452: Verify that users and groups are synced from Microsoft Entra ID to Azure Databricks [Added]
- I2453: Verify that Unity Catalog is configured for Azure Databricks [Added]
- I2454: Verify that usage is restricted and expiry is enforced for Databricks personal access tokens [Added]
- I2455: Verify that diagnostic log delivery is configured for Azure Databricks [Added]
- T5754: Verify that data exchanged between worker nodes is encrypted (Azure Databricks) [Added]
- P3488: Lack of Encryption for Data in Transit and at Rest (Microsoft Azure Foundation) [Added]
- I2451: Verify that traffic is encrypted between cluster worker nodes [Added]
- I2456: Verify that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK) [Added]
- T5756: Verify that users provide consent for permissions from verified publishers (Microsoft 365) [Added]
- P3490: Lack of Role-Based Access Control (RBAC) (Microsoft Azure Foundation) [Added]
- I2467: Verify that user consent for applications is set to allow verified publishers [Added]
- I2470: Verify that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' [Added]
- I2472: Verify that the user ability to access groups features in My Groups is restricted [Added]
- I2473: Verify that users can create security groups in Azure portals, API or PowerShell is set to No [Added]
- I2474: Verify that Owners can manage group membership requests in My Groups is set to No [Added]
- I2475: Verify that Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to No [Added]
- I2478: Test that a custom role is assigned permissions for administering resource locks [Added]
- I2479: Verify that Subscription leaving Microsoft Entra tenant is set to Permit no one [Added]
- T5757: Verify the configuration of Named locations in Conditional Access (Microsoft Entra ID) [Added]
- P3491: Lack of Conditional Access Policies (Microsoft Azure Foundation) [Added]
- I2484: Verify that 'trusted locations' are defined [Added]
- I2485: Verify that an exclusionary geographic Conditional Access policy is considered [Added]
- I2486: Verify that an exclusionary device code flow policy is considered [Added]
- T5758: Verify that Basic or Free SKUs are not used for production workloads (Microsoft Azure) [Added]
- P3492: Inadequate SKU Selection for Production Workloads (Microsoft Azure Foundation) [Added]
- I2496: Verify that SKU Basic/Consumption is not used on monitored artifacts [Added]
- T5759: Verify that virtual network flow logs are captured and sent to Log Analytics (Microsoft Azure) [Added]
- P3493: Lack of Centralized Logging Strategy (Microsoft Azure) [Added]
- I2499: Verify that the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) [Added]
- I2501: Verify that Network Security Group Flow logs are captured and sent to Log Analytics [Added]
- I2502: Verify that logging for Azure AppService 'HTTP logs' is enabled [Added]
- I2503: Verify that virtual network flow logs are captured and sent to Log Analytics [Added]
- I2504: Verify that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination [Added]
- I2505: Verify that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination [Added]
- I2506: Verify that Intune logs are captured and sent to Log Analytics [Added]
- I2518: Verify that Application Insights are Configured [Added]
- T5760: Verify the configuration of network security groups for Azure (Microsoft Azure) [Added]
- P3494: Improperly Configured Network Security Groups (Microsoft Azure Foundation) [Added]
- I2519: Verify that RDP access from the Internet is evaluated and restricted [Added]
- I2520: Verify that SSH access from the Internet is evaluated and restricted [Added]
- I2521: Verify that UDP access from the Internet is evaluated and restricted [Added]
- I2522: Verify that HTTP(S) access from the Internet is evaluated and restricted [Added]
- I2525: Verify that Public IP addresses are Evaluated on a Periodic Basis [Added]
- T5761: Verify that virtual network flow logs are retained for greater than or equal to 90 days (Microsoft Azure) [Added]
- P3495: Lack of Virtual Network Flow Logs Retention (Microsoft Azure Foundation) [Added]
- I2523: Verify that Network Security Group Flow Log retention period is 'greater than 90 days' [Added]
- I2524: Verify that Network Watcher is 'Enabled' for Azure Regions that are in use [Added]
- I2526: Verify that virtual network flow log retention days is set to greater than or equal to 90 [Added]
- T5762: Verify the organization's attack surface is minimized (Microsoft Defender for Cloud) [Added]
- I2533: Verify that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled [Added]
- I2534: Verify that Microsoft Defender for DNS is set to 'On' [Added]
- I2535: Verify that Defender for Servers is set to 'On' [Added]
- I2536: Verify that 'Vulnerability assessment for machines' component status is set to 'On' [Added]
- I2537: Verify that 'Endpoint protection' component status is set to 'On' [Added]
- I2538: Verify that 'Agentless scanning for machines' component status is set to 'On' [Added]
- I2539: Verify that 'File Integrity Monitoring' component status is set to 'On' [Added]
- I2540: Verify that Microsoft Defender for Containers is set to 'On' [Added]
- I2541: Verify that Microsoft Defender for Storage is set to 'On' [Added]
- I2542: Verify that Microsoft Defender for App Services is set to 'On' [Added]
- I2543: Verify that Microsoft Defender for Azure Cosmos DB Is Set To 'On' [Added]
- I2544: Verify that Microsoft Defender for Open-Source Relational Databases Is Set To 'On' [Added]
- I2545: Verify that Microsoft Defender for Azure SQL Databases Is Set To 'On' [Added]
- I2546: Verify that Microsoft Defender for SQL Servers on Machines Is Set To 'On' [Added]
- I2547: Verify that Microsoft Defender for Key Vault is set to 'On' [Added]
- I2548: Test that Microsoft Defender for Resource Manager is set to 'On' [Added]
- I2549: Verify that Microsoft Defender for IoT Hub is set to 'On' [Added]
- T5763: Implement a vulnerability assessment for machines (Microsoft Defender for Cloud) [Added]
- I2400: Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled [Added]
- I2401: [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' [Added]
- I2402: Ensure that Defender for Servers is set to 'On' [Added]
- I2403: Ensure that 'Vulnerability assessment for machines' component status is set to 'On' [Added]
- I2404: Ensure that 'Endpoint protection' component status is set to 'On' [Added]
- I2405: Ensure that 'Agentless scanning for machines' component status is set to 'On' [Added]
- I2406: Ensure that 'File Integrity Monitoring' component status is set to 'On' [Added]
- I2407: Ensure That Microsoft Defender for Containers Is Set To 'On' [Added]
- I2408: Ensure That Microsoft Defender for Storage Is Set To 'On' [Added]
- I2409: Ensure That Microsoft Defender for App Services Is Set To 'On' [Added]
- I2410: Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' [Added]
- I2411: Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' [Added]
- I2412: Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' [Added]
- I2413: Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' [Added]
- I2414: Ensure That Microsoft Defender for Key Vault Is Set To 'On' [Added]
- I2415: Ensure That Microsoft Defender for Resource Manager Is Set To 'On' [Added]
- I2416: Ensure That Microsoft Defender for IoT Hub Is Set To 'On' [Added]
- T5764: Verify the security of Azure Key Vault configurations (Microsoft Azure Key Vault) [Added]
- P3496: Public Network Exposure of Azure Key Vault (Microsoft Azure Foundation) [Added]
- I2555: Verify that Role Based Access Control for Azure Key Vault is enabled [Added]
- I2556: Verify that Public Network Access when using Private Endpoint is disabled [Added]
- I2557: Verify that Private Endpoints are Used for Azure Key Vault [Added]
- I2558: Verify that automatic key rotation is enabled within Azure Key Vault [Added]
- I2559: Verify that Azure Key Vault Managed HSM is used when required [Added]
- I2560: Verify that an Azure Bastion Host Exists [Added]
- T5766: Verify that blob versioning is enabled for data recovery (Microsoft Azure Storage) [Added]
- P3498: Lack of Blob Versioning (Microsoft Azure Foundation) [Added]
- I2565: Verify that 'Versioning' is set to 'Enabled' on Azure Blob Storage [Added]
- I2567: Verify that 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access [Added]
- I2573: Verify that Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts [Added]
- I2574: Verify that Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts [Added]
- I2578: Verify that Private Endpoints are used to access Storage Accounts [Added]
- T5767: Verify that data encryption in transit is enabled (Azure Storage) [Added]
- P3499: Lack of Data Encryption in Transit (Microsoft Azure Foundation) [Added]
- I2566: Verify that 'Secure transfer required' is set to 'Enabled' [Added]
- I2569: Verify that the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' [Added]
- T5768: Implement Network Security Groups for Azure Databricks (Microsoft Azure Databricks) [Added]
- P3487: Lack of Network Traffic Control (Azure Databricks) [Added]
- I2316: Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) [Added]
- I2317: Ensure that network security groups are configured for Databricks subnets [Added]
- I2319: Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks [Added]
- I2320: Ensure that Unity Catalog is configured for Azure Databricks [Added]
- I2321: Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens [Added]
- I2322: Ensure that diagnostic log delivery is configured for Azure Databricks [Added]
- T5769: Implement encryption for data in transit and at rest (Microsoft Azure Databricks) [Added]
- P3488: Lack of Encryption for Data in Transit and at Rest (Microsoft Azure Foundation) [Added]
- I2318: Ensure that traffic is encrypted between cluster worker nodes [Added]
- I2323: Ensure that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK) [Added]
- T5770: Implement Resource Manager Locks to Secure Azure Resources (Microsoft Azure) [Added]
- P3489: Lack of Resource Manager Locks (Microsoft Azure Foundation) [Added]
- I2325: Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' [Added]
- I2326: Ensure that 'Number of methods required to reset' is set to '2' [Added]
- I2327: Ensure that account 'Lockout threshold' is less than or equal to '10' [Added]
- I2328: Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' [Added]
- I2329: Ensure that a 'Custom banned password list' is set to 'Enforce' [Added]
- I2330: Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' [Added]
- I2331: Ensure that 'Notify users on password resets?' is set to 'Yes' [Added]
- I2332: Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' [Added]
- I2333: Ensure that 'User consent for applications' is set to 'Do not allow user consent' [Added]
- I2335: Ensure that 'Users can register applications' is set to 'No' [Added]
- I2336: Ensure that Guest user access is restricted to properties and memberships of their own directory objects [Added]
- I2338: Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' [Added]
- I2343: Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' [Added]
- I2344: Ensure that no custom subscription administrator roles exist [Added]
- I2347: Ensure fewer than 5 users have global administrator assignment [Added]
- I2348: Ensure that 'security defaults' is enabled in Microsoft Entra ID [Added]
- I2358: Ensure that Azure admin accounts are not used for daily operations [Added]
- I2359: Ensure that guest users are reviewed on a regular basis [Added]
- I2360: Ensure that use of the 'User Access Administrator' role is restricted [Added]
- I2361: Ensure that Resource Locks are set for Mission-Critical Azure Resources [Added]
- T5771: Implement Role-Based Access Control (RBAC) in Microsoft 365 (Microsoft 365) [Added]
- P3490: Lack of Role-Based Access Control (RBAC) (Microsoft Azure Foundation) [Added]
- I2334: Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' [Added]
- I2337: Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' [Added]
- I2339: Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' [Added]
- I2340: Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' [Added]
- I2341: Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' [Added]
- I2342: Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' [Added]
- I2345: Ensure that a custom role is assigned permissions for administering resource locks [Added]
- I2346: Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' [Added]
- T5772: Implement Conditional Access Policies (Microsoft Azure Active Directory) [Added]
- P3491: Lack of Conditional Access Policies (Microsoft Azure Foundation) [Added]
- I2351: Ensure that 'trusted locations' are defined [Added]
- I2352: Ensure that an exclusionary geographic Conditional Access policy is considered [Added]
- I2353: Ensure that an exclusionary device code flow policy is considered [Added]
- T5773: Implement a robust logging strategy for Azure services (Microsoft Azure) [Added]
- P3493: Lack of Centralized Logging Strategy (Microsoft Azure) [Added]
- I2366: Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) [Added]
- I2368: Ensure that Network Security Group Flow logs are captured and sent to Log Analytics [Added]
- I2369: Ensure that logging for Azure AppService 'HTTP logs' is enabled [Added]
- I2370: Ensure that virtual network flow logs are captured and sent to Log Analytics [Added]
- I2371: Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination [Added]
- I2372: Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination [Added]
- I2373: Ensure that Intune logs are captured and sent to Log Analytics [Added]
- I2385: Ensure Application Insights are Configured [Added]
- T5774: Configure network security groups to enhance Azure security (Microsoft Azure) [Added]
- P3494: Improperly Configured Network Security Groups (Microsoft Azure Foundation) [Added]
- I2386: Ensure that RDP access from the Internet is evaluated and restricted [Added]
- I2387: Ensure that SSH access from the Internet is evaluated and restricted [Added]
- I2388: Ensure that UDP access from the Internet is evaluated and restricted [Added]
- I2389: Ensure that HTTP(S) access from the Internet is evaluated and restricted [Added]
- I2392: Ensure that Public IP addresses are Evaluated on a Periodic Basis [Added]
- T5775: Enable virtual network flow logs retention (Microsoft Azure) [Added]
- P3495: Lack of Virtual Network Flow Logs Retention (Microsoft Azure Foundation) [Added]
- I2390: Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' [Added]
- I2391: Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use [Added]
- I2393: Ensure that virtual network flow log retention days is set to greater than or equal to 90 [Added]
- T5776: Enhance security by minimizing public exposure of Azure Key Vault (Microsoft Azure Key Vault) [Added]
- P3496: Public Network Exposure of Azure Key Vault (Microsoft Azure Foundation) [Added]
- I2422: Ensure that Role Based Access Control for Azure Key Vault is enabled [Added]
- I2423: Ensure that Public Network Access when using Private Endpoint is disabled [Added]
- I2424: Ensure that Private Endpoints are Used for Azure Key Vault [Added]
- I2425: Ensure automatic key rotation is enabled within Azure Key Vault [Added]
- I2426: Ensure that Azure Key Vault Managed HSM is used when required [Added]
- I2427: Ensure an Azure Bastion Host Exists [Added]
- T5777: Implement soft delete for Azure storage accounts (Microsoft Azure Storage) [Added]
- P3497: Lack of Soft Delete Feature (Microsoft Azure Foundation) [Added]
- I2428: Ensure soft delete for Azure File Shares is Enabled [Added]
- I2429: Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares [Added]
- I2430: Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares [Added]
- I2431: Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled [Added]
- I2435: Ensure Soft Delete is Enabled for Azure Containers and Blob Storage [Added]
- I2437: Ensure 'Cross Tenant Replication' is not enabled [Added]
- I2438: Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' [Added]
- I2439: Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts [Added]
- I2442: Ensure that 'Enable key rotation reminders' is enabled for each Storage Account [Added]
- I2443: Ensure that Storage Account access keys are periodically regenerated [Added]
- I2444: Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' [Added]
- I2446: Ensure that 'Public Network Access' is 'Disabled' for storage accounts [Added]
- I2447: Ensure default network access rule for storage accounts is set to deny [Added]
- I2448: Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled' [Added]
- T5778: Implement blob versioning for data integrity and recovery (Microsoft Azure Storage) [Added]
- P3498: Lack of Blob Versioning (Microsoft Azure Foundation) [Added]
- I2432: Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts [Added]
- I2434: Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access [Added]
- I2440: Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts [Added]
- I2441: Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts [Added]
- I2445: Ensure Private Endpoints are used to access Storage Accounts [Added]
- T5779: Enable data encryption in transit for Azure Storage (Microsoft Azure Storage) [Added]
- P3499: Lack of Data Encryption in Transit (Microsoft Azure Foundation) [Added]
- I2433: Ensure that 'Secure transfer required' is set to 'Enabled' [Added]
- I2436: Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' [Added]
- T5780: Evaluate Azure SKUs for Production Workloads (Microsoft Azure) [Added]
- P3492: Inadequate SKU Selection for Production Workloads (Microsoft Azure Foundation) [Added]
- I2363: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) [Added]
- T5781: Verify password policy settings for user accounts (Azure Windows Member Server) [Added]
- P3500: Weak Password Policies (Azure Windows Member Server) [Added]
- I2803: Verify that 'Enforce password history' is set to '24 or more password(s)' [Added]
- I2804: Verify that the 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I2805: Verify that 'Minimum password age' is set to '1 or more day(s)' [Added]
- I2806: Verify that the minimum password length is set to 14 or more characters [Added]
- I2807: Verify that 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I2808: Verify that 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
- T5782: Verify that sensitive privileges are restricted (Azure Windows Member Server) [Added]
- P3501: Inadequate User Rights Management (Azure Windows Member Server) [Added]
- I2809: Verify that 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I2810: Test that 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only) [Added]
- I2811: Verify that 'Act as part of the operating system' is set to 'No One' [Added]
- I2812: Verify that 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2813: Verify that 'Allow log on locally' is set to 'Administrators' [Added]
- I2814: Verify that 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only) [Added]
- I2815: Verify that 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2816: Verify that 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2817: Verify that 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2818: Verify that 'Create a pagefile' is set to 'Administrators' [Added]
- I2819: Test that 'Create a token object' is set to 'No One' [Added]
- I2820: Verify that 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I2821: Verify that 'Create permanent shared objects' is set to 'No One' [Added]
- I2822: Verify that 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) [Added]
- I2823: Verify that 'Debug programs' is set to 'Administrators' [Added]
- I2824: Test that 'Deny access to this computer from the network' includes 'Guests' [Added]
- I2825: Verify that 'Deny log on as a batch job' includes 'Guests' [Added]
- I2826: Verify that 'Deny log on as a service' includes 'Guests' [Added]
- I2827: Verify that 'Deny log on locally' includes 'Guests' [Added]
- I2828: Verify that 'Deny log on through Remote Desktop Services' includes 'Guests' [Added]
- I2830: Verify that 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I2831: Verify that 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2832: Verify that 'Impersonate a client after authentication' is set correctly [Added]
- I2833: Verify that 'Increase scheduling priority' is set to 'Administrators' [Added]
- I2834: Verify that 'Load and unload device drivers' is set to 'Administrators' [Added]
- I2835: Verify that 'Lock pages in memory' is set to 'No One' [Added]
- I2836: Verify that 'Manage auditing and security log' is set to 'Administrators' (MS only) [Added]
- I2837: Verify that 'Modify an object label' is set to 'No One' [Added]
- I2838: Verify that 'Modify firmware environment values' is set to 'Administrators' [Added]
- I2839: Verify that 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I2840: Verify that 'Profile single process' is set to 'Administrators' [Added]
- I2841: Verify that 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I2842: Verify that 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2843: Verify that 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2844: Verify that 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I2845: Verify that 'Take ownership of files or other objects' is set to 'Administrators' [Added]
- I2853: Verify that 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I2854: Verify that 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
- I2892: Verify that the system shutdown setting is disabled [Added]
- I2946: Verify that WDigest Authentication is set to Disabled [Added]
- I2952: Verify that 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I2969: Verify that 'Do not display network selection UI' is set to 'Enabled' [Added]
- I2975: Verify that 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I2978: Verify that 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I2996: Verify that 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I3010: Verify that 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I3012: Verify that 'Allow user control over installs' is set to 'Disabled' [Added]
- I3013: Verify that 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I3014: Verify that 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I3017: Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3018: Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3019: Verify that 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I3020: Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3021: Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3023: Verify that 'Prevent users from modifying settings' is set to 'Enabled' [Added]
- T5783: Verify the security settings for user accounts and permissions (Azure Windows Member Server) [Added]
- P3502: Unauthorized Access and Impersonation Risks (Azure Windows Member Server) [Added]
- I2829: Verify that 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only) [Added]
- I2846: Verify that 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I2847: Verify that the 'Accounts: Guest account status' is set to 'Disabled' (MS only) [Added]
- I2848: Verify that local account use of blank passwords is limited to console logon only [Added]
- I2849: Test the configuration of the administrator account renaming [Added]
- I2850: Test the configuration of the guest account renaming [Added]
- I2893: Verify that User Account Control is set to Enabled [Added]
- I2894: Verify that User Account Control settings are configured correctly [Added]
- I2895: Verify that User Account Control settings are configured correctly [Added]
- I2896: Verify that 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I2897: Verify that User Account Control settings are properly configured [Added]
- I2898: Verify that 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I2899: Verify that User Account Control is set to Enabled [Added]
- I2900: Verify that User Account Control virtualization settings are enabled [Added]
- I2968: Test that 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I2973: Verify that 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I2974: Verify that 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I2990: Verify that 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
- T5784: Verify the audit policy settings for security events (Azure Windows Member Server) [Added]
- P3503: Lack of Detailed Auditing for Security Events (Azure Windows Member Server) [Added]
- I2851: Verify that the audit policy subcategory settings are enabled [Added]
- I2852: Verify that 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
- I2922: Verify that 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I2923: Verify that 'Audit Security Group Management' includes 'Success' [Added]
- I2924: Verify that 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I2925: Verify that 'Audit PNP Activity' is set to include 'Success' [Added]
- I2926: Verify that 'Audit Process Creation' is set to include 'Success' [Added]
- I2927: Verify that 'Audit Account Lockout' includes 'Success and Failure' [Added]
- I2928: Verify that 'Audit Group Membership' is set to include 'Success' [Added]
- I2929: Verify that 'Audit Logoff' is set to include 'Success' [Added]
- I2930: Verify that 'Audit Logon' is set to 'Success and Failure' [Added]
- I2931: Verify that 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I2932: Verify that 'Audit Special Logon' is set to include 'Success' [Added]
- I2933: Verify that 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I2934: Verify that 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I2935: Verify that 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I2936: Verify that 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I2937: Verify that 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I2938: Verify that 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I2939: Verify that 'Audit Security State Change' is set to include 'Success' [Added]
- I2940: Verify that 'Audit Security System Extension' includes 'Success' [Added]
- I2941: Verify that 'Audit System Integrity' is set to 'Success and Failure' [Added]
- I2957: Verify that 'Include command line in process creation events' is set to 'Enabled' [Added]
- T5785: Verify that secure channel traffic is encrypted and signed (Azure Windows Member Server) [Added]
- P3504: Lack of Encryption and Signing for Secure Channel Traffic (Azure Windows Member Server) [Added]
- I2855: Verify that 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I2856: Verify that 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I2857: Verify that 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I2858: Verify that 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I2859: Verify that the machine account password age is set correctly [Added]
- I2901: Verify that Windows Firewall: Domain: Firewall state is set to On (recommended) [Added]
- I2902: Verify that Windows Firewall: Domain: Inbound connections is set to Block (default) [Added]
- I2903: Verify that Windows Firewall: Domain: Outbound connections is set to Allow (default) [Added]
- I2904: Verify that Windows Firewall logging is configured correctly [Added]
- I2905: Verify that Windows Firewall's logging size limit is set correctly [Added]
- I2906: Verify that Windows Firewall is logging dropped packets [Added]
- I2907: Verify that Windows Firewall logs successful connections [Added]
- T5786: Verify the inactivity limit for logon sessions (Azure Windows Member Server) [Added]
- P3505: Lack of Inactivity Lock Screen Policy (Azure Windows Member Server) [Added]
- I2860: Verify that the 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I2861: Test the interactive logon message configuration [Added]
- I2862: Test the interactive logon message title configuration [Added]
- I2863: Verify that the interactive logon prompts users to change passwords before expiration [Added]
- I3007: Verify that 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I3008: Verify that 'Do not use temporary folders per session' is set to 'Disabled' [Added]
- T5787: Verify that SMB packet signing is required (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2864: Verify that Microsoft network client: Digitally sign communications (always) is set to Enabled [Added]
- I2865: Verify that Microsoft network client: Digitally sign communications (if server agrees) is set to Enabled [Added]
- I2866: Verify that the Microsoft network client: Send unencrypted password to third-party SMB servers is set to Disabled [Added]
- I2867: Verify Microsoft network server session timeout settings [Added]
- I2868: Verify that Microsoft network server: Digitally sign communications (always) is set to Enabled [Added]
- I2869: Verify that Microsoft network server: Digitally sign communications (if client agrees) is set to Enabled [Added]
- I2870: Verify that 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
- I2871: Verify that the Microsoft network server's SPN target name validation level is set correctly [Added]
- I2872: Verify that 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I2873: Verify that 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) [Added]
- I2874: Verify that 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) [Added]
- I2875: Verify that 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I2876: Test that network access for named pipes is configured correctly [Added]
- I2877: Verify that 'Network access: Remotely accessible registry paths' is configured [Added]
- I2878: Verify that 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I2879: Verify that 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I2880: Test that network access restrictions for remote calls to SAM are properly configured [Added]
- I2881: Verify that network access shares are not accessible anonymously [Added]
- I2882: Verify that the network access sharing and security model for local accounts is set to classic [Added]
- I2883: Verify that 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I2884: Verify that 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I2885: Verify that 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I2886: Verify that 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1,..... [Added]
- I2887: Verify that 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I2888: Verify that 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' [Added]
- I2889: Verify that the network security settings are configured correctly [Added]
- I2890: Verify that the network security settings require NTLMv2 session security [Added]
- I2891: Verify that the network security settings require NTLMv2 session security [Added]
- I2953: Verify that 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' [Added]
- I2954: Verify that 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I2955: Verify that 'Hardened UNC Paths' is set to 'Enabled' with required settings [Added]
- I3003: Verify that 'Do not allow drive redirection' is set to 'Enabled' [Added]
- T5788: Test the Windows Firewall settings for network traffic filtering (Azure Windows Member Server) [Added]
- P3506: Lack of Network Traffic Filtering (Azure Windows Member Server) [Added]
- I2908: Verify that Windows Firewall: Private: Firewall state is set to On (recommended) [Added]
- I2909: Verify that Windows Firewall: Private: Inbound connections is set to Block (default) [Added]
- I2910: Verify that 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' [Added]
- I2911: Verify that Windows Firewall logging is configured correctly [Added]
- I2912: Verify that Windows Firewall's logging size limit is set correctly [Added]
- I2913: Verify that Windows Firewall is logging dropped packets [Added]
- I2914: Verify that Windows Firewall logs successful connections [Added]
- I2915: Verify that Windows Firewall: Public: Firewall state is set to On (recommended) [Added]
- I2916: Verify that Windows Firewall: Public: Inbound connections is set to Block (default) [Added]
- I2917: Verify that Windows Firewall: Public: Outbound connections is set to Allow (default) [Added]
- I2918: Verify that Windows Firewall logging is configured correctly [Added]
- I2919: Verify Windows Firewall settings for logging size limit [Added]
- I2920: Verify that Windows Firewall is logging dropped packets [Added]
- I2921: Verify that Windows Firewall logs successful connections [Added]
- T5789: Verify the configuration of SMBv1 client driver service settings (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2942: Verify that 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I2943: Verify that 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I2944: Verify that 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I2945: Verify that 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I2947: Verify that MSS: (DisableIPSourceRouting IPv6) IP source routing protection level is set to Enabled: Highest protection [Added]
- I2948: Verify that MSS: (DisableIPSourceRouting) IP source routing protection level is set to Enabled: Highest protection [Added]
- I2949: Verify that 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I2950: Verify that the computer ignores NetBIOS name release requests [Added]
- T5790: Verify the recommended state for Attack Surface Reduction rules (Azure Windows Member Server) [Added]
- P3508: Excessive Attack Surface Exposure (Azure Windows Member Server) [Added]
- I2951: Verify that 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I2956: Test that 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: ..... [Added]
- I2987: Verify that 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I2988: Verify that 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I2989: Verify that 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I2994: Verify that 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I2995: Verify that the Attack Surface Reduction rules are configured [Added]
- T5791: Verify the security settings for Remote Desktop Connection (Azure Windows Member Server) [Added]
- P3509: Credential Exposure via Remote Desktop Connection (Azure Windows Member Server) [Added]
- I2958: Verify that 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I2959: Verify that Remote host allows delegation of non-exportable credentials is set to Enabled [Added]
- I2976: Verify that 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I2977: Verify that 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I3002: Verify that 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I3022: Verify that 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
- T5792: Verify that Virtualization Based Security is enabled (Azure Windows Member Server) [Added]
- P3510: Firmware Vulnerabilities and Unauthorized Access (Azure Windows Member Server) [Added]
- I2960: Verify that 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I2961: Verify that 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I2962: Verify that 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock' [Added]
- I2963: Verify that 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I2964: Test that 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only) [Added]
- I2965: Verify that 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
- T5793: Verify the implementation of Driver Policy (Azure Windows Member Server) [Added]
- P3511: Lack of Driver Policy (Azure Windows Member Server) [Added]
- I2966: Verify that 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I2967: Verify that 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
- T5794: Verify Remote Desktop Services security settings (Azure Windows Member Server) [Added]
- P3512: Unsecured Remote Procedure Call Communications (Azure Windows Member Server) [Added]
- I2970: Verify that 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I2971: Verify that 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I2972: Verify that 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) [Added]
- I3004: Verify that 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I3005: Verify that 'Require secure RPC communication' is set to 'Enabled' [Added]
- I3006: Verify that 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
- T5795: Verify the Event Log behavior settings (Azure Windows Member Server) [Added]
- P3513: Improper Event Log Configuration (Azure Windows Member Server) [Added]
- I2979: Verify Application Control Event Log behavior when the log file reaches its maximum size [Added]
- I2980: Verify that the maximum log file size is set to 32,768 KB or greater [Added]
- I2981: Verify that Security: Control Event Log behavior is set to Disabled [Added]
- I2982: Verify that the maximum log file size is set to Enabled: 196,608 or greater [Added]
- I2983: Verify that Control Event Log behavior is set to Disabled [Added]
- I2984: Verify that the maximum log file size is set to 32,768 KB or greater [Added]
- I2985: Verify System Control Event Log behavior when the log file reaches its maximum size is set to Disabled [Added]
- I2986: Verify that the maximum log file size is set to 32,768 or greater [Added]
- I3015: Verify that 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
- T5796: Test the policy setting for Potentially Unwanted Applications (Azure Windows Member Server) [Added]
- P3514: Potentially Unwanted Application Vulnerability (Azure Windows Member Server) [Added]
- I2991: Test that 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I2992: Verify that 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I3011: Verify that Windows Defender SmartScreen is configured correctly [Added]
- T5797: Verify the configuration for Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- P3515: Improper Configuration of Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- I2993: Verify that 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I3009: Verify that 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I3016: Verify that 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
- T5798: Verify that email scanning is enabled (Azure Windows Member Server) [Added]
- P3516: Unscanned Scripts and Email Attachments (Azure Windows Member Server) [Added]
- I2997: Verify that 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I2998: Verify that 'Turn off real-time protection' is set to 'Disabled' [Added]
- I2999: Verify that 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I3000: Verify that 'Turn on script scanning' is set to 'Enabled' [Added]
- I3001: Verify that e-mail scanning is set to Enabled [Added]
- T5799: Enforce strong password policies for user accounts (Azure Windows Member Server) [Added]
- P3500: Weak Password Policies (Azure Windows Member Server) [Added]
- I2582: (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' [Added]
- I2583: (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I2584: (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' [Added]
- I2585: (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' [Added]
- I2586: (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I2587: (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
- T5800: Implement strict user rights management (Azure Windows Member Server) [Added]
- P3501: Inadequate User Rights Management (Azure Windows Member Server) [Added]
- I2588: (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I2589: (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only) [Added]
- I2590: (L1) Ensure 'Act as part of the operating system' is set to 'No One' [Added]
- I2591: (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2592: (L1) Ensure 'Allow log on locally' is set to 'Administrators' [Added]
- I2593: (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only) [Added]
- I2594: (L1) Ensure 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2595: (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2596: (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2597: (L1) Ensure 'Create a pagefile' is set to 'Administrators' [Added]
- I2598: (L1) Ensure 'Create a token object' is set to 'No One' [Added]
- I2599: (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I2600: (L1) Ensure 'Create permanent shared objects' is set to 'No One' [Added]
- I2601: (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) [Added]
- I2602: (L1) Ensure 'Debug programs' is set to 'Administrators' [Added]
- I2603: (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' [Added]
- I2604: (L1) Ensure 'Deny log on as a batch job' to include 'Guests' [Added]
- I2605: (L1) Ensure 'Deny log on as a service' to include 'Guests' [Added]
- I2606: (L1) Ensure 'Deny log on locally' to include 'Guests' [Added]
- I2607: (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' [Added]
- I2609: (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I2610: (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2611: (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, ALL SERVICE' and 'IIS_IUSRS' (MS only) [Added]
- I2612: (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' [Added]
- I2613: (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' [Added]
- I2614: (L1) Ensure 'Lock pages in memory' is set to 'No One' [Added]
- I2615: (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) [Added]
- I2616: (L1) Ensure 'Modify an object label' is set to 'No One' [Added]
- I2617: (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' [Added]
- I2618: (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I2619: (L1) Ensure 'Profile single process' is set to 'Administrators' [Added]
- I2620: (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I2621: (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2622: (L1) Ensure 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2623: (L1) Ensure 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I2624: (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' [Added]
- I2632: (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I2633: (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
- I2671: (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' [Added]
- I2725: (L1) Ensure 'WDigest Authentication' is set to 'Disabled' [Added]
- I2731: (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I2748: (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' [Added]
- I2754: (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I2757: (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I2775: (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I2789: (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I2791: (L1) Ensure 'Allow user control over installs' is set to 'Disabled' [Added]
- I2792: (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I2793: (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I2796: (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I2797: (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I2798: (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I2799: (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I2800: (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I2802: (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' [Added]
- T5801: Enhance security posture of Active Directory environment (Azure Windows Member Server) [Added]
- P3502: Unauthorized Access and Impersonation Risks (Azure Windows Member Server) [Added]
- I2608: (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only) [Added]
- I2625: (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I2626: (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only) [Added]
- I2627: (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' [Added]
- I2628: (L1) Configure 'Accounts: Rename administrator account' [Added]
- I2629: (L1) Configure 'Accounts: Rename guest account' [Added]
- I2672: (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' [Added]
- I2673: (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to ........ [Added]
- I2674: (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' [Added]
- I2675: (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I2676: (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' [Added]
- I2677: (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I2678: (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' [Added]
- I2679: (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' [Added]
- I2747: (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I2752: (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I2753: (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I2769: (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
- T5802: Implement detailed auditing for security events (Azure Windows Member Server) [Added]
- P3503: Lack of Detailed Auditing for Security Events (Azure Windows Member Server) [Added]
- I2630: (L1) Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled' [Added]
- I2631: (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
- I2701: (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I2702: (L1) Ensure 'Audit Security Group Management' is set to include 'Success' [Added]
- I2703: (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I2704: (L1) Ensure 'Audit PNP Activity' is set to include 'Success' [Added]
- I2705: (L1) Ensure 'Audit Process Creation' is set to include 'Success' [Added]
- I2706: (L1) Ensure 'Audit Account Lockout' is set to include 'Success and Failure' [Added]
- I2707: (L1) Ensure 'Audit Group Membership' is set to include 'Success' [Added]
- I2708: (L1) Ensure 'Audit Logoff' is set to include 'Success' [Added]
- I2709: (L1) Ensure 'Audit Logon' is set to 'Success and Failure' [Added]
- I2710: (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I2711: (L1) Ensure 'Audit Special Logon' is set to include 'Success' [Added]
- I2712: (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I2713: (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I2714: (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I2715: (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I2716: (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I2717: (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I2718: (L1) Ensure 'Audit Security State Change' is set to include 'Success' [Added]
- I2719: (L1) Ensure 'Audit Security System Extension' is set to include 'Success' [Added]
- I2720: (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' [Added]
- I2736: (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' [Added]
- T5803: Configure secure channel traffic encryption and signing (Azure Windows Member Server) [Added]
- P3504: Lack of Encryption and Signing for Secure Channel Traffic (Azure Windows Member Server) [Added]
- I2634: (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I2635: (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I2636: (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I2637: (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I2638: (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' [Added]
- I2680: (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' [Added]
- I2681: (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' [Added]
- I2682: (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' [Added]
- I2683: (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' [Added]
- I2684: (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I2685: (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' [Added]
- I2686: (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' [Added]
- T5804: Implement an inactivity lock screen policy for Windows systems (Azure Windows Member Server) [Added]
- P3505: Lack of Inactivity Lock Screen Policy (Azure Windows Member Server) [Added]
- I2639: (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I2640: (L1) Configure 'Interactive logon: Message text for users attempting to log on' [Added]
- I2641: (L1) Configure 'Interactive logon: Message title for users attempting to log on' [Added]
- I2642: (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' [Added]
- I2786: (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I2787: (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' [Added]
- T5805: Enable SMB packet signing for secure data transmission (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2643: (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I2644: (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' [Added]
- I2645: (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' [Added]
- I2646: (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' [Added]
- I2647: (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I2648: (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' [Added]
- I2649: (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
- I2650: (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) [Added]
- I2651: (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I2652: (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) [Added]
- I2653: (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) [Added]
- I2654: (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I2655: (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only) [Added]
- I2656: (L1) Ensure 'Network access: Remotely accessible registry paths' is configured [Added]
- I2657: (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I2658: (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I2659: (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) [Added]
- I2660: (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' [Added]
- I2661: (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' [Added]
- I2662: (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I2663: (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I2664: (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I2665: (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1,...' [Added]
- I2666: (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I2667: (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' [Added]
- I2668: (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher [Added]
- I2669: (L1) Ensure 'Network security: Minimum session security for NTLM SSP based clients' is set to ...... [Added]
- I2670: (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to ......... [Added]
- I2732: (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' [Added]
- I2733: (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I2734: (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for ..... [Added]
- I2782: (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' [Added]
- T5806: Implement Windows Firewall with Advanced Security (Azure Windows Member Server) [Added]
- P3506: Lack of Network Traffic Filtering (Azure Windows Member Server) [Added]
- I2687: (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' [Added]
- I2688: (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' [Added]
- I2689: (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' [Added]
- I2690: (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' [Added]
- I2691: (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I2692: (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' [Added]
- I2693: (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' [Added]
- I2694: (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' [Added]
- I2695: (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' [Added]
- I2696: (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' [Added]
- I2697: (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' [Added]
- I2698: (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I2699: (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' [Added]
- I2700: (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' [Added]
- T5807: Disable outdated SMBv1 protocol (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2721: (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I2722: (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I2723: (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I2724: (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I2726: (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to ....... [Added]
- I2727: (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to ..... [Added]
- I2728: (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I2729: (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except ...... [Added]
- T5808: Implement Attack Surface Reduction Rules (Azure Windows Member Server) [Added]
- P3508: Excessive Attack Surface Exposure (Azure Windows Member Server) [Added]
- I2730: (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I2735: (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: ..... [Added]
- I2766: (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I2767: (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I2768: (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I2773: (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I2774: (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured [Added]
- T5809: Enable Windows Defender Remote Credential Guard (Azure Windows Member Server) [Added]
- P3509: Credential Exposure via Remote Desktop Connection (Azure Windows Member Server) [Added]
- I2737: (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I2738: (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' [Added]
- I2755: (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I2756: (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I2781: (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I2801: (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
- T5810: Enhance security posture with Virtualization Based Security (Azure Windows Member Server) [Added]
- P3510: Firmware Vulnerabilities and Unauthorized Access (Azure Windows Member Server) [Added]
- I2739: (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I2740: (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I2741: (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' [Added]
- I2742: (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I2743: (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only) [Added]
- I2744: (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
- T5811: Implement Driver Policy (Azure Windows Member Server) [Added]
- P3511: Lack of Driver Policy (Azure Windows Member Server) [Added]
- I2745: (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I2746: (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
- T5812: Enhance security of Remote Procedure Call communications (Azure Windows Member Server) [Added]
- P3512: Unsecured Remote Procedure Call Communications (Azure Windows Member Server) [Added]
- I2749: (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I2750: (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I2751: (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) [Added]
- I2783: (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I2784: (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' [Added]
- I2785: (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
- T5813: Configure Event Log Settings for Data Integrity (Azure Windows Member Server) [Added]
- P3513: Improper Event Log Configuration (Azure Windows Member Server) [Added]
- I2758: (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2759: (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I2760: (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2761: (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' [Added]
- I2762: (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2763: (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I2764: (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2765: (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I2794: (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
- T5814: Block potentially unwanted applications with Microsoft Defender Antivirus (Azure Windows Member Server) [Added]
- P3514: Potentially Unwanted Application Vulnerability (Azure Windows Member Server) [Added]
- I2770: (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I2771: (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I2790: (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' [Added]
- T5815: Configure Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- P3515: Improper Configuration of Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- I2772: (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I2788: (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I2795: (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
- T5816: Scan scripts and email attachments for threats (Azure Windows Member Server) [Added]
- P3516: Unscanned Scripts and Email Attachments (Azure Windows Member Server) [Added]
- I2776: (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I2777: (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' [Added]
- I2778: (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I2779: (L1) Ensure 'Turn on script scanning' is set to 'Enabled' [Added]
- I2780: (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' [Added]
- T5817: Verify the policy settings for Windows security features (Azure Windows Member Server) [Added]
- P3517: Lack of policy settings for Windows security features (Azure Windows Member Server) [Added]
- I3031: Verify that 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3032: Verify that the default permissions of internal system objects are strengthened [Added]
- I3033: Verify that 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
- I3034: Verify that the registry policy processing is configured correctly [Added]
- I3035: Verify that the registry policy processing is configured correctly [Added]
- I3036: Verify that 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3037: Verify that 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
- T5818: Enforce policy settings for Windows security features (Azure Windows Member Server) [Added]
- P3517: Lack of policy settings for Windows security features (Azure Windows Member Server) [Added]
- I3024: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3025: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' [Added]
- I3026: Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
- I3027: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' [Added]
- I3028: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' [Added]
- I3029: Ensure 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3030: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
- T5819: Configure Kafka Brokers to Use TLS for Data in Transit [Added]
- P3518: Lack of Encryption for Data in Transit (Apache Kafka) [Added]
- T5820: Set up Kafka to authenticate all connections [Added]
- P3519: Lack of Authentication in Kafka Connections (Apache Kafka) [Added]
- T5821: Enable TLS and SASL Authentication for ZooKeeper [Added]
- P3520: Lack of TLS and SASL Authentication (ZooKeeper) [Added]
- T5822: Deploy a Consistent, Secure Configuration Across All Brokers [Added]
- P3521: Inconsistent and Insecure Broker Configuration (Distributed Messaging Systems) [Added]
- T5823: Enable Detailed Logging and Auditing in Kafka [Added]
- P3522: Lack of Detailed Logging and Auditing (Kafka) [Added]
- T5824: Deploy Kafka in a Segmented Network Zone [Added]
- P3523: Network Segmentation Weakness in Kafka Deployment [Added]
- T5825: Implement Encryption for Kafka Log and Data Directories [Added]
- P3524: Lack of Encryption for Kafka Log and Data Directories (Apache Kafka) [Added]
- T5826: Leverage Kafka’s Quota Features [Added]
- P3525: Lack of Resource Quotas (Apache Kafka) [Added]
- T5827: Protect Sensitive Configuration Values [Added]
- P3526: Exposure of Sensitive Configuration Values (General Software) [Added]
- T5828: Enable Transport Layer Security (TLS) for gRPC Communications [Added]
- P3527: Lack of Transport Layer Security (TLS) in gRPC Communications (gRPC) [Added]
- T5829: Use Mutual TLS for Authentication [Added]
- P3528: Lack of Mutual TLS Authentication (gRPC Services) [Added]
- T5830: Configure gRPC to use only modern TLS versions [Added]
- P3529: Use of Outdated TLS Versions and Weak Cipher Suites (gRPC) [Added]
- T5831: Turn off gRPC server reflection in production [Added]
- P3530: Exposed gRPC Server Reflection (gRPC Server) [Added]
- T5832: Design Idempotent Methods for Critical Operations [Added]
- P3531: Replay Attack Vulnerability in Critical Operations (gRPC Services) [Added]
- T5833: Enforce Rate Limiting on gRPC Endpoints [Added]
- P3532: Lack of Rate Limiting on gRPC Endpoints (gRPC Services) [Added]
- T5834: Tune gRPC server settings to constrain resource usage [Added]
- P3533: Resource Exhaustion Vulnerability (gRPC Server) [Added]
- T5835: Maintain Secure Deployment Configurations [Added]
- P3534: Misconfigured Deployment Settings (gRPC) [Added]
- T5836: Deploy gRPC services in a segmented network zone with strict firewall rules [Added]
- P3535: Improper Network Segmentation and Access Control (gRPC Services) [Added]
- T5837: Enable detailed logging on the gRPC server [Added]
- P3536: Lack of Detailed Logging (gRPC Server) [Added]
- T5838: Set up monitoring dashboards and automated alerts [Added]
- P3537: Lack of Real-Time Monitoring and Alerting (gRPC) [Added]
- T5839: Keep gRPC server application and OS up to date with security patches [Added]
- P3538: Outdated Software Vulnerabilities (gRPC Server) [Added]
- T5840: Enforce strong password policies for user accounts (Azure Windows Domain Controller) [Added]
- P3539: Weak Password Policies (Azure Windows Domain Controller) [Added]
- I3043: (L1 - DC) Ensure 'Enforce password history' is set to '24 or more password(s)' [Added]
- I3044: (L1 - DC) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I3045: (L1 - DC) Ensure 'Minimum password age' is set to '1 or more day(s)' [Added]
- I3046: (L1 - DC) Ensure 'Minimum password length' is set to '14 or more character(s)' [Added]
- I3047: (L1 - DC) Ensure 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I3048: (L1 - DC) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
- T5841: Implement strict user rights for sensitive privileges (Azure Windows Domain Controller) [Added]
- P3540: Excessive User Privileges (Azure Windows Domain Controller) [Added]
- I3049: (L1 - DC) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I3050: (L1 - DC) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, .....' (DC only) [Added]
- I3051: (L1 - DC) Ensure 'Act as part of the operating system' is set to 'No One' [Added]
- I3052: (L1 - DC) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only) [Added]
- I3053: (L1 - DC) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3054: (L1 - DC) Ensure 'Allow log on locally' is set to 'Administrators' [Added]
- I3055: (L1 - DC) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only) [Added]
- I3056: (L1 - DC) Ensure 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3057: (L1 - DC) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3058: (L1 - DC) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3059: (L1 - DC) Ensure 'Create a pagefile' is set to 'Administrators' [Added]
- I3060: (L1 - DC) Ensure 'Create a token object' is set to 'No One' [Added]
- I3061: (L1 - DC) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I3062: (L1 - DC) Ensure 'Create permanent shared objects' is set to 'No One' [Added]
- I3063: (L1 - DC) Ensure 'Create symbolic links' is set to 'Administrators' (DC only) [Added]
- I3064: (L1 - DC) Ensure 'Debug programs' is set to 'Administrators' [Added]
- I3065: (L1 - DC) Ensure 'Deny access to this computer from the network' to include 'Guests' [Added]
- I3066: (L1 - DC) Ensure 'Deny log on as a batch job' to include 'Guests' [Added]
- I3067: (L1 - DC) Ensure 'Deny log on as a service' to include 'Guests' [Added]
- I3068: (L1 - DC) Ensure 'Deny log on locally' to include 'Guests' [Added]
- I3069: (L1 - DC) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' [Added]
- I3070: (L1 - DC) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only) [Added]
- I3071: (L1 - DC) Ensure 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I3072: (L1 - DC) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3073: (L1 - DC) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only) [Added]
- I3074: (L1 - DC) Ensure 'Increase scheduling priority' is set to 'Administrators' [Added]
- I3075: (L1 - DC) Ensure 'Load and unload device drivers' is set to 'Administrators' [Added]
- I3076: (L1 - DC) Ensure 'Lock pages in memory' is set to 'No One' [Added]
- I3077: (L1 - DC) Ensure 'Manage auditing and security log' is set to 'Administrators' and 'Exchange Servers' (DC only) [Added]
- I3078: (L1 - DC) Ensure 'Modify an object label' is set to 'No One' [Added]
- I3079: (L1 - DC) Ensure 'Modify firmware environment values' is set to 'Administrators' [Added]
- I3080: (L1 - DC) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I3081: (L1 - DC) Ensure 'Profile single process' is set to 'Administrators' [Added]
- I3082: (L1 - DC) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I3083: (L1 - DC) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3084: (L1 - DC) Ensure 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3085: (L1 - DC) Ensure 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I3086: (L1 - DC) Ensure 'Synchronize directory service data' is set to 'No One' (DC only) [Added]
- I3087: (L1 - DC) Ensure 'Take ownership of files or other objects' is set to 'Administrators' [Added]
- T5842: Restrict unauthorized Microsoft account creation (Azure Windows Domain Controller) [Added]
- P3541: Unauthorized Microsoft Account Creation (Azure Windows Domain Controller) [Added]
- I3088: (L1 - DC) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I3089: (L1 - DC) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' [Added]
- I3090: (L1 - DC) Configure 'Accounts: Rename administrator account' [Added]
- I3091: (L1 - DC) Configure 'Accounts: Rename guest account' [Added]
- T5843: Enhance security monitoring with precise auditing capabilities (Azure Windows Domain Controller) [Added]
- P3542: Inadequate Security Monitoring Due to Insufficient Auditing Capabilities (Azure Windows Domain Controller) [Added]
- I3092: (L1 - DC) Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled' [Added]
- I3093: (L1 - DC) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
- T5844: Restrict access to removable NTFS media (Azure Windows Domain Controller) [Added]
- P3543: Unauthorized Access to Removable NTFS Media (Azure Windows Domain Controller) [Added]
- I3094: (L1 - DC) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I3095: (L1 - DC) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
- T5845: Ensure secure LDAP communications with signing requirements (Azure Windows Domain Controller) [Added]
- P3544: Unsigned LDAP Communications (Azure Windows Domain Controller) [Added]
- I3096: (L1 - DC) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) [Added]
- I3097: (L1 - DC) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only) [Added]
- I3098: (L1 - DC) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) [Added]
- I3099: (L1 - DC) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) [Added]
- I3100: (L1 - DC) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) [Added]
- T5846: Ensure secure channel traffic is signed and encrypted (Group Policy Management) [Added]
- P3545: Lack of Encryption and Signing in Secure Channel Traffic (Azure Windows Domain Controller) [Added]
- I3101: (L1 - DC) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I3102: (L1 - DC) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I3103: (L1 - DC) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I3104: (L1 - DC) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I3105: (L1 - DC) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' [Added]
- T5847: Implement an inactivity lock screen policy (Azure Windows Domain Controller) [Added]
- P3546: Lack of Inactivity Lock Screen Policy (Azure Windows Domain Controller) [Added]
- I3106: (L1 - DC) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I3107: (L1 - DC) Configure 'Interactive logon: Message text for users attempting to log on' [Added]
- I3108: (L1 - DC) Configure 'Interactive logon: Message title for users attempting to log on' [Added]
- I3109: (L1 - DC) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' [Added]
- T5848: Enhance SMB Security by Enabling Packet Signing (Azure Windows Domain Controller) [Added]
- P3547: Lack of SMB Packet Signing and Use of Plaintext Passwords (Azure Windows Domain Controller) [Added]
- I3110: (L1 - DC) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I3111: (L1 - DC) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' [Added]
- I3112: (L1 - DC) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' [Added]
- T5849: Configure SMB session security settings (Azure Windows Domain Controller) [Added]
- P3548: Improper Session Management and Lack of Packet Signing (Azure Windows Domain Controller) [Added]
- I3113: (L1 - DC) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' [Added]
- I3114: (L1 - DC) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I3115: (L1 - DC) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' [Added]
- I3116: (L1 - DC) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
- T5850: Restrict anonymous access to enhance network security (Azure Windows Domain Controller) [Added]
- P3549: Anonymous Access to Network Resources (Azure Windows Domain Controller) [Added]
- I3117: (L1 - DC) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I3118: (L1 - DC) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I3119: (L1 - DC) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only) [Added]
- I3120: (L1 - DC) Configure 'Network access: Remotely accessible registry paths' is configured [Added]
- I3121: (L1 - DC) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I3122: (L1 - DC) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I3123: (L1 - DC) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' [Added]
- I3124: (L1 - DC) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - ..... [Added]
- T5851: Enhance NTLM Authentication Settings for Windows Security (Azure Windows Domain Controller) [Added]
- P3550: Weak NTLM Authentication Protocols (Azure Windows Domain Controller) [Added]
- I3125: (L1 - DC) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I3126: (L1 - DC) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I3127: (L1 - DC) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I3128: (L1 - DC) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, ..... [Added]
- I3129: (L1 - DC) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I3130: (L1 - DC) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' [Added]
- I3131: (L1 - DC) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher [Added]
- I3132: (L1 - DC) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to ..... [Added]
- I3133: (L1 - DC) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to ..... [Added]
- T5852: Restrict shutdown capabilities to authenticated users only (Azure Windows Domain Controller) [Added]
- P3551: Unauthorized System Shutdown (Azure Windows Domain Controller) [Added]
- I3134: (L1 - DC) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' [Added]
- T5853: Enable case sensitivity in Windows environment (Azure Windows Domain Controller) [Added]
- P3552: Case Insensitivity in File Systems (Azure Windows Domain Controller) [Added]
- I3135: (L1 - DC) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3136: (L1 - DC) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' [Added]
- T5854: Enhance security posture with User Account Control settings (Azure Windows Domain Controller) [Added]
- P3553: Insufficient User Privilege Management (Azure Windows Domain Controller) [Added]
- I3137: (L1 - DC) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' [Added]
- I3138: (L1 - DC) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to ..... [Added]
- I3139: (L1 - DC) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to ..... [Added]
- I3140: (L1 - DC) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I3141: (L1 - DC) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' [Added]
- I3142: (L1 - DC) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I3143: (L1 - DC) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' [Added]
- I3144: (L1 - DC) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' [Added]
- T5855: Disable print job spooling service (Azure Windows Domain Controller) [Added]
- P3554: Unauthorized Access to Print Jobs (Azure Windows Domain Controller) [Added]
- I3145: (L1 - DC) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) [Added]
- T5856: Enable logging for network traffic in Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3555: Lack of Network Traffic Visibility (Azure Windows Domain Controller) [Added]
- I3146: (L1 - DC) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' [Added]
- I3147: (L1 - DC) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' [Added]
- I3148: (L1 - DC) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' [Added]
- I3149: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' [Added]
- I3150: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I3151: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' [Added]
- I3152: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' [Added]
- T5857: Enable logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3556: Lack of Logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- I3153: (L1 - DC) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' [Added]
- I3154: (L1 - DC) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' [Added]
- I3155: (L1 - DC) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' [Added]
- I3156: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' [Added]
- I3157: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I3158: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' [Added]
- I3159: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' [Added]
- T5858: Implement logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3557: Lack of Logging for Network Traffic (Azure Windows Domain Controller) [Added]
- I3160: (L1 - DC) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' [Added]
- I3161: (L1 - DC) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' [Added]
- I3162: (L1 - DC) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' [Added]
- I3163: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' [Added]
- I3164: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I3165: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' [Added]
- I3166: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' [Added]
- T5859: Strengthen security posture through comprehensive Windows audit policies (Azure Windows Domain Controller) [Added]
- P3558: Lack of visibility into unauthorized or suspicious user and system activities (Azure Windows Domain Controller) [Added]
- I3167: (L1 - DC) Ensure 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I3168: (L1 - DC) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) [Added]
- I3169: (L1 - DC) Ensure 'Audit Computer Account Management' is set to include 'Success and Failure' (DC only) [Added]
- I3170: (L1 - DC) Ensure 'Audit Distribution Group Management' is set to include 'Success and Failure' (DC only) [Added]
- I3171: (L1 - DC) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) [Added]
- I3172: (L1 - DC) Ensure 'Audit Security Group Management' is set to include 'Success' [Added]
- I3173: (L1 - DC) Ensure 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I3174: (L1 - DC) Ensure 'Audit PNP Activity' is set to include 'Success' [Added]
- I3175: (L1 - DC) Ensure 'Audit Process Creation' is set to include 'Success' [Added]
- I3176: (L1 - DC) Ensure 'Audit Account Lockout' is set to include 'Success and Failure' [Added]
- I3177: (L1 - DC) Ensure 'Audit Group Membership' is set to include 'Success' [Added]
- I3178: (L1 - DC) Ensure 'Audit Logoff' is set to include 'Success' [Added]
- I3179: (L1 - DC) Ensure 'Audit Logon' is set to 'Success and Failure' [Added]
- I3180: (L1 - DC) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I3181: (L1 - DC) Ensure 'Audit Special Logon' is set to include 'Success' [Added]
- I3182: (L1 - DC) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I3183: (L1 - DC) Ensure 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I3184: (L1 - DC) Ensure 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I3185: (L1 - DC) Ensure 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I3186: (L1 - DC) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I3187: (L1 - DC) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I3188: (L1 - DC) Ensure 'Audit Security State Change' is set to include 'Success' [Added]
- I3189: (L1 - DC) Ensure 'Audit Security System Extension' is set to include 'Success' [Added]
- I3190: (L1 - DC) Ensure 'Audit System Integrity' is set to 'Success and Failure' [Added]
- T5860: Disable automatic learning to protect user privacy (Azure Windows Domain Controller) [Added]
- P3559: Automatic Learning Enabled (Azure Windows Domain Controller) [Added]
- I3191: (L1 - DC) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
- T5861: Enhance security posture by disabling SMBv1 and WDigest authentication (Azure Windows Domain Controller) [Added]
- P3560: Outdated Protocol and Credential Theft Vulnerabilities (Azure Windows Domain Controller) [Added]
- I3192: (L1 - DC) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I3193: (L1 - DC) Ensure 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I3194: (L1 - DC) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I3195: (L1 - DC) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I3196: (L1 - DC) Ensure 'WDigest Authentication' is set to 'Disabled' [Added]
- T5862: Enhance network security by disabling IP source routing and ICMP redirects (Azure Windows Domain Controller) [Added]
- P3561: IP Source Routing and ICMP Redirects Enabled (Azure Windows Domain Controller) [Added]
- I3197: (L1 - DC) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to ..... [Added]
- I3198: (L1 - DC) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to ..... [Added]
- I3199: (L1 - DC) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I3200: (L1 - DC) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' ..... [Added]
- T5863: Implement secure access to UNC paths (Azure Windows Domain Controller) [Added]
- P3562: Insecure Access to UNC Paths (Azure Windows Domain Controller) [Added]
- I3201: (L1 - DC) Ensure 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I3202: (L1 - DC) Ensure 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I3203: (L1 - DC) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' [Added]
- I3204: (L1 - DC) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I3205: (L1 - DC) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for ..... [Added]
- I3206: (L1 - DC) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to ..... [Added]
- T5864: Enhance security posture with Virtualization Based Security (Azure Windows Domain Controller) [Added]
- P3563: Lack of Virtualization Based Security (Azure Windows Domain Controller) [Added]
- I3207: (L1 - DC) Ensure 'Include command line in process creation events' is set to 'Enabled' [Added]
- I3208: (L1 - DC) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I3209: (L1 - DC) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' [Added]
- I3210: (NG - DC) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I3211: (NG - DC) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I3212: (NG - DC) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to ..... [Added]
- I3213: (NG - DC) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I3214: (NG - DC) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only) [Added]
- I3215: (NG - DC) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
- I3216: (L1 - DC) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I3217: (L1 - DC) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' [Added]
- I3218: (L1 - DC) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' [Added]
- I3219: (L1 - DC) Ensure 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3220: (L1 - DC) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
- I3221: (L1 - DC) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
- I3222: (L1 - DC) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I3223: (L1 - DC) Ensure 'Do not display network selection UI' is set to 'Enabled' [Added]
- I3224: (L1 - DC) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I3225: (L1 - DC) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I3226: (L1 - DC) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only) [Added]
- T5865: Implement Attack Surface Reduction Rules (Azure Windows Domain Controller) [Added]
- P3564: Lack of Attack Surface Reduction Rules (Azure Windows Domain Controller) [Added]
- I3227: (L1 - DC) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I3228: (L1 - DC) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I3229: (L1 - DC) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I3230: (L1 - DC) Ensure 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I3231: (L1 - DC) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I3232: (L1 - DC) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I3233: (L1 - DC) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3234: (L1 - DC) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I3235: (L1 - DC) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3236: (L1 - DC) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' [Added]
- I3237: (L1 - DC) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3238: (L1 - DC) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I3239: (L1 - DC) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3240: (L1 - DC) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I3241: (L1 - DC) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I3242: (L1 - DC) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I3243: (L1 - DC) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I3244: (L1 - DC) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
- I3245: (L1 - DC) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I3246: (L1 - DC) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I3247: (L1 - DC) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I3248: (L1 - DC) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I3249: (L1 - DC) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured [Added]
- I3250: (L1 - DC) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I3251: (L1 - DC) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I3252: (L1 - DC) Ensure 'Turn off real-time protection' is set to 'Disabled' [Added]
- I3253: (L1 - DC) Ensure 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I3254: (L1 - DC) Ensure 'Turn on script scanning' is set to 'Enabled' [Added]
- I3255: (L1 - DC) Ensure 'Turn on e-mail scanning' is set to 'Enabled' [Added]
- I3256: (L1 - DC) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I3257: (L1 - DC) Ensure 'Do not allow drive redirection' is set to 'Enabled' [Added]
- I3258: (L1 - DC) Ensure 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I3259: (L1 - DC) Ensure 'Require secure RPC communication' is set to 'Enabled' [Added]
- I3260: (L1 - DC) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
- I3261: (L1 - DC) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I3262: (L1 - DC) Ensure 'Do not use temporary folders per session' is set to 'Disabled' [Added]
- I3263: (L1 - DC) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I3264: (L1 - DC) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I3265: (L1 - DC) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' [Added]
- I3266: (L1 - DC) Ensure 'Allow user control over installs' is set to 'Disabled' [Added]
- I3267: (L1 - DC) Ensure 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I3268: (L1 - DC) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I3269: (L1 - DC) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
- I3270: (L1 - DC) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
- I3271: (L1 - DC) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3272: (L1 - DC) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3273: (L1 - DC) Ensure 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I3274: (L1 - DC) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3275: (L1 - DC) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3276: (L1 - DC) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
- I3277: (L1 - DC) Ensure 'Prevent users from modifying settings' is set to 'Enabled' [Added]
- T5866: Verify password policy settings for user accounts (Azure Windows Domain Controller) [Added]
- P3539: Weak Password Policies (Azure Windows Domain Controller) [Added]
- I3278: (L1 - DC) Verify that 'Enforce password history' is set to '24 or more password(s)' [Added]
- I3279: (L1 - DC) Verify that 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I3280: (L1 - DC) Verify that 'Minimum password length' is set to '14 or more character(s)' [Added]
- I3281: (L1 - DC) Verify that the minimum password length is set to 14 or more characters [Added]
- I3282: (L1 - DC) Verify that 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I3283: (L1 - DC) Verify that 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
- T5867: Verify that user rights are assigned correctly (Azure Windows Domain Controller) [Added]
- P3540: Excessive User Privileges (Azure Windows Domain Controller) [Added]
- I3284: (L1 - DC) Verify that 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I3285: (L1 - DC) Verify that 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' [Added]
- I3286: (L1 - DC) Verify that 'Act as part of the operating system' is set to 'No One' [Added]
- I3287: (L1 - DC) Verify that 'Add workstations to domain' is set to 'Administrators' (DC only) [Added]
- I3288: (L1 - DC) Verify that 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3289: (L1 - DC) Verify that 'Allow log on locally' is set to 'Administrators' [Added]
- I3290: (L1 - DC) Verify that 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only) [Added]
- I3291: (L1 - DC) Verify that 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3292: (L1 - DC) Verify that 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3293: (L1 - DC) Verify that 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3294: (L1 - DC) Verify that 'Create a pagefile' is set to 'Administrators' [Added]
- I3295: (L1 - DC) Verify that 'Create a token object' is set to 'No One' [Added]
- I3296: (L1 - DC) Verify that 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I3297: (L1 - DC) Verify that 'Create permanent shared objects' is set to 'No One' [Added]
- I3298: (L1 - DC) Verify that 'Create symbolic links' is set to 'Administrators' (DC only) [Added]
- I3299: (L1 - DC) Verify that 'Debug programs' is set to 'Administrators' [Added]
- I3300: (L1 - DC) Verify that 'Deny access to this computer from the network' includes 'Guests' [Added]
- I3301: (L1 - DC) Verify that 'Deny log on as a batch job' includes 'Guests' [Added]
- I3302: (L1 - DC) Verify that 'Deny log on as a service' includes 'Guests' [Added]
- I3303: (L1 - DC) Verify that 'Deny log on locally' includes 'Guests' [Added]
- I3304: (L1 - DC) Verify that 'Deny log on through Remote Desktop Services' includes 'Guests' [Added]
- I3305: (L1 - DC) Verify that 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only) [Added]
- I3306: (L1 - DC) Verify that 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I3307: (L1 - DC) Verify that 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3308: (L1 - DC) Test that 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I3309: (L1 - DC) Verify that 'Increase scheduling priority' is set to 'Administrators' [Added]
- I3310: (L1 - DC) Verify that 'Load and unload device drivers' is set to 'Administrators' [Added]
- I3311: (L1 - DC) Verify that 'Lock pages in memory' is set to 'No One' [Added]
- I3312: (L1 - DC) Verify that the auditing and security log management is configured correctly [Added]
- I3313: (L1 - DC) Verify that 'Modify an object label' is set to 'No One' [Added]
- I3314: (L1 - DC) Verify that 'Modify firmware environment values' is set to 'Administrators' [Added]
- I3315: (L1 - DC) Verify that 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I3316: (L1 - DC) Verify that 'Profile single process' is set to 'Administrators' [Added]
- I3317: (L1 - DC) Verify that 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I3318: (L1 - DC) Verify that 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3319: (L1 - DC) Verify that 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3320: (L1 - DC) Verify that 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I3321: (L1 - DC) Verify that 'Synchronize directory service data' is set to 'No One' (DC only) [Added]
- I3322: (L1 - DC) Verify that 'Take ownership of files or other objects' is set to 'Administrators' [Added]
- T5868: Verify that users can't add or log on with Microsoft accounts (Azure Windows Domain Controller) [Added]
- P3541: Unauthorized Microsoft Account Creation (Azure Windows Domain Controller) [Added]
- I3323: (L1 - DC) Verify that 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I3324: (L1 - DC) Verify that local account use of blank passwords is limited to console logon only [Added]
- I3325: (L1 - DC) Test that the administrator account is renamed [Added]
- I3326: (L1 - DC) Test the configuration of 'Accounts: Rename guest account' [Added]
- T5869: Verify the audit policy settings for Windows Vista or later (Azure Windows Domain Controller) [Added]
- P3542: Inadequate Security Monitoring Due to Insufficient Auditing Capabilities (Azure Windows Domain Controller) [Added]
- I3327: (L1 - DC) Verify that the audit policy subcategory settings are enabled [Added]
- I3328: (L1 - DC) Verify that 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
- T5870: Verify the policy setting for removable NTFS media and printer driver installation (Azure Windows Domain Controller) [Added]
- P3543: Unauthorized Access to Removable NTFS Media (Azure Windows Domain Controller) [Added]
- I3329: (L1 - DC) Verify that 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I3330: (L1 - DC) Verify that 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
- T5871: Verify that the LDAP server requires signing (Azure Windows Domain Controller) [Added]
- P3544: Unsigned LDAP Communications (Azure Windows Domain Controller) [Added]
- I3331: (L1 - DC) Verify that 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' [Added]
- I3332: (L1 - DC) Verify that 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' [Added]
- I3333: (L1 - DC) Verify that 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) [Added]
- I3334: (L1 - DC) Verify that the Domain controller's LDAP server signing requirements are set to Require signing [Added]
- I3335: (L1 - DC) Verify that 'Domain controller: Refuse machine account password changes' is set to 'Disabled' [Added]
- T5872: Verify that secure channel traffic is encrypted and signed (Azure Windows Domain Controller) [Added]
- P3545: Lack of Encryption and Signing in Secure Channel Traffic (Azure Windows Domain Controller) [Added]
- I3336: (L1 - DC) Verify that 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I3337: (L1 - DC) Verify that 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I3338: (L1 - DC) Verify that 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I3339: (L1 - DC) Verify that 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I3340: (L1 - DC) Verify that 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' [Added]
- T5873: Verify the inactivity limit for logon sessions (Azure Windows Domain Controller) [Added]
- P3546: Lack of Inactivity Lock Screen Policy (Azure Windows Domain Controller) [Added]
- I3341: (L1 - DC) Verify that 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I3342: (L1 - DC) Test the interactive logon message configuration [Added]
- I3343: (L1 - DC) Test the interactive logon message title configuration [Added]
- I3344: (L1 - DC) Verify that the interactive logon prompts users to change passwords before expiration [Added]
- T5874: Verify that SMB packet signing is enabled (Azure Windows Domain Controller) [Added]
- P3547: Lack of SMB Packet Signing and Use of Plaintext Passwords (Azure Windows Domain Controller) [Added]
- I3345: (L1 - DC) Verify that Microsoft network client: Digitally sign communications (always) is set to Enabled [Added]
- I3346: (L1 - DC) Verify that Microsoft network client: Digitally sign communications (if server agrees) is set to Enabled [Added]
- I3347: (L1 - DC) Verify that the Microsoft network client: Send unencrypted password to third-party SMB servers is set to Disabled [Added]
- T5875: Verify the SMB session inactivity policy settings (Azure Windows Domain Controller) [Added]
- P3548: Improper Session Management and Lack of Packet Signing (Azure Windows Domain Controller) [Added]
- I3348: (L1 - DC) Verify that Microsoft network server session timeout is set to 15 minutes or fewer [Added]
- I3349: (L1 - DC) Verify that Microsoft network server: Digitally sign communications (always) is set to Enabled [Added]
- I3350: (L1 - DC) Verify that Microsoft network server: Digitally sign communications (if client agrees) is set to Enabled [Added]
- I3351: (L1 - DC) Verify that 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
- T5876: Verify the security settings for anonymous user access (Azure Windows Domain Controller) [Added]
- P3549: Anonymous Access to Network Resources (Azure Windows Domain Controller) [Added]
- I3352: (L1 - DC) Verify that 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I3353: (L1 - DC) Verify that 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I3354: (L1 - DC) Test that the network access for named pipes is configured correctly [Added]
- I3355: (L1 - DC) Verify that 'Network access: Remotely accessible registry paths' is configured [Added]
- I3356: (L1 - DC) Verify that 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I3357: (L1 - DC) Verify that 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I3358: (L1 - DC) Verify that 'Network access: Shares that can be accessed anonymously' is set to 'None' [Added]
- I3359: (L1 - DC) Verify that the network access sharing and security model for local accounts is set to classic [Added]
- T5877: Verify the recommended state for NTLM authentication settings (Azure Windows Domain Controller) [Added]
- P3550: Weak NTLM Authentication Protocols (Azure Windows Domain Controller) [Added]
- I3360: (L1 - DC) Verify that 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I3361: (L1 - DC) Verify that 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I3362: (L1 - DC) Verify that 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I3363: (L1 - DC) Verify that the network security configuration allows specific encryption types for Kerberos [Added]
- I3364: (L1 - DC) Verify that 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I3365: (L1 - DC) Verify that the LAN Manager authentication level is set correctly [Added]
- I3366: (L1 - DC) Verify that the network security settings are configured correctly [Added]
- I3367: (L1 - DC) Verify that the network security settings require NTLMv2 session security [Added]
- I3368: (L1 - DC) Verify that the network security settings require NTLMv2 session security [Added]
- T5878: Verify that the shutdown command is restricted for non-logged on users (Azure Windows Domain Controller) [Added]
- P3551: Unauthorized System Shutdown (Azure Windows Domain Controller) [Added]
- I3369: (L1 - DC) Verify that the system shutdown setting is disabled [Added]
- T5879: Verify the case sensitivity policy setting for subsystems (Azure Windows Domain Controller) [Added]
- P3552: Case Insensitivity in File Systems (Azure Windows Domain Controller) [Added]
- I3370: (L1 - DC) Verify that 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3371: (L1 - DC) Verify that the default permissions of internal system objects are strengthened [Added]
- T5880: Verify the behavior of Admin Approval Mode for the built-in Administrator account (Azure Windows Domain Controller) [Added]
- P3553: Insufficient User Privilege Management (Azure Windows Domain Controller) [Added]
- I3372: (L1 - DC) Verify that User Account Control is set to Enabled [Added]
- I3373: (L1 - DC) Verify that User Account Control settings are configured correctly [Added]
- I3374: (L1 - DC) Verify that User Account Control settings are configured correctly [Added]
- I3375: (L1 - DC) Verify that 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I3376: (L1 - DC) Verify that User Account Control settings are properly configured [Added]
- I3377: (L1 - DC) Verify that 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I3378: (L1 - DC) Verify that User Account Control is set to Enabled [Added]
- I3379: (L1 - DC) Verify that User Account Control virtualization settings are enabled [Added]
- T5881: Test that the print job handling service is disabled (Azure Windows Domain Controller) [Added]
- P3554: Unauthorized Access to Print Jobs (Azure Windows Domain Controller) [Added]
- I3380: (L1 - DC) Verify that the Print Spooler (Spooler) is set to Disabled [Added]
- T5882: Verify the settings for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3555: Lack of Network Traffic Visibility (Azure Windows Domain Controller) [Added]
- I3381: (L1 - DC) Verify that Windows Firewall is set to On (recommended) [Added]
- I3382: (L1 - DC) Verify that Windows Firewall: Domain: Inbound connections is set to Block (default) [Added]
- I3383: (L1 - DC) Verify that Windows Firewall: Domain: Outbound connections is set to Allow (default) [Added]
- I3384: (L1 - DC) Verify that Windows Firewall logging is configured correctly [Added]
- I3385: (L1 - DC) Verify that Windows Firewall's logging size limit is configured correctly [Added]
- I3386: (L1 - DC) Verify that Windows Firewall is logging dropped packets [Added]
- I3387: (L1 - DC) Verify that Windows Firewall logs successful connections [Added]
- T5883: Verify the Windows Firewall settings for network traffic filtering (Azure Windows Domain Controller) [Added]
- P3556: Lack of Logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- I3388: (L1 - DC) Verify that Windows Firewall: Private: Firewall state is set to On (recommended) [Added]
- I3389: (L1 - DC) Verify that Windows Firewall: Private: Inbound connections is set to Block (default) [Added]
- I3390: (L1 - DC) Verify that Windows Firewall: Private: Outbound connections is set to Allow (default) [Added]
- I3391: (L1 - DC) Verify that Windows Firewall logging is configured correctly [Added]
- I3392: (L1 - DC) Verify that Windows Firewall's logging size limit is set correctly [Added]
- I3393: (L1 - DC) Verify that Windows Firewall is logging dropped packets [Added]
- I3394: (L1 - DC) Verify that Windows Firewall is logging successful connections [Added]
- T5884: Verify the implementation of settings for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3557: Lack of Logging for Network Traffic (Azure Windows Domain Controller) [Added]
- I3395: (L1 - DC) Verify that Windows Firewall: Public: Firewall state is set to On (recommended) [Added]
- I3396: (L1 - DC) Verify that 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' [Added]
- I3397: (L1 - DC) Verify that 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' [Added]
- I3398: (L1 - DC) Verify that Windows Firewall logging is configured correctly [Added]
- I3399: (L1 - DC) Verify that Windows Firewall's logging size limit is set correctly [Added]
- I3400: (L1 - DC) Verify that Windows Firewall is logging dropped packets [Added]
- I3401: (L1 - DC) Verify that Windows Firewall's logging for successful connections is enabled [Added]
- T5885: Verify audit logging effectiveness for Windows domain controller security (Azure Windows Domain Controller) [Added]
- P3558: Lack of visibility into unauthorized or suspicious user and system activities (Azure Windows Domain Controller) [Added]
- I3402: (L1 - DC) Verify that 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I3403: (L1 - DC) Verify that 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) [Added]
- I3404: (L1 - DC) Verify that 'Audit Computer Account Management' is set to include 'Success and Failure' (DC only) [Added]
- I3405: (L1 - DC) Verify that 'Audit Distribution Group Management' includes 'Success and Failure' [Added]
- I3406: (L1 - DC) Verify that 'Audit Other Account Management Events' includes 'Success' (DC only) [Added]
- I3407: (L1 - DC) Verify that 'Audit Security Group Management' includes 'Success' [Added]
- I3408: (L1 - DC) Test that 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I3409: (L1 - DC) Verify that 'Audit PNP Activity' is set to include 'Success' [Added]
- I3410: (L1 - DC) Verify that 'Audit Process Creation' is set to include 'Success' [Added]
- I3411: (L1 - DC) Verify that 'Audit Account Lockout' includes 'Success and Failure' [Added]
- I3412: (L1 - DC) Verify that 'Audit Group Membership' is set to include 'Success' [Added]
- I3413: (L1 - DC) Verify that 'Audit Logoff' is set to include 'Success' [Added]
- I3414: (L1 - DC) Verify that 'Audit Logon' is set to 'Success and Failure' [Added]
- I3415: (L1 - DC) Verify that 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I3416: (L1 - DC) Verify that 'Audit Special Logon' is set to include 'Success' [Added]
- I3417: (L1 - DC) Verify that 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I3418: (L1 - DC) Verify that 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I3419: (L1 - DC) Verify that 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I3420: (L1 - DC) Verify that 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I3421: (L1 - DC) Verify that 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I3422: (L1 - DC) Verify that 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I3423: (L1 - DC) Verify that 'Audit Security State Change' is set to include 'Success' [Added]
- I3424: (L1 - DC) Verify that the Audit Security System Extension includes Success [Added]
- I3425: (L1 - DC) Verify that 'Audit System Integrity' is set to 'Success and Failure' [Added]
- T5886: Verify that the automatic learning component is disabled (Azure Windows Domain Controller) [Added]
- P3559: Automatic Learning Enabled (Azure Windows Domain Controller) [Added]
- I3426: (L1 - DC) Verify that 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
- T5887: Verify the configuration of SMBv1 client driver service (Azure Windows Domain Controller) [Added]
- P3560: Outdated Protocol and Credential Theft Vulnerabilities (Azure Windows Domain Controller) [Added]
- I3427: (L1 - DC) Verify that 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I3428: (L1 - DC) Verify that 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I3429: (L1 - DC) Verify that 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I3430: (L1 - DC) Verify that 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I3431: (L1 - DC) Verify that WDigest Authentication is set to Disabled [Added]
- T5888: Verify the configuration of IP source routing settings (Azure Windows Domain Controller) [Added]
- P3561: IP Source Routing and ICMP Redirects Enabled (Azure Windows Domain Controller) [Added]
- I3432: (L1 - DC) Verify that the IP source routing protection level is set to 'Enabled: Highest protection' [Added]
- I3433: (L1 - DC) Verify that MSS: (DisableIPSourceRouting) IP source routing protection level is set to Enabled: Highest protection [Added]
- I3434: (L1 - DC) Verify that 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I3435: (L1 - DC) Verify that the computer ignores NetBIOS name release requests [Added]
- T5889: Verify the SMB client settings for secure access (Azure Windows Domain Controller) [Added]
- P3562: Insecure Access to UNC Paths (Azure Windows Domain Controller) [Added]
- I3436: (L1 - DC) Verify that 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I3437: (L1 - DC) Verify that 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I3438: (L1 - DC) Verify that the installation and configuration of Network Bridge on your DNS domain network is prohibited [Added]
- I3439: (L1 - DC) Verify that 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I3440: (L1 - DC) Verify that 'Hardened UNC Paths' is set to 'Enabled' [Added]
- I3441: (L1 - DC) Test that 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to ..... [Added]
- T5890: Verify the security audit events logging for process creation (Azure Windows Domain Controller) [Added]
- P3563: Lack of Virtualization Based Security (Azure Windows Domain Controller) [Added]
- I3442: (L1 - DC) Verify that 'Include command line in process creation events' is set to 'Enabled' [Added]
- I3443: (L1 - DC) Verify that 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I3444: (L1 - DC) Verify that the remote host allows delegation of non-exportable credentials [Added]
- I3445: (L1 - DC) Verify that 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I3446: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I3447: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to .... [Added]
- I3448: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I3449: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only) [Added]
- I3450: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
- I3451: (L1 - DC) Verify that the 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I3452: (L1 - DC) Verify that the registry policy processing is configured correctly [Added]
- I3453: (L1 - DC) Verify that the registry policy processing is configured correctly [Added]
- I3454: (L1 - DC) Verify that 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3455: (L1 - DC) Verify that 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
- I3456: (L1 - DC) Verify that 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
- I3457: (L1 - DC) Verify that 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I3458: (L1 - DC) Verify that 'Do not display network selection UI' is set to 'Enabled' [Added]
- I3459: (L1 - DC) Verify that 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I3460: (L1 - DC) Verify that 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I3461: (L1 - DC) Test that the validation of ROCA-vulnerable WHfB keys during authentication is configured [Added]
- T5891: Verify that Microsoft accounts are required for Windows Store apps (Azure Windows Domain Controller) [Added]
- P3564: Lack of Attack Surface Reduction Rules (Azure Windows Domain Controller) [Added]
- I3462: (L1 - DC) Verify that 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I3463: (L1 - DC) Verify that 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I3464: (L1 - DC) Verify that 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I3465: (L1 - DC) Verify that 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I3466: (L1 - DC) Verify that 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I3467: (L1 - DC) Verify that 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I3468: (L1 - DC) Verify Application Control Event Log behavior when the log file reaches its maximum size [Added]
- I3469: (L1 - DC) Verify that the maximum log file size is set to 32,768 or greater [Added]
- I3470: (L1 - DC) Verify Security Control Event Log behavior when the log file reaches its maximum size [Added]
- I3471: (L1 - DC) Verify that the maximum log file size is set to Enabled: 196,608 or greater [Added]
- I3472: (L1 - DC) Verify that the Control Event Log behavior is set to Disabled [Added]
- I3473: (L1 - DC) Verify that the maximum log file size is set to 32,768 KB or greater [Added]
- I3474: (L1 - DC) Verify System Control Event Log behavior when the log file reaches its maximum size [Added]
- I3475: (L1 - DC) Verify that the maximum log file size is set to 32,768 or greater [Added]
- I3476: (L1 - DC) Verify that 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I3477: (L1 - DC) Verify that 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I3478: (L1 - DC) Verify that 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I3479: (L1 - DC) Verify that 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
- I3480: (L1 - DC) Verify that 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I3481: (L1 - DC) Verify that 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I3482: (L1 - DC) Verify that 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I3483: (L1 - DC) Verify that 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I3484: (L1 - DC) Verify that the Attack Surface Reduction rules are configured [Added]
- I3485: (L1 - DC) Verify that 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I3486: (L1 - DC) Verify that 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I3487: (L1 - DC) Verify that 'Turn off real-time protection' is set to 'Disabled' [Added]
- I3488: (L1 - DC) Verify that 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I3489: (L1 - DC) Verify that 'Turn on script scanning' is set to 'Enabled' [Added]
- I3490: (L1 - DC) Verify that 'Turn on e-mail scanning' is set to 'Enabled' [Added]
- I3491: (L1 - DC) Verify that 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I3492: (L1 - DC) Verify that 'Do not allow drive redirection' is set to 'Enabled' [Added]
- I3493: (L1 - DC) Verify that 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I3494: (L1 - DC) Verify that 'Require secure RPC communication' is set to 'Enabled' [Added]
- I3495: (L1 - DC) Verify that 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
- I3496: (L1 - DC) Verify that 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I3497: (L1 - DC) Verify that 'Do not use temporary folders per session' is set to 'Disabled' [Added]
- I3498: (L1 - DC) Verify that 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I3499: (L1 - DC) Verify that 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I3500: (L1 - DC) Verify that Windows Defender SmartScreen is configured to warn and prevent bypass [Added]
- I3501: (L1 - DC) Verify that 'Allow user control over installs' is set to 'Disabled' [Added]
- I3502: (L1 - DC) Verify that 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I3503: (L1 - DC) Verify that 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I3504: (L1 - DC) Verify that 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
- I3505: (L1 - DC) Verify that 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
- I3506: (L1 - DC) Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3507: (L1 - DC) Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3508: (L1 - DC) Verify that 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I3509: (L1 - DC) Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3510: (L1 - DC) Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3511: (L1 - DC) Verify that 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
- I3512: (L1 - DC) Verify that 'Prevent users from modifying settings' is set to 'Enabled' [Added]
- T5892: Verify that the scheduler service is not bound to non-loopback insecure addresses (Kubernetes Master Node) [Added]
- I3571: Ensure that the --bind-address argument is set to 127.0.0.1 [Added]
- T5893: Verify the security of Kubernetes authentication mechanisms (Kubernetes Master Node) [Added]
- P3565: Unrestricted Pod Creation (Kubernetes Master Node) [Added]
- I3685: Verify that client certificate authentication is not used for users [Added]
- I3686: Verify that service account token authentication is not used for users [Added]
- I3687: Verify that Bootstrap token authentication is not used for users [Added]
- I3690: Verify that the cluster-admin role is only used where required [Added]
- I3691: Test that access to secrets is minimized [Added]
- I3692: Verify that wildcard use is minimized in Roles and ClusterRoles [Added]
- I3693: Test that access to create pods is minimized [Added]
- I3696: Verify that the system:masters group is not used [Added]
- I3697: Verify the limited use of Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
- I3698: Test that access to create persistent volumes is minimized [Added]
- I3699: Test that access to the proxy sub-resource of nodes is minimized [Added]
- I3700: Test that access to the approval sub-resource of certificatesigningrequests objects is minimized [Added]
- I3701: Test that access to webhook configuration objects is minimized [Added]
- T5894: Verify that Kubernetes clusters enforce policy controls (Kubernetes Master Node) [Added]
- P3566: Lack of Policy Control Mechanism (Kubernetes Master Node) [Added]
- I3703: Verify that the cluster has at least one active policy control mechanism in place [Added]
- I3704: Test that the admission of privileged containers is minimized [Added]
- I3705: Test minimizing the admission of containers wishing to share the host process ID namespace [Added]
- I3706: Test minimizing the admission of containers wishing to share the host IPC namespace [Added]
- I3707: Test minimizing the admission of containers wishing to share the host network namespace [Added]
- I3708: Test that the admission of containers minimizes allowPrivilegeEscalation [Added]
- I3709: Test that the admission of root containers is minimized [Added]
- I3710: Test that the admission of containers with the NET_RAW capability is minimized [Added]
- I3711: Test the admission of containers with added capabilities [Added]
- I3712: Test that the admission of containers with capabilities assigned is minimized [Added]
- I3713: Test minimize the admission of Windows HostProcess Containers [Added]
- I3714: Test minimizing the admission of HostPath volumes [Added]
- I3715: Test that the admission of containers which use HostPorts is minimized [Added]
- I3721: Test administrative boundaries between resources using namespaces [Added]
- I3722: Verify that the seccomp profile is set to docker/default in your pod definitions [Added]
- I3724: Verify that the default namespace is not used [Added]
- T5895: Test network policies to isolate traffic in your cluster network (Kubernetes Master Node) [Added]
- P3567: Lack of Network Traffic Control (Kubernetes Master Node) [Added]
- I3716: Verify that the CNI in use supports Network Policies [Added]
- I3717: Verify that all Namespaces have Network Policies defined [Added]
- T5896: Verify the use of external secrets management for Kubernetes (Kubernetes Master Node Secrets) [Added]
- P3568: Insecure Secret Management in Kubernetes (Kubernetes Master Node) [Added]
- I3718: Verify that secrets are managed as files instead of environment variables [Added]
- I3719: Verify that external secret storage is considered [Added]
- T5897: Bind scheduler service to loopback addresses (Kubernetes Master Node) [Added]
- I3677: Verify that the --bind-address argument is set to 127.0.0.1 [Added]
- T5898: Implement restrictions on pod creation in Kubernetes (Kubernetes Master Node) [Added]
- P3565: Unrestricted Pod Creation (Kubernetes Master Node) [Added]
- I3579: Client certificate authentication should not be used for users [Added]
- I3580: Service account token authentication should not be used for users [Added]
- I3581: Bootstrap token authentication should not be used for users [Added]
- I3584: Ensure that the cluster-admin role is only used where required [Added]
- I3585: Minimize access to secrets [Added]
- I3586: Minimize wildcard use in Roles and ClusterRoles [Added]
- I3587: Minimize access to create pods [Added]
- I3590: Avoid use of system:masters group [Added]
- I3591: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
- I3592: Minimize access to create persistent volumes [Added]
- I3593: Minimize access to the proxy sub-resource of nodes [Added]
- I3594: Minimize access to the approval sub-resource of certificatesigningrequests objects [Added]
- I3595: Minimize access to webhook configuration objects [Added]
- T5899: Implement a policy control mechanism in Kubernetes (Kubernetes Master Node) [Added]
- P3566: Lack of Policy Control Mechanism (Kubernetes Master Node) [Added]
- I3597: Ensure that the cluster has at least one active policy control mechanism in place [Added]
- I3598: Minimize the admission of privileged containers [Added]
- I3599: Minimize the admission of containers wishing to share the host process ID namespace [Added]
- I3600: Minimize the admission of containers wishing to share the host IPC namespace [Added]
- I3601: Minimize the admission of containers wishing to share the host network namespace [Added]
- I3602: Minimize the admission of containers with allowPrivilegeEscalation [Added]
- I3603: Minimize the admission of root containers [Added]
- I3604: Minimize the admission of containers with the NET_RAW capability [Added]
- I3605: Minimize the admission of containers with added capabilities [Added]
- I3606: Minimize the admission of containers with capabilities assigned [Added]
- I3607: Minimize the admission of Windows HostProcess Containers [Added]
- I3608: Minimize the admission of HostPath volumes [Added]
- I3609: Minimize the admission of containers which use HostPorts [Added]
- I3615: Create administrative boundaries between resources using namespaces [Added]
- I3616: Ensure that the seccomp profile is set to docker/default in your pod definitions [Added]
- I3618: The default namespace should not be used [Added]
- T5900: Implement network policies in Kubernetes (Kubernetes Master Node) [Added]
- P3567: Lack of Network Traffic Control (Kubernetes Master Node) [Added]
- I3610: Ensure that the CNI in use supports Network Policies [Added]
- I3611: Ensure that all Namespaces have Network Policies defined [Added]
- T5901: Implement an external secrets management system for Kubernetes (Kubernetes Master Node) [Added]
- P3568: Insecure Secret Management in Kubernetes (Kubernetes Master Node) [Added]
- I3612: Prefer using secrets as files over secrets as environment variables [Added]
- I3613: Consider external secret storage [Added]
- T5902: Verify that audit logs are collected and managed (Amazon EKS) [Added]
- P3569: Lack of Robust Audit Log Management (Amazon EKS) [Added]
- I3758: Test that audit logs are enabled [Added]
- I3759: Verify that audit logs are collected and managed [Added]
- T5903: Verify kubelet configuration permissions and ownership (Amazon EKS) [Added]
- P3570: Insecure Permissions on Kubelet Configuration Files (Amazon EKS) [Added]
- I3760: Verify that the kubeconfig file permissions are set to 644 or more restrictive [Added]
- I3761: Verify that the kubelet kubeconfig file ownership is set to root:root [Added]
- I3762: Verify that the kubelet configuration file has permissions set to 644 or more restrictive [Added]
- I3763: Verify that the kubelet configuration file ownership is set to root:root [Added]
- T5904: Verify that anonymous requests to the Kubelet server are disabled (Amazon EKS) [Added]
- P3571: Anonymous Request Handling Vulnerability (Amazon EKS) [Added]
- I3764: Verify that Anonymous Auth is Not Enabled [Added]
- I3765: Verify that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3766: Verify that a Client CA File is Configured [Added]
- T5905: Test that the read-only port is disabled (Amazon EKS) [Added]
- P3572: Unauthorized Access via Read-Only Port (Amazon EKS) [Added]
- I3767: Verify that the --read-only-port is disabled [Added]
- I3768: Verify that the --streaming-connection-idle-timeout argument is not set to 0 [Added]
- T5906: Verify Kubelet's iptables management settings (Amazon EKS) [Added]
- P3573: Unrestricted Event Logging Leading to Denial of Service (Amazon EKS) [Added]
- I3769: Verify that the --make-iptables-util-chains argument is set to true [Added]
- I3770: Verify that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture [Added]
- T5907: Test kubelet client and server certificate rotation (Amazon EKS) [Added]
- P3574: Lack of Certificate Rotation (Amazon EKS) [Added]
- I3771: Verify that the --rotate-certificates argument is not present or is set to true [Added]
- I3772: Verify that the RotateKubeletServerCertificate argument is set to true [Added]
- T5908: Verify that access to Kubernetes secrets is restricted (Amazon EKS) [Added]
- P3575: Excessive Privilege Assignment (Amazon EKS) [Added]
- I3773: Verify that the cluster-admin role is only used where required [Added]
- I3774: Verify that wildcard use in Roles and ClusterRoles is minimized [Added]
- I3775: Test the Cluster Access Manager API for EKS cluster access control management [Added]
- I3792: Verify that Kubernetes RBAC users are managed with AWS IAM Authenticator [Added]
- I3804: Test that access to secrets is minimized [Added]
- I3805: Test that access to create pods is minimized [Added]
- I3806: Verify that default service accounts are not actively used [Added]
- I3807: Verify that Service Account Tokens are only mounted where necessary [Added]
- I3808: Verify the limited use of Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
- T5909: Verify that containers do not run with elevated privileges (Amazon EKS) [Added]
- P3576: Excessive Container Privileges (Amazon EKS) [Added]
- I3776: Test that the admission of privileged containers is minimized [Added]
- I3777: Test minimizing the admission of containers wishing to share the host process ID namespace [Added]
- I3778: Test minimizing the admission of containers wishing to share the host IPC namespace [Added]
- I3779: Verify that the admission of containers wishing to share the host network namespace is minimized [Added]
- I3780: Test that the admission of containers minimizes allowPrivilegeEscalation [Added]
- T5910: Test network policies to isolate traffic in your cluster network (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3781: Verify that CNI plugin supports network policies [Added]
- I3809: Verify that all Namespaces have Network Policies defined [Added]
- T5911: Verify the use of external secrets management for Kubernetes (Amazon EKS) [Added]
- P3578: Insecure Secret Management in Kubernetes (Amazon EKS) [Added]
- I3810: Verify that secrets are managed as files instead of environment variables [Added]
- I3811: Verify that external secret storage is considered [Added]
- T5912: Verify that namespaces are used to isolate Kubernetes objects (Amazon EKS) [Added]
- P3579: Lack of Resource Isolation and Access Control (Amazon EKS) [Added]
- I3782: Verify that the default namespace is not used [Added]
- I3812: Test administrative boundaries between resources using namespaces [Added]
- T5913: Test that images deployed to Amazon EKS are scanned for vulnerabilities (Amazon EKS) [Added]
- P3580: Lack of Vulnerability Scanning for Container Images (Amazon EKS) [Added]
- I3783: Verify Image Vulnerability Scanning using Amazon ECR [Added]
- T5914: Verify the Cluster Service Account configuration for read-only access (Amazon EKS) [Added]
- P3581: Excessive Permissions for Cluster Service Account (Amazon EKS) [Added]
- I3784: Test that cluster access to Amazon ECR is minimized to read-only [Added]
- T5915: Verify that Kubernetes workloads use dedicated Service accounts (Amazon EKS) [Added]
- P3582: Lack of Dedicated Service Accounts for Kubernetes Workloads (Amazon EKS) [Added]
- I3785: Verify that dedicated EKS Service Accounts are used [Added]
- T5916: Test that Kubernetes secrets are encrypted during Amazon EKS cluster creation (Amazon EKS) [Added]
- P3583: Unencrypted Kubernetes Secrets (Amazon EKS) [Added]
- I3786: Verify that Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS [Added]
- T5917: Verify that Endpoint Private Access is enabled (Amazon EKS) [Added]
- P3584: Unrestricted Access to Kubernetes Control Plane (Amazon EKS) [Added]
- I3787: Test Restrict Access to the Control Plane Endpoint [Added]
- I3788: Verify that clusters are created with Private Endpoint Enabled and Public Access Disabled [Added]
- I3789: Verify that clusters are created with Private Nodes [Added]
- T5918: Test the network policy implementation options for EKS (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3790: Verify that Network Policy is Enabled and set as appropriate [Added]
- I3791: Verify that traffic is encrypted to HTTPS load balancers with TLS certificates [Added]
- T5919: Implement a robust audit log management process in EKS (Amazon EKS) [Added]
- P3569: Lack of Robust Audit Log Management (Amazon EKS) [Added]
- I3725: Enable audit Logs [Added]
- I3726: Ensure audit logs are collected and managed [Added]
- T5920: Implement secure permissions for kubelet configuration files (Amazon EKS) [Added]
- P3570: Insecure Permissions on Kubelet Configuration Files (Amazon EKS) [Added]
- I3727: Ensure that the kubeconfig file permissions are set to 644 or more restrictive [Added]
- I3728: Ensure that the kubelet kubeconfig file ownership is set to root:root [Added]
- I3729: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive [Added]
- I3730: Ensure that the kubelet configuration file ownership is set to root:root [Added]
- T5921: Secure Kubelet Server by Disabling Anonymous Requests (Amazon EKS) [Added]
- P3571: Anonymous Request Handling Vulnerability (Amazon EKS) [Added]
- I3731: Ensure that the Anonymous Auth is Not Enabled [Added]
- I3732: Ensure that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3733: Ensure that a Client CA File is Configured [Added]
- T5922: Disable read-only port to enhance system security (Amazon EKS) [Added]
- P3572: Unauthorized Access via Read-Only Port (Amazon EKS) [Added]
- I3734: Ensure that the --read-only-port is disabled [Added]
- I3735: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 [Added]
- T5923: Configure eventRecordQPS in Kubelet settings (Amazon EKS) [Added]
- P3573: Unrestricted Event Logging Leading to Denial of Service (Amazon EKS) [Added]
- I3736: Ensure that the --make-iptables-util-chains argument is set to true [Added]
- I3737: Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture [Added]
- T5924: Implement certificate rotation for Kubernetes clusters (Amazon EKS) [Added]
- P3574: Lack of Certificate Rotation (Amazon EKS) [Added]
- I3738: Ensure that the --rotate-certificates argument is not present or is set to true [Added]
- I3739: Ensure that the RotateKubeletServerCertificate argument is set to true [Added]
- T5925: Restrict access to Kubernetes secrets and roles (Amazon EKS) [Added]
- P3575: Excessive Privilege Assignment (Amazon EKS) [Added]
- I3740: Ensure that the cluster-admin role is only used where required [Added]
- I3741: Ensure that default service accounts are not actively used [Added]
- I3742: Ensure that Service Account Tokens are only mounted where necessary [Added]
- I3743: Cluster Access Manager API to streamline and enhance the management of access controls within EKS clusters [Added]
- I3757: Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or Upgrade to AWS CLI v1.16.156 or greater [Added]
- I3793: Minimize access to secrets [Added]
- I3794: Minimize wildcard use in Roles and ClusterRoles [Added]
- I3795: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
- T5926: Restrict container privileges in Kubernetes (Kubernetes) [Added]
- P3576: Excessive Container Privileges (Amazon EKS) [Added]
- I3744: Minimize the admission of privileged containers [Added]
- I3745: Minimize the admission of containers with allowPrivilegeEscalation [Added]
- I3796: Minimize the admission of containers wishing to share the host process ID namespace [Added]
- I3797: Minimize the admission of containers wishing to share the host IPC namespace [Added]
- I3798: Minimize the admission of containers wishing to share the host network namespace [Added]
- T5927: Implement network policies for enhanced security in Kubernetes (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3746: Ensure CNI plugin supports network policies [Added]
- I3799: Ensure that all Namespaces have Network Policies defined [Added]
- T5928: Organize and Isolate Resources with Kubernetes Namespaces (Amazon EKS) [Added]
- P3579: Lack of Resource Isolation and Access Control (Amazon EKS) [Added]
- I3802: Create administrative boundaries between resources using namespaces [Added]
- I3803: The default namespace should not be used [Added]
- T5929: Implement a vulnerability scanning process for deployed images (Amazon EKS) [Added]
- P3580: Lack of Vulnerability Scanning for Container Images (Amazon EKS) [Added]
- I3747: Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider [Added]
- T5930: Restrict Cluster Service Account Permissions for Amazon ECR (Amazon EKS) [Added]
- P3581: Excessive Permissions for Cluster Service Account (Amazon EKS) [Added]
- I3748: Minimize user access to Amazon ECR [Added]
- I3749: Minimize cluster access to read-only for Amazon ECR [Added]
- T5931: Implement encryption for Kubernetes secrets (Amazon EKS) [Added]
- P3583: Unencrypted Kubernetes Secrets (Amazon EKS) [Added]
- I3751: Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS [Added]
- T5932: Restrict access to the Kubernetes control plane (Amazon EKS) [Added]
- P3584: Unrestricted Access to Kubernetes Control Plane (Amazon EKS) [Added]
- I3752: Restrict Access to the Control Plane Endpoint [Added]
- I3753: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled [Added]
- I3754: Ensure clusters are created with Private Nodes [Added]
- T5933: Implement network policies for enhanced security (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3755: Ensure Network Policy is Enabled and set as appropriate [Added]
- I3756: Encrypt traffic to HTTPS load balancers with TLS certificates [Added]
- T5934: Implement an external secrets management system for Kubernetes (Amazon EKS) [Added]
- P3578: Insecure Secret Management in Kubernetes (Amazon EKS) [Added]
- I3800: Prefer using secrets as files over secrets as environment variables [Added]
- I3801: Consider external secret storage [Added]
- T5935: Implement dedicated service accounts for Kubernetes workloads (Amazon EKS) [Added]
- P3582: Lack of Dedicated Service Accounts for Kubernetes Workloads (Amazon EKS) [Added]
- I3750: Prefer using dedicated EKS Service Accounts [Added]
- T5936: Verify that the kubelet service file permissions are secure (Kubernetes Worker Node) [Added]
- P3585: Insecure File Permissions on Configuration Files (Kubernetes Worker Node) [Added]
- T5937: Implement strict file permissions for Kubernetes configuration files (Kubernetes Worker Node) [Added]
- P3585: Insecure File Permissions on Configuration Files (Kubernetes Worker Node) [Added]
Changes to Project Properties and Profiles
- Q193: Components
- Q101: Components In Development
- A1077: Firmware, embedded, or hardware solution [Updated]
- INFO: Updated the children.
- A1077: Firmware, embedded, or hardware solution [Updated]
- Q101: Components In Development
- Q195: Language and Framework
- Q109: Programming Language
- Q110: Technology/Framework
- A2319: Vue.js [Added]
- Q110: Technology/Framework
- Q109: Programming Language
- Q206: Privacy
- Q160: Handles Personal Data
- Q454: US State-Specific Privacy Legislation
- A1255: California Civil Code (CCPA and CPRA) [Updated]
- INFO: Updated the question.
- A1256: CalOPPA [Updated]
- INFO: Updated the question.
- A1996: Virginia CDPA [Updated]
- INFO: Updated the description and match conditions.
- A1997: Colorado PA [Updated]
- INFO: Updated the match conditions.
- A1998: Connecticut PDPOM [Updated]
- INFO: Updated the match conditions.
- A1999: Utah CPA [Updated]
- INFO: Updated the match conditions.
- A2000: Oregon PL [Updated]
- INFO: Updated the match conditions.
- A2001: Texas DPSA [Updated]
- INFO: Updated the match conditions.
- A2002: Montana CDPA [Updated]
- INFO: Updated the description and match conditions.
- A2214: Delaware PDPA [Added]
- A2215: Iowa CDPA [Added]
- A2216: Nebraska DPA [Added]
- A2217: New Hampshire DPA [Added]
- A2218: New Jersey DPA [Added]
- A1255: California Civil Code (CCPA and CPRA) [Updated]
- Q454: US State-Specific Privacy Legislation
- Q160: Handles Personal Data
- Q207: Application Layer
- Q186: Application Layer Protocols Used
- A2317: gRPC [Added]
- Q186: Application Layer Protocols Used
- Q211: Development Tools
- Q364: Version Control Platforms [Updated]
- INFO: Updated the text.
- Q364: Version Control Platforms [Updated]
- Q237: Compliance Scope: Other
- Q489: In scope for EN 18031 [Added]
- Q490: Specific details about your device (Related to 18031-1) [Added]
- A2259: There are legal restrictions that prevent the implementation of access control [Added]
- A2260: The device is designed in a fashion or deployed in an environment where physical/logical measures make unauthorized access to sensitive/confidential information in transit impossible [Added]
- A2261: The device is designed in a fashion or deployed in an environment where physical/logical measures make unauthorized access to sensitive/confidential information at rest impossible [Added]
- A2262: An absence of authentication features is necessary for your device's functionality [Added]
- A2263: Your device does not have software update capabilities because of functional safety [Added]
- A2264: Your device's software is immutable [Added]
- A2265: Your device's network interfaces are used solely in a local network that does not interoperate with other networks [Added]
- A2266: Your device exchanges data between different networks to permanently connect other devices directly to the internet [Added]
- A2267: Conflicting security goals do not allow for implementing functionality for changing authenticator information [Added]
- A2268: Other devices in your device's network provide sufficient protection against DoS attacks and loss of essential network operation functions [Added]
- A2269: Alternative measures to software updates adequately protect the affected security and network assets throughout the device's lifecycle [Added]
- A2270: Your device is meant to be publicly accessed [Added]
- A2271: Your device's software affects network or security assets [Added]
- A2272: Your device requires deviation from secure communication best practices concerning integrity/authenticity for interoperability reasons [Added]
- A2273: Your device manages access to network/security objects over user interfaces where physical or logical measures in the environment provide confidence in the correctness of the entity's claim [Added]
- A2274: Managed access is only used for reading personal information, privacy functions, or privacy function configuration where access without authentication is needed to enable intended equipment functionality [Added]
- A2275: Managed access is only used for reading personal information, privacy functions, or privacy function configuration where legal implications do not allow for authentication mechanisms [Added]
- A2276: Temporary exposure of network assets or security assets is required as part of establishing or managing a connection [Added]
- A2277: Deviation from confidentiality best practices is inevitable for interoperability reasons [Added]
- A2278: Duplicate transfer of information to your device's network interface does not constitute a replay attack [Added]
- A2279: Deviation from best practices against replay attacks is inevitable for interoperability reasons [Added]
- A2280: Your device uses preinstalled confidential cryptographic keys to establish initial trust relationships under conditions controlled by an authorized entity [Added]
- A2281: Your device uses preinstalled confidential cryptographic keys that are shared parameters required for the equipment's intended functionality [Added]
- A2282: Your device currently has publicly-known and exploitable hardware or software vulnerabilities that affect security or network assets and have not been risk-addressed [Added]
- A2283: Your device exposes network interface or services in its factory default state which affect security or network assets [Added]
- A2284: Your device has an external interface that is capable of receiving input [Added]
- A2285: Your device uses or generates confidential cryptographic keys [Added]
- A2258: In scope for EN 18031-1 [Added]
- Q490: Specific details about your device (Related to 18031-1) [Added]
- Q489: In scope for EN 18031 [Added]
- Q243: Internal Hidden Properties
- Q189: Internal Properties (Use this, for all hidden answers)
- A718: The application is a generic server application [Updated]
- INFO: Updated the children.
- A740: This is a new project [Updated]
- INFO: Updated the children.
- A1061: Set of default answers for software profiles [Updated]
- INFO: Updated the text and children.
- A2008: LLM Role-based [Updated]
- INFO: Updated the match conditions.
- A2009: LLM Role-agnostic [Updated]
- INFO: Updated the match conditions.
- A2010: MD Role-based [Updated]
- INFO: Updated the match conditions.
- A2011: MD Role-agnostic [Updated]
- INFO: Updated the match conditions.
- A2309: IBM Cloud All Services [Added]
- A2320: Classification Off [Added]
- Q289: Cloud Computing
- Q290: Cloud Providers
- A2308: IBM Cloud [Added]
- Q299: General
- Q375: CI/CD Tools
- A2257: JFrog [Added]
- Q307: Containerization
- Q308: Containerization Technologies
- Q506: Kubernetes Profiles [Added]
- A2310: Master Node [Added]
- A2311: Worker Node [Added]
- Q362: Microsoft Azure
- Q306: Azure Services
- Q502: Azure Windows Profiles [Added]
- A2314: Member Server [Added]
- A2315: Domain Controller [Added]
- Q370: More Azure Services
- A1196: Azure Multi-Factor Authentication [Unpublished]
- A1204: Azure Key Vault [Updated]
- INFO: Updated the question.
- Q365: Azure Cloud Configuration
- A2132: Azure Subscriptions [Added]
- Q369: Network Technologies
- Q372: Network Components
- Q507: Message Brokers [Added]
- A2316: Apache Kafka [Added]
- Q461: AI and Machine Learning
- Q357: Artificial Intelligence/Machine Learning
- Q457: AI Content Organization
- A1629: Role-based AI content [Updated]
- INFO: Updated the children.
- A2007: Role-agnostic AI content [Updated]
- INFO: Updated the children.
- A2223: Agentic AI (LLM-Based) [Added]
- Q503: IBM Cloud [Added]
- Q488: IBM Cloud Services [Added]
- A2246: IBM Cloud VPC [Added]
- A2247: IBM Cloud Object Storage [Added]
- A2248: IBM Key Management Services [Added]
- A2249: IBM Cloud Container Registry [Added]
- A2250: IBM Cloud Database [Added]
- A2251: IBM Cloudant [Added]
- A2252: IBM Cloud Internet Services [Added]
- A2253: IBM Key Protect [Added]
- A2254: IBM Cloud Block Storage [Added]
- A2255: IBM Cloud Activity Tracker [Added]
- A2256: IBM Cloud Kubernetes Service [Added]
- Q193: Components
Added Components
- SC807: IBM Cloud VPC
- SC808: IBM Cloud Object Storage
- SC809: IBM Key Management Services
- SC810: IBM Cloud Container Registry
- SC811: IBM Cloud Database
- SC812: IBM Cloudant
- SC813: IBM Cloud Internet Services
- SC814: IBM Key Protect
- SC815: IBM Cloud Block Storage
- SC816: IBM Cloud Activity Tracker
- SC817: IBM Cloud Kubernetes Service
- SC818: JFrog
- SC819: Apache Kafka
Updated Components
- SC64: Amazon EKS
- INFO: Updated the description.
2025.1
April 26, 2025
New features and enhancements
System View and Compliance Report Export
- Behind a feature flag, added a new dedicated dashboard that lets users group projects into a single System View.
- Added the ability to export a compliance report for a selected regulation (e.g. GDPR) under a selected System View. The export groups all projects in that view into one CSV with the Task ID, Project Name, and Task Status, grouped by task.
Jira, Skip & Log UX Enhancement
- Improved error messaging in the Jira sync logs when Skip & Log is enabled: every error that occurred is listed, together with the Task ID and the Jira URL (where available).
RIA JIRA Comment Sync support
- Extended the in-app Jira comment sync to RIA installations.
- Jira comment sync uses the same configuration as the existing functionality and syncs comments within the existing task sync process.
New Library Threats UI and API
- Added the ability to surface threats in the Library and to create and manage custom and built-in threats.
- Added the ability to filter the Library Countermeasures page by active status, type, and CAPEC.
- Added the ability to save a copy of an existing Library Threat.
- Added the ability for users to map Threats to Weaknesses and CAPECs.
- Added full create, read, update, and delete via Library Threats API.
New Library Countermeasure List Page Improvements
- Added the ability to retain and share curated search results for library countermeasure page.
- Added the ability to configure the Countermeasure table to user preferences and expand full width.
- Added a new UX filter that allows users to intuitively select multiple filters.
- Modified labels are now present in read-only view.
Navigator
- Added a generative AI-powered conversational interface within SD Elements that enables users to interact intuitively with the SD Elements Library.
Updates
- EOL of Integrations
- Integrations that have not been actively used in the last 2 years reach end of life in the 2025.1 release.
- The following integrations are removed: Archer, VersionOne, IBM RTC, Pivotal Tracker, HP WebInspect, and Mend. Please see the User Guide documentation for details.
Summary of content updates
Improved the content of several countermeasures and weaknesses for clarity and currency.
EU Data Act
- Added a new compliance regulation
- 10 new countermeasures and 10 weaknesses were created to cover as much relevant content from the Act as possible
- 7 terms were added to the Glossary and referenced in the content to clarify legal language when specific terms are used.
Mobile content
- iOS: 6 new countermeasures, 6 corresponding test tasks, and 6 weaknesses
- Android: 3 new countermeasures, 3 corresponding test tasks, and 3 weaknesses
New Just-in-Time Training
- iOS/Swift
- Android/Kotlin
CIS AWS Foundations
- Added new countermeasures, weaknesses, and howtos. Updated existing countermeasures.
- Added a new regulation report for AWS Foundations 4.0.1.
Components
- Added new components: blockchain, smart contract, Containerd, low-code/no-code, and Micronaut.
Accessibility
- Added a dependent component.
- Added regulation report for Web Content Accessibility Guidelines (WCAG) 2.1
EU Radio Equipment Directive (EU RED)
- Added a new compliance regulation
- Added 14 new countermeasures and 13 new weaknesses
Content additions and updates (as of April 1, 2025):
Added JITTs
- Secure Software Design (26)
- Defending iOS (26)
- Defending Swift (26)
Compliance Regulations and Mappings
- Added Web Content Accessibility Guidelines (WCAG) 2.1
- Added EU Data Act
- Added MITRE ATLAS
- Added OWASP Top 10 for LLM Applications 2025
- Added CIS AWS Foundations v4.0.1
- Added CIS Azure Compute Services
- Added ISO 27701
- Added CIS Oracle Cloud Infrastructure
- Added EU Radio Equipment Directive (RED)
- Added 2024 CWE Top 25 Most Dangerous Software Weaknesses
- Added India Digital Personal Data Protection Act (DPDPA) 2023
- Updated ASD-STIG [INFO: Updated the regulation sections].
- Updated PCI-SSS-v1.2.1 [INFO: Updated the regulation sections].
- Updated US AI Regulation [INFO: Updated the regulation sections].
Content Packs
- Added Blockchain
- Added Smart Contract
- Added Containerd
- Added Accessibility
- Added EU Data Act
- Added Low-Code/No-Code
- Added Micronaut
- Added CIS Azure Compute Services
- Added ISO 27701 (2019)
- Added CIS Oracle Cloud Infrastructure
- Added Oracle
- Added EU RED
- Added EN 18031-1
- Added India DPDPA
- Updated EU AI Act [INFO: Updated the created date time].
- Updated CircleCI [INFO: Updated the created date time].
- Updated EU Digital Operational Resilience Act [INFO: Updated the created date time].
T146: Use encryption for network communications in mobile environments
- TA6250: Enabling Confidentiality on the Air Interface [Updated]
- INFO: Updated the match conditions.
- TA6251: Ensure Confidentiality Protection of S1 Interface [Updated]
- INFO: Updated the match conditions.
- T176: Apply principles of privacy when handling personal information
- TA7098: Breach prevention [Added]
- TA7102: Data protection officer [Added]
- TA7103: Independent data auditor [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- T179: Allow access for users to remove their personal information from the system
- TA7100: Data retention and disposal [Added]
- T207: Provide special data protection for children's personal information
- TA7101: Children data protection [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- T313: Identify and classify categories of personal information
- TA7097: Data quality and accuracy [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- T663: Delete root user access keys in AWS (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1923: Ensure no 'root' user account access key exists [Added]
- I1926: Eliminate use of the 'root' user for administrative and daily tasks [Added]
- T664: Enable Multi-Factor Authentication for AWS Console Access (AWS Identity and Access Management) [Updated]
- INFO: Updated the title and text.
- I1929: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password [Added]
- T665: Deactivate unused AWS IAM credentials (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1931: Ensure credentials unused for 45 days or more are disabled [Added]
- T666: Rotate access keys regularly in AWS (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1933: Ensure access keys are rotated every 90 days or less [Added]
- T667: Enforce password complexity with IAM password policies (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1927: Ensure IAM password policy requires minimum length of 14 or greater [Added]
- I1928: Ensure IAM password policy prevents password reuse [Added]
- T671: Enable Multi-Factor Authentication for AWS Root Account (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1924: Ensure MFA is enabled for the 'root' user account [Added]
- T672: Establish security questions for AWS support authentication (AWS Support Portal) [Updated]
- INFO: Updated the title and text.
- I1922: Ensure security questions are registered in the AWS account [Added]
- T673: Add users to IAM groups with attached policies (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1934: Ensure IAM users receive permissions only through groups [Added]
- T676: Ensure contact details are current in AWS accounts (AWS Account Management) [Updated]
- INFO: Updated the title and text.
- I1920: Maintain current contact details [Added]
- T677: Specify contact information for account's security team (AWS Account Management) [Updated]
- INFO: Updated the title and text.
- I1921: Ensure security contact information is registered [Added]
- T678: Create an IAM Role for Incident Management (AWS Support) [Updated]
- INFO: Updated the title and text.
- I1936: Ensure a support role has been created to manage incidents with AWS Support [Added]
- T679: Create IAM User Credentials for Access (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1930: Do not create access keys during initial setup for IAM users with a console password [Added]
- T680: Implement least privilege access with IAM policies (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1935: Ensure IAM policies that allow full "*:*" administrative privileges are not attached [Added]
- T681: Record AWS API calls with AWS CloudTrail (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1950: Ensure CloudTrail is enabled in all regions [Added]
- T684: Enable AWS Config for Configuration Management (AWS Config) [Updated]
- INFO: Updated the title and text.
- I1952: Ensure AWS Config is enabled in all regions [Added]
- T685: Enable server access logging for S3 buckets (AWS S3) [Updated]
- INFO: Updated the title and text.
- I1953: Ensure that server access logging is enabled on the CloudTrail S3 bucket [Added]
- I1957: Ensure that object-level logging for write events is enabled for S3 buckets [Added]
- I1958: Ensure that object-level logging for read events is enabled for S3 buckets [Added]
- T686: Establish metric filters and alarms for API calls in AWS CloudTrail (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1959: Ensure unauthorized API calls are monitored [Added]
- I1960: Ensure management console sign-in without MFA is monitored [Added]
- I1961: Ensure usage of the 'root' account is monitored [Added]
- I1962: Ensure IAM policy changes are monitored [Added]
- I1963: Ensure CloudTrail configuration changes are monitored [Added]
- I1964: Ensure AWS Management Console authentication failures are monitored [Added]
- I1965: Ensure disabling or scheduled deletion of customer created CMKs is monitored [Added]
- I1966: Ensure S3 bucket policy changes are monitored [Added]
- I1967: Ensure AWS Config configuration changes are monitored [Added]
- I1968: Ensure security group changes are monitored [Added]
- I1969: Ensure Network Access Control List (NACL) changes are monitored [Added]
- I1970: Ensure changes to network gateways are monitored [Added]
- I1971: Ensure route table changes are monitored [Added]
- I1972: Ensure VPC changes are monitored [Added]
- I1973: Ensure AWS Organizations changes are monitored [Added]
- I1974: Ensure AWS Security Hub is enabled [Added]
- T688: Restrict Ingress Access to Remote Server Administration Ports (AWS Network Access Control List) [Updated]
- INFO: Updated the title and text.
- I1975: Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I1976: Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I1977: Ensure no security groups allow ingress from ::/0 to remote server administration ports [Added]
- T689: Protect the 'root' user account with hardware MFA (AWS Identity and Access Management) [Updated]
- INFO: Updated the title and text.
- I1925: Ensure hardware MFA is enabled for the 'root' user account [Added]
- T690: Assign IAM Roles to EC2 Instances for AWS Access (AWS EC2) [Updated]
- INFO: Updated the title and text.
- I1937: Ensure IAM instance roles are used for AWS resource access from instances [Added]
- T691: Enable file validation for CloudTrail logs (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1951: Ensure CloudTrail log file validation is enabled [Added]
- T692: Configure AWS CloudTrail to use SSE-KMS for enhanced security (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1954: Ensure CloudTrail logs are encrypted at rest using KMS CMKs [Added]
- T693: Enable CMK key rotation for AWS Key Management Service (AWS KMS) [Updated]
- INFO: Updated the title and text.
- I1955: Ensure rotation for customer-created symmetric CMKs is enabled [Added]
- T694: Capture IP traffic information with VPC Flow Logs (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I1956: Ensure VPC flow logging is enabled in all VPCs [Added]
- T695: Restrict all traffic in the default security group (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I1978: Ensure the default security group of every VPC restricts all traffic [Added]
- T696: Update routing tables for VPC peering connections (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I1979: Ensure routing tables for VPC peering are "least access" [Added]
- T697: Verify that the 'root' user account access keys are deleted (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1986: Verify that no 'root' user account access key exists [Added]
- I1989: Test that the 'root' user is not used for administrative and daily tasks [Added]
- T698: Verify that Multi-Factor Authentication is enabled for all accounts (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1992: Verify that multi-factor authentication is enabled for all IAM users [Added]
- T699: Verify that unused AWS IAM credentials are deactivated (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1994: Verify that unused credentials are disabled after 45 days [Added]
- T700: Verify that access keys are rotated regularly (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1996: Verify that access keys are rotated every 90 days or less [Added]
- T701: Verify that IAM password policies enforce complexity requirements (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1990: Verify that IAM password policy requires minimum length of 14 or greater [Added]
- I1991: Verify that IAM password policy prevents password reuse [Added]
- T705: Verify that Multi-Factor Authentication is enabled for root accounts (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1987: Verify that MFA is enabled for the 'root' user account [Added]
- T706: Verify that security questions are established for account authentication (AWS Support Portal) [Updated]
- INFO: Updated the title and text.
- I1985: Verify that security questions are registered in the AWS account [Added]
- T707: Verify that IAM policies enforce least privilege (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1997: Verify that IAM users receive permissions only through groups [Added]
- I1998: Verify that IAM policies do not allow full administrative privileges [Added]
- T710: Verify that contact details for AWS accounts are current (AWS Account Management) [Updated]
- INFO: Updated the title and text.
- I1983: Verify that the application's contact details are maintained [Added]
- T711: Verify that the account's security team contact information is specified (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1984: Verify that security contact information is registered [Added]
- T712: Verify that IAM Roles are configured for incident management (AWS Support) [Updated]
- INFO: Updated the title and text.
- I1999: Verify that a support role has been created to manage incidents with AWS Support [Added]
- T713: Verify that IAM user access types are configured correctly (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1993: Verify that access keys are not created during initial setup for IAM users with a console password [Added]
- T715: Verify that AWS API calls are logged and monitored (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2013: Verify that CloudTrail is enabled in all regions [Added]
- T718: Verify that AWS Config is enabled in all regions (AWS Config) [Updated]
- INFO: Updated the title and text.
- I2015: Verify that AWS Config is enabled in all regions [Added]
- T719: Verify that server access logging is enabled for S3 buckets (AWS S3) [Updated]
- INFO: Updated the title and text.
- I2016: Verify that server access logging is enabled on the CloudTrail S3 bucket [Added]
- I2020: Verify that object-level logging for write events is enabled for S3 buckets [Added]
- I2021: Verify that object-level logging for read events is enabled for S3 buckets [Added]
- T720: Verify that metric filters and alarms are established for unauthorized API calls (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2022: Verify that unauthorized API calls are monitored [Added]
- I2023: Verify that management console sign-in without MFA is monitored [Added]
- I2024: Verify that the 'root' account usage is monitored [Added]
- I2025: Verify that IAM policy changes are monitored [Added]
- I2026: Verify that CloudTrail configuration changes are monitored [Added]
- I2027: Verify that AWS Management Console authentication failures are monitored [Added]
- I2028: Verify that the scheduled deletion of customer created CMKs is monitored [Added]
- I2029: Verify that S3 bucket policy changes are monitored [Added]
- I2030: Verify that AWS Config configuration changes are monitored [Added]
- I2031: Verify that security group changes are monitored [Added]
- I2032: Verify that Network Access Control List (NACL) changes are monitored [Added]
- I2033: Verify that changes to network gateways are monitored [Added]
- I2034: Verify that route table changes are monitored [Added]
- I2035: Verify that VPC changes are monitored [Added]
- I2036: Verify that AWS Organizations changes are monitored [Added]
- I2037: Verify that AWS Security Hub is enabled [Added]
- T722: Verify that no NACL allows unrestricted ingress access to remote server administration ports (AWS Network Access Control List) [Updated]
- INFO: Updated the title and text.
- I2038: Verify that no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I2039: Verify that security groups do not allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I2040: Verify that security groups do not allow ingress from ::/0 to remote server administration ports [Added]
- T723: Verify that the 'root' user account is protected with MFA (AWS Identity and Access Management) [Updated]
- INFO: Updated the title and text.
- I1988: Verify that hardware MFA is enabled for the 'root' user account [Added]
- T724: Verify that AWS access is properly managed through roles (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I2000: Verify that IAM instance roles are used for AWS resource access from instances [Added]
- T725: Verify that CloudTrail log file validation is enabled (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2014: Verify that CloudTrail log file validation is enabled [Added]
- T726: Verify that CloudTrail logs are configured to use SSE-KMS (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2017: Verify that CloudTrail logs are encrypted at rest using KMS CMKs [Added]
- T727: Verify that key rotation is enabled for symmetric keys (AWS Key Management Service) [Updated]
- INFO: Updated the title and text.
- I2018: Verify that rotation for customer-created symmetric CMKs is enabled [Added]
- T728: Verify that VPC Flow Logs are enabled for packet rejects (AWS VPC Flow Logs) [Updated]
- INFO: Updated the title and text.
- I2019: Verify that VPC flow logging is enabled in all VPCs [Added]
- T729: Verify that the default security group restricts all traffic (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I2041: Verify that the default security group of every VPC restricts all traffic [Added]
- T730: Verify that routing tables are updated for VPC peering connections (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I2042: Verify that VPC peering routing tables enforce least access [Added]
- T766: Encrypt data on Amazon RDS using AES-256 (Amazon RDS) [Updated]
- INFO: Updated the title and text.
- I1946: Ensure that encryption-at-rest is enabled for RDS instances [Added]
- I1947: Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances [Added]
- I1948: Ensure that RDS instances are not publicly accessible [Added]
- I1949: Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS [Added]
- T767: Force encryption at EBS volume creation in Amazon EC2 (AWS Elastic Compute Cloud) [Updated]
- INFO: Updated the title and text.
- I1981: Ensure EBS volume encryption is enabled in all regions [Added]
- T770: Configure S3 bucket policies for secure access (Amazon S3) [Updated]
- INFO: Updated the title and text.
- I1942: Ensure S3 Bucket Policy is set to deny HTTP requests [Added]
- I1943: Ensure MFA Delete is enabled on S3 buckets [Added]
- I1944: Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary [Added]
- I1945: Ensure that S3 is configured with 'Block Public Access' enabled [Added]
- T799: Verify that RDS database instances restrict unauthorized access (Amazon RDS) [Updated]
- INFO: Updated the title and text.
- I2009: Verify that encryption-at-rest is enabled for RDS instances [Added]
- I2010: Verify that the Auto Minor Version Upgrade feature is enabled for RDS instances [Added]
- I2011: Verify that RDS instances are not publicly accessible [Added]
- I2012: Verify that Multi-AZ deployments are used for enhanced availability in Amazon RDS [Added]
- T800: Verify that EBS volumes are encrypted at rest (AWS Elastic Compute Cloud) [Updated]
- INFO: Updated the title and text.
- I2044: Verify that EBS volume encryption is enabled in all regions [Added]
- T803: Verify that Amazon S3 bucket permissions are configured for HTTPS access (AWS S3) [Updated]
- INFO: Updated the title and text.
- I2005: Verify that S3 Bucket Policy is set to deny HTTP requests [Added]
- I2006: Verify that MFA Delete is enabled on S3 buckets [Added]
- I2007: Verify that all data in Amazon S3 has been discovered, classified, and secured when necessary [Added]
- I2008: Verify that S3 is configured with 'Block Public Access' enabled [Added]
- T1891: Perform Privacy Impact Assessment (PIA)
- TA7104: Data protection impact assessments [Added]
- T2128: Notify users and regulators of breaches of personal information
- TA7099: Breach notification [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- T2257: Regularly update and patch containerization systems [Updated]
- INFO: Updated the title and text, and changed the priority from 6 to 10.
- T2444: Secure authentication to and from worker nodes (Containerization)
- I1816: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Unpublished]
- TA6272: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Unpublished]
- T2445: Verify secure authentication to and from worker nodes (Containerization)
- TA6273: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Unpublished]
- T2450: Protect worker nodes with proper flags and arguments (Containerization)
- I1819: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Unpublished]
- I1820: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Unpublished]
- I1821: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Unpublished]
- TA6278: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Unpublished]
- TA6280: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Unpublished]
- TA6282: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Unpublished]
- T2451: Verify that worker nodes are protected with proper flags and arguments (Containerization)
- TA6279: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Unpublished]
- TA6281: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Unpublished]
- TA6283: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Unpublished]
- T2542: Address necessary human-AI configurations and oversight of AI systems
- TA7090: Human operators and businesses liability [Added]
- T4015: Provide comprehensive technical documentation for high-risk AI systems
- TA7092: Documentation and risk assessment processes [Added]
- T4019: Implement transparency with users of high-risk AI systems
- TA7093: Transparency and disclosure of information to consumers [Added]
- T4024: Ensure the responsible and compliant use of high-risk AI systems by deployers
- TA7091: Risk management policies in AI systems [Added]
- T4601: Prioritize static network configuration [Updated]
- INFO: Updated the title and text.
- T4722: Implement decentralized mining pools [Added]
- P2530: Centralized Mining Power (Proof-of-Work Blockchains) [Added]
- T4723: Implement identity verification to mitigate sybil attacks [Added]
- P2531: Lack of Identity Verification (Network Systems) [Added]
- T4724: Implement diverse peer selection [Added]
- P2532: Lack of Diverse Peer Selection (Networked Applications) [Added]
- T4725: Implement post-quantum cryptography [Added]
- P2533: Vulnerability to Quantum Decryption (Cryptographic Systems) [Added]
- T4726: Conduct regular blockchain security awareness training [Added]
- P2534: Human Error Vulnerabilities in Organizational Security (General Workforce) [Added]
- T4727: Implement secure routing protocols [Added]
- P2535: Insecure Routing Protocols (Network Infrastructure) [Added]
- T4728: Implement traffic filtering and rate limiting [Added]
- P2536: Unrestricted Resource Consumption (Web Services) [Added]
- T4729: Use hardware wallets [Added]
- P2537: Insecure Private Key Storage (Cryptocurrency Wallets) [Added]
- T4730: Implement Multi-Factor Authentication (MFA) for blockchain systems [Added]
- P2538: Lack of Multi-Factor Authentication (Blockchain Systems) [Added]
- T4731: Conduct regular blockchain security audits [Added]
- P2539: Lack of Regular Security Audits (General Software Systems) [Added]
- T4732: Adopt OWASP framework for secure coding [Added]
- P2540: Lack of Secure Coding Practices (General Software Development) [Added]
- T4733: Implement effective network segmentation [Added]
- P2541: Lack of Effective Network Segmentation (General Network Security) [Added]
- T4734: Implement continuous monitoring for network activities [Added]
- P2542: Lack of Continuous Monitoring for Network Activities (General Network Security) [Added]
- T4735: Implement Role-Based Access Control (RBAC) in blockchain systems [Added]
- P2543: Lack of Role-Based Access Control (RBAC) in Blockchain Systems [Added]
- T4736: Implement secure access controls in smart contracts [Added]
- P2544: Lack of Secure Access Controls in Smart Contracts (Ethereum-based Smart Contracts) [Added]
- T4737: Use require(), assert(), and revert() for smart contract safeguards [Added]
- P2545: Lack of Internal Safeguards in Smart Contracts (Solidity-based Smart Contracts) [Added]
- T4738: Combine unit testing with property-based testing [Added]
- P2546: Inadequate Testing Framework for Smart Contracts (Smart Contract Platforms) [Added]
- T4739: Commission a smart contract audit [Added]
- P2547: Lack of Independent Security Review in Smart Contracts (Smart Contract Platforms) [Added]
- T4740: Store all code in a version control system [Added]
- P2548: Lack of Version Control System (General Software Development) [Added]
- T4741: Implement contract upgrade mechanisms [Added]
- P2549: Lack of Contract Upgrade Mechanisms (Smart Contracts) [Added]
- T4742: Implement a timelock for smart contract governance actions [Added]
- P2550: Immediate Execution of Governance Actions (Smart Contract Systems) [Added]
- T4743: Reuse existing libraries for smart contracts [Added]
- P2551: Custom Implementation of Smart Contract Logic (Smart Contracts) [Added]
- T4744: Implement checks-effects-interactions pattern [Added]
- P2552: Reentrancy Vulnerability (Smart Contracts) [Added]
- T4745: Use a decentralized oracle network [Added]
- P2553: Oracle Manipulation Vulnerability (Blockchain-based Applications) [Added]
- T4746: Ensure container images are secure [Added]
- P2554: Use of unverified container images [Added]
- T4747: Limit container privileges [Added]
- P2555: Excessive container privileges [Added]
- T4748: Implement Role-Based Access Control (RBAC) for container orchestration [Added]
- P2556: Lack of Role-Based Access Control (RBAC) in container orchestration environments [Added]
- T4749: Monitor containers in real-time [Added]
- P2557: Lack of real-time monitoring in containerized environments [Added]
- T4750: Isolate container networks [Added]
- P2558: Lack of network isolation in containerized environments [Added]
- T4751: Reduce the attack surface of container images [Added]
- P2559: Excessive attack surface in container images [Added]
- T4752: Implement authentication and logging for Containerd registry access [Added]
- P2560: Lack of authentication and logging for Containerd registry access (Containerd) [Added]
- T4753: Implement image scanning for vulnerabilities in Containerd [Added]
- P2561: Lack of image scanning for vulnerabilities (Containerd) [Added]
- T4754: Implement user namespaces in Containerd [Added]
- P2562: Lack of user namespace isolation (Containerd) [Added]
- T4755: Regularly update and patch Containerd [Added]
- P2563: Outdated software vulnerabilities (Containerd) [Added]
- T4756: Implement secure image management in Containerd [Added]
- P2564: Insecure image management in Containerd [Added]
- T4757: Implement Role-Based Access Control (RBAC) for Containerd [Added]
- P2566: Lack of Role-Based Access Control (RBAC) in Containerd [Added]
- T4758: Implement real-time monitoring for Containerd [Added]
- P2567: Lack of real-time monitoring in Containerd (Containerd) [Added]
- T4759: Implement network namespaces for container isolation [Added]
- P2568: Lack of network namespace isolation (Containerd) [Added]
- T4760: Remove unnecessary software, libraries, and services from Containerd images [Added]
- P2569: Excessive software, libraries, and services in Containerd images (Containerd) [Added]
- T4761: Provide descriptive alternative text for images (accessibility) [Added]
- P2570: Lack of Descriptive Alternative Text for Images (Web Applications) [Added]
- T4762: Provide descriptive text transcripts for non-live web-based audio (accessibility) [Added]
- P2571: Lack of Descriptive Text Transcripts for Non-Live Web-Based Audio (Web Applications) [Added]
- T4763: Ensure logical and intuitive reading and navigation order (accessibility) [Added]
- P2572: Inconsistent Reading and Navigation Order (Web Applications) [Added]
- T4764: Ensure sufficient contrast ratio for text and images of text (accessibility) [Added]
- P2573: Insufficient Contrast Ratio for Text and Images of Text (Web Applications) [Added]
- T4765: Implement keyboard accessibility features (accessibility) [Added]
- P2574: Keyboard Navigation Weakness (Web Applications) [Added]
- T4766: Allow users to control time limits and interruptions (accessibility) [Added]
- P2575: Lack of User Control Over Time Limits and Interruptions (Generic Web Applications) [Added]
- T4767: Disable motion animation triggered by interaction (accessibility) [Added]
- P2576: Uncontrolled Motion Animation Triggered by Interaction (Affected Software) [Added]
- T4768: Provide descriptive and informative page titles (accessibility) [Added]
- P2577: Lack of Descriptive and Informative Page Titles (Web Applications) [Added]
- T4769: Ensure single pointer operation for gestures (accessibility) [Added]
- P2578: Inadequate Single Pointer Operation for Gestures (Affected Software) [Added]
- T4770: Use the HTML lang attribute to identify the language of the page (accessibility) [Added]
- P2579: Lack of HTML lang Attribute (Web Applications) [Added]
- T4771: Provide user control over substantial page changes (accessibility) [Added]
- P2580: Lack of User Control Over Substantial Page Changes (Web Applications) [Added]
- T4772: Provide clear form validation and error handling (accessibility) [Added]
- P2581: Lack of Clear Form Validation and Error Handling (Web Applications) [Added]
- T4773: Use accessible markup for status messages (accessibility) [Added]
- P2582: Inaccessible Status Messages (Web Applications) [Added]
- T4794: Determine if the EU Data Act applies to your application (EU DA) [Added]
- P2608: Lack of identifying the compliance requirements applicable to your products and services (EU DA) [Added]
- T4795: Ensure transparency and user control over the data with connected products and services (EU DA) [Added]
- P2609: Lack of transparency and user control over data access and usage (EU DA) [Added]
- T4796: Ensure user data access rights and protection (EU DA) [Added]
- P2610: Inadequate user control, protection, and transparency in data handling by primary data holders and third parties (EU DA) [Added]
- T4797: Adhere to data sharing protocol when making data available (EU DA) [Added]
- P2611: Unfair and incompliant data sharing practices (EU DA) [Added]
- T4798: Make data available in case of exceptional need to use data (EU DA) [Added]
- P2612: Failure to provide timely data access to public sector bodies in specific situations (EU DA) [Added]
- T4799: Facilitate efficient data processing service switching (EU DA) [Added]
- P2613: Failure to provide customer autonomy and flexibility within data processing services (EU DA) [Added]
- T4800: Prevent unauthorized international data access (EU DA) [Added]
- P2614: Mishandling international data transfer requests (EU DA) [Added]
- T4801: Implement interoperability requirements (EU DA) [Added]
- P2615: Lack of standardized data interoperability and efficient data exchange mechanisms across diverse platforms and services (EU DA) [Added]
- T4802: Ensure compliance with essential smart contract requirements (EU DA) [Added]
- P2616: Lack of adherence to standards of security, reliability, and legality for smart contracts used in data sharing (EU DA) [Added]
- T4803: Monitor and respond to unauthorized data use (EU DA) [Added]
- P2617: Lack of proper response to unauthorized data use (EU DA) [Added]
- T4828: Deploy ensemble model defense against adversarial attacks [Added]
- T4829: Implement preprocessing defense against adversarial perturbations [Added]
- T4830: Ensure aligned training of generative AI models [Added]
- T4831: Test robustness of ensemble models against adversarial inputs [Added]
- T4832: Test effectiveness of preprocessing against adversarial perturbations [Added]
- T4833: Test fine-tuning alignment of generative AI models [Added]
- T4834: Implement protection against system prompt leakage [Added]
- T4835: Implement defenses against vector and embedding weaknesses [Added]
- P2620: Vector and embedding vulnerabilities in Large Language Models [Added]
- T4836: Implement verification and fact-checking to mitigate misinformation [Added]
- T4837: Test effectiveness of protections against system prompt leakage [Added]
- T4838: Test effectiveness of defenses against vector and embedding weaknesses [Added]
- P2620: Vector and embedding vulnerabilities in Large Language Models [Added]
- T4839: Test effectiveness of misinformation mitigation [Added]
- T5230: Additional ASD-STIG requirements for T71 [Added]
- TA7087: ASD-STIG requirements [Added]
- T5232: Additional ASD-STIG requirements for T45 [Added]
- TA7088: ASD-STIG requirements [Added]
- T5233: Additional ASD-STIG requirements for T437 [Added]
- TA7089: ASD-STIG requirements [Added]
- T5500: Adhere to the principle of least privilege (low-code/no-code) [Added]
- P3344: Excessive Privilege Assignment in Low-Code/No-Code Applications [Added]
- T5501: Disable or monitor the use of implicitly shared connections (low-code/no-code) [Added]
- P3345: Implicitly Shared Connections in Low-Code/No-Code Platforms [Added]
- T5502: Limit connectors to an approved services list (low-code/no-code) [Added]
- P3346: Unrestricted Connector Usage in Low-Code/No-Code Platforms [Added]
- T5503: Limit connection creation to dedicated personnel (low-code/no-code) [Added]
- P3347: Insecure Connection Management (Low-Code/No-Code Applications) [Added]
- T5504: Implement a change management system for tenant-level configuration (low-code/no-code) [Added]
- P3348: Lack of Change Management System for Tenant-Level Configuration (Low-Code/No-Code Platforms) [Added]
- T5505: Sanitize user input (low-code/no-code) [Added]
- P3349: Improper Input Handling in Low-Code/No-Code Applications [Added]
- T5506: Continuously inventory and scan application components (low-code/no-code) [Added]
- P3350: Use of Deprecated or Vulnerable Components (Low-Code/No-Code Development Platforms) [Added]
- T5507: Educate business users on the compliance, privacy, and security risks related to data storage (low-code/no-code) [Added]
- P3351: Lack of User Awareness on Data Compliance and Security Risks (Low-Code/No-Code Applications) [Added]
- T5508: Maintain a comprehensive inventory of applications (low-code/no-code) [Added]
- P3352: Unmanaged or Abandoned Applications (Low-Code/No-Code Applications) [Added]
- T5509: Leverage platform built-in capabilities to collect user access and platform audit logs (low-code/no-code) [Added]
- P3353: Inadequate Logging and Audit Trails (Low-Code/No-Code Platforms) [Added]
- T5510: Configure and enable SSL with secure cryptography algorithms [Added]
- P3354: Lack of Secure Data Transmission (Micronaut) [Added]
- T5511: Configure management endpoints on a separate port [Added]
- P3355: Insecure Exposure of Management Endpoints (Micronaut) [Added]
- T5512: Limit scope of URL access rules [Added]
- P3356: Excessive Resource Exposure via URL Access Rules (Micronaut) [Added]
- T5513: Implement role-based access control in Micronaut [Added]
- P3357: Lack of Role-Based Access Control (Micronaut) [Added]
- T5514: Verify that access keys are securely managed (AWS IAM) [Added]
- P3358: Insecure Access Key Management (AWS IAM) [Added]
- I1995: Verify that there is only one active access key for any single IAM user [Added]
- T5515: Verify that HTTPS connections are enabled (AWS IAM) [Added]
- P3359: Lack of HTTPS Encryption (Applications Hosted on AWS) [Added]
- I2001: Verify that expired SSL/TLS certificates are removed from AWS IAM [Added]
- T5516: Verify the IAM Access Analyzer for IAM policies (AWS IAM) [Added]
- P3360: Excessive Resource Exposure through IAM Policies (AWS IAM) [Added]
- I2002: Verify that IAM Access Analyzer is enabled for all regions [Added]
- T5517: Verify user access management in multi-account environments (AWS IAM) [Added]
- P3361: Decentralized IAM User Management (AWS IAM) [Added]
- I2003: Verify that IAM users are managed centrally via identity federation or AWS Organizations [Added]
- T5518: Verify that file transfer capabilities in CloudShell are secured (AWS CloudShell) [Added]
- P3362: Excessive Permissions in AWS CloudShell (AWS CloudShell) [Added]
- I2004: Verify that access to AWSCloudShellFullAccess is restricted [Added]
- T5519: Verify the configuration of the Metadata Service on AWS EC2 instances (AWS EC2) [Added]
- P3363: Unauthorized Access to Instance Metadata (AWS EC2) [Added]
- I2043: Verify that the EC2 Metadata Service only allows IMDSv2 [Added]
- T5520: Verify that CIFS access is restricted to trusted networks (AWS Storage Gateway) [Added]
- P3364: Unrestricted CIFS Access (AWS EC2) [Added]
- I2045: Verify that CIFS access is restricted to trusted networks [Added]
- T5521: Manage access keys securely in AWS IAM (AWS IAM) [Added]
- P3358: Insecure Access Key Management (AWS IAM) [Added]
- I1932: Ensure there is only one active access key for any single IAM user [Added]
- T5522: Enable HTTPS connections (AWS IAM) [Added]
- P3359: Lack of HTTPS Encryption (Applications Hosted on AWS) [Added]
- I1938: Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed [Added]
- T5523: Enable IAM Access Analyzer for IAM policies (AWS IAM) [Added]
- P3360: Excessive Resource Exposure through IAM Policies (AWS IAM) [Added]
- I1939: Ensure that IAM Access Analyzer is enabled for all regions [Added]
- T5524: Manage access to AWS CloudShell with IAM policies (AWS CloudShell) [Added]
- P3362: Excessive Permissions in AWS CloudShell (AWS CloudShell) [Added]
- I1941: Ensure access to AWSCloudShellFullAccess is restricted [Added]
- T5525: Choose Instance Metadata Service Version 2 for AWS EC2 (AWS EC2) [Added]
- P3363: Unauthorized Access to Instance Metadata (AWS EC2) [Added]
- I1980: Ensure that the EC2 Metadata Service only allows IMDSv2 [Added]
- T5526: Restrict CIFS access to trusted networks using AWS Security Groups (AWS EC2) [Added]
- P3364: Unrestricted CIFS Access (AWS EC2) [Added]
- I1982: Ensure CIFS access is restricted to trusted networks to prevent unauthorized access [Added]
- T5527: Centralize IAM User Management (AWS IAM) [Added]
- P3361: Decentralized IAM User Management (AWS IAM) [Added]
- I1940: Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments [Added]
- T5528: Verify secure communication settings in Azure App Service (Azure App Service) [Added]
- P3365: Lack of Enforced secure communication (Azure App Service) [Added]
- T5529: Verify authentication and client certificate validation (Azure App Service) [Added]
- P3366: Lack of authentication and client certificate validation (Azure App Service) [Added]
- T5530: Verify elimination of app secrets using Managed Service Identity (Azure App Service) [Added]
- P3367: Hardcoded Credentials in Application Code (Azure App Service) [Added]
- T5531: Verify that web apps use supported versions (Azure App Service) [Added]
- P3368: Use of deprecated language versions in web applications (Azure App Service) [Added]
- T5532: Verify secure storage of sensitive information in Azure Key Vault (Azure App Service) [Added]
- P3369: Insecure storage of sensitive information (Azure App Service) [Added]
- T5533: Verify Network Security Group configuration for Azure Virtual Networks (Azure Container Instances) [Added]
- P3370: Improper Network Traffic Control (Azure Container Instances) [Added]
- T5534: Verify Managed Identity usage for Container Instances (Azure Container Instances) [Added]
- P3371: Lack of Managed Identity for Container Instances (Azure Container Instances) [Added]
- T5535: Verify encryption of data in transit with SSL (Azure CycleCloud) [Added]
- P3372: Unencrypted Data Transmission (Azure CycleCloud) [Added]
- T5536: Verify secure remote access to Azure Virtual Machines (Azure Virtual Machines) [Added]
- P3373: Exposed Remote Access Protocol Ports (Azure Virtual Machines) [Added]
- T5537: Verify migration of blob-based VHDs to Managed Disks on Virtual Machines (Azure Virtual Machines) [Added]
- P3374: Insecure Storage Configuration (Azure Virtual Machines) [Added]
- T5538: Verify encryption of OS, data, and unattached disks with CMK (Azure Virtual Machines) [Added]
- P3375: Lack of Disk Encryption with Customer Managed Keys (Azure Virtual Machines) [Added]
- T5539: Enforce secure communication (Azure App Service) [Added]
- P3365: Lack of Enforced secure communication (Azure App Service) [Added]
- T5540: Enforce authentication and client certificate validation (Azure App Service) [Added]
- P3366: Lack of authentication and client certificate validation (Azure App Service) [Added]
- T5541: Eliminate app secrets using Managed Service Identity (Azure App Service) [Added]
- P3367: Hardcoded Credentials in Application Code (Azure App Service) [Added]
- T5542: Ensure web apps run on supported language versions (Azure App Service) [Added]
- P3368: Use of deprecated language versions in web applications (Azure App Service) [Added]
- T5543: Store sensitive information securely in Azure Key Vault (Azure App Service) [Added]
- P3369: Insecure storage of sensitive information (Azure App Service) [Added]
- T5544: Configure Network Security Groups for Azure Virtual Networks (Azure Container Instances) [Added]
- P3370: Improper Network Traffic Control (Azure Container Instances) [Added]
- T5545: Use Managed Identity for Container Instances (Azure Container Instances) [Added]
- P3371: Lack of Managed Identity for Container Instances (Azure Container Instances) [Added]
- T5546: Ensure data in transit is encrypted with SSL (Azure CycleCloud) [Added]
- P3372: Unencrypted Data Transmission (Azure CycleCloud) [Added]
- T5547: Secure remote access to Azure Virtual Machines (Azure Virtual Machines) [Added]
- P3373: Exposed Remote Access Protocol Ports (Azure Virtual Machines) [Added]
- T5548: Use Managed Disks for Virtual Machines and enforce secure VM configurations (Azure Virtual Machines) [Added]
- P3374: Insecure Storage Configuration (Azure Virtual Machines) [Added]
- T5549: Encrypt OS, data, and unattached disks with Customer Managed Keys in VMs (Azure Virtual Machines) [Added]
- P3375: Lack of Disk Encryption with Customer Managed Keys (Azure Virtual Machines) [Added]
- T5574: Ensure compliance of marketing and advertising (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5575: Evaluate compliance of processing instructions (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5576: Ensure customer compliance demonstration (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5577: Fulfill obligations to Personally Identifiable Information principals (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5578: Secure lifecycle management of Personally Identifiable Information (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5579: Notify customers of Personally Identifiable Information disclosure requests (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5580: Evaluate legally binding Personally Identifiable Information disclosure requests (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5581: Ensure transparency and compliance in subcontractor engagement for Personally Identifiable Information processing (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5582: Strengthen access control and authentication for OCI users and resources (Oracle Cloud Infrastructure) [Added]
- P3376: Insecure Identity and Access Management (IAM) Practices (Oracle Cloud Infrastructure) [Added]
- I2052: Ensure MFA is enabled for all users with a console password [Added]
- I2056: Ensure user IAM Database Passwords rotate within 90 days [Added]
- I2058: Ensure all OCI IAM user accounts have a valid and current email address [Added]
- I2059: Ensure Instance Principal authentication is used for OCI instances, OCI Cloud Databases and OCI Functions to access OCI resources [Added]
- T5583: Enforce robust IAM password policies (Oracle Cloud Infrastructure) [Added]
- P3377: Weak password policies (Oracle Cloud Infrastructure) [Added]
- I2049: Ensure IAM password policy requires minimum length of 14 or greater [Added]
- I2050: Ensure IAM password policy expires passwords within 365 days [Added]
- I2051: Ensure IAM password policy prevents password reuse [Added]
- T5584: Enhance API and Authentication Key Management (Oracle Cloud Infrastructure) [Added]
- P3378: Excessive or uncontrolled privileges (Oracle Cloud Infrastructure) [Added]
- I2053: Ensure user API keys rotate within 90 days [Added]
- I2054: Ensure user customer secret keys rotate every 90 days [Added]
- I2055: Ensure user auth tokens rotate within 90 days or less [Added]
- I2057: Ensure API keys are not created for tenancy administrator users [Added]
- T5585: Restrict and manage administrative access to services and resources (Oracle Cloud Infrastructure) [Added]
- P3379: Excessive privileges in cloud resource management (Oracle Cloud Infrastructure) [Added]
- I2046: Ensure service level admins are created to manage resources of particular service [Added]
- I2047: Ensure permissions on all resources are given only to the tenancy administrator group [Added]
- I2048: Ensure IAM administrators cannot update tenancy Administrators group [Added]
- I2060: Ensure storage service-level admins cannot delete resources they manage [Added]
- T5586: Restrict ingress access to SSH and RDP ports in security lists and network security groups (Oracle Cloud Infrastructure) [Added]
- P3380: Unrestricted ingress access to critical ports (Oracle Cloud Infrastructure) [Added]
- I2061: Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2062: Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2063: Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2064: Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2065: Ensure the default security list of every VCN restricts all traffic except ICMP [Added]
- T5587: Restrict network access to Oracle Cloud services using ingress filtering and Virtual Cloud Networks (Oracle Cloud Infrastructure) [Added]
- P3381: Unrestricted Network Access to Oracle Cloud Services (Oracle Cloud Infrastructure) [Added]
- I2066: Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources [Added]
- I2067: Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network [Added]
- I2068: Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network [Added]
- T5588: Enhance Compute Instance security by adopting IMDSv2 and enabling Secure Boot on Shielded Instances (Oracle Compute Instance) [Added]
- P3382: Use of legacy MetaData Service Endpoints (Oracle Compute Instance) [Added]
- I2069: Ensure Compute Instance Legacy Metadata service endpoint is disabled [Added]
- I2070: Ensure Secure Boot is enabled on Compute Instance [Added]
- T5589: Enable in-transit encryption for Oracle Cloud services (Oracle Compute Instance) [Added]
- P3383: Unencrypted data transmission Between Virtual Machines and Block Volumes (Oracle Compute Instance) [Added]
- I2071: Ensure In-transit Encryption is enabled on Compute Instance [Added]
- T5590: Enhance visibility and resource governance using default tags, Event Rules, and Notifications (Oracle Cloud Infrastructure) [Added]
- P3384: Lack of governance and visibility over cloud resource changes (Oracle Cloud Infrastructure) [Added]
- I2072: Ensure default tags are used on resources [Added]
- I2073: Create at least one notification topic and subscription to receive monitoring alerts [Added]
- I2074: Ensure a notification is configured for Identity Provider changes [Added]
- I2075: Ensure a notification is configured for IdP group mapping changes [Added]
- I2076: Ensure a notification is configured for IAM group changes [Added]
- I2077: Ensure a notification is configured for IAM policy changes [Added]
- I2078: Ensure a notification is configured for user changes [Added]
- I2079: Ensure a notification is configured for VCN changes [Added]
- I2080: Ensure a notification is configured for changes to route tables [Added]
- I2081: Ensure a notification is configured for security list changes [Added]
- I2082: Ensure a notification is configured for network security group changes [Added]
- I2083: Ensure a notification is configured for changes to network gateways [Added]
- I2086: Ensure a notification is configured for Oracle Cloud Guard problems detected [Added]
- T5591: Enhance visibility into network traffic with VCN flow logs (Oracle Cloud Infrastructure) [Added]
- P3385: Lack of network traffic visibility (Oracle Cloud Infrastructure) [Added]
- I2084: Ensure VCN flow logging is enabled for all subnets [Added]
- T5592: Enable Cloud Guard for security monitoring (Oracle Cloud Infrastructure) [Added]
- P3386: Misconfigured resources and insecure Activities (Oracle Cloud Infrastructure) [Added]
- I2085: Ensure Cloud Guard is enabled in the root compartment of the tenancy [Added]
- T5593: Rotate encryption keys using Oracle Cloud Infrastructure Vault (Oracle Cloud Infrastructure) [Added]
- P3387: Inadequate key management practices (Oracle Cloud Infrastructure) [Added]
- I2087: Ensure customer created Customer Managed Key (CMK) is rotated at least annually [Added]
- T5594: Enable and enforce Object Storage write-level logging for all buckets (Oracle Cloud Infrastructure) [Added]
- P3388: Lack of visibility into Object Storage modifications and access (Oracle Cloud Infrastructure) [Added]
- I2088: Ensure write level Object Storage logging is enabled for all buckets [Added]
- T5595: Enhance Object Storage security by enabling Customer Managed Key (CMK) encryption and versioning (Oracle Object Storage) [Added]
- P3389: Inadequate encryption control and lack of data recoverability (Oracle Object Storage) [Added]
- I2090: Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK) [Added]
- I2091: Ensure Versioning is Enabled for Object Storage Buckets [Added]
- T5596: Enforce Customer Managed Key (CMK) encryption for block and boot volumes (Oracle Block Volume) [Added]
- P3390: Insufficient control over encryption keys for Block and Boot Volumes (Block Volume) [Added]
- I2092: Ensure Block Volumes are encrypted with Customer Managed Keys (CMK) [Added]
- I2093: Ensure boot volumes are encrypted with Customer Managed Key (CMK) [Added]
- T5597: Enforce Customer Managed Key (CMK) encryption for File Storage Systems (FSS) (Oracle File Storage) [Added]
- P3391: Lack of customer-controlled encryption for File Storage Systems (Oracle File Storage) [Added]
- I2094: Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK) [Added]
- T5598: Enforce compartmentalization by creating and using compartments for cloud resources (Oracle Cloud Infrastructure) [Added]
- P3392: Lack of compartmentalization in Oracle Cloud Infrastructure (Oracle Cloud Infrastructure) [Added]
- I2095: Create at least one compartment in your tenancy to store cloud resources [Added]
- I2096: Ensure no resources are created in the root compartment [Added]
- T5599: Restrict public access to Object Storage buckets (Oracle Object Storage) [Added]
- P3393: Publicly accessible object Storage Buckets (Oracle Object Storage) [Added]
- I2089: Ensure no Object Storage buckets are publicly visible [Added]
- T5600: Verify Access and Authentication settings for OCI Security (Oracle Cloud Infrastructure) [Added]
- P3376: Insecure Identity and Access Management (IAM) Practices (Oracle Cloud Infrastructure) [Added]
- I2103: Verify that MFA is enabled for all users with a console password [Added]
- I2107: Verify that user IAM Database Passwords rotate within 90 days [Added]
- I2109: Verify that all OCI IAM user accounts have a valid and current email address [Added]
- I2110: Verify that Instance Principal authentication is used for OCI resources [Added]
- T5601: Verify that the password policies enforce complexity requirements (Oracle Cloud Infrastructure) [Added]
- P3377: Weak password policies (Oracle Cloud Infrastructure) [Added]
- I2100: Verify that IAM password policy requires minimum length of 14 or greater [Added]
- I2101: Test that IAM password policy expires passwords within 365 days [Added]
- I2102: Verify that IAM password policy prevents password reuse [Added]
- T5602: Validate Access Controls and Key Management for accessing OCI APIs (Oracle Cloud Infrastructure) [Added]
- P3378: Excessive or uncontrolled privileges (Oracle Cloud Infrastructure) [Added]
- I2104: Verify that user API keys rotate within 90 days [Added]
- I2105: Verify that user customer secret keys rotate every 90 days [Added]
- I2106: Verify that user auth tokens rotate within 90 days or less [Added]
- I2108: Verify that API keys are not created for tenancy administrator users [Added]
- T5603: Verify Least Privilege Enforcement for Service and Tenancy Administrators (Oracle Cloud Infrastructure) [Added]
- P3379: Excessive privileges in cloud resource management (Oracle Cloud Infrastructure) [Added]
- I2097: Test that service level admins are created to manage resources of particular service [Added]
- I2098: Verify that permissions on all resources are given only to the tenancy administrator group [Added]
- I2099: Verify that IAM administrators cannot update tenancy Administrators group [Added]
- I2111: Verify that storage service-level admins cannot delete resources they manage [Added]
- T5604: Verify ingress access to SSH and RDP ports are restricted in security lists and network security groups (Oracle Cloud Infrastructure) [Added]
- P3380: Unrestricted ingress access to critical ports (Oracle Cloud Infrastructure) [Added]
- I2112: Verify that no security lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2113: Verify that security lists do not allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2114: Verify that no network security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2115: Verify that no network security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2116: Verify that the default security list of every VCN restricts all traffic except ICMP [Added]
- T5605: Verify network access restrictions using ingress filtering and Virtual Cloud Networks (Oracle Cloud Infrastructure) [Added]
- P3381: Unrestricted Network Access to Oracle Cloud Services (Oracle Cloud Infrastructure) [Added]
- I2117: Test that Oracle Integration Cloud access is restricted to allowed sources [Added]
- I2118: Verify that Oracle Analytics Cloud access is restricted to allowed sources [Added]
- I2119: Verify that Oracle Autonomous Shared Databases access is restricted [Added]
- T5606: Verify Compute Instance security by adopting IMDSv2 and enabling Secure Boot on Shielded Instances (Oracle Compute Instance) [Added]
- P3382: Use of legacy MetaData Service Endpoints (Oracle Compute Instance) [Added]
- I2120: Verify that the Compute Instance Legacy Metadata service endpoint is disabled [Added]
- I2121: Verify that Secure Boot is enabled on Oracle Cloud services [Added]
- T5607: Verify the in-transit encryption for Block Volume service is enabled (Oracle Compute Instance) [Added]
- P3383: Unencrypted data transmission Between Virtual Machines and Block Volumes (Oracle Compute Instance) [Added]
- I2122: Verify that In-transit Encryption is enabled on Oracle Cloud services [Added]
- T5608: Verify enforcement of default tags, Event Rules, and Notifications in Oracle Cloud Infrastructure (Oracle Cloud Infrastructure) [Added]
- P3384: Lack of governance and visibility over cloud resource changes (Oracle Cloud Infrastructure) [Added]
- I2123: Verify that default tags are used on resources [Added]
- I2124: Test that at least one notification topic and subscription is created for monitoring alerts [Added]
- I2125: Test that a notification is configured for Identity Provider changes [Added]
- I2126: Verify that a notification is configured for IdP group mapping changes [Added]
- I2127: Test that a notification is configured for IAM group changes [Added]
- I2128: Test that a notification is configured for IAM policy changes [Added]
- I2129: Test that a notification is configured for user changes [Added]
- I2130: Test that a notification is configured for VCN changes [Added]
- I2131: Test that a notification is configured for changes to route tables [Added]
- I2132: Test that a notification is configured for security list changes [Added]
- I2133: Test that a notification is configured for network security group changes [Added]
- I2134: Verify that a notification is configured for changes to network gateways [Added]
- I2137: Test that a notification is configured for Oracle Cloud Guard problems detected [Added]
- T5609: Verify the VCN flow logging is enabled (Oracle Cloud Infrastructure) [Added]
- P3385: Lack of network traffic visibility (Oracle Cloud Infrastructure) [Added]
- I2135: Test that VCN flow logging is enabled for all subnets [Added]
- T5610: Verify that Cloud Guard is enabled (Oracle Cloud Infrastructure) [Added]
- P3386: Misconfigured resources and insecure Activities (Oracle Cloud Infrastructure) [Added]
- I2136: Verify that Cloud Guard is enabled in the root compartment of the tenancy [Added]
- T5611: Verify the security of encryption keys in use (Oracle Cloud Infrastructure) [Added]
- P3387: Inadequate key management practices (Oracle Cloud Infrastructure) [Added]
- I2138: Verify that the Customer Managed Key is rotated at least annually [Added]
- T5612: Verify write-level logging is enabled and enforced for all Object Storage buckets (Oracle Cloud Infrastructure) [Added]
- P3388: Lack of visibility into Object Storage modifications and access (Oracle Cloud Infrastructure) [Added]
- I2139: Verify that write level Object Storage logging is enabled for all buckets [Added]
- T5613: Verify CMK encryption and versioning are enabled for Object Storage buckets (Oracle Object Storage) [Added]
- P3389: Inadequate encryption control and lack of data recoverability (Oracle Object Storage) [Added]
- I2141: Verify that Object Storage Buckets are encrypted with a Customer Managed Key (CMK) [Added]
- I2142: Verify that Versioning is Enabled for Oracle Cloud Object Storage Buckets [Added]
- T5614: Verify CMK encryption is enforced for block and boot volumes (Oracle Block Volume) [Added]
- P3390: Insufficient control over encryption keys for Block and Boot Volumes (Block Volume) [Added]
- I2143: Verify that Block Volumes are encrypted with Customer Managed Keys (CMK) [Added]
- I2144: Verify that boot volumes are encrypted with Customer Managed Key (CMK) [Added]
- T5615: Verify CMK encryption is enforced for File Storage Systems (FSS) (Oracle File Storage) [Added]
- P3391: Lack of customer-controlled encryption for File Storage Systems (Oracle File Storage) [Added]
- I2145: Verify that File Storage Systems are encrypted with Customer Managed Keys (CMK) [Added]
- T5616: Verify compartments are used for all cloud resources and the root compartment remains empty (Oracle Cloud Infrastructure) [Added]
- P3392: Lack of compartmentalization in Oracle Cloud Infrastructure (Oracle Cloud Infrastructure) [Added]
- I2146: Test that at least one compartment is created in your tenancy to store cloud resources [Added]
- I2147: Verify that no resources are created in the root compartment [Added]
- T5617: Verify Object Storage buckets are not publicly accessible (Oracle Object Storage) [Added]
- P3393: Publicly accessible object Storage Buckets (Oracle Object Storage) [Added]
- I2140: Verify that no Object Storage buckets are publicly visible [Added]
- T5618: Align product scope with the RED (EU RED) [Added]
- P3394: Misinterpretation of Compliance Scope (EU RED) [Added]
- T5619: Identify and address essential requirements (EU RED) [Added]
- P3395: Inadequate Risk Assessment for Radio Equipment (EU RED) [Added]
- T5620: Implement procedures for managing changes (EU RED) [Added]
- P3396: Lack of Formal Change Management Process (EU RED) [Added]
- T5621: Perform a comprehensive risk assessment (EU RED) [Added]
- P3395: Inadequate Risk Assessment for Radio Equipment (EU RED) [Added]
- T5622: Choose the appropriate conformity assessment procedure (EU RED) [Added]
- P3401: Inadequate Conformity Assessment (EU RED) [Added]
- T5623: Compile the complete technical documentation for conformity assessment (EU RED) [Added]
- P3397: Lack of Comprehensive Documentation (EU RED) [Added]
- T5624: Address software security and integrity (EU RED) [Added]
- P3398: Unauthorized Software Loading and Modification (EU RED) [Added]
- T5625: Establish a compliant manufacturing process (EU RED) [Added]
- P3399: Non-compliance with Approved Design Specifications (EU RED) [Added]
- T5626: Implement a process for ongoing monitoring or vigilance (EU RED) [Added]
- P3400: Lack of System for Monitoring Radio Equipment (EU RED) [Added]
- T5627: Provide instructions for safe use (EU RED) [Added]
- P3402: Insufficient User Guidance in Radio Equipment Software (EU RED) [Added]
- T5628: Mandate USB-C as the common charger for specified devices (EU RED) [Added]
- P3403: Improper USB-C Compliance Handling (EU RED) [Added]
- T5629: Provide device identification and enforce traceability (EU RED) [Added]
- P3404: Insufficient Device Identification and Traceability (EU RED) [Added]
- T5630: Prepare the EU Declaration of Conformity (DoC) (EU RED) [Added]
- P3405: Inappropriate Handling of EU Declaration of Conformity (EU RED) [Added]
- T5631: Operate an approved quality system (EU RED) [Added]
- P3406: Insufficient Quality System Conformity Management (EU RED) [Added]
- T5632: Use Short-Lived Access Tokens (iOS) [Added]
- P3407: Insecure token lifecycle management (iOS) [Added]
- T5633: Implement best practices for Biometric authentication (iOS) [Added]
- P3408: Improper implementation of biometric authentication (iOS) [Added]
- T5634: Securely integrate iCloud storage into iOS applications (iOS) [Added]
- P3409: Insecure iCloud storage handling (iOS) [Added]
- T5635: Follow best practices for handling CloudKit Storage (iOS) [Added]
- P3410: Improper CloudKit data handling and access control (iOS) [Added]
- T5636: Implement secure and privacy-compliant handling of app permissions (iOS) [Added]
- P3411: Insecure permission handling and data access (iOS) [Added]
- T5637: Implement best practices for handling location data (iOS) [Added]
- P3412: Improper handling of location data (iOS) [Added]
- T5638: Verify implementation of secure short-lived token handling in an iOS app (iOS) [Added]
- P3407: Insecure token lifecycle management (iOS) [Added]
- T5639: Verify secure and user-friendly implementation of biometric authentication (iOS) [Added]
- P3408: Improper implementation of biometric authentication (iOS) [Added]
- T5640: Verify secure handling of iCloud Storage (iOS) [Added]
- P3409: Insecure iCloud storage handling (iOS) [Added]
- T5641: Verify secure implementation of CloudKit storage in the iOS application (iOS) [Added]
- P3410: Improper CloudKit data handling and access control (iOS) [Added]
- T5642: Verify secure and privacy-compliant handling of app permissions (iOS) [Added]
- P3411: Insecure permission handling and data access (iOS) [Added]
- T5643: Verify secure handling of location data (iOS) [Added]
- P3412: Improper handling of location data (iOS) [Added]
- T5644: Implement secure key rotation mechanism in the Android application (Android) [Added]
- P3413: Improper cryptographic key management (Android) [Added]
- T5645: Implement secure Binder communication (Android) [Added]
- P3414: Improper inter-process communication handling (Android) [Added]
- T5646: Implement secure services (Android) [Added]
- P3415: Improper service declaration and access control (Android) [Added]
- T5647: Verify secure key management and rotation using Android Keystore (Android) [Added]
- P3413: Improper cryptographic key management (Android) [Added]
- T5648: Verify secure implementation of inter-process communication (IPC) using Binder and AIDL (Android) [Added]
- P3414: Improper inter-process communication handling (Android) [Added]
- T5649: Verify secure implementation services (Android) [Added]
- P3415: Improper service declaration and access control (Android) [Added]
Changes to Project Properties and Profiles
- Q193: Components
- Q101: Components In Development
- A6: Web service [Updated]
- INFO: Updated the description.
- Q195: Language and Framework
- Q109: Programming Language
- Q110: Technology/Framework
- A1136: React [Updated]
- INFO: Updated the match conditions.
- A2109: Micronaut [Added]
- A2108: Low-code/No-code [Added]
- Q199: Authentication
- Q129: Requires Server-to-Server Authentication
- A17: Yes [Updated]
- INFO: Updated the description.
- Q206: Privacy
- Q160: Handles Personal Data
- Q481: Privacy Standards [Added]
- A2120: ISO 27701 [Added]
- Q224: Privacy Regulations
- A2131: India DPDPA [Added]
- Q237: Compliance Scope: Other
- Q473: In-Scope for EU Data Act [Added]
- A2028: Yes [Added]
- Q485: In scope for EU RED [Added]
- A2127: Yes [Added]
- Q258: Architecture/Environment
- Q322: Architecture
- Q459: Blockchain Architecture [Added]
- A2014: Smart Contract [Added]
- A1142: Contains components that communicate through a network [Updated]
- INFO: Updated the text and description.
- A2013: Blockchain [Added]
- Q284: Context and Characteristics
- Q460: Accessibility Requirements [Added]
- A2016: This application has accessibility requirements [Added]
- Q289: Cloud Computing
- Q343: Generic Cloud Content [Updated]
- INFO: Updated the text.
- A1332: Include generic, story-driven cloud countermeasures [Updated]
- INFO: Updated the text and description.
- Q290: Cloud Providers
- A1159: Non-Story-Driven Amazon Web Services (AWS) Content [Updated]
- INFO: Updated the text and description.
- A1190: Microsoft Azure [Updated]
- INFO: Updated the description.
- A1212: Non-Story-Driven Google Cloud Content [Updated]
- INFO: Updated the text and description.
- A1333: Story-Driven Amazon Web Services (AWS) Content [Updated]
- INFO: Updated the text and description.
- A1336: Story-Driven Google Cloud Content [Updated]
- INFO: Updated the text and description.
- A2121: Oracle [Added]
- Q307: Containerization
- Q308: Containerization Technologies
- A2015: Containerd [Added]
- Q361: Amazon Web Services (AWS)
- Q298: AWS Services
- Q379: More AWS Services
- A1513: AWS Glue [Updated]
- INFO: Updated the question.
- A1628: AWS FSx for Windows File Server [Updated]
- INFO: Updated the question.
- A2111: AWS CloudShell [Added]
- Q366: AWS Cloud Configuration
- A1392: AWS Cloud Configuration [Updated]
- INFO: Updated the description.
- Q362: Microsoft Azure
- Q306: Azure Services
- Q370: More Azure Services
- A1474: Azure Key Vault Managed HSM [Updated]
- INFO: Updated the question.
- A2112: Azure CycleCloud [Added]
- Q365: Azure Cloud Configuration
- A1391: Azure Cloud Configuration [Updated]
- INFO: Updated the description.
- Q363: Google Cloud Platform (GCP)
- Q367: GCP Cloud Configuration
- A1393: GCP Cloud Configuration [Updated]
- INFO: Updated the description.
- Q461: AI and Machine Learning [Added]
- Q357: Artificial Intelligence/Machine Learning [Updated]
- INFO: Updated the parent.
- Q455: US State-Specific AI Regulation [Added]
- A2004: Utah AIPA [Added]
- A2005: Colorado CPAI [Added]
- Q376: AI/ML Usecases [Updated]
- INFO: Updated the parent and required.
- Q457: AI Content Organization [Updated]
- INFO: Updated the parent.
- Q368: Type of AI system [Updated]
- INFO: Updated the parent.
- Q458: AI/ML Frameworks [Updated]
- INFO: Updated the parent.
- Q482: Oracle [Added]
- Q483: Oracle Cloud Configuration [Added]
- A2122: Oracle Cloud Configuration [Added]
- Q484: Oracle Services [Added]
- A2123: Compute Instance [Added]
- A2124: Object Storage [Added]
- A2125: Block Volume [Added]
- A2126: File Storage [Added]
Added Components
- SC776: Blockchain
- SC777: Smart Contract
- SC778: Containerd
- SC779: Oracle Services
- SC780: Oracle Environment
- SC781: Oracle Compute instance
- SC782: Oracle Object Storage
- SC783: Oracle Block Volume
- SC784: Oracle File Storage
Updated Components
- SC189: AWS CloudShell
- INFO: Updated the description.
- SC375: Azure CycleCloud
- INFO: Updated the description.
2025.1
July 5, 2025
New features and enhancements
System View with a compliance report
- The feature flag is enabled by default now, and system view has been extended with a new homepage for compliance reports
- Users can create one or many compliance reports under an existing system view with a desired regulation assigned, as well as the option to edit, delete, or download that report
Verification Improvement on Checkmarx
- New Global Connector configuration is offered under Checkmarx SAST, allowing users to not retrieve net new scans and skipping already processed scans
Library Threat Framework Mapping Added
- Users can map custom or built-in threats to the supported threat framework offerings in SD Elements
- Users can revert their mapping changes to reflect the latest built-in updates
Advanced Report Updates
- Added Countermeasure Status Update Date as a dimension for filtering for BU/APP/Proj and Countermeasure context (Includes support for Trend Report)
- Added dimensions ‘Updated by’ and ‘Updated Date’ to Library countermeasure for the library countermeasure context
- Added ‘Countermeasure became relevant’ and ‘# of days since relevancy’ dimensions for BU/APP/Proj and Countermeasure context
General Library Improvements
- Ability to expand all related countermeasures on Library Weakness page
- New Filter UI present on Library Threats page
Decommission of unused integrations
- The following Integrations will be removed: Archer, IBM RTC, Pivotal Tracker, HP WebInspect, and Mend
- Any historical information will remain available, but no connections to these integrations will be available going forward
Removal of legacy Global Report and Training Report
- Replaced with the new functionality of Advanced Reports that gives users more flexibility and configurability
Summary of content updates
CIS Azure Compute Microsoft Windows Server
- Added two compliance regulation reports (Domain Controller and Member Server), 45 Countermeasures, associated Weaknesses and test tasks, including 966 How-Tos and associated tests.
CIS Azure Foundation
- Added a compliance report with 25 Countermeasures, associated Weaknesses and How-tos.
CIS IBM Cloud
- Added a compliance report with 24 Countermeasures, associated Weaknesses and How-tos.
CIS Kubernetes
- Added two compliance reports with 12 Countermeasures, associated Weaknesses and How-tos.
CIS Amazon EKS
- Updated and added a compliance report with Countermeasures, associated Weaknesses and How-tos.
OWASP Agentic AI
- 12 new Additional Requirements
- 1 new report with 15 sections
- 1 report for OWASP Machine Learning Security Top 10 with 10 sections
- Regulation section mapping
- Survey answer and dependent components
US Privacy Tracker
- 6 new Additional Requirements
- 5 new reports with 15 sections in total
- Regulation section mapping
- Survey answers and dependent components
EN 18031-1
- 29 new countermeasures
- 1 new report for EN 18031-1 with 31 sections
- Regulation section mapping
- Survey answer and dependent components
Mobile Updates (iOS and Android)
- iOS: Added one How-To and one Additional Requirement, updated one Additional Requirement
- Android: Added 2 Countermeasures, 2 corresponding test tasks, associated Weaknesses, and one Additional Requirement
- Updated the titles of 91 How-Tos and 18 Additional Requirements for Android and iOS.
Components & Dependent Components
- Added new components: Azure subscription, JFrog, Apache Kafka, gRPC, Vue.js, Kubernetes Master and Worker Nodes, Azure Windows Domain Controller and Member Server, IBM Cloud components.
CVSS Scores
- Added CVSS to some Countermeasures with missing CVSS Scores.
Hardware Content Improvements
- Added new Component Answers and added MITRE Hardware Design CWE Compliance report (MITRE CWE VIEW: Hardware Design).
Other improvements
- Made improvements to risk classification answers (diagram), added new answers to the SDE survey to improve applicability of the content, and made improvements to some profiles.
New Just-in-Time Training
- Defending C/C++ (16)
- Secure Software Coding (14)
- Mobile Fundamentals (8)
Content additions and updates (as of June 20, 2025):
Compliance Regulations and Mappings
- Added EN 18031-1 [Experimental]
- Added MITRE CWE VIEW: Hardware Design
- Added US Privacy: Delaware Personal Data Privacy Act
- Added US Privacy: Iowa Consumer Data Protection Act
- Added US Privacy: Nebraska Data Privacy Act
- Added US Privacy: New Hampshire Data Privacy Act
- Added US Privacy: New Jersey Data Privacy Act
- Added OWASP Agentic AI - Threats and Mitigations
- Added OWASP Machine Learning Security Top 10
- Added CIS Benchmark for IBM Cloud Foundations
- Added EN 18031-1
- Added CIS Azure Foundations
- Added CIS Azure Compute Microsoft Windows Server (Member Server)
- Added CIS Azure Compute Microsoft Windows Server (Domain Controller)
- Added CIS Kubernetes (Master Node)
- Added CIS Amazon EKS
- Added CIS Kubernetes (Worker Node)
- Removed CIS AWS Foundations Benchmark
- Removed CIS Amazon EKS Benchmark
- Updated US AI Regulation [INFO: Updated the regulation sections].
Content Packs
- Added IBM Cloud Service
- Added JFrog
- Added EN 18031
- Added CIS Azure Compute Microsoft Windows Server
- Added CIS Azure Foundation
- Added Apache Kafka
- Added gRPC
- Added VueJS
- Added CIS Kubernetes
- Added Amazon EKS CIS
- T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services
- TA284: Android - Fingerprint Authentication [Updated]
- INFO: Updated the title and text.
- T10: Use server-to-server authentication [Updated]
- INFO: Updated the text.
- T21: Ensure all data in transit is encrypted using a secure TLS channel [Updated]
- INFO: Updated the text.
- TA965: Choice of cipher [Updated]
- INFO: Updated the text.
- T31: Validate all forms of input
- I3039: Sanitize User Input in Vue.js Applications [Added]
- T37: Avoid DOM-based Cross-Site Scripting (XSS)
- I3040: Prevent DOM-based XSS in Vue.js applications [Added]
- T46: Do not log confidential data
- I406: Android - Logs [Updated]
- INFO: Updated the title.
- T49: Disable and remove debug capabilities and code/data, and prepare application for release [Updated]
- INFO: Updated the text.
- TA281: Android - Preparation for release and final APK [Updated]
- INFO: Updated the title.
- I414: Android - Preparing application for release [Updated]
- INFO: Updated the title.
- T59: Use standard libraries for cryptography [Updated]
- INFO: Updated the text.
- TA278: Android - Using native cryptography libraries in Android NDK [Updated]
- INFO: Updated the title.
- T60: Use correct and approved cryptographic algorithms, parameters, and key lengths [Updated]
- INFO: Updated the text.
- T69: Strong password requirements for server-to-server system accounts
- P687: Insufficient System Account Password Requirements [Updated]
- INFO: Updated the match conditions.
- T75: Use regular expressions that are not vulnerable to Denial of Service
- I3042: Prevent Regular Expression-Based DoS Attacks in Vue.js Applications [Added]
- T105: Verify that your application does not have unnecessary debug capability or leftover test/debug code
- TA771: Android - Test the release version of application for debug and test leftovers [Updated]
- INFO: Updated the title and text.
- T146: Use encryption for network communications in mobile environments
- TA945: iOS - App Transport Security (ATS) [Updated]
- INFO: Updated the title and text.
- I269: Android (Java) - Using encrypted channels [Updated]
- INFO: Updated the title.
- I293: iOS (Objective-C) - Network Communications Encryption [Updated]
- INFO: Updated the title.
- I537: iOS (Swift) - Network Communications Encryption [Updated]
- INFO: Updated the title and text.
- I1392: Android (Kotlin) - Using encrypted channels [Updated]
- INFO: Updated the title.
- T148: Avoid caching confidential data on client
- TA2879: iOS - Client-side caching [Updated]
- INFO: Updated the title.
- I512: iOS (Objective-C) - Temporary Camera Files [Updated]
- INFO: Updated the title.
- I536: iOS (Swift) - Temporary Camera Files [Updated]
- INFO: Updated the title.
- I1408: iOS - Protect against client-side caching [Updated]
- INFO: Updated the title.
- T152: Avoid asking for and using excessive permissions
- I253: Android - Permissions [Updated]
- INFO: Updated the title and text.
- T156: Validate certificate and its chain of trust properly
- I264: Android (Java) - Establishing a secure channel and validating certificates [Updated]
- INFO: Updated the title.
- I275: iOS (Objective-C) - Certificate Validation - HTTP-based protocols [Updated]
- INFO: Updated the title.
- I397: Android - WebViewClient [Updated]
- INFO: Updated the title.
- I510: iOS (Objective-C) - Certificate Validation - Direct SSL [Updated]
- INFO: Updated the title.
- I531: iOS (Swift) - Certificate Validation - HTTP-based protocols [Updated]
- INFO: Updated the title.
- I532: iOS (Swift) - Certificate Validation - Direct SSL [Updated]
- INFO: Updated the title and text.
- I919: iOS - Certificate transparency [Updated]
- INFO: Updated the title.
- T157: Temporary files must be cleaned up after the resource is used
- TA7131: Android - Validating and Securing Cache Usage [Added]
- I267: Android (Java) - Cache Monitor with expiry handling [Updated]
- INFO: Updated the title.
- I1391: Android (Kotlin) - Cache Monitor with expiry handling [Updated]
- INFO: Updated the title.
- T161: Treat unique device IDs as personal information
- TA280: Android - Unique device IDs [Updated]
- INFO: Updated the title.
- TA942: iOS - Device Tracking [Updated]
- INFO: Updated the title.
- T162: Validate pathname before retrieving local resources
- I413: Android - Preventing Path Traversal [Updated]
- INFO: Updated the title.
- I1395: Android (Kotlin) - Preventing Path Traversal [Updated]
- INFO: Updated the title.
- T164: Clear session information from client upon logout
- I3038: Implement Proper Logout Handling in Vue.js [Added]
- I268: Android (Java) - Session cache cleanup on logout [Updated]
- INFO: Updated the title and text.
- I511: iOS (Objective-C) - Session cleanup [Updated]
- INFO: Updated the title.
- I529: iOS (Swift) - Session cleanup [Updated]
- INFO: Updated the title.
- T168: Prevent auto-snapshot from saving sensitive data (iOS)
- I254: iOS (Objective-C) - Auto-snapshot Prevention [Updated]
- INFO: Updated the title.
- I527: iOS (Swift) - Auto-snapshot Prevention [Updated]
- INFO: Updated the title.
- I1405: iOS - Disable application backgrounding [Updated]
- INFO: Updated the title.
- I1406: iOS (Objective-C) - Mask sensitive data in the iOS app UI [Updated]
- INFO: Updated the title.
- I1409: iOS (Swift) - Mask sensitive data in iOS app UI [Updated]
- INFO: Updated the title.
- T170: Secure IPC endpoints used in clients
- I265: Android - Securing IPC Endpoints with Intents [Updated]
- INFO: Updated the title.
- T174: Test that the client application is not asking for excessive permissions
- I277: Android - Black-box testing [Updated]
- INFO: Updated the title and text.
- I285: Android - White-box testing [Updated]
- INFO: Updated the title.
- T175: Test that the client validates digital certificates
- I278: iOS - Devices or emulators (iPhone/iPad) [Updated]
- INFO: Updated the title.
- I280: Android - Emulator [Updated]
- INFO: Updated the title and text.
- I281: Android - Devices [Updated]
- INFO: Updated the title and text.
- T176: Apply principles of privacy when handling personal information
- TA7111: Nebraska DPA [Section 13] [Added]
- TA7113: New Hampshire DPA [Section 507-H:4] [Added]
- TA7114: New Hampshire DPA [Section 507-H:8] [Added]
- TA7116: New Jersey DPA [Section C.56:8-166.12] [Added]
- T177: Allow users to review and update their personal information
- TA7115: New Hampshire DPA [Section 507-H:14] [Added]
- T178: Obtain consent from users prior to collecting personal information
- TA943: iOS - Purpose String [Updated]
- INFO: Updated the title.
- T187: Test if the app prevents sensitive data leaks through the auto-snapshot feature of iOS
- I303: iOS - Auto-snapshot Prevention Test [Updated]
- INFO: Updated the title and text.
- T189: Minimize the use of unmanaged (native) code
- TA824: Android - Discover and remove illegal syscalls in Android O [Updated]
- INFO: Updated the title.
- T244: Securely delete any unprotected sensitive data before a resource is released or shared
- I270: Android - Secure Management of Sensitive Data [Updated]
- INFO: Updated the title.
- T248: Protect secret keys and passwords in the application
- I272: Android - Using server-side module to store secret keys and passwords for Android applications [Updated]
- INFO: Updated the title.
- I420: Android (Java) - Secure Key Storage [Updated]
- INFO: Updated the title.
- I429: iOS (Objective-C) - Using iOS Keychain services for secure data storage [Updated]
- INFO: Updated the title.
- I535: iOS (Swift) - Using iOS Keychain services for secure data storage [Updated]
- INFO: Updated the title.
- I1393: Android (Kotlin) - Using server-side module to store secret keys and passwords for Android applications [Updated]
- INFO: Updated the title.
- T261: Manage iOS Pasteboards that are used with sensitive data
- I426: iOS (Objective-C) - Pasteboards [Updated]
- INFO: Updated the title.
- I525: iOS (Swift) - Pasteboards [Updated]
- INFO: Updated the title.
- T262: Mask passwords by default on mobiles but consider usability options
- I273: iOS (Objective-C) - Inter-App Communication [Updated]
- INFO: Updated the title.
- T265: Handle requests made through iOS URL schemes or Universal Links securely
- I514: iOS (Objective-C) - Universal Links [Updated]
- INFO: Updated the title.
- I526: iOS (Swift) - Universal Links [Updated]
- INFO: Updated the title.
- I534: iOS (Swift) - Inter-App Communication [Updated]
- INFO: Updated the title.
- T270: Follow best practices for storing application data on Android devices
- I402: Android - Storage options and considerations [Updated]
- INFO: Updated the title.
- I1394: Android (Kotlin) - Storage options and considerations [Updated]
- INFO: Updated the title.
- T271: Prevent access to Android components if they do not need external communication
- I404: Android - Disabling external access to Android components [Updated]
- INFO: Updated the title.
- T272: Restrict access to the application's exported components (Android)
- I405: Android - Using Permissions for Access Control [Updated]
- INFO: Updated the title and text.
- I408: Android - Intent Filters and Explicit Intents [Updated]
- INFO: Updated the title and text.
- I415: Android - Determining who has requested access to an Android exported component [Updated]
- INFO: Updated the title.
- T275: Avoid sending sensitive data using implicit Intents or Broadcasts
- I403: Android - Avoiding Intent Sniffing [Updated]
- INFO: Updated the title and text.
- T276: Validate the content of received Intents
- I409: Android - Validate input received by Android broadcast receiver [Updated]
- INFO: Updated the title.
- T278: Follow best security practices when using WebView (Android)
- I416: Android - Using WebView Securely [Updated]
- INFO: Updated the title and text.
- T279: Avoid dynamically loading any code without proper security considerations
- TA274: Android - Dynamic class loading [Updated]
- INFO: Updated the title.
- T282: Bind variables in SQL statements for client applications
- I315: Android - SQLite [Updated]
- INFO: Updated the title and text.
- I709: Android - Bind parameters to content provider query [Updated]
- INFO: Updated the title.
- I1398: Android (Kotlin) - Bind parameters to content provider query [Updated]
- INFO: Updated the title.
- T295: Avoid storing unencrypted confidential data without access control mechanisms
- I482: iOS (Objective-C) - Data encryption with PBKDF2 [Updated]
- INFO: Updated the title.
- I528: iOS (Swift) - Data encryption with PBKDF2 [Updated]
- INFO: Updated the title.
- T296: Test that unencrypted confidential data is not stored without access control mechanisms
- I431: iOS - Test that entries are securely stored in iOS Keychain [Updated]
- INFO: Updated the title.
- T305: Verify that your application dynamically loads code only from secure locations
- TA275: Android - Verifying dynamic class loading [Updated]
- INFO: Updated the title and text.
- T316: Prevent unauthorized access to information through keyboard caches and shared dictionaries
- I424: Android - Keyboard Suggestions [Updated]
- INFO: Updated the title.
- I425: iOS (Objective-C) - Disabling iOS Auto-correction and keyboard extensions [Updated]
- INFO: Updated the title.
- I523: iOS (Swift) - Disabling Auto-correction and keyboard extensions [Updated]
- INFO: Updated the title.
- T317: Verify that keyboard caches and shared dictionaries do not divulge confidential information
- I513: iOS (Objective-C) - Disabling auto-correction and keyboard extensions [Updated]
- INFO: Updated the title and text.
- I533: iOS (Swift) - Disabling auto-correction and keyboard extensions [Updated]
- INFO: Updated the title.
- T324: Follow best security practices when using WKWebView (iOS)
- I480: iOS (Objective-C) - WKWebView [Updated]
- INFO: Updated the title.
- I524: iOS (Swift) - WKWebView [Updated]
- INFO: Updated the title.
- T364: Enable secure backup and restore capabilities
- TA282: Android - Auto-backup of application data [Updated]
- INFO: Updated the title.
- T365: Verify the security of backing up and restoring procedures
- TA283: Android - Verifying auto-backup of application data [Updated]
- INFO: Updated the title.
- T408: Set secure flag on Android Activities with sensitive content
- I495: Android - Setting FLAG_SECURE for Android Activity [Updated]
- INFO: Updated the title.
- I1396: Android (Kotlin) - Setting FLAG_SECURE for Android Activity [Updated]
- INFO: Updated the title.
- T410: Manage use of Android third-party keyboards with sensitive data
- I496: Android - Third-party keyboards [Updated]
- INFO: Updated the title.
- T423: Disable copying on Android text fields with sensitive data
- I500: Android - Disabling copying capability of Android text fields [Updated]
- INFO: Updated the title.
- I1806: Android - Mask sensitive information in the Android clipboard [Updated]
- INFO: Updated the title.
- T433: Design a fallback mechanism or a degraded mode for the system
- I3041: Offload Memory-Intensive Tasks to Web Workers [Added]
- T446: Verify that only standard libraries are used for cryptography
- TA279: Android - Checking the cryptography libraries that are used with native code [Updated]
- INFO: Updated the title.
- T515: Limit resource consumption of outgoing HTTP requests sent to external user-defined webhooks [Updated]
- INFO: Updated the text.
- I2315: How-to handle requests sent to external webhooks set by users [Added]
- T578: Execute only compiled programs in mainframe
- I538: Notes on executing compiled modules in mainframe [Updated]
- INFO: Updated the text.
- T608: Obfuscate your executables
- I563: Android - Obfuscation in Android [Updated]
- INFO: Updated the title and text.
- T609: Protect your application against debuggers
- I2148: iOS - Jailbreak Detection [Added]
- I586: Android - Debugger Detection [Updated]
- INFO: Updated the title and text.
- I587: iOS - Debugger Detection [Updated]
- INFO: Updated the title and text.
- T612: Detect rooted devices and assess the runtime environment with the aid of SafetyNet Attestation API
- TA791: Android - Root or Custom Build Detection [Updated]
- INFO: Updated the title and text.
- T615: Check your mobile application's integrity and installation source
- I568: Android - Integrity and installation source [Updated]
- INFO: Updated the title.
- T751: Provide users with a notification of personal information processing
- TA944: iOS - Privacy Notice [Updated]
- INFO: Updated the title.
- T754: Enable the restriction of processing personal information of an individual for a specific purpose
- TA7112: Nebraska DPA [Section 14] [Added]
- T897: Test if the unmanaged code is used securely
- TA825: Android - Test if illegal syscalls exist in an Android O application [Updated]
- INFO: Updated the title.
- T1041: Enable multi-factor authentication (Microsoft Azure) [Updated]
- INFO: Updated the text.
- I2324: Ensure only MFA enabled identities can access privileged Virtual Machine [Added]
- I2349: Ensure that 'multifactor authentication' is 'enabled' for all users [Added]
- I2350: Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled [Added]
- I2354: Ensure that a multifactor authentication policy exists for all users [Added]
- I2355: Ensure that multifactor authentication is required for risky sign-ins [Added]
- I2356: Ensure that multifactor authentication is required for Windows Azure Service Management API [Added]
- I2357: Ensure that multifactor authentication is required to access Microsoft Admin Portals [Added]
- P1014: Disabled multi-factor authentication (Azure Active Directory) [Updated]
- INFO: Updated the title and match conditions.
- T1042: Test that multi-factor authentication is enabled (Microsoft Azure) [Updated]
- INFO: Updated the text.
- I2457: Verify that only MFA enabled identities can access privileged Virtual Machine [Added]
- I2482: Verify that multifactor authentication is enabled for all users [Added]
- I2483: Verify that multifactor authentication is not remembered on trusted devices [Added]
- I2487: Verify that a multifactor authentication policy exists for all users [Added]
- I2488: Verify that multifactor authentication is required for risky sign-ins [Added]
- I2489: Verify that multifactor authentication is required for Windows Azure Service Management API [Added]
- I2490: Verify that multifactor authentication is required to access Microsoft Admin Portals [Added]
- P1014: Disabled multi-factor authentication (Azure Active Directory) [Updated]
- INFO: Updated the title and match conditions.
- T1053: Enable VM protection features (Microsoft Azure)
- I2394: Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates [Added]
- I2395: Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' [Added]
- I2396: Ensure That 'All users with the following roles' is set to 'Owner' [Added]
- I2397: Ensure 'Additional email addresses' is Configured with a Security Contact Email [Added]
- I2398: Ensure that 'Notify about alerts with the following severity (or higher)' is enabled [Added]
- I2399: Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled [Added]
- TA7136: Implement the latest OS patches for all virtual machines (Azure Policy) [Added]
- T1054: Test that VM protection features are enabled (Microsoft Azure)
- I2527: Verify that Microsoft Defender for Cloud checks VM operating systems for updates [Added]
- I2528: Verify that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' [Added]
- I2529: Verify that 'All users with the following roles' is set to 'Owner' [Added]
- I2530: Verify that 'Additional email addresses' is Configured with a Security Contact Email [Added]
- I2531: Verify that 'Notify about alerts with the following severity (or higher)' is enabled [Added]
- I2532: Verify that 'Notify about attack paths with the following risk level (or higher)' is enabled [Added]
- TA7133: Verify that the latest OS patches for all virtual machines are applied (Microsoft Defender for Cloud) [Added]
- T1077: Log critical events (Microsoft Azure)
- I2362: Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it [Added]
- I2364: Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs [Added]
- I2365: Ensure Diagnostic Setting captures appropriate categories [Added]
- I2367: Ensure that logging for Azure Key Vault is 'Enabled' [Added]
- I2374: Ensure that Activity Log Alert exists for Create Policy Assignment [Added]
- I2375: Ensure that Activity Log Alert exists for Delete Policy Assignment [Added]
- I2376: Ensure that Activity Log Alert exists for Create or Update Network Security Group [Added]
- I2377: Ensure that Activity Log Alert exists for Delete Network Security Group [Added]
- I2378: Ensure that Activity Log Alert exists for Create or Update Security Solution [Added]
- I2379: Ensure that Activity Log Alert exists for Delete Security Solution [Added]
- I2380: Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule [Added]
- I2381: Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule [Added]
- I2382: Ensure that Activity Log Alert exists for Create or Update Public IP Address rule [Added]
- I2383: Ensure that Activity Log Alert exists for Delete Public IP Address rule [Added]
- I2384: Ensure that an Activity Log Alert exists for Service Health [Added]
- TA7135: Enable diagnostic settings for Azure resources (Microsoft Azure) [Added]
- TA964: Azure Functions: Auditing and Logging [Updated]
- INFO: Updated the title.
- T1078: Verify that critical events are logged (Microsoft Azure)
- I2495: Verify that Azure Monitor Resource Logging is Enabled for All Services that Support it [Added]
- I2497: Verify that a 'Diagnostic Setting' exists for Subscription Activity Logs [Added]
- I2498: Verify that Diagnostic Setting captures appropriate categories [Added]
- I2500: Verify that logging for Azure Key Vault is 'Enabled' [Added]
- I2507: Verify that Activity Log Alert exists for Create Policy Assignment [Added]
- I2508: Verify that Activity Log Alert exists for Delete Policy Assignment [Added]
- I2509: Verify that Activity Log Alert exists for Create or Update Network Security Group [Added]
- I2510: Verify that Activity Log Alert exists for Delete Network Security Group [Added]
- I2511: Verify that Activity Log Alert exists for Create or Update Security Solution [Added]
- I2512: Verify that Activity Log Alert exists for Delete Security Solution [Added]
- I2513: Verify that Activity Log Alert exists for Create or Update SQL Server Firewall Rule [Added]
- I2514: Verify that Activity Log Alert exists for Delete SQL Server Firewall Rule [Added]
- I2515: Verify that Activity Log Alert exists for Create or Update Public IP Address rule [Added]
- I2516: Verify that Activity Log Alert exists for Delete Public IP Address rule [Added]
- I2517: Verify that an Activity Log Alert exists for Service Health [Added]
- TA7132: Verify that diagnostic settings are enabled for Azure resources (Microsoft Azure) [Added]
- T1081: Configure Key Vault securely (Microsoft Azure)
- I2417: Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults [Added]
- I2418: Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults [Added]
- I2419: Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults [Added]
- I2420: Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults [Added]
- I2421: Ensure the Key Vault is Recoverable [Added]
- TA7137: Implement expiration dates for keys and secrets in Azure Key Vault (Microsoft Azure Key Vault) [Added]
- T1082: Verify that Key Vault is configured securely (Microsoft Azure)
- I2550: Verify that the Expiration Date is set for all Keys in RBAC Key Vaults [Added]
- I2551: Verify that the Expiration Date is set for all Keys in Non-RBAC Key Vaults [Added]
- I2552: Verify that the Expiration Date is set for all Secrets in RBAC Key Vaults [Added]
- I2553: Verify that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults [Added]
- I2554: Verify that the Key Vault is Recoverable [Added]
- TA7134: Verify that all Keys and Secrets in Azure Key Vaults have an expiration date set (Microsoft Azure Key Vault) [Added]
- T1246: Disable profiling features in applications (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3564: Ensure that the --profiling argument is set to false [Added]
- I3570: Ensure that the --profiling argument is set to false [Added]
- T1247: Test that profiling is disabled if not needed (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3670: Verify that the --profiling argument is set to false [Added]
- I3676: Verify that the --profiling argument is set to false [Added]
- T1252: Implement audit logging in Kubernetes (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- T1253: Verify the audit policy for Kubernetes security concerns (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3582: Ensure that a minimal audit policy is created [Added]
- I3583: Ensure that the audit policy covers key security concerns [Added]
- I3688: Verify that a minimal audit policy is created [Added]
- I3689: Verify that the audit policy covers key security concerns [Added]
- T1254: Secure Kubelet Configuration for Kubernetes (Kubernetes Worker Node) [Updated]
- INFO: Updated the title and text.
- T1255: Verify Kubelet security configurations (Kubernetes Worker Node) [Updated]
- INFO: Updated the title and text.
- T1258: Implement individual service account credentials for each controller (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3565: Ensure that the --use-service-account-credentials argument is set to true [Added]
- I3566: Ensure that the --service-account-private-key-file argument is set as appropriate [Added]
- I3588: Ensure that default service accounts are not actively used [Added]
- I3589: Ensure that Service Account Tokens are only mounted where necessary [Added]
- I3596: Minimize access to the service account token creation [Added]
- T1259: Verify that service account is securely configured (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3671: Verify that the --use-service-account-credentials argument is set to true [Added]
- I3672: Verify that the --service-account-private-key-file argument is set as appropriate [Added]
- I3694: Verify that default service accounts are not actively used [Added]
- I3695: Verify that Service Account Tokens are only mounted where necessary [Added]
- I3702: Verify that access to the service account token creation is minimized [Added]
- T1260: Implement TLS encryption for the etcd service (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3572: Ensure that the --cert-file and --key-file arguments are set as appropriate [Added]
- I3573: Ensure that the --client-cert-auth argument is set to true [Added]
- I3574: Ensure that the --auto-tls argument is not set to true [Added]
- I3575: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate [Added]
- I3576: Ensure that the --peer-client-cert-auth argument is set to true [Added]
- I3577: Ensure that the --peer-auto-tls argument is not set to true [Added]
- I3578: Ensure that a unique Certificate Authority is used for etcd [Added]
- T1261: Verify the security configurations for etcd service (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3678: Verify that the --cert-file and --key-file arguments are set as appropriate [Added]
- I3679: Verify that the --client-cert-auth argument is set to true [Added]
- I3680: Verify that the --auto-tls argument is not set to true [Added]
- I3681: Verify that the --peer-cert-file and --peer-key-file arguments are set as appropriate [Added]
- I3682: Verify that the --peer-client-cert-auth argument is set to true [Added]
- I3683: Verify that the --peer-auto-tls argument is not set to true [Added]
- I3684: Verify that a unique Certificate Authority is used for etcd [Added]
- T1262: Implement garbage collection on pod termination (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3563: Ensure that the --terminated-pod-gc-threshold argument is set as appropriate [Added]
- T1263: Test the garbage collector activation on pod termination (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3669: Verify that the --terminated-pod-gc-threshold argument is set as appropriate [Added]
- T1266: Implement Role Based Access Control for Kubernetes (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3534: Ensure that the --anonymous-auth argument is set to false [Added]
- I3535: Ensure that the --token-auth-file parameter is not set [Added]
- I3536: Ensure that the DenyServiceExternalIPs is set [Added]
- I3537: Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate [Added]
- I3538: Ensure that the --kubelet-certificate-authority argument is set as appropriate [Added]
- I3539: Ensure that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3540: Ensure that the --authorization-mode argument includes Node [Added]
- I3541: Ensure that the --authorization-mode argument includes RBAC [Added]
- I3542: Ensure that the admission control plugin EventRateLimit is set [Added]
- I3543: Ensure that the admission control plugin AlwaysAdmit is not set [Added]
- I3544: Ensure that the admission control plugin AlwaysPullImages is set [Added]
- I3545: Ensure that the admission control plugin ServiceAccount is set [Added]
- I3546: Ensure that the admission control plugin NamespaceLifecycle is set [Added]
- I3547: Ensure that the admission control plugin NodeRestriction is set [Added]
- I3548: Ensure that the --profiling argument is set to false [Added]
- I3549: Ensure that the --audit-log-path argument is set [Added]
- I3550: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate [Added]
- I3551: Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate [Added]
- I3552: Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate [Added]
- I3553: Ensure that the --request-timeout argument is set as appropriate [Added]
- I3554: Ensure that the --service-account-lookup argument is set to true [Added]
- I3555: Ensure that the --service-account-key-file argument is set as appropriate [Added]
- I3556: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate [Added]
- I3557: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate [Added]
- I3558: Ensure that the --client-ca-file argument is set as appropriate [Added]
- I3559: Ensure that the --etcd-cafile argument is set as appropriate [Added]
- I3560: Ensure that the --encryption-provider-config argument is set as appropriate [Added]
- I3561: Ensure that encryption providers are appropriately configured [Added]
- I3562: Ensure that the API Server only makes use of Strong Cryptographic Ciphers [Added]
- T1267: Verify that the API server is configured to only use strong cryptographic ciphers (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3640: Verify that the --anonymous-auth argument is set to false [Added]
- I3641: Verify that the --token-auth-file parameter is not set [Added]
- I3642: Verify that DenyServiceExternalIPs is set [Added]
- I3643: Verify that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate [Added]
- I3644: Verify that the --kubelet-certificate-authority argument is set as appropriate [Added]
- I3645: Verify that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3646: Verify that the --authorization-mode argument includes Node [Added]
- I3647: Verify that the --authorization-mode argument includes RBAC [Added]
- I3648: Verify that the admission control plugin EventRateLimit is set [Added]
- I3649: Verify that the admission control plugin AlwaysAdmit is not set [Added]
- I3650: Verify that the admission control plugin AlwaysPullImages is set [Added]
- I3651: Verify that the admission control plugin ServiceAccount is set [Added]
- I3652: Verify that the admission control plugin NamespaceLifecycle is set [Added]
- I3653: Verify that the admission control plugin NodeRestriction is set [Added]
- I3654: Verify that the --profiling argument is set to false [Added]
- I3655: Verify that the --audit-log-path argument is set [Added]
- I3656: Verify that the --audit-log-maxage argument is set to 30 or as appropriate [Added]
- I3657: Verify that the --audit-log-maxbackup argument is set to 10 or as appropriate [Added]
- I3658: Verify that the --audit-log-maxsize argument is set to 100 or as appropriate [Added]
- I3659: Verify that the --request-timeout argument is set as appropriate [Added]
- I3660: Verify that the --service-account-lookup argument is set to true [Added]
- I3661: Verify that the --service-account-key-file argument is set as appropriate [Added]
- I3662: Verify that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate [Added]
- I3663: Verify that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate [Added]
- I3664: Verify that the --client-ca-file argument is set as appropriate [Added]
- I3665: Verify that the --etcd-cafile argument is set as appropriate [Added]
- I3666: Verify that the --encryption-provider-config argument is set as appropriate [Added]
- I3667: Verify that encryption providers are appropriately configured [Added]
- I3668: Verify that the API Server only makes use of Strong Cryptographic Ciphers [Added]
- T1290: Implement a security context for your pods and containers (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3617: Apply Security Context to Your Pods and Containers [Added]
- T1291: Test that security context is applied to your pods and containers (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3723: Test that security context is applied to your pods and containers [Added]
- T1292: Implement image provenance for secure deployments (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3614: Configure Image Provenance using ImagePolicyWebhook admission controller [Added]
- T1293: Verify the image provenance configuration for your deployment (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3720: Test Configure Image Provenance using ImagePolicyWebhook admission controller [Added]
- T2059: Enable App Service authentication and identity management (Azure App Service) [Updated]
- INFO: Updated the title.
- P1505: Improper App Service authentication and identity management (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2064: Verify that App Service authentication and identity management is enabled (Azure App Service) [Updated]
- INFO: Updated the title.
- P1505: Improper App Service authentication and identity management (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2065: Configure TLS for secure connections to App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1511: Insecure network communication (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2066: Verify that TLS is configured properly for App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1511: Insecure network communication (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2067: Use the latest version of software on App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1512: Using outdated software in App Service (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2068: Verify that the latest version of software is used on App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1512: Using outdated software in App Service (Azure App Service) [Updated]
- INFO: Updated the title and match conditions.
- T2091: Restrict access to Controller Manager service (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3569: Ensure that the --bind-address argument is set to 127.0.0.1 [Added]
- T2092: Verify that the Controller Manager service is not bound to non-loopback insecure addresses (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3675: Verify that the --bind-address argument is set to 127.0.0.1 [Added]
- T2093: Implement kubelet server certificate rotation for Kubernetes (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3568: Ensure that the RotateKubeletServerCertificate argument is set to true [Added]
- T2094: Verify kubelet server certificate rotation on controller-manager (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3674: Verify that the RotateKubeletServerCertificate argument is set to true [Added]
- T2095: Secure Kubernetes configuration files with proper permissions and ownership (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3513: Ensure that the API server pod specification file permissions are set to 600 or more restrictive [Added]
- I3514: Ensure that the API server pod specification file ownership is set to root:root [Added]
- I3515: Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive [Added]
- I3516: Ensure that the controller manager pod specification file ownership is set to root:root [Added]
- I3517: Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive [Added]
- I3518: Ensure that the scheduler pod specification file ownership is set to root:root [Added]
- I3519: Ensure that the etcd pod specification file permissions are set to 600 or more restrictive [Added]
- I3520: Ensure that the etcd pod specification file ownership is set to root:root [Added]
- I3521: Ensure that the Container Network Interface file permissions are set to 600 or more restrictive [Added]
- I3522: Ensure that the Container Network Interface file ownership is set to root:root [Added]
- I3523: Ensure that the etcd data directory permissions are set to 700 or more restrictive [Added]
- I3524: Ensure that the etcd data directory ownership is set to etcd:etcd [Added]
- I3525: Ensure that the default administrative credential file permissions are set to 600 [Added]
- I3526: Ensure that the default administrative credential file ownership is set to root:root [Added]
- I3527: Ensure that the scheduler.conf file permissions are set to 600 or more restrictive [Added]
- I3528: Ensure that the scheduler.conf file ownership is set to root:root [Added]
- I3529: Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive [Added]
- I3530: Ensure that the controller-manager.conf file ownership is set to root:root [Added]
- I3531: Ensure that the Kubernetes PKI directory and file ownership is set to root:root [Added]
- I3532: Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive [Added]
- I3533: Ensure that the Kubernetes PKI key file permissions are set to 600 [Added]
- I3567: Ensure that the --root-ca-file argument is set as appropriate [Added]
- T2096: Verify that the permissions on the sensitive configuration files are set properly (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3619: Verify that the API server pod specification file permissions are set to 600 or more restrictive [Added]
- I3620: Verify that the API server pod specification file ownership is set to root:root [Added]
- I3621: Verify that the controller manager pod specification file permissions are set to 600 or more restrictive [Added]
- I3622: Verify that the controller manager pod specification file ownership is set to root:root [Added]
- I3623: Verify that the scheduler pod specification file permissions are set to 600 or more restrictive [Added]
- I3624: Verify that the scheduler pod specification file ownership is set to root:root [Added]
- I3625: Verify that the etcd pod specification file permissions are set to 600 or more restrictive [Added]
- I3626: Verify that the etcd pod specification file ownership is set to root:root [Added]
- I3627: Verify that the Container Network Interface file permissions are set to 600 or more restrictive [Added]
- I3628: Verify that the Container Network Interface file ownership is set to root:root [Added]
- I3629: Verify that the etcd data directory permissions are set to 700 or more restrictive [Added]
- I3630: Verify that the etcd data directory ownership is set to etcd:etcd [Added]
- I3631: Verify that the default administrative credential file permissions are set to 600 [Added]
- I3632: Verify that the default administrative credential file ownership is set to root:root [Added]
- I3633: Verify that the scheduler.conf file permissions are set to 600 or more restrictive [Added]
- I3634: Verify that the scheduler.conf file ownership is set to root:root [Added]
- I3635: Verify that the controller-manager.conf file permissions are set to 600 or more restrictive [Added]
- I3636: Verify that the controller-manager.conf file ownership is set to root:root [Added]
- I3637: Verify that the Kubernetes PKI directory and file ownership is set to root:root [Added]
- I3638: Verify that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive [Added]
- I3639: Verify that the Kubernetes PKI key file permissions are set to 600 [Added]
- I3673: Verify that the --root-ca-file argument is set as appropriate [Added]
- T2122: Update Android Security Provider
- I1399: Android - Update Android Security Provider in the application [Updated]
- INFO: Updated the title.
- T2133: Protect the security of data in iOS [Updated]
- INFO: Updated the text.
- TA7130: iOS - Best Practices for Keychain Usage [Added]
- I1400: iOS (Swift) - Data encryption using CryptoKit framework [Updated]
- INFO: Updated the title.
- I1401: iOS (Swift) - Create and validate signatures in CryptoKit framework [Updated]
- INFO: Updated the title.
- I1403: iOS (Objective-C) - Encryption with Apple Secure Enclave [Updated]
- INFO: Updated the title.
- T2137: Ensure that sensitive data is not recorded (iOS)
- I1410: iOS (Objective-C) - Prevent information disclosure in iOS when mirroring/recording [Updated]
- INFO: Updated the title.
- I1411: iOS (Swift) - Prevent information disclosure when mirroring/recording [Updated]
- INFO: Updated the title.
- T2232: Use write protection for Parametric Data values (Hardware/Firmware)
- P1630: Missing write protection for parametric data values (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2233: Set proper setting of Bus Controlling Capability in Fabric end-point (Hardware/Firmware)
- P1631: Improper setting of bus controlling capability in fabric end-point (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2234: Restrict mapping of unwarranted programming overlaps of protected and unprotected ranges by Fabric-Address (Hardware/Firmware)
- P1632: Fabric-address map allows programming of unwarranted overlaps of protected and unprotected ranges (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2235: Put security checks in Fabric Bridge (Hardware/Firmware)
- P1633: Missing security checks in fabric bridge (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2236: Put security controls in On-chip Fabrics or Buses (Hardware/Firmware)
- P1634: Missing support for security features in on-chip fabrics or buses (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2237: Protect against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware)
- P1635: Improper protection against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2238: Protect alert signals against untrusted agents (Hardware/Firmware)
- P1636: Improper protection for out of bounds signal level alerts (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2239: Tag traces to indicate owner and debugging privilege level (Hardware/Firmware)
- P1637: Improper management of sensitive trace data (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2240: Designate an immutable Root of Trust for storage (Hardware/Firmware)
- P1638: Missing immutable root of trust in hardware (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2241: Ensure security version data is protected from tampering (Hardware/Firmware)
- P1639: Security version number mutable to older versions (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2242: Implement priority-based arbitration inside the Network on Chips (Hardware/Firmware)
- P1640: Improper isolation of shared resources in network on chip (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2243: Protect against fault injection attacks (Hardware/Firmware)
- P1641: Insufficient protection against instruction skipping via fault injection (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2244: Protect against error injection errors in redundant blocks (Hardware/Firmware)
- P1642: Unauthorized error injection can degrade hardware redundancy (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2245: Protect against abnormal thermal range (Hardware/Firmware)
- P1643: Improper protections against hardware overheating (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2453: Verify that managed components are used (Containerization) [Updated]
- INFO: Updated the title.
- T2462: Minimize the admission of high-privileged containers (Containerization)
- I1674: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.1) [Unpublished]
- I1678: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.5) [Unpublished]
- I1683: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Unpublished]
- I1831: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.1) [Unpublished]
- I1835: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.5) [Unpublished]
- I1836: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.2.6) [Unpublished]
- T2473: Verify the presence of security constraints in all user stories and features
- P1716: Lack of Technical Documentation [Updated]
- INFO: Updated the match conditions.
- T2492: Use device-generated opaque keys to encrypt OS files and data on the device (Hardware/Firmware)
- P1722: Unsecure key generation (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2494: Encrypt the bootloader (Hardware/Firmware)
- P1723: Unencrypted bootloader (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2496: Generate and forward audit logs (Hardware/Firmware)
- P1724: Lack of device-generated audit logs (Hardware/Firmware) [Updated]
- INFO: Updated the match conditions.
- T2525: Prevent Large Language Model Denial of Service
- TA7119: Agentic AI:T4 - Prevent resource overload [Added]
- T2526: Test the prevention of Large Language Model Denial of Service
- TA7125: Agentic AI:T4 - Verify resource overload [Added]
- T2529: Prevent sensitive information disclosure in Large Language Models
- TA7121: Agentic AI:T9 - Add behavioral profiling [Added]
- T2530: Test the prevention of sensitive information disclosure in Large Language Models
- TA7127: Agentic AI:T9 - Test behavioral profiling [Added]
- T2533: Mitigate excessive agency in Large Language Models
- TA7118: Agentic AI:T3 - Add permission controls [Added]
- TA7120: Agentic AI:T8 - Introduce logging and monitoring [Added]
- TA7122: Agentic AI:T13 - Ensure integrity [Added]
- TA7123: Agentic AI:T14 - Limit delegation [Added]
- T2534: Test excessive agency mitigation in Large Language Models
- TA7124: Agentic AI:T3 - Test permission controls [Added]
- TA7126: Agentic AI:T8 - Test logging and monitoring [Added]
- TA7128: Agentic AI:T13 - Verify integrity [Added]
- TA7129: Agentic AI:T14 - Verify delegation [Added]
- T2582: Implement security best practices for data protection (SageMaker) [Updated]
- INFO: Updated the text.
- T4016: Implement robust record-keeping (logging) for high-risk AI systems [Updated]
- INFO: Updated the match conditions.
- T4186: Restrict physical access to devices, and prefer eSIMs [Unpublished]
- P2190: SIM cloning attacks in LTE network [Unpublished]
- T4191: Restrict physical access to devices, and prefer eSIMs [Unpublished]
- P2195: SIM cloning attacks in 5G network [Unpublished]
- T5535: Verify encryption of data in transit with SSL (Azure CycleCloud) [Updated]
- INFO: Updated the title.
- T5650: Establish Dedicated Management, Identity, and Connectivity Subscriptions (Azure Subscriptions) [Added]
- P3416: Improper Subscription Isolation (Azure Subscriptions) [Added]
- T5651: Create additional subscriptions for region-specific governance (Azure Subscriptions) [Added]
- P3417: Lack of Region-Specific Governance (Azure Subscriptions) [Added]
- T5652: Ensure resource group and resource region alignment (Azure Subscriptions) [Added]
- P3418: Resource Misalignment in Azure Resource Management (Azure Subscriptions) [Added]
- T5653: Use separate subscriptions for active-active deployments (Azure Subscriptions) [Added]
- P3419: Improper Resource Management in Active-Active Deployments (Azure Subscriptions) [Added]
- T5654: Use subscriptions as scale units to manage Azure resources efficiently (Azure Subscriptions) [Added]
- P3420: Potential Resource Limitations in Azure Workloads (Azure Subscriptions) [Added]
- T5655: Build a Subscription Vending Process (Azure Subscriptions) [Added]
- P3421: Lack of Automated Subscription Management (Azure Subscriptions) [Added]
- T5656: Prevent Transferring Azure Subscriptions to or from Microsoft Entra Tenant (Azure Subscriptions) [Added]
- P3422: Unauthorized Subscription Transfer Risk (Azure Subscriptions) [Added]
- T5657: Validate Incoming Messenger Messages (Android) [Added]
- P3423: Unvalidated Incoming IPC Messages (Android) [Added]
- T5658: Verify Validation of Incoming Messenger Messages (Android) [Added]
- P3423: Unvalidated Incoming IPC Messages (Android) [Added]
- T5659: Verify Secure User Data Control Features (Android) [Added]
- P3424: Lack of user control over stored data (Android) [Added]
- T5660: Implement secure data control options for users (Android) [Added]
- P3424: Lack of user control over stored data (Android) [Added]
- T5685: Implement multi-factor authentication for IBM Cloud resources (IBM Cloud Internet Services) [Added]
- P3441: Lack of Multi-Factor Authentication (IBM Cloud VPC) [Added]
- I2185: Monitor account owner for frequent, unexpected, or unauthorized logins [Added]
- I2186: Ensure API keys unused for 180 days are detected and optionally disabled [Added]
- I2187: Ensure API keys are rotated every 90 days [Added]
- I2188: Restrict user API key creation and service ID creation [Added]
- I2189: Ensure no owner account API key exists [Added]
- I2190: Ensure compliance with IBM Cloud password requirements [Added]
- I2191: Ensure multi-factor authentication (MFA) is enabled for all users in account [Added]
- I2192: Ensure multi-factor authentication (MFA) is enabled for the account owner [Added]
- I2193: Ensure multi-factor authentication (MFA) is enabled at the account level [Added]
- I2194: Ensure contact email is valid [Added]
- I2195: Ensure contact phone number is valid [Added]
- I2196: Ensure IAM users are members of access groups and IAM policies are assigned only to access groups [Added]
- I2197: Ensure a support access group has been created [Added]
- I2198: Minimize the number of users with admin privileges in the account [Added]
- I2199: Minimize the number of Service IDs with admin privileges in the account [Added]
- I2200: Ensure IAM does not allow public access to Cloud Object Storage [Added]
- I2201: Ensure Inactive User Accounts are Suspended [Added]
- I2202: Enable audit logging for IBM Cloud Identity and Access Management [Added]
- I2203: Ensure Identity Federation is set up with a Corporate IDP [Added]
- I2249: Ensure certificates are automatically renewed before expiration [Added]
- T5686: Implement access restrictions on IBM Cloud Object Storage (IBM Cloud Object Storage) [Added]
- P3442: Lack of Access Restrictions (IBM Cloud Object Storage) [Added]
- I2204: Ensure network access for Cloud Object Storage is restricted [Added]
- I2205: Ensure network access is set to be exposed only on Private end-points [Added]
- I2206: Ensure access is restricted by using IAM and S3 access control [Added]
- I2207: Disable public (anonymous) access to IBM Cloud Object Storage buckets [Added]
- T5687: Enhance data security with envelope encryption (IBM Cloud Object Storage) [Added]
- P3443: Lack of Granular Data Encryption (IBM Cloud Object Storage) [Added]
- I2208: Ensure Cloud Object Storage encryption is done with customer managed keys [Added]
- I2209: Ensure Cloud Object Storage Encryption is set to On with BYOK [Added]
- I2210: Ensure Cloud Object Storage Encryption is set to On with KYOK [Added]
- T5688: Implement customer-managed encryption keys in IBM Cloud Block Storage (IBM Cloud Block Storage) [Added]
- P3444: Inadequate Control Over Encryption Keys (IBM Cloud Block Storage) [Added]
- I2211: Ensure 'OS disks' are encrypted with customer managed keys [Added]
- I2212: Ensure 'Data disks' are encrypted with customer managed keys [Added]
- I2213: Ensure 'Unattached disks' are encrypted with customer managed keys [Added]
- T5689: Implement Bring Your Own Key (BYOK) for Enhanced Data Security (IBM Key Management Services) [Added]
- P3445: Lack of Customer-Controlled Encryption Keys (IBM Key Management Services) [Added]
- I2214: Ensure Block Storage is encrypted with customer managed keys [Added]
- I2215: Ensure Block Storage is encrypted with BYOK [Added]
- I2216: Ensure Block Storage is encrypted with KYOK [Added]
- T5690: Enable alerts for vulnerabilities in container images (IBM Cloud Container Registry) [Added]
- P3446: Lack of Vulnerability Alerts in Container Images (IBM Cloud Container Registry) [Added]
- I2217: Ensure auditing is configured in the IBM Cloud account [Added]
- I2218: Ensure that archiving is enabled for audit events [Added]
- I2219: Ensure that events are collected and processed [Added]
- I2220: Ensure alerts are defined on custom views [Added]
- I2221: Ensure login only from a list of authorized countries/IP ranges [Added]
- I2222: Ensure Activity Tracker data is encrypted at rest [Added]
- I2223: Ensure Activity Tracker trails are integrated with LogDNA Logs [Added]
- I2248: Ensure alerts are enabled for vulnerabilities [Added]
- T5691: Implement encryption at rest using IBM Cloud Database service (IBM Cloud Database) [Added]
- P3447: Lack of Encryption at Rest (IBM Cloud Database) [Added]
- I2224: Ensure disk encryption is enabled with customer managed keys [Added]
- I2225: Ensure network access is set to be exposed on “Private end points only” [Added]
- I2226: Ensure IBM Cloud Databases disk encryption is set to On [Added]
- T5692: Implement encryption for client data at-rest using IBM Key Protect (IBM Cloudant) [Added]
- P3448: Lack of Encryption for Client Data at Rest (IBM Cloudant) [Added]
- I2227: Ensure Cloudant encryption is set to On [Added]
- I2228: Ensure IBM Cloudant encryption is enabled with customer managed keys [Added]
- I2229: Ensure IBM Cloudant is only accessible via HTTPS or TLS Connections [Added]
- T5693: Enhance web application security with minimum TLS version and WAF (IBM Cloud Internet Services) [Added]
- P3449: Insecure Data Transmission and Insufficient Web Application Protection (IBM Cloud Internet Services) [Added]
- I2230: Enable TLS 1.2 at minimum for all inbound traffic [Added]
- I2231: Ensure Web application firewall is set to ON [Added]
- I2232: Ensure DDoS protection is Active on IBM Cloud Internet Services [Added]
- T5694: Implement strict ingress access controls in VPC security groups (IBM Cloud VPC) [Added]
- P3450: Unrestricted Ingress Access in VPC Security Groups (IBM Cloud VPC) [Added]
- I2233: Ensure no VPC access control lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2234: Ensure the default security group of every VPC restricts all traffic [Added]
- I2235: Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2236: Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2237: Ensure no VPC access control lists allow ingress from 0.0.0.0/0 to port 3389 [Added]
- T5695: Secure client requests on IBM Cloud Kubernetes Service (IBM Cloud Kubernetes Service) [Added]
- P3451: Insecure Client Requests (IBM Cloud Kubernetes Service) [Added]
- I2238: Ensure TLS 1.2 for all inbound traffic at IBM Cloud Kubernetes Service Ingress [Added]
- I2239: Ensure IBM Cloud Kubernetes Service worker nodes are updated [Added]
- I2240: Ensure that clusters are accessible only by using private endpoints [Added]
- I2241: Ensure IBM Cloud Kubernetes Service cluster has image pull secrets enabled [Added]
- I2242: Ensure Kubernetes Service clusters have the monitoring service enabled [Added]
- I2243: Ensure IBM Cloud Kubernetes Service clusters have the logging service enabled [Added]
- I2244: Ensure Kubernetes secrets data is encrypted with bring your own key (BYOK) [Added]
- I2245: Ensure Kubernetes secrets data is encrypted with keep your own key (KYOK) [Added]
- I2246: Block deployments of vulnerable images to Kubernetes clusters [Added]
- T5696: Implement a regular key rotation policy using Key Protect (IBM Key Protect) [Added]
- P3452: Lack of Regular Key Rotation Policy (IBM Key Protect) [Added]
- I2247: Ensure IBM Key Protect has automated rotation for customer managed keys enabled [Added]
- T5697: Verify the security of API key management practices (IBM Cloud Internet Services) [Added]
- P3441: Lack of Multi-Factor Authentication (IBM Cloud VPC) [Added]
- I2250: Verify account owner for frequent, unexpected, or unauthorized logins [Added]
- I2251: Verify that API keys unused for 180 days are detected and optionally disabled [Added]
- I2252: Verify that API keys are rotated every 90 days [Added]
- I2253: Verify that user API key creation is restricted via IAM roles [Added]
- I2254: Verify that no owner account API key exists [Added]
- I2255: Verify compliance with IBM Cloud password requirements [Added]
- I2256: Verify that multi-factor authentication (MFA) is enabled [Added]
- I2257: Verify that multi-factor authentication (MFA) is enabled for the account owner [Added]
- I2258: Verify that multi-factor authentication (MFA) is enabled at the account level [Added]
- I2259: Verify that the contact email is valid [Added]
- I2260: Verify that the contact phone number is valid [Added]
- I2261: Verify that IAM users are members of access groups [Added]
- I2262: Verify that a support access group has been created [Added]
- I2263: Test minimizing the number of users with admin privileges in the account [Added]
- I2264: Test minimizing the number of Service IDs with admin privileges in the account [Added]
- I2265: Verify that IAM does not allow public access to Cloud Object Storage [Added]
- I2266: Verify that inactive user accounts are suspended [Added]
- I2267: Verify that audit logging is enabled [Added]
- I2268: Verify that Identity Federation is set up with a Corporate IDP [Added]
- I2314: Verify that Certificate Manager automatically renews certificates [Added]
- T5698: Verify that the IBM Cloud Object Storage bucket firewall restricts access (IBM Cloud Object Storage) [Added]
- P3442: Lack of Access Restrictions (IBM Cloud Object Storage) [Added]
- I2269: Verify that network access is restricted to a specific IP range [Added]
- I2270: Verify that network access is set to be exposed only on Private end-points [Added]
- I2271: Verify that access is restricted by using IAM and S3 access control [Added]
- I2272: Verify that public access to IBM Cloud Object Storage buckets is disabled [Added]
- T5699: Verify that the encryption keys are managed securely (IBM Cloud Object Storage) [Added]
- P3443: Lack of Granular Data Encryption (IBM Cloud Object Storage) [Added]
- I2273: Verify Cloud Object Storage encryption with customer managed keys [Added]
- I2274: Verify that Cloud Object Storage Encryption is set to On with BYOK [Added]
- I2275: Verify that Cloud Object Storage Encryption is set to On with KYOK [Added]
- T5700: Verify that encryption is managed through IBM Key Management Services (IBM Cloud Block Storage) [Added]
- P3444: Inadequate Control Over Encryption Keys (IBM Cloud Block Storage) [Added]
- I2276: Verify that 'OS disks' are encrypted with customer managed keys [Added]
- I2277: Verify that 'Data disks' are encrypted with customer managed keys [Added]
- I2278: Verify that unattached disks are encrypted with customer managed keys [Added]
- T5703: Verify that the database service is provisioned with encryption at rest (IBM Cloud Database) [Added]
- P3447: Lack of Encryption at Rest (IBM Cloud Database) [Added]
- I2289: Verify disk encryption is enabled with customer managed keys [Added]
- I2290: Verify that network access to the IBM Cloud Databases service is exposed on private endpoints only [Added]
- I2291: Verify IBM Cloud Databases disk encryption is set to On [Added]
- T5704: Verify that the Cloudant instance is provisioned with BYOK (IBM Cloudant) [Added]
- P3448: Lack of Encryption for Client Data at Rest (IBM Cloudant) [Added]
- I2292: Verify Cloudant encryption is set to On [Added]
- I2293: Verify that IBM Cloudant encryption is enabled with customer managed keys [Added]
- I2294: Verify that IBM Cloudant is only accessible via HTTPS or TLS Connections [Added]
- T5705: Verify the minimum TLS version is set to 1.2 (IBM Cloud Internet Services) [Added]
- P3449: Insecure Data Transmission and Insufficient Web Application Protection (IBM Cloud Internet Services) [Added]
- I2295: Test that TLS 1.2 is enabled for all inbound traffic [Added]
- I2296: Verify that the Web application firewall is set to ON [Added]
- I2297: Verify that DDoS protection is Active on IBM Cloud Internet Services [Added]
- T5706: Verify that VPC access control lists filter traffic appropriately (IBM Cloud VPC) [Added]
- P3450: Unrestricted Ingress Access in VPC Security Groups (IBM Cloud VPC) [Added]
- I2298: Verify that no VPC access control lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2299: Verify that the default security group of every VPC restricts all traffic [Added]
- I2300: Verify that no VPC security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2301: Verify that no VPC security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2302: Verify that no VPC access control lists allow ingress from 0.0.0.0/0 to port 3389 [Added]
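The IBM Cloud VPC items above (I2233 to I2237 under T5694, and their verification counterparts I2298 to I2302 under T5706) all reduce to one check: no inbound rule may reach port 22 or 3389 from a world-open source. The script below is an added example, not SD Elements or IBM Cloud content. It assumes a simplified rule shape (one dict per rule with `direction`, `protocol`, `remote`, `port_min`, `port_max`; this shape and the sample groups are constructed for the example, the real IBM Cloud VPC API returns richer objects) and deliberately handles the cases a naive "port == 22" match misses: a port range such as 3000-4000 that covers 3389, a protocol of `all` with no port bounds, and the IPv6 world route `::/0`.

```python
"""Offline check for world-open ingress to SSH (22) and RDP (3389).

Added example, not SD Elements or IBM Cloud code. Rule records are a
constructed, simplified shape (assumption): one dict per rule.
"""
import ipaddress

SENSITIVE_PORTS = {22: "ssh", 3389: "rdp"}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (any network with prefix length 0)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def rule_exposes_port(rule: dict, port: int) -> bool:
    """A rule exposes `port` when it is inbound, its source is world-open,
    its protocol is tcp or all, and its port range covers `port`.
    Missing port bounds (typical for protocol 'all') mean the full range."""
    if rule.get("direction") != "inbound":
        return False
    if not is_world_open(rule.get("remote", "")):
        return False
    if rule.get("protocol", "all") not in ("tcp", "all"):
        return False
    lo = rule.get("port_min", 1)
    hi = rule.get("port_max", 65535)
    return lo <= port <= hi


def find_violations(groups: list) -> list:
    """Return (group name, rule id, port) for every sensitive port a rule exposes."""
    hits = []
    for group in groups:
        for rule in group["rules"]:
            for port in SENSITIVE_PORTS:
                if rule_exposes_port(rule, port):
                    hits.append((group["name"], rule["id"], port))
    return hits


# Constructed sample security groups (not real account data).
SAMPLE_GROUPS = [
    {"name": "web-sg", "rules": [
        {"id": "r1", "direction": "inbound", "protocol": "tcp",
         "remote": "0.0.0.0/0", "port_min": 443, "port_max": 443},
        {"id": "r2", "direction": "inbound", "protocol": "tcp",
         "remote": "10.0.0.0/8", "port_min": 22, "port_max": 22},   # private source: fine
    ]},
    {"name": "bastion-sg", "rules": [
        {"id": "r3", "direction": "inbound", "protocol": "tcp",
         "remote": "0.0.0.0/0", "port_min": 22, "port_max": 22},    # direct hit
        {"id": "r4", "direction": "inbound", "protocol": "all",
         "remote": "::/0"},                                         # IPv6 world, all ports
        {"id": "r5", "direction": "outbound", "protocol": "tcp",
         "remote": "0.0.0.0/0", "port_min": 3389, "port_max": 3389},  # egress: not in scope
        {"id": "r6", "direction": "inbound", "protocol": "udp",
         "remote": "0.0.0.0/0", "port_min": 1, "port_max": 65535},  # udp cannot carry ssh/rdp
        {"id": "r7", "direction": "inbound", "protocol": "tcp",
         "remote": "0.0.0.0/0", "port_min": 3000, "port_max": 4000},  # range covering 3389
    ]},
]

if __name__ == "__main__":
    for name, rid, port in find_violations(SAMPLE_GROUPS):
        print(f"{name}/{rid}: world-open ingress to {port}/{SENSITIVE_PORTS[port]}")
```

Run against real data by replacing `SAMPLE_GROUPS` with rules fetched from the VPC API; the same logic applies to network ACL entries, which carry the same direction, protocol, source and port-range fields.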
- T5707: Verify that insecure HTTP requests are redirected to HTTPS (IBM Cloud Kubernetes Service) [Added]
- P3451: Insecure Client Requests (IBM Cloud Kubernetes Service) [Added]
- I2303: Verify TLS 1.2 for all inbound traffic at IBM Cloud Kubernetes Service Ingress [Added]
- I2304: Verify that Kubernetes Service worker nodes are updated [Added]
- I2305: Verify that clusters are accessible only by using private endpoints [Added]
- I2306: Verify that IBM Cloud Kubernetes Service cluster has image pull secrets enabled [Added]
- I2307: Verify Kubernetes Service clusters have the monitoring service enabled [Added]
- I2308: Verify Kubernetes Service clusters have the logging service enabled [Added]
- I2309: Verify that Kubernetes secrets data is encrypted with bring your own key (BYOK) [Added]
- I2310: Verify that Kubernetes secrets data is encrypted with keep your own key (KYOK) [Added]
- I2311: Verify that vulnerable images are blocked from deploying to Kubernetes clusters [Added]
- T5709: Organize artifacts with a dedicated artifact repository (JFrog Artifactory) [Added]
- P3453: Lack of Dedicated Artifact Repository (JFrog Artifactory) [Added]
- T5710: Utilize build info for enhanced traceability (JFrog Artifactory) [Added]
- P3454: Lack of Build Information Traceability (JFrog Artifactory) [Added]
- T5711: Design a universal binary repository structure (JFrog Artifactory) [Added]
- P3455: Inadequate Repository Structure Management (JFrog Artifactory) [Added]
- T5712: Implement a 4-part naming convention for repositories (JFrog Artifactory) [Added]
- P3456: Inconsistent Repository Naming (JFrog Artifactory) [Added]
- T5713: Create a repository structure for development lifecycle (JFrog Artifactory) [Added]
- P3457: Inadequate Repository Structure (JFrog Artifactory) [Added]
- T5714: Implement security processes (JFrog Xray) [Added]
- P3458: Lack of Structured Security Processes (JFrog Xray) [Added]
- T5715: Involve R&D in security and compliance (JFrog Xray) [Added]
- P3459: Lack of Integrated Security and Compliance in Software Development Lifecycle (JFrog Xray) [Added]
- T5716: Define a policy for high-severity issues (JFrog Xray) [Added]
- P3460: Lack of Structured Policy for High-Severity Issues (JFrog Xray) [Added]
- T5717: Implement continuous scanning (JFrog Xray) [Added]
- P3461: Lack of Continuous Vulnerability Scanning (JFrog Xray) [Added]
- T5718: Standardize violation management workflow (JFrog Xray) [Added]
- P3462: Inconsistent Violation Management Workflow (JFrog Xray) [Added]
- T5719: Prioritize security and compliance violations (JFrog Xray) [Added]
- P3463: Lack of Prioritization in Security and Compliance Violations (JFrog Xray) [Added]
- T5720: Implement software package management (JFrog Curation) [Added]
- P3464: Insecure Dependency Management (JFrog Curation) [Added]
- T5721: Implement comprehensive software supply chain protection (JFrog Advanced Security) [Added]
- P3465: Software Supply Chain Vulnerabilities (JFrog Advanced Security) [Added]
- T5722: Implement continuous runtime security (JFrog Runtime) [Added]
- P3466: Lack of Continuous Runtime Security Monitoring (JFrog Runtime) [Added]
- T5723: Implement pre-selection & OSS intelligence (JFrog Catalog) [Added]
- P3467: Inadequate Management of Open-Source Software Packages (JFrog Catalog) [Added]
- T5724: Use appropriate access control mechanisms [ACM-2] (EN 18031-1) [Added]
- P3468: Lack of secure access control mechanism (EN 18031-1) [Added]
- T5725: Use an appropriate authentication mechanism [AUM-2] (EN 18031-1) [Added]
- P3469: Lack of secure authentication mechanism (EN 18031-1) [Added]
- T5726: Ensure the validation of authenticators used in authentication mechanisms [AUM-3] (EN 18031-1) [Added]
- P3470: Insufficient verification of authenticators (EN 18031-1) [Added]
- T5727: Implement the capability to change authentication mechanisms [AUM-4] (EN 18031-1) [Added]
- P3471: Lack of authenticator reset mechanism (EN 18031-1) [Added]
- T5728: Use strong passwords in authentication mechanisms [AUM-5] (EN 18031-1) [Added]
- P3472: Weak password requirements (EN 18031-1) [Added]
- T5729: Implement brute-force protection in authentication mechanism [AUM-6] (EN 18031-1) [Added]
- P3473: Lack of brute-force protection (EN 18031-1) [Added]
- T5730: Ensure the applicability and appropriateness of DoS resilience mechanisms [RLM-1] (EN 18031-1) [Added]
- P3474: Lack of Denial of Service (DoS) protection (EN 18031-1) [Added]
- T5731: Ensure the applicability and appropriateness of network monitoring mechanisms [NMM-1] (EN 18031-1) [Added]
- P3475: Lack of network monitoring mechanism (EN 18031-1) [Added]
- T5732: Ensure the applicability and appropriateness of network traffic control mechanisms [TCM-1] (EN 18031-1) [Added]
- P3476: Lack of traffic control mechanism (EN 18031-1) [Added]
- T5733: Use best practices for cryptography [CRY-1] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
- T5734: Ensure the applicability and appropriateness of secure update mechanisms [SUM-1] (EN 18031-1) [Added]
- P3478: Lack of secure update mechanism (EN 18031-1) [Added]
- T5735: Implement a secure update mechanism [SUM-2] (EN 18031-1) [Added]
- P3478: Lack of secure update mechanism (EN 18031-1) [Added]
- T5736: Implement an automated secure update mechanism [SUM-3] (EN 18031-1) [Added]
- P3478: Lack of secure update mechanism (EN 18031-1) [Added]
- T5737: Ensure the applicability and appropriateness of secure storage mechanisms [SSM-1] (EN 18031-1) [Added]
- P3479: Lack of secure storage mechanism (EN 18031-1) [Added]
- T5738: Implement appropriate integrity protection for secure storage mechanisms [SSM-2] (EN 18031-1) [Added]
- P3479: Lack of secure storage mechanism (EN 18031-1) [Added]
- T5739: Implement appropriate confidentiality protection for secure storage mechanisms [SSM-3] (EN 18031-1) [Added]
- P3479: Lack of secure storage mechanism (EN 18031-1) [Added]
- T5740: Ensure the applicability and appropriateness of secure communication mechanisms [SCM-1] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
- T5741: Implement appropriate integrity and authenticity protection for communication mechanisms [SCM-2] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
- T5742: Implement appropriate confidentiality protection for communication mechanisms [SCM-3] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
- T5743: Implement appropriate replay protection for communication mechanisms [SCM-4] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
- T5744: Implement appropriate confidential cryptographic keys [CCK-1] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
- T5745: Implement secure confidential cryptographic keys [CCK-2] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
- T5746: Implement features for preventing default values for preinstalled confidential cryptographic keys [CCK-3] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
- T5747: Ensure the use of updated and secure software and hardware [GEC-1] (EN 18031-1) [Added]
- P3481: Use of insecure third party software and hardware (EN 18031-1) [Added]
- T5748: Control access to network interfaces and services [GEC-2] (EN 18031-1) [Added]
- P3482: Exposure of services (EN 18031-1) [Added]
- T5749: Implement a feature for configuring optional services and the related exposed network interfaces [GEC-3] (EN 18031-1) [Added]
- P3483: Lack of control over configuration parameters (EN 18031-1) [Added]
- T5750: Document exposed network interfaces and services [GEC-4] (EN 18031-1) [Added]
- P3484: Lack of technical documentation (EN 18031-1) [Added]
- T5751: Disable unnecessary external interfaces [GEC-5] (EN 18031-1) [Added]
- P3485: Exposure of physical external interfaces (EN 18031-1) [Added]
- T5752: Implement input validation [GEC-6] (EN 18031-1) [Added]
- P3486: Poor input validation (EN 18031-1) [Added]
- T5753: Verify the network security configuration for Azure Databricks (Azure Databricks) [Added]
- P3487: Lack of Network Traffic Control (Azure Databricks) [Added]
- I2449: Verify that Azure Databricks is deployed in a customer-managed virtual network (VNet) [Added]
- I2450: Verify that network security groups are configured for Databricks subnets [Added]
- I2452: Verify that users and groups are synced from Microsoft Entra ID to Azure Databricks [Added]
- I2453: Verify that Unity Catalog is configured for Azure Databricks [Added]
- I2454: Verify that usage is restricted and expiry is enforced for Databricks personal access tokens [Added]
- I2455: Verify that diagnostic log delivery is configured for Azure Databricks [Added]
- T5754: Verify that data exchanged between worker nodes is encrypted (Azure Databricks) [Added]
- P3488: Lack of Encryption for Data in Transit and at Rest (Microsoft Azure Foundation) [Added]
- I2451: Verify that traffic is encrypted between cluster worker nodes [Added]
- I2456: Verify that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK) [Added]
- T5756: Verify that users provide consent for permissions from verified publishers (Microsoft 365) [Added]
- P3490: Lack of Role-Based Access Control (RBAC) (Microsoft Azure Foundation) [Added]
- I2467: Verify that user consent for applications is set to allow verified publishers [Added]
- I2470: Verify that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' [Added]
- I2472: Verify that users' ability to access groups features in My Groups is restricted [Added]
- I2473: Verify that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' [Added]
- I2474: Verify that 'Owners can manage group membership requests in My Groups' is set to 'No' [Added]
- I2475: Verify that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' [Added]
- I2478: Test that a custom role is assigned permissions for administering resource locks [Added]
- I2479: Verify that 'Subscription leaving Microsoft Entra tenant' is set to 'Permit no one' [Added]
- T5757: Verify the configuration of Named locations in Conditional Access (Microsoft Entra ID) [Added]
- P3491: Lack of Conditional Access Policies (Microsoft Azure Foundation) [Added]
- I2484: Verify that 'trusted locations' are defined [Added]
- I2485: Verify that an exclusionary geographic Conditional Access policy is considered [Added]
- I2486: Verify that an exclusionary device code flow policy is considered [Added]
- T5758: Verify that Basic or Free SKUs are not used for production workloads (Microsoft Azure) [Added]
- P3492: Inadequate SKU Selection for Production Workloads (Microsoft Azure Foundation) [Added]
- I2496: Verify that SKU Basic/Consumption is not used on monitored artifacts [Added]
- T5759: Verify that virtual network flow logs are captured and sent to Log Analytics (Microsoft Azure) [Added]
- P3493: Lack of Centralized Logging Strategy (Microsoft Azure) [Added]
- I2499: Verify that the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) [Added]
- I2501: Verify that Network Security Group Flow logs are captured and sent to Log Analytics [Added]
- I2502: Verify that logging for Azure AppService 'HTTP logs' is enabled [Added]
- I2503: Verify that virtual network flow logs are captured and sent to Log Analytics [Added]
- I2504: Verify that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination [Added]
- I2505: Verify that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination [Added]
- I2506: Verify that Intune logs are captured and sent to Log Analytics [Added]
- I2518: Verify that Application Insights are Configured [Added]
- T5760: Verify the configuration of network security groups for Azure (Microsoft Azure) [Added]
- P3494: Improperly Configured Network Security Groups (Microsoft Azure Foundation) [Added]
- I2519: Verify that RDP access from the Internet is evaluated and restricted [Added]
- I2520: Verify that SSH access from the Internet is evaluated and restricted [Added]
- I2521: Verify that UDP access from the Internet is evaluated and restricted [Added]
- I2522: Verify that HTTP(S) access from the Internet is evaluated and restricted [Added]
- I2525: Verify that Public IP addresses are Evaluated on a Periodic Basis [Added]
- T5761: Verify that virtual network flow logs are retained for greater than or equal to 90 days (Microsoft Azure) [Added]
- P3495: Lack of Virtual Network Flow Logs Retention (Microsoft Azure Foundation) [Added]
- I2523: Verify that Network Security Group Flow Log retention period is 'greater than 90 days' [Added]
- I2524: Verify that Network Watcher is 'Enabled' for Azure Regions that are in use [Added]
- I2526: Verify that virtual network flow log retention days is set to greater than or equal to 90 [Added]
- T5762: Verify the organization's attack surface is minimized (Microsoft Defender for Cloud) [Added]
- I2533: Verify that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled [Added]
- I2534: Verify that Microsoft Defender for DNS is set to 'On' [Added]
- I2535: Verify that Defender for Servers is set to 'On' [Added]
- I2536: Verify that 'Vulnerability assessment for machines' component status is set to 'On' [Added]
- I2537: Verify that 'Endpoint protection' component status is set to 'On' [Added]
- I2538: Verify that 'Agentless scanning for machines' component status is set to 'On' [Added]
- I2539: Verify that 'File Integrity Monitoring' component status is set to 'On' [Added]
- I2540: Verify that Microsoft Defender for Containers is set to 'On' [Added]
- I2541: Verify that Microsoft Defender for Storage is set to 'On' [Added]
- I2542: Verify that Microsoft Defender for App Services is set to 'On' [Added]
- I2543: Verify that Microsoft Defender for Azure Cosmos DB Is Set To 'On' [Added]
- I2544: Verify that Microsoft Defender for Open-Source Relational Databases Is Set To 'On' [Added]
- I2545: Verify that Microsoft Defender for Azure SQL Databases Is Set To 'On' [Added]
- I2546: Verify that Microsoft Defender for SQL Servers on Machines Is Set To 'On' [Added]
- I2547: Verify that Microsoft Defender for Key Vault is set to 'On' [Added]
- I2548: Test that Microsoft Defender for Resource Manager is set to 'On' [Added]
- I2549: Verify that Microsoft Defender for IoT Hub is set to 'On' [Added]
- T5763: Implement a vulnerability assessment for machines (Microsoft Defender for Cloud) [Added]
- I2400: Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled [Added]
- I2401: [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' [Added]
- I2402: Ensure that Defender for Servers is set to 'On' [Added]
- I2403: Ensure that 'Vulnerability assessment for machines' component status is set to 'On' [Added]
- I2404: Ensure that 'Endpoint protection' component status is set to 'On' [Added]
- I2405: Ensure that 'Agentless scanning for machines' component status is set to 'On' [Added]
- I2406: Ensure that 'File Integrity Monitoring' component status is set to 'On' [Added]
- I2407: Ensure That Microsoft Defender for Containers Is Set To 'On' [Added]
- I2408: Ensure That Microsoft Defender for Storage Is Set To 'On' [Added]
- I2409: Ensure That Microsoft Defender for App Services Is Set To 'On' [Added]
- I2410: Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' [Added]
- I2411: Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' [Added]
- I2412: Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' [Added]
- I2413: Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' [Added]
- I2414: Ensure That Microsoft Defender for Key Vault Is Set To 'On' [Added]
- I2415: Ensure That Microsoft Defender for Resource Manager Is Set To 'On' [Added]
- I2416: Ensure That Microsoft Defender for IoT Hub Is Set To 'On' [Added]
- T5764: Verify the security of Azure Key Vault configurations (Microsoft Azure Key Vault) [Added]
- P3496: Public Network Exposure of Azure Key Vault (Microsoft Azure Foundation) [Added]
- I2555: Verify that Role Based Access Control for Azure Key Vault is enabled [Added]
- I2556: Verify that Public Network Access when using Private Endpoint is disabled [Added]
- I2557: Verify that Private Endpoints are Used for Azure Key Vault [Added]
- I2558: Verify that automatic key rotation is enabled within Azure Key Vault [Added]
- I2559: Verify that Azure Key Vault Managed HSM is used when required [Added]
- I2560: Verify that an Azure Bastion Host Exists [Added]
- T5766: Verify that blob versioning is enabled for data recovery (Microsoft Azure Storage) [Added]
- P3498: Lack of Blob Versioning (Microsoft Azure Foundation) [Added]
- I2565: Verify that 'Versioning' is set to 'Enabled' on Azure Blob Storage [Added]
- I2567: Verify that 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access [Added]
- I2573: Verify that Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts [Added]
- I2574: Verify that Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts [Added]
- I2578: Verify that Private Endpoints are used to access Storage Accounts [Added]
- T5767: Verify that data encryption in transit is enabled (Azure Storage) [Added]
- P3499: Lack of Data Encryption in Transit (Microsoft Azure Foundation) [Added]
- I2566: Verify that 'Secure transfer required' is set to 'Enabled' [Added]
- I2569: Verify that the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' [Added]
- T5768: Implement Network Security Groups for Azure Databricks (Microsoft Azure Databricks) [Added]
- P3487: Lack of Network Traffic Control (Azure Databricks) [Added]
- I2316: Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) [Added]
- I2317: Ensure that network security groups are configured for Databricks subnets [Added]
- I2319: Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks [Added]
- I2320: Ensure that Unity Catalog is configured for Azure Databricks [Added]
- I2321: Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens [Added]
- I2322: Ensure that diagnostic log delivery is configured for Azure Databricks [Added]
- T5769: Implement encryption for data in transit and at rest (Microsoft Azure Databricks) [Added]
- P3488: Lack of Encryption for Data in Transit and at Rest (Microsoft Azure Foundation) [Added]
- I2318: Ensure that traffic is encrypted between cluster worker nodes [Added]
- I2323: Ensure that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK) [Added]
- T5770: Implement Resource Manager Locks to Secure Azure Resources (Microsoft Azure) [Added]
- P3489: Lack of Resource Manager Locks (Microsoft Azure Foundation) [Added]
- I2325: Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' [Added]
- I2326: Ensure that 'Number of methods required to reset' is set to '2' [Added]
- I2327: Ensure that account 'Lockout threshold' is less than or equal to '10' [Added]
- I2328: Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' [Added]
- I2329: Ensure that a 'Custom banned password list' is set to 'Enforce' [Added]
- I2330: Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' [Added]
- I2331: Ensure that 'Notify users on password resets?' is set to 'Yes' [Added]
- I2332: Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' [Added]
- I2333: Ensure that 'User consent for applications' is set to 'Do not allow user consent' [Added]
- I2335: Ensure that 'Users can register applications' is set to 'No' [Added]
- I2336: Ensure that Guest user access is restricted to properties and memberships of their own directory objects [Added]
- I2338: Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' [Added]
- I2343: Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' [Added]
- I2344: Ensure that no custom subscription administrator roles exist [Added]
- I2347: Ensure fewer than 5 users have global administrator assignment [Added]
- I2348: Ensure that 'security defaults' is enabled in Microsoft Entra ID [Added]
- I2358: Ensure that Azure admin accounts are not used for daily operations [Added]
- I2359: Ensure that guest users are reviewed on a regular basis [Added]
- I2360: Ensure that use of the 'User Access Administrator' role is restricted [Added]
- I2361: Ensure that Resource Locks are set for Mission-Critical Azure Resources [Added]
- T5771: Implement Role-Based Access Control (RBAC) in Microsoft 365 (Microsoft 365) [Added]
- P3490: Lack of Role-Based Access Control (RBAC) (Microsoft Azure Foundation) [Added]
- I2334: Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' [Added]
- I2337: Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' [Added]
- I2339: Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' [Added]
- I2340: Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' [Added]
- I2341: Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' [Added]
- I2342: Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' [Added]
- I2345: Ensure that a custom role is assigned permissions for administering resource locks [Added]
- I2346: Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' [Added]
- T5772: Implement Conditional Access Policies (Microsoft Azure Active Directory) [Added]
- P3491: Lack of Conditional Access Policies (Microsoft Azure Foundation) [Added]
- I2351: Ensure that 'trusted locations' are defined [Added]
- I2352: Ensure that an exclusionary geographic Conditional Access policy is considered [Added]
- I2353: Ensure that an exclusionary device code flow policy is considered [Added]
- T5773: Implement a robust logging strategy for Azure services (Microsoft Azure) [Added]
- P3493: Lack of Centralized Logging Strategy (Microsoft Azure) [Added]
- I2366: Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) [Added]
- I2368: Ensure that Network Security Group Flow logs are captured and sent to Log Analytics [Added]
- I2369: Ensure that logging for Azure AppService 'HTTP logs' is enabled [Added]
- I2370: Ensure that virtual network flow logs are captured and sent to Log Analytics [Added]
- I2371: Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination [Added]
- I2372: Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination [Added]
- I2373: Ensure that Intune logs are captured and sent to Log Analytics [Added]
- I2385: Ensure Application Insights are Configured [Added]
- T5774: Configure network security groups to enhance Azure security (Microsoft Azure) [Added]
- P3494: Improperly Configured Network Security Groups (Microsoft Azure Foundation) [Added]
- I2386: Ensure that RDP access from the Internet is evaluated and restricted [Added]
- I2387: Ensure that SSH access from the Internet is evaluated and restricted [Added]
- I2388: Ensure that UDP access from the Internet is evaluated and restricted [Added]
- I2389: Ensure that HTTP(S) access from the Internet is evaluated and restricted [Added]
- I2392: Ensure that Public IP addresses are Evaluated on a Periodic Basis [Added]
- T5775: Enable virtual network flow logs retention (Microsoft Azure) [Added]
- P3495: Lack of Virtual Network Flow Logs Retention (Microsoft Azure Foundation) [Added]
- I2390: Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' [Added]
- I2391: Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use [Added]
- I2393: Ensure that virtual network flow log retention days is set to greater than or equal to 90 [Added]
- T5776: Enhance security by minimizing public exposure of Azure Key Vault (Microsoft Azure Key Vault) [Added]
- P3496: Public Network Exposure of Azure Key Vault (Microsoft Azure Foundation) [Added]
- I2422: Ensure that Role Based Access Control for Azure Key Vault is enabled [Added]
- I2423: Ensure that Public Network Access when using Private Endpoint is disabled [Added]
- I2424: Ensure that Private Endpoints are Used for Azure Key Vault [Added]
- I2425: Ensure automatic key rotation is enabled within Azure Key Vault [Added]
- I2426: Ensure that Azure Key Vault Managed HSM is used when required [Added]
- I2427: Ensure an Azure Bastion Host Exists [Added]
- T5777: Implement soft delete for Azure storage accounts (Microsoft Azure Storage) [Added]
- P3497: Lack of Soft Delete Feature (Microsoft Azure Foundation) [Added]
- I2428: Ensure soft delete for Azure File Shares is Enabled [Added]
- I2429: Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares [Added]
- I2430: Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares [Added]
- I2431: Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled [Added]
- I2435: Ensure Soft Delete is Enabled for Azure Containers and Blob Storage [Added]
- I2437: Ensure 'Cross Tenant Replication' is not enabled [Added]
- I2438: Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' [Added]
- I2439: Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts [Added]
- I2442: Ensure that 'Enable key rotation reminders' is enabled for each Storage Account [Added]
- I2443: Ensure that Storage Account access keys are periodically regenerated [Added]
- I2444: Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' [Added]
- I2446: Ensure that 'Public Network Access' is 'Disabled' for storage accounts [Added]
- I2447: Ensure default network access rule for storage accounts is set to deny [Added]
- I2448: Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled' [Added]
- T5778: Implement blob versioning for data integrity and recovery (Microsoft Azure Storage) [Added]
- P3498: Lack of Blob Versioning (Microsoft Azure Foundation) [Added]
- I2432: Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts [Added]
- I2434: Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access [Added]
- I2440: Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts [Added]
- I2441: Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts [Added]
- I2445: Ensure Private Endpoints are used to access Storage Accounts [Added]
- T5779: Enable data encryption in transit for Azure Storage (Microsoft Azure Storage) [Added]
- P3499: Lack of Data Encryption in Transit (Microsoft Azure Foundation) [Added]
- I2433: Ensure that 'Secure transfer required' is set to 'Enabled' [Added]
- I2436: Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' [Added]
- T5780: Evaluate Azure SKUs for Production Workloads (Microsoft Azure) [Added]
- P3492: Inadequate SKU Selection for Production Workloads (Microsoft Azure Foundation) [Added]
- I2363: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) [Added]
- T5781: Verify password policy settings for user accounts (Azure Windows Member Server) [Added]
- P3500: Weak Password Policies (Azure Windows Member Server) [Added]
- I2803: Verify that 'Enforce password history' is set to '24 or more password(s)' [Added]
- I2804: Verify that the 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I2805: Verify that 'Minimum password age' is set to '1 or more day(s)' [Added]
- I2806: Verify that the minimum password length is set to 14 or more characters [Added]
- I2807: Verify that 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I2808: Verify that 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
- T5782: Verify that sensitive privileges are restricted (Azure Windows Member Server) [Added]
- P3501: Inadequate User Rights Management (Azure Windows Member Server) [Added]
- I2809: Verify that 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I2810: Test that 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only) [Added]
- I2811: Verify that 'Act as part of the operating system' is set to 'No One' [Added]
- I2812: Verify that 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2813: Verify that 'Allow log on locally' is set to 'Administrators' [Added]
- I2814: Verify that 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only) [Added]
- I2815: Verify that 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2816: Verify that 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2817: Verify that 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2818: Verify that 'Create a pagefile' is set to 'Administrators' [Added]
- I2819: Test that 'Create a token object' is set to 'No One' [Added]
- I2820: Verify that 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I2821: Verify that 'Create permanent shared objects' is set to 'No One' [Added]
- I2822: Verify that 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) [Added]
- I2823: Verify that 'Debug programs' is set to 'Administrators' [Added]
- I2824: Test that 'Deny access to this computer from the network' includes 'Guests' [Added]
- I2825: Verify that 'Deny log on as a batch job' includes 'Guests' [Added]
- I2826: Verify that 'Deny log on as a service' includes 'Guests' [Added]
- I2827: Verify that 'Deny log on locally' includes 'Guests' [Added]
- I2828: Verify that 'Deny log on through Remote Desktop Services' includes 'Guests' [Added]
- I2830: Verify that 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I2831: Verify that 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2832: Verify that 'Impersonate a client after authentication' is set correctly [Added]
- I2833: Verify that 'Increase scheduling priority' is set to 'Administrators' [Added]
- I2834: Verify that 'Load and unload device drivers' is set to 'Administrators' [Added]
- I2835: Verify that 'Lock pages in memory' is set to 'No One' [Added]
- I2836: Verify that 'Manage auditing and security log' is set to 'Administrators' (MS only) [Added]
- I2837: Verify that 'Modify an object label' is set to 'No One' [Added]
- I2838: Verify that 'Modify firmware environment values' is set to 'Administrators' [Added]
- I2839: Verify that 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I2840: Verify that 'Profile single process' is set to 'Administrators' [Added]
- I2841: Verify that 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I2842: Verify that 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2843: Verify that 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2844: Verify that 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I2845: Verify that 'Take ownership of files or other objects' is set to 'Administrators' [Added]
- I2853: Verify that 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I2854: Verify that 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
- I2892: Verify that the system shutdown setting is disabled [Added]
- I2946: Verify that WDigest Authentication is set to Disabled [Added]
- I2952: Verify that 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I2969: Verify that 'Do not display network selection UI' is set to 'Enabled' [Added]
- I2975: Verify that 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I2978: Verify that 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I2996: Verify that 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I3010: Verify that 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I3012: Verify that 'Allow user control over installs' is set to 'Disabled' [Added]
- I3013: Verify that 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I3014: Verify that 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I3017: Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3018: Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3019: Verify that 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I3020: Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3021: Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3023: Verify that 'Prevent users from modifying settings' is set to 'Enabled' [Added]
- T5783: Verify the security settings for user accounts and permissions (Azure Windows Member Server) [Added]
- P3502: Unauthorized Access and Impersonation Risks (Azure Windows Member Server) [Added]
- I2829: Verify that 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only) [Added]
- I2846: Verify that 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I2847: Verify that the 'Accounts: Guest account status' is set to 'Disabled' (MS only) [Added]
- I2848: Verify that local account use of blank passwords is limited to console logon only [Added]
- I2849: Test the configuration of the administrator account renaming [Added]
- I2850: Test the configuration of the guest account renaming [Added]
- I2893: Verify that User Account Control is set to Enabled [Added]
- I2894: Verify that User Account Control settings are configured correctly [Added]
- I2895: Verify that User Account Control settings are configured correctly [Added]
- I2896: Verify that 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I2897: Verify that User Account Control settings are properly configured [Added]
- I2898: Verify that 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I2899: Verify that User Account Control is set to Enabled [Added]
- I2900: Verify that User Account Control virtualization settings are enabled [Added]
- I2968: Test that 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I2973: Verify that 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I2974: Verify that 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I2990: Verify that 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
- T5784: Verify the audit policy settings for security events (Azure Windows Member Server) [Added]
- P3503: Lack of Detailed Auditing for Security Events (Azure Windows Member Server) [Added]
- I2851: Verify that the audit policy subcategory settings are enabled [Added]
- I2852: Verify that 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
- I2922: Verify that 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I2923: Verify that 'Audit Security Group Management' includes 'Success' [Added]
- I2924: Verify that 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I2925: Verify that 'Audit PNP Activity' is set to include 'Success' [Added]
- I2926: Verify that 'Audit Process Creation' is set to include 'Success' [Added]
- I2927: Verify that 'Audit Account Lockout' includes 'Success and Failure' [Added]
- I2928: Verify that 'Audit Group Membership' is set to include 'Success' [Added]
- I2929: Verify that 'Audit Logoff' is set to include 'Success' [Added]
- I2930: Verify that 'Audit Logon' is set to 'Success and Failure' [Added]
- I2931: Verify that 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I2932: Verify that 'Audit Special Logon' is set to include 'Success' [Added]
- I2933: Verify that 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I2934: Verify that 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I2935: Verify that 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I2936: Verify that 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I2937: Verify that 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I2938: Verify that 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I2939: Verify that 'Audit Security State Change' is set to include 'Success' [Added]
- I2940: Verify that 'Audit Security System Extension' includes 'Success' [Added]
- I2941: Verify that 'Audit System Integrity' is set to 'Success and Failure' [Added]
- I2957: Verify that 'Include command line in process creation events' is set to 'Enabled' [Added]
- T5785: Verify that secure channel traffic is encrypted and signed (Azure Windows Member Server) [Added]
- P3504: Lack of Encryption and Signing for Secure Channel Traffic (Azure Windows Member Server) [Added]
- I2855: Verify that 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I2856: Verify that 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I2857: Verify that 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I2858: Verify that 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I2859: Verify that the machine account password age is set correctly [Added]
- I2901: Verify that Windows Firewall: Domain: Firewall state is set to On (recommended) [Added]
- I2902: Verify that Windows Firewall: Domain: Inbound connections is set to Block (default) [Added]
- I2903: Verify that Windows Firewall: Domain: Outbound connections is set to Allow (default) [Added]
- I2904: Verify that Windows Firewall logging is configured correctly [Added]
- I2905: Verify that Windows Firewall's logging size limit is set correctly [Added]
- I2906: Verify that Windows Firewall is logging dropped packets [Added]
- I2907: Verify that Windows Firewall logs successful connections [Added]
- T5786: Verify the inactivity limit for logon sessions (Azure Windows Member Server) [Added]
- P3505: Lack of Inactivity Lock Screen Policy (Azure Windows Member Server) [Added]
- I2860: Verify that the 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I2861: Test the interactive logon message configuration [Added]
- I2862: Test the interactive logon message title configuration [Added]
- I2863: Verify that the interactive logon prompts users to change passwords before expiration [Added]
- I3007: Verify that 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I3008: Verify that 'Do not use temporary folders per session' is set to 'Disabled' [Added]
- T5787: Verify that SMB packet signing is required (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2864: Verify that Microsoft network client: Digitally sign communications (always) is set to Enabled [Added]
- I2865: Verify that Microsoft network client: Digitally sign communications (if server agrees) is set to Enabled [Added]
- I2866: Verify that the Microsoft network client: Send unencrypted password to third-party SMB servers is set to Disabled [Added]
- I2867: Verify Microsoft network server session timeout settings [Added]
- I2868: Verify that Microsoft network server: Digitally sign communications (always) is set to Enabled [Added]
- I2869: Verify that Microsoft network server: Digitally sign communications (if client agrees) is set to Enabled [Added]
- I2870: Verify that 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
- I2871: Verify that the Microsoft network server's SPN target name validation level is set correctly [Added]
- I2872: Verify that 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I2873: Verify that 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) [Added]
- I2874: Verify that 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) [Added]
- I2875: Verify that 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I2876: Test that network access for named pipes is configured correctly [Added]
- I2877: Verify that 'Network access: Remotely accessible registry paths' is configured [Added]
- I2878: Verify that 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I2879: Verify that 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I2880: Test that network access restrictions for remote calls to SAM are properly configured [Added]
- I2881: Verify that network access shares are not accessible anonymously [Added]
- I2882: Verify that the network access sharing and security model for local accounts is set to classic [Added]
- I2883: Verify that 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I2884: Verify that 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I2885: Verify that 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I2886: Verify that 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1,..... [Added]
- I2887: Verify that 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I2888: Verify that 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' [Added]
- I2889: Verify that the network security settings are configured correctly [Added]
- I2890: Verify that the network security settings require NTLMv2 session security [Added]
- I2891: Verify that the network security settings require NTLMv2 session security [Added]
- I2953: Verify that 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' [Added]
- I2954: Verify that 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I2955: Verify that 'Hardened UNC Paths' is set to 'Enabled' with required settings [Added]
- I3003: Verify that 'Do not allow drive redirection' is set to 'Enabled' [Added]
- T5788: Test the Windows Firewall settings for network traffic filtering (Azure Windows Member Server) [Added]
- P3506: Lack of Network Traffic Filtering (Azure Windows Member Server) [Added]
- I2908: Verify that Windows Firewall: Private: Firewall state is set to On (recommended) [Added]
- I2909: Verify that Windows Firewall: Private: Inbound connections is set to Block (default) [Added]
- I2910: Verify that 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' [Added]
- I2911: Verify that Windows Firewall logging is configured correctly [Added]
- I2912: Verify that Windows Firewall's logging size limit is set correctly [Added]
- I2913: Verify that Windows Firewall is logging dropped packets [Added]
- I2914: Verify that Windows Firewall logs successful connections [Added]
- I2915: Verify that Windows Firewall: Public: Firewall state is set to On (recommended) [Added]
- I2916: Verify that Windows Firewall: Public: Inbound connections is set to Block (default) [Added]
- I2917: Verify that Windows Firewall: Public: Outbound connections is set to Allow (default) [Added]
- I2918: Verify that Windows Firewall logging is configured correctly [Added]
- I2919: Verify Windows Firewall settings for logging size limit [Added]
- I2920: Verify that Windows Firewall is logging dropped packets [Added]
- I2921: Verify that Windows Firewall logs successful connections [Added]
- T5789: Verify the configuration of SMBv1 client driver service settings (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2942: Verify that 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I2943: Verify that 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I2944: Verify that 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I2945: Verify that 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I2947: Verify that MSS: (DisableIPSourceRouting IPv6) IP source routing protection level is set to Enabled: Highest protection [Added]
- I2948: Verify that MSS: (DisableIPSourceRouting) IP source routing protection level is set to Enabled: Highest protection [Added]
- I2949: Verify that 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I2950: Verify that the computer ignores NetBIOS name release requests [Added]
- T5790: Verify the recommended state for Attack Surface Reduction rules (Azure Windows Member Server) [Added]
- P3508: Excessive Attack Surface Exposure (Azure Windows Member Server) [Added]
- I2951: Verify that 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I2956: Test that 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: ..... [Added]
- I2987: Verify that 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I2988: Verify that 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I2989: Verify that 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I2994: Verify that 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I2995: Verify that the Attack Surface Reduction rules are configured [Added]
- T5791: Verify the security settings for Remote Desktop Connection (Azure Windows Member Server) [Added]
- P3509: Credential Exposure via Remote Desktop Connection (Azure Windows Member Server) [Added]
- I2958: Verify that 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I2959: Verify that Remote host allows delegation of non-exportable credentials is set to Enabled [Added]
- I2976: Verify that 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I2977: Verify that 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I3002: Verify that 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I3022: Verify that 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
- T5792: Verify that Virtualization Based Security is enabled (Azure Windows Member Server) [Added]
- P3510: Firmware Vulnerabilities and Unauthorized Access (Azure Windows Member Server) [Added]
- I2960: Verify that 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I2961: Verify that 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I2962: Verify that 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock' [Added]
- I2963: Verify that 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I2964: Test that 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only) [Added]
- I2965: Verify that 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
- T5793: Verify the implementation of Driver Policy (Azure Windows Member Server) [Added]
- P3511: Lack of Driver Policy (Azure Windows Member Server) [Added]
- I2966: Verify that 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I2967: Verify that 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
- T5794: Verify Remote Desktop Services security settings (Azure Windows Member Server) [Added]
- P3512: Unsecured Remote Procedure Call Communications (Azure Windows Member Server) [Added]
- I2970: Verify that 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I2971: Verify that 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I2972: Verify that 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) [Added]
- I3004: Verify that 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I3005: Verify that 'Require secure RPC communication' is set to 'Enabled' [Added]
- I3006: Verify that 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
- T5795: Verify the Event Log behavior settings (Azure Windows Member Server) [Added]
- P3513: Improper Event Log Configuration (Azure Windows Member Server) [Added]
- I2979: Verify Application Control Event Log behavior when the log file reaches its maximum size [Added]
- I2980: Verify that the maximum log file size is set to 32,768 KB or greater [Added]
- I2981: Verify that Security: Control Event Log behavior is set to Disabled [Added]
- I2982: Verify that the maximum log file size is set to Enabled: 196,608 or greater [Added]
- I2983: Verify that Control Event Log behavior is set to Disabled [Added]
- I2984: Verify that the maximum log file size is set to 32,768 KB or greater [Added]
- I2985: Verify System Control Event Log behavior when the log file reaches its maximum size is set to Disabled [Added]
- I2986: Verify that the maximum log file size is set to 32,768 or greater [Added]
- I3015: Verify that 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
- T5796: Test the policy setting for Potentially Unwanted Applications (Azure Windows Member Server) [Added]
- P3514: Potentially Unwanted Application Vulnerability (Azure Windows Member Server) [Added]
- I2991: Test that 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I2992: Verify that 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I3011: Verify that Windows Defender SmartScreen is configured correctly [Added]
- T5797: Verify the configuration for Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- P3515: Improper Configuration of Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- I2993: Verify that 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I3009: Verify that 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I3016: Verify that 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
- T5798: Verify that email scanning is enabled (Azure Windows Member Server) [Added]
- P3516: Unscanned Scripts and Email Attachments (Azure Windows Member Server) [Added]
- I2997: Verify that 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I2998: Verify that 'Turn off real-time protection' is set to 'Disabled' [Added]
- I2999: Verify that 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I3000: Verify that 'Turn on script scanning' is set to 'Enabled' [Added]
- I3001: Verify that e-mail scanning is set to Enabled [Added]
- T5799: Enforce strong password policies for user accounts (Azure Windows Member Server) [Added]
- P3500: Weak Password Policies (Azure Windows Member Server) [Added]
- I2582: (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' [Added]
- I2583: (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I2584: (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' [Added]
- I2585: (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' [Added]
- I2586: (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I2587: (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
- T5800: Implement strict user rights management (Azure Windows Member Server) [Added]
- P3501: Inadequate User Rights Management (Azure Windows Member Server) [Added]
- I2588: (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I2589: (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only) [Added]
- I2590: (L1) Ensure 'Act as part of the operating system' is set to 'No One' [Added]
- I2591: (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2592: (L1) Ensure 'Allow log on locally' is set to 'Administrators' [Added]
- I2593: (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only) [Added]
- I2594: (L1) Ensure 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2595: (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2596: (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2597: (L1) Ensure 'Create a pagefile' is set to 'Administrators' [Added]
- I2598: (L1) Ensure 'Create a token object' is set to 'No One' [Added]
- I2599: (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I2600: (L1) Ensure 'Create permanent shared objects' is set to 'No One' [Added]
- I2601: (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) [Added]
- I2602: (L1) Ensure 'Debug programs' is set to 'Administrators' [Added]
- I2603: (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' [Added]
- I2604: (L1) Ensure 'Deny log on as a batch job' to include 'Guests' [Added]
- I2605: (L1) Ensure 'Deny log on as a service' to include 'Guests' [Added]
- I2606: (L1) Ensure 'Deny log on locally' to include 'Guests' [Added]
- I2607: (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' [Added]
- I2609: (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I2610: (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2611: (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, ALL SERVICE' and 'IIS_IUSRS' (MS only) [Added]
- I2612: (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' [Added]
- I2613: (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' [Added]
- I2614: (L1) Ensure 'Lock pages in memory' is set to 'No One' [Added]
- I2615: (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) [Added]
- I2616: (L1) Ensure 'Modify an object label' is set to 'No One' [Added]
- I2617: (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' [Added]
- I2618: (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I2619: (L1) Ensure 'Profile single process' is set to 'Administrators' [Added]
- I2620: (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I2621: (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2622: (L1) Ensure 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2623: (L1) Ensure 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I2624: (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' [Added]
- I2632: (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I2633: (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
- I2671: (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' [Added]
- I2725: (L1) Ensure 'WDigest Authentication' is set to 'Disabled' [Added]
- I2731: (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I2748: (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' [Added]
- I2754: (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I2757: (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I2775: (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I2789: (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I2791: (L1) Ensure 'Allow user control over installs' is set to 'Disabled' [Added]
- I2792: (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I2793: (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I2796: (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I2797: (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I2798: (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I2799: (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I2800: (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I2802: (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' [Added]
- T5801: Enhance security posture of Active Directory environment (Azure Windows Member Server) [Added]
- P3502: Unauthorized Access and Impersonation Risks (Azure Windows Member Server) [Added]
- I2608: (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only) [Added]
- I2625: (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I2626: (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only) [Added]
- I2627: (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' [Added]
- I2628: (L1) Configure 'Accounts: Rename administrator account' [Added]
- I2629: (L1) Configure 'Accounts: Rename guest account' [Added]
- I2672: (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' [Added]
- I2673: (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to ........ [Added]
- I2674: (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' [Added]
- I2675: (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I2676: (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' [Added]
- I2677: (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I2678: (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' [Added]
- I2679: (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' [Added]
- I2747: (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I2752: (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I2753: (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I2769: (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
- T5802: Implement detailed auditing for security events (Azure Windows Member Server) [Added]
- P3503: Lack of Detailed Auditing for Security Events (Azure Windows Member Server) [Added]
- I2630: (L1) Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled' [Added]
- I2631: (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
- I2701: (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I2702: (L1) Ensure 'Audit Security Group Management' is set to include 'Success' [Added]
- I2703: (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I2704: (L1) Ensure 'Audit PNP Activity' is set to include 'Success' [Added]
- I2705: (L1) Ensure 'Audit Process Creation' is set to include 'Success' [Added]
- I2706: (L1) Ensure 'Audit Account Lockout' is set to include 'Success and Failure' [Added]
- I2707: (L1) Ensure 'Audit Group Membership' is set to include 'Success' [Added]
- I2708: (L1) Ensure 'Audit Logoff' is set to include 'Success' [Added]
- I2709: (L1) Ensure 'Audit Logon' is set to 'Success and Failure' [Added]
- I2710: (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I2711: (L1) Ensure 'Audit Special Logon' is set to include 'Success' [Added]
- I2712: (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I2713: (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I2714: (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I2715: (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I2716: (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I2717: (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I2718: (L1) Ensure 'Audit Security State Change' is set to include 'Success' [Added]
- I2719: (L1) Ensure 'Audit Security System Extension' is set to include 'Success' [Added]
- I2720: (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' [Added]
- I2736: (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' [Added]
- T5803: Configure secure channel traffic encryption and signing (Azure Windows Member Server) [Added]
- P3504: Lack of Encryption and Signing for Secure Channel Traffic (Azure Windows Member Server) [Added]
- I2634: (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I2635: (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I2636: (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I2637: (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I2638: (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' [Added]
- I2680: (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' [Added]
- I2681: (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' [Added]
- I2682: (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' [Added]
- I2683: (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' [Added]
- I2684: (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I2685: (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' [Added]
- I2686: (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' [Added]
- T5804: Implement an inactivity lock screen policy for Windows systems (Azure Windows Member Server) [Added]
- P3505: Lack of Inactivity Lock Screen Policy (Azure Windows Member Server) [Added]
- I2639: (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I2640: (L1) Configure 'Interactive logon: Message text for users attempting to log on' [Added]
- I2641: (L1) Configure 'Interactive logon: Message title for users attempting to log on' [Added]
- I2642: (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' [Added]
- I2786: (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I2787: (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' [Added]
- T5805: Enable SMB packet signing for secure data transmission (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2643: (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I2644: (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' [Added]
- I2645: (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' [Added]
- I2646: (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' [Added]
- I2647: (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I2648: (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' [Added]
- I2649: (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
- I2650: (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) [Added]
- I2651: (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I2652: (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) [Added]
- I2653: (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) [Added]
- I2654: (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I2655: (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only) [Added]
- I2656: (L1) Ensure 'Network access: Remotely accessible registry paths' is configured [Added]
- I2657: (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I2658: (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I2659: (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) [Added]
- I2660: (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' [Added]
- I2661: (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' [Added]
- I2662: (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I2663: (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I2664: (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I2665: (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1,...' [Added]
- I2666: (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I2667: (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' [Added]
- I2668: (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher [Added]
- I2669: (L1) Ensure 'Network security: Minimum session security for NTLM SSP based clients' is set to ...... [Added]
- I2670: (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to ......... [Added]
- I2732: (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' [Added]
- I2733: (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I2734: (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for ..... [Added]
- I2782: (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' [Added]
- T5806: Implement Windows Firewall with Advanced Security (Azure Windows Member Server) [Added]
- P3506: Lack of Network Traffic Filtering (Azure Windows Member Server) [Added]
- I2687: (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' [Added]
- I2688: (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' [Added]
- I2689: (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' [Added]
- I2690: (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' [Added]
- I2691: (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I2692: (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' [Added]
- I2693: (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' [Added]
- I2694: (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' [Added]
- I2695: (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' [Added]
- I2696: (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' [Added]
- I2697: (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' [Added]
- I2698: (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I2699: (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' [Added]
- I2700: (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' [Added]
- T5807: Disable outdated SMBv1 protocol (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2721: (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I2722: (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I2723: (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I2724: (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I2726: (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to ....... [Added]
- I2727: (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to ..... [Added]
- I2728: (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I2729: (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except ...... [Added]
- T5808: Implement Attack Surface Reduction Rules (Azure Windows Member Server) [Added]
- P3508: Excessive Attack Surface Exposure (Azure Windows Member Server) [Added]
- I2730: (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I2735: (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: ..... [Added]
- I2766: (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I2767: (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I2768: (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I2773: (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I2774: (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured [Added]
- T5809: Enable Windows Defender Remote Credential Guard (Azure Windows Member Server) [Added]
- P3509: Credential Exposure via Remote Desktop Connection (Azure Windows Member Server) [Added]
- I2737: (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I2738: (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' [Added]
- I2755: (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I2756: (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I2781: (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I2801: (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
- T5810: Enhance security posture with Virtualization Based Security (Azure Windows Member Server) [Added]
- P3510: Firmware Vulnerabilities and Unauthorized Access (Azure Windows Member Server) [Added]
- I2739: (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I2740: (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I2741: (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' [Added]
- I2742: (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I2743: (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only) [Added]
- I2744: (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
- T5811: Implement Driver Policy (Azure Windows Member Server) [Added]
- P3511: Lack of Driver Policy (Azure Windows Member Server) [Added]
- I2745: (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I2746: (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
- T5812: Enhance security of Remote Procedure Call communications (Azure Windows Member Server) [Added]
- P3512: Unsecured Remote Procedure Call Communications (Azure Windows Member Server) [Added]
- I2749: (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I2750: (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I2751: (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) [Added]
- I2783: (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I2784: (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' [Added]
- I2785: (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
- T5813: Configure Event Log Settings for Data Integrity (Azure Windows Member Server) [Added]
- P3513: Improper Event Log Configuration (Azure Windows Member Server) [Added]
- I2758: (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2759: (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I2760: (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2761: (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' [Added]
- I2762: (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2763: (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I2764: (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2765: (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I2794: (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
- T5814: Block potentially unwanted applications with Microsoft Defender Antivirus (Azure Windows Member Server) [Added]
- P3514: Potentially Unwanted Application Vulnerability (Azure Windows Member Server) [Added]
- I2770: (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I2771: (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I2790: (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' [Added]
- T5815: Configure Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- P3515: Improper Configuration of Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- I2772: (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I2788: (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I2795: (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
- T5816: Scan scripts and email attachments for threats (Azure Windows Member Server) [Added]
- P3516: Unscanned Scripts and Email Attachments (Azure Windows Member Server) [Added]
- I2776: (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I2777: (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' [Added]
- I2778: (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I2779: (L1) Ensure 'Turn on script scanning' is set to 'Enabled' [Added]
- I2780: (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' [Added]
- T5817: Verify the policy settings for Windows security features (Azure Windows Member Server) [Added]
- P3517: Lack of policy settings for Windows security features (Azure Windows Member Server) [Added]
- I3031: Verify that 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3032: Verify that the default permissions of internal system objects are strengthened [Added]
- I3033: Verify that 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
- I3034: Verify that the registry policy processing is configured correctly [Added]
- I3035: Verify that the registry policy processing is configured correctly [Added]
- I3036: Verify that 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3037: Verify that 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
- T5818: Enforce policy settings for Windows security features (Azure Windows Member Server) [Added]
- P3517: Lack of policy settings for Windows security features (Azure Windows Member Server) [Added]
- I3024: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3025: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' [Added]
- I3026: Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
- I3027: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' [Added]
- I3028: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' [Added]
- I3029: Ensure 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3030: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
- T5819: Configure Kafka Brokers to Use TLS for Data in Transit [Added]
- P3518: Lack of Encryption for Data in Transit (Apache Kafka) [Added]
- T5820: Set up Kafka to authenticate all connections [Added]
- P3519: Lack of Authentication in Kafka Connections (Apache Kafka) [Added]
- T5821: Enable TLS and SASL Authentication for ZooKeeper [Added]
- P3520: Lack of TLS and SASL Authentication (ZooKeeper) [Added]
- T5822: Deploy a Consistent, Secure Configuration Across All Brokers [Added]
- P3521: Inconsistent and Insecure Broker Configuration (Distributed Messaging Systems) [Added]
- T5823: Enable Detailed Logging and Auditing in Kafka [Added]
- P3522: Lack of Detailed Logging and Auditing (Kafka) [Added]
- T5824: Deploy Kafka in a Segmented Network Zone [Added]
- P3523: Network Segmentation Weakness in Kafka Deployment [Added]
- T5825: Implement Encryption for Kafka Log and Data Directories [Added]
- P3524: Lack of Encryption for Kafka Log and Data Directories (Apache Kafka) [Added]
- T5826: Leverage Kafka’s Quota Features [Added]
- P3525: Lack of Resource Quotas (Apache Kafka) [Added]
- T5827: Protect Sensitive Configuration Values [Added]
- P3526: Exposure of Sensitive Configuration Values (General Software) [Added]
- T5828: Enable Transport Layer Security (TLS) for gRPC Communications [Added]
- P3527: Lack of Transport Layer Security (TLS) in gRPC Communications (gRPC) [Added]
- T5829: Use Mutual TLS for Authentication [Added]
- P3528: Lack of Mutual TLS Authentication (gRPC Services) [Added]
- T5830: Configure gRPC to use only modern TLS versions [Added]
- P3529: Use of Outdated TLS Versions and Weak Cipher Suites (gRPC) [Added]
- T5831: Turn off gRPC server reflection in production [Added]
- P3530: Exposed gRPC Server Reflection (gRPC Server) [Added]
- T5832: Design Idempotent Methods for Critical Operations [Added]
- P3531: Replay Attack Vulnerability in Critical Operations (gRPC Services) [Added]
- T5833: Enforce Rate Limiting on gRPC Endpoints [Added]
- P3532: Lack of Rate Limiting on gRPC Endpoints (gRPC Services) [Added]
- T5834: Tune gRPC server settings to constrain resource usage [Added]
- P3533: Resource Exhaustion Vulnerability (gRPC Server) [Added]
- T5835: Maintain Secure Deployment Configurations [Added]
- P3534: Misconfigured Deployment Settings (gRPC) [Added]
- T5836: Deploy gRPC services in a segmented network zone with strict firewall rules [Added]
- P3535: Improper Network Segmentation and Access Control (gRPC Services) [Added]
- T5837: Enable detailed logging on the gRPC server [Added]
- P3536: Lack of Detailed Logging (gRPC Server) [Added]
- T5838: Set up monitoring dashboards and automated alerts [Added]
- P3537: Lack of Real-Time Monitoring and Alerting (gRPC) [Added]
- T5839: Keep gRPC server application and OS up to date with security patches [Added]
- P3538: Outdated Software Vulnerabilities (gRPC Server) [Added]
- T5840: Enforce strong password policies for user accounts (Azure Windows Domain Controller) [Added]
- P3539: Weak Password Policies (Azure Windows Domain Controller) [Added]
- I3043: (L1 - DC) Ensure 'Enforce password history' is set to '24 or more password(s)' [Added]
- I3044: (L1 - DC) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I3045: (L1 - DC) Ensure 'Minimum password age' is set to '1 or more day(s)' [Added]
- I3046: (L1 - DC) Ensure 'Minimum password length' is set to '14 or more character(s)' [Added]
- I3047: (L1 - DC) Ensure 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I3048: (L1 - DC) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
- T5841: Implement strict user rights for sensitive privileges (Azure Windows Domain Controller) [Added]
- P3540: Excessive User Privileges (Azure Windows Domain Controller) [Added]
- I3049: (L1 - DC) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I3050: (L1 - DC) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, .....' (DC only) [Added]
- I3051: (L1 - DC) Ensure 'Act as part of the operating system' is set to 'No One' [Added]
- I3052: (L1 - DC) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only) [Added]
- I3053: (L1 - DC) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3054: (L1 - DC) Ensure 'Allow log on locally' is set to 'Administrators' [Added]
- I3055: (L1 - DC) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only) [Added]
- I3056: (L1 - DC) Ensure 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3057: (L1 - DC) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3058: (L1 - DC) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3059: (L1 - DC) Ensure 'Create a pagefile' is set to 'Administrators' [Added]
- I3060: (L1 - DC) Ensure 'Create a token object' is set to 'No One' [Added]
- I3061: (L1 - DC) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I3062: (L1 - DC) Ensure 'Create permanent shared objects' is set to 'No One' [Added]
- I3063: (L1 - DC) Ensure 'Create symbolic links' is set to 'Administrators' (DC only) [Added]
- I3064: (L1 - DC) Ensure 'Debug programs' is set to 'Administrators' [Added]
- I3065: (L1 - DC) Ensure 'Deny access to this computer from the network' to include 'Guests' [Added]
- I3066: (L1 - DC) Ensure 'Deny log on as a batch job' to include 'Guests' [Added]
- I3067: (L1 - DC) Ensure 'Deny log on as a service' to include 'Guests' [Added]
- I3068: (L1 - DC) Ensure 'Deny log on locally' to include 'Guests' [Added]
- I3069: (L1 - DC) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' [Added]
- I3070: (L1 - DC) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only) [Added]
- I3071: (L1 - DC) Ensure 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I3072: (L1 - DC) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3073: (L1 - DC) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only) [Added]
- I3074: (L1 - DC) Ensure 'Increase scheduling priority' is set to 'Administrators' [Added]
- I3075: (L1 - DC) Ensure 'Load and unload device drivers' is set to 'Administrators' [Added]
- I3076: (L1 - DC) Ensure 'Lock pages in memory' is set to 'No One' [Added]
- I3077: (L1 - DC) Ensure 'Manage auditing and security log' is set to 'Administrators' and 'Exchange Servers' (DC only) [Added]
- I3078: (L1 - DC) Ensure 'Modify an object label' is set to 'No One' [Added]
- I3079: (L1 - DC) Ensure 'Modify firmware environment values' is set to 'Administrators' [Added]
- I3080: (L1 - DC) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I3081: (L1 - DC) Ensure 'Profile single process' is set to 'Administrators' [Added]
- I3082: (L1 - DC) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I3083: (L1 - DC) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3084: (L1 - DC) Ensure 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3085: (L1 - DC) Ensure 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I3086: (L1 - DC) Ensure 'Synchronize directory service data' is set to 'No One' (DC only) [Added]
- I3087: (L1 - DC) Ensure 'Take ownership of files or other objects' is set to 'Administrators' [Added]
- T5842: Restrict unauthorized Microsoft account creation (Azure Windows Domain Controller) [Added]
- P3541: Unauthorized Microsoft Account Creation (Azure Windows Domain Controller) [Added]
- I3088: (L1 - DC) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I3089: (L1 - DC) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' [Added]
- I3090: (L1 - DC) Configure 'Accounts: Rename administrator account' [Added]
- I3091: (L1 - DC) Configure 'Accounts: Rename guest account' [Added]
- T5843: Enhance security monitoring with precise auditing capabilities (Azure Windows Domain Controller) [Added]
- P3542: Inadequate Security Monitoring Due to Insufficient Auditing Capabilities (Azure Windows Domain Controller) [Added]
- I3092: (L1 - DC) Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled' [Added]
- I3093: (L1 - DC) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
- T5844: Restrict access to removable NTFS media (Azure Windows Domain Controller) [Added]
- P3543: Unauthorized Access to Removable NTFS Media (Azure Windows Domain Controller) [Added]
- I3094: (L1 - DC) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I3095: (L1 - DC) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
- T5845: Ensure secure LDAP communications with signing requirements (Azure Windows Domain Controller) [Added]
- P3544: Unsigned LDAP Communications (Azure Windows Domain Controller) [Added]
- I3096: (L1 - DC) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) [Added]
- I3097: (L1 - DC) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only) [Added]
- I3098: (L1 - DC) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) [Added]
- I3099: (L1 - DC) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) [Added]
- I3100: (L1 - DC) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) [Added]
- T5846: Ensure secure channel traffic is signed and encrypted (Group Policy Management) [Added]
- P3545: Lack of Encryption and Signing in Secure Channel Traffic (Azure Windows Domain Controller) [Added]
- I3101: (L1 - DC) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I3102: (L1 - DC) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I3103: (L1 - DC) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I3104: (L1 - DC) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I3105: (L1 - DC) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' [Added]
- T5847: Implement an inactivity lock screen policy (Azure Windows Domain Controller) [Added]
- P3546: Lack of Inactivity Lock Screen Policy (Azure Windows Domain Controller) [Added]
- I3106: (L1 - DC) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I3107: (L1 - DC) Configure 'Interactive logon: Message text for users attempting to log on' [Added]
- I3108: (L1 - DC) Configure 'Interactive logon: Message title for users attempting to log on' [Added]
- I3109: (L1 - DC) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' [Added]
- T5848: Enhance SMB Security by Enabling Packet Signing (Azure Windows Domain Controller) [Added]
- P3547: Lack of SMB Packet Signing and Use of Plaintext Passwords (Azure Windows Domain Controller) [Added]
- I3110: (L1 - DC) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I3111: (L1 - DC) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' [Added]
- I3112: (L1 - DC) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' [Added]
- T5849: Configure SMB session security settings (Azure Windows Domain Controller) [Added]
- P3548: Improper Session Management and Lack of Packet Signing (Azure Windows Domain Controller) [Added]
- I3113: (L1 - DC) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' [Added]
- I3114: (L1 - DC) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I3115: (L1 - DC) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' [Added]
- I3116: (L1 - DC) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
- T5850: Restrict anonymous access to enhance network security (Azure Windows Domain Controller) [Added]
- P3549: Anonymous Access to Network Resources (Azure Windows Domain Controller) [Added]
- I3117: (L1 - DC) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I3118: (L1 - DC) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I3119: (L1 - DC) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only) [Added]
- I3120: (L1 - DC) Configure 'Network access: Remotely accessible registry paths' is configured [Added]
- I3121: (L1 - DC) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I3122: (L1 - DC) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I3123: (L1 - DC) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' [Added]
- I3124: (L1 - DC) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - ..... [Added]
- T5851: Enhance NTLM Authentication Settings for Windows Security (Azure Windows Domain Controller) [Added]
- P3550: Weak NTLM Authentication Protocols (Azure Windows Domain Controller) [Added]
- I3125: (L1 - DC) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I3126: (L1 - DC) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I3127: (L1 - DC) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I3128: (L1 - DC) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, ..... [Added]
- I3129: (L1 - DC) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I3130: (L1 - DC) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' [Added]
- I3131: (L1 - DC) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher [Added]
- I3132: (L1 - DC) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to ..... [Added]
- I3133: (L1 - DC) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to ..... [Added]
- T5852: Restrict shutdown capabilities to authenticated users only (Azure Windows Domain Controller) [Added]
- P3551: Unauthorized System Shutdown (Azure Windows Domain Controller) [Added]
- I3134: (L1 - DC) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' [Added]
- T5853: Enable case sensitivity in Windows environment (Azure Windows Domain Controller) [Added]
- P3552: Case Insensitivity in File Systems (Azure Windows Domain Controller) [Added]
- I3135: (L1 - DC) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3136: (L1 - DC) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' [Added]
- T5854: Enhance security posture with User Account Control settings (Azure Windows Domain Controller) [Added]
- P3553: Insufficient User Privilege Management (Azure Windows Domain Controller) [Added]
- I3137: (L1 - DC) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' [Added]
- I3138: (L1 - DC) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to ..... [Added]
- I3139: (L1 - DC) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to ..... [Added]
- I3140: (L1 - DC) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I3141: (L1 - DC) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' [Added]
- I3142: (L1 - DC) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I3143: (L1 - DC) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' [Added]
- I3144: (L1 - DC) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' [Added]
- T5855: Disable print job spooling service (Azure Windows Domain Controller) [Added]
- P3554: Unauthorized Access to Print Jobs (Azure Windows Domain Controller) [Added]
- I3145: (L1 - DC) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) [Added]
- T5856: Enable logging for network traffic in Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3555: Lack of Network Traffic Visibility (Azure Windows Domain Controller) [Added]
- I3146: (L1 - DC) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' [Added]
- I3147: (L1 - DC) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' [Added]
- I3148: (L1 - DC) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' [Added]
- I3149: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' [Added]
- I3150: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I3151: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' [Added]
- I3152: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' [Added]
- T5857: Enable logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3556: Lack of Logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- I3153: (L1 - DC) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' [Added]
- I3154: (L1 - DC) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' [Added]
- I3155: (L1 - DC) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' [Added]
- I3156: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' [Added]
- I3157: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I3158: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' [Added]
- I3159: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' [Added]
- T5858: Implement logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3557: Lack of Logging for Network Traffic (Azure Windows Domain Controller) [Added]
- I3160: (L1 - DC) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' [Added]
- I3161: (L1 - DC) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' [Added]
- I3162: (L1 - DC) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' [Added]
- I3163: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' [Added]
- I3164: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I3165: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' [Added]
- I3166: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' [Added]
- T5859: Strengthen security posture through comprehensive Windows audit policies (Azure Windows Domain Controller) [Added]
- P3558: Lack of visibility into unauthorized or suspicious user and system activities (Azure Windows Domain Controller) [Added]
- I3167: (L1 - DC) Ensure 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I3168: (L1 - DC) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) [Added]
- I3169: (L1 - DC) Ensure 'Audit Computer Account Management' is set to include 'Success and Failure' (DC only) [Added]
- I3170: (L1 - DC) Ensure 'Audit Distribution Group Management' is set to include 'Success and Failure' (DC only) [Added]
- I3171: (L1 - DC) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) [Added]
- I3172: (L1 - DC) Ensure 'Audit Security Group Management' is set to include 'Success' [Added]
- I3173: (L1 - DC) Ensure 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I3174: (L1 - DC) Ensure 'Audit PNP Activity' is set to include 'Success' [Added]
- I3175: (L1 - DC) Ensure 'Audit Process Creation' is set to include 'Success' [Added]
- I3176: (L1 - DC) Ensure 'Audit Account Lockout' is set to include 'Success and Failure' [Added]
- I3177: (L1 - DC) Ensure 'Audit Group Membership' is set to include 'Success' [Added]
- I3178: (L1 - DC) Ensure 'Audit Logoff' is set to include 'Success' [Added]
- I3179: (L1 - DC) Ensure 'Audit Logon' is set to 'Success and Failure' [Added]
- I3180: (L1 - DC) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I3181: (L1 - DC) Ensure 'Audit Special Logon' is set to include 'Success' [Added]
- I3182: (L1 - DC) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I3183: (L1 - DC) Ensure 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I3184: (L1 - DC) Ensure 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I3185: (L1 - DC) Ensure 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I3186: (L1 - DC) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I3187: (L1 - DC) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I3188: (L1 - DC) Ensure 'Audit Security State Change' is set to include 'Success' [Added]
- I3189: (L1 - DC) Ensure 'Audit Security System Extension' is set to include 'Success' [Added]
- I3190: (L1 - DC) Ensure 'Audit System Integrity' is set to 'Success and Failure' [Added]
- T5860: Disable automatic learning to protect user privacy (Azure Windows Domain Controller) [Added]
- P3559: Automatic Learning Enabled (Azure Windows Domain Controller) [Added]
- I3191: (L1 - DC) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
- T5861: Enhance security posture by disabling SMBv1 and WDigest authentication (Azure Windows Domain Controller) [Added]
- P3560: Outdated Protocol and Credential Theft Vulnerabilities (Azure Windows Domain Controller) [Added]
- I3192: (L1 - DC) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I3193: (L1 - DC) Ensure 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I3194: (L1 - DC) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I3195: (L1 - DC) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I3196: (L1 - DC) Ensure 'WDigest Authentication' is set to 'Disabled' [Added]
- T5862: Enhance network security by disabling IP source routing and ICMP redirects (Azure Windows Domain Controller) [Added]
- P3561: IP Source Routing and ICMP Redirects Enabled (Azure Windows Domain Controller) [Added]
- I3197: (L1 - DC) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to ..... [Added]
- I3198: (L1 - DC) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to ..... [Added]
- I3199: (L1 - DC) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I3200: (L1 - DC) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' ..... [Added]
- T5863: Implement secure access to UNC paths (Azure Windows Domain Controller) [Added]
- P3562: Insecure Access to UNC Paths (Azure Windows Domain Controller) [Added]
- I3201: (L1 - DC) Ensure 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I3202: (L1 - DC) Ensure 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I3203: (L1 - DC) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' [Added]
- I3204: (L1 - DC) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I3205: (L1 - DC) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for ..... [Added]
- I3206: (L1 - DC) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to ..... [Added]
- T5864: Enhance security posture with Virtualization Based Security (Azure Windows Domain Controller) [Added]
- P3563: Lack of Virtualization Based Security (Azure Windows Domain Controller) [Added]
- I3207: (L1 - DC) Ensure 'Include command line in process creation events' is set to 'Enabled' [Added]
- I3208: (L1 - DC) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I3209: (L1 - DC) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' [Added]
- I3210: (NG - DC) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I3211: (NG - DC) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I3212: (NG - DC) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to ..... [Added]
- I3213: (NG - DC) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I3214: (NG - DC) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only) [Added]
- I3215: (NG - DC) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
- I3216: (L1 - DC) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I3217: (L1 - DC) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' [Added]
- I3218: (L1 - DC) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' [Added]
- I3219: (L1 - DC) Ensure 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3220: (L1 - DC) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
- I3221: (L1 - DC) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
- I3222: (L1 - DC) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I3223: (L1 - DC) Ensure 'Do not display network selection UI' is set to 'Enabled' [Added]
- I3224: (L1 - DC) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I3225: (L1 - DC) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I3226: (L1 - DC) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only) [Added]
- T5865: Implement Attack Surface Reduction Rules (Azure Windows Domain Controller) [Added]
- P3564: Lack of Attack Surface Reduction Rules (Azure Windows Domain Controller) [Added]
- I3227: (L1 - DC) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I3228: (L1 - DC) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I3229: (L1 - DC) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I3230: (L1 - DC) Ensure 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I3231: (L1 - DC) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I3232: (L1 - DC) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I3233: (L1 - DC) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3234: (L1 - DC) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I3235: (L1 - DC) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3236: (L1 - DC) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' [Added]
- I3237: (L1 - DC) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3238: (L1 - DC) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I3239: (L1 - DC) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3240: (L1 - DC) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I3241: (L1 - DC) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I3242: (L1 - DC) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I3243: (L1 - DC) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I3244: (L1 - DC) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
- I3245: (L1 - DC) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I3246: (L1 - DC) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I3247: (L1 - DC) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I3248: (L1 - DC) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I3249: (L1 - DC) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured [Added]
- I3250: (L1 - DC) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I3251: (L1 - DC) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I3252: (L1 - DC) Ensure 'Turn off real-time protection' is set to 'Disabled' [Added]
- I3253: (L1 - DC) Ensure 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I3254: (L1 - DC) Ensure 'Turn on script scanning' is set to 'Enabled' [Added]
- I3255: (L1 - DC) Ensure 'Turn on e-mail scanning' is set to 'Enabled' [Added]
- I3256: (L1 - DC) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I3257: (L1 - DC) Ensure 'Do not allow drive redirection' is set to 'Enabled' [Added]
- I3258: (L1 - DC) Ensure 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I3259: (L1 - DC) Ensure 'Require secure RPC communication' is set to 'Enabled' [Added]
- I3260: (L1 - DC) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
- I3261: (L1 - DC) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I3262: (L1 - DC) Ensure 'Do not use temporary folders per session' is set to 'Disabled' [Added]
- I3263: (L1 - DC) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I3264: (L1 - DC) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I3265: (L1 - DC) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' [Added]
- I3266: (L1 - DC) Ensure 'Allow user control over installs' is set to 'Disabled' [Added]
- I3267: (L1 - DC) Ensure 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I3268: (L1 - DC) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I3269: (L1 - DC) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
- I3270: (L1 - DC) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
- I3271: (L1 - DC) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3272: (L1 - DC) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3273: (L1 - DC) Ensure 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I3274: (L1 - DC) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3275: (L1 - DC) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3276: (L1 - DC) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
- I3277: (L1 - DC) Ensure 'Prevent users from modifying settings' is set to 'Enabled' [Added]
- T5866: Verify password policy settings for user accounts (Azure Windows Domain Controller) [Added]
- P3539: Weak Password Policies (Azure Windows Domain Controller) [Added]
- I3278: (L1 - DC) Verify that 'Enforce password history' is set to '24 or more password(s)' [Added]
- I3279: (L1 - DC) Verify that 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I3280: (L1 - DC) Verify that 'Minimum password length' is set to '14 or more character(s)' [Added]
- I3281: (L1 - DC) Verify that the minimum password length is set to 14 or more characters [Added]
- I3282: (L1 - DC) Verify that 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I3283: (L1 - DC) Verify that 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
- T5867: Verify that user rights are assigned correctly (Azure Windows Domain Controller) [Added]
- P3540: Excessive User Privileges (Azure Windows Domain Controller) [Added]
- I3284: (L1 - DC) Verify that 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I3285: (L1 - DC) Verify that 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' [Added]
- I3286: (L1 - DC) Verify that 'Act as part of the operating system' is set to 'No One' [Added]
- I3287: (L1 - DC) Verify that 'Add workstations to domain' is set to 'Administrators' (DC only) [Added]
- I3288: (L1 - DC) Verify that 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3289: (L1 - DC) Verify that 'Allow log on locally' is set to 'Administrators' [Added]
- I3290: (L1 - DC) Verify that 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only) [Added]
- I3291: (L1 - DC) Verify that 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3292: (L1 - DC) Verify that 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3293: (L1 - DC) Verify that 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3294: (L1 - DC) Verify that 'Create a pagefile' is set to 'Administrators' [Added]
- I3295: (L1 - DC) Verify that 'Create a token object' is set to 'No One' [Added]
- I3296: (L1 - DC) Verify that 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I3297: (L1 - DC) Verify that 'Create permanent shared objects' is set to 'No One' [Added]
- I3298: (L1 - DC) Verify that 'Create symbolic links' is set to 'Administrators' (DC only) [Added]
- I3299: (L1 - DC) Verify that 'Debug programs' is set to 'Administrators' [Added]
- I3300: (L1 - DC) Verify that 'Deny access to this computer from the network' includes 'Guests' [Added]
- I3301: (L1 - DC) Verify that 'Deny log on as a batch job' includes 'Guests' [Added]
- I3302: (L1 - DC) Verify that 'Deny log on as a service' includes 'Guests' [Added]
- I3303: (L1 - DC) Verify that 'Deny log on locally' includes 'Guests' [Added]
- I3304: (L1 - DC) Verify that 'Deny log on through Remote Desktop Services' includes 'Guests' [Added]
- I3305: (L1 - DC) Verify that 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only) [Added]
- I3306: (L1 - DC) Verify that 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I3307: (L1 - DC) Verify that 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3308: (L1 - DC) Test that 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I3309: (L1 - DC) Verify that 'Increase scheduling priority' is set to 'Administrators' [Added]
- I3310: (L1 - DC) Verify that 'Load and unload device drivers' is set to 'Administrators' [Added]
- I3311: (L1 - DC) Verify that 'Lock pages in memory' is set to 'No One' [Added]
- I3312: (L1 - DC) Verify that the auditing and security log management is configured correctly [Added]
- I3313: (L1 - DC) Verify that 'Modify an object label' is set to 'No One' [Added]
- I3314: (L1 - DC) Verify that 'Modify firmware environment values' is set to 'Administrators' [Added]
- I3315: (L1 - DC) Verify that 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I3316: (L1 - DC) Verify that 'Profile single process' is set to 'Administrators' [Added]
- I3317: (L1 - DC) Verify that 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I3318: (L1 - DC) Verify that 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3319: (L1 - DC) Verify that 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3320: (L1 - DC) Verify that 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I3321: (L1 - DC) Verify that 'Synchronize directory service data' is set to 'No One' (DC only) [Added]
- I3322: (L1 - DC) Verify that 'Take ownership of files or other objects' is set to 'Administrators' [Added]
- T5868: Verify that users can't add or log on with Microsoft accounts (Azure Windows Domain Controller) [Added]
- P3541: Unauthorized Microsoft Account Creation (Azure Windows Domain Controller) [Added]
- I3323: (L1 - DC) Verify that 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I3324: (L1 - DC) Verify that local account use of blank passwords is limited to console logon only [Added]
- I3325: (L1 - DC) Test that the administrator account is renamed [Added]
- I3326: (L1 - DC) Test the configuration of 'Accounts: Rename guest account' [Added]
- T5869: Verify the audit policy settings for Windows Vista or later (Azure Windows Domain Controller) [Added]
- P3542: Inadequate Security Monitoring Due to Insufficient Auditing Capabilities (Azure Windows Domain Controller) [Added]
- I3327: (L1 - DC) Verify that the audit policy subcategory settings are enabled [Added]
- I3328: (L1 - DC) Verify that 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
- T5870: Verify the policy setting for removable NTFS media and printer driver installation (Azure Windows Domain Controller) [Added]
- P3543: Unauthorized Access to Removable NTFS Media (Azure Windows Domain Controller) [Added]
- I3329: (L1 - DC) Verify that 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I3330: (L1 - DC) Verify that 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
- T5871: Verify that the LDAP server requires signing (Azure Windows Domain Controller) [Added]
- P3544: Unsigned LDAP Communications (Azure Windows Domain Controller) [Added]
- I3331: (L1 - DC) Verify that 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' [Added]
- I3332: (L1 - DC) Verify that 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' [Added]
- I3333: (L1 - DC) Verify that 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) [Added]
- I3334: (L1 - DC) Verify that the Domain controller's LDAP server signing requirements are set to Require signing [Added]
- I3335: (L1 - DC) Verify that 'Domain controller: Refuse machine account password changes' is set to 'Disabled' [Added]
- T5872: Verify that secure channel traffic is encrypted and signed (Azure Windows Domain Controller) [Added]
- P3545: Lack of Encryption and Signing in Secure Channel Traffic (Azure Windows Domain Controller) [Added]
- I3336: (L1 - DC) Verify that 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I3337: (L1 - DC) Verify that 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I3338: (L1 - DC) Verify that 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I3339: (L1 - DC) Verify that 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I3340: (L1 - DC) Verify that 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' [Added]
- T5873: Verify the inactivity limit for logon sessions (Azure Windows Domain Controller) [Added]
- P3546: Lack of Inactivity Lock Screen Policy (Azure Windows Domain Controller) [Added]
- I3341: (L1 - DC) Verify that 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I3342: (L1 - DC) Test the interactive logon message configuration [Added]
- I3343: (L1 - DC) Test the interactive logon message title configuration [Added]
- I3344: (L1 - DC) Verify that the interactive logon prompts users to change passwords before expiration [Added]
- T5874: Verify that SMB packet signing is enabled (Azure Windows Domain Controller) [Added]
- P3547: Lack of SMB Packet Signing and Use of Plaintext Passwords (Azure Windows Domain Controller) [Added]
- I3345: (L1 - DC) Verify that Microsoft network client: Digitally sign communications (always) is set to Enabled [Added]
- I3346: (L1 - DC) Verify that Microsoft network client: Digitally sign communications (if server agrees) is set to Enabled [Added]
- I3347: (L1 - DC) Verify that the Microsoft network client: Send unencrypted password to third-party SMB servers is set to Disabled [Added]
- T5875: Verify the SMB session inactivity policy settings (Azure Windows Domain Controller) [Added]
- P3548: Improper Session Management and Lack of Packet Signing (Azure Windows Domain Controller) [Added]
- I3348: (L1 - DC) Verify that Microsoft network server session timeout is set to 15 minutes or fewer [Added]
- I3349: (L1 - DC) Verify that Microsoft network server: Digitally sign communications (always) is set to Enabled [Added]
- I3350: (L1 - DC) Verify that Microsoft network server: Digitally sign communications (if client agrees) is set to Enabled [Added]
- I3351: (L1 - DC) Verify that 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
- T5876: Verify the security settings for anonymous user access (Azure Windows Domain Controller) [Added]
- P3549: Anonymous Access to Network Resources (Azure Windows Domain Controller) [Added]
- I3352: (L1 - DC) Verify that 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I3353: (L1 - DC) Verify that 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I3354: (L1 - DC) Test that the network access for named pipes is configured correctly [Added]
- I3355: (L1 - DC) Verify that 'Network access: Remotely accessible registry paths' is configured [Added]
- I3356: (L1 - DC) Verify that 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I3357: (L1 - DC) Verify that 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I3358: (L1 - DC) Verify that 'Network access: Shares that can be accessed anonymously' is set to 'None' [Added]
- I3359: (L1 - DC) Verify that the network access sharing and security model for local accounts is set to classic [Added]
- T5877: Verify the recommended state for NTLM authentication settings (Azure Windows Domain Controller) [Added]
- P3550: Weak NTLM Authentication Protocols (Azure Windows Domain Controller) [Added]
- I3360: (L1 - DC) Verify that 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I3361: (L1 - DC) Verify that 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I3362: (L1 - DC) Verify that 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I3363: (L1 - DC) Verify that the network security configuration allows specific encryption types for Kerberos [Added]
- I3364: (L1 - DC) Verify that 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I3365: (L1 - DC) Verify that the LAN Manager authentication level is set correctly [Added]
- I3366: (L1 - DC) Verify that the network security settings are configured correctly [Added]
- I3367: (L1 - DC) Verify that the network security settings require NTLMv2 session security [Added]
- I3368: (L1 - DC) Verify that the network security settings require NTLMv2 session security [Added]
- T5878: Verify that the shutdown command is restricted for non-logged on users (Azure Windows Domain Controller) [Added]
- P3551: Unauthorized System Shutdown (Azure Windows Domain Controller) [Added]
- I3369: (L1 - DC) Verify that the system shutdown setting is disabled [Added]
- T5879: Verify the case sensitivity policy setting for subsystems (Azure Windows Domain Controller) [Added]
- P3552: Case Insensitivity in File Systems (Azure Windows Domain Controller) [Added]
- I3370: (L1 - DC) Verify that 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3371: (L1 - DC) Verify that the default permissions of internal system objects are strengthened [Added]
- T5880: Verify the behavior of Admin Approval Mode for the built-in Administrator account (Azure Windows Domain Controller) [Added]
- P3553: Insufficient User Privilege Management (Azure Windows Domain Controller) [Added]
- I3372: (L1 - DC) Verify that User Account Control is set to Enabled [Added]
- I3373: (L1 - DC) Verify that User Account Control settings are configured correctly [Added]
- I3374: (L1 - DC) Verify that User Account Control settings are configured correctly [Added]
- I3375: (L1 - DC) Verify that 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I3376: (L1 - DC) Verify that User Account Control settings are properly configured [Added]
- I3377: (L1 - DC) Verify that 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I3378: (L1 - DC) Verify that User Account Control is set to Enabled [Added]
- I3379: (L1 - DC) Verify that User Account Control virtualization settings are enabled [Added]
- T5881: Test that the print job handling service is disabled (Azure Windows Domain Controller) [Added]
- P3554: Unauthorized Access to Print Jobs (Azure Windows Domain Controller) [Added]
- I3380: (L1 - DC) Verify that the Print Spooler (Spooler) is set to Disabled [Added]
- T5882: Verify the settings for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3555: Lack of Network Traffic Visibility (Azure Windows Domain Controller) [Added]
- I3381: (L1 - DC) Verify that Windows Firewall is set to On (recommended) [Added]
- I3382: (L1 - DC) Verify that Windows Firewall: Domain: Inbound connections is set to Block (default) [Added]
- I3383: (L1 - DC) Verify that Windows Firewall: Domain: Outbound connections is set to Allow (default) [Added]
- I3384: (L1 - DC) Verify that Windows Firewall logging is configured correctly [Added]
- I3385: (L1 - DC) Verify that Windows Firewall's logging size limit is configured correctly [Added]
- I3386: (L1 - DC) Verify that Windows Firewall is logging dropped packets [Added]
- I3387: (L1 - DC) Verify that Windows Firewall logs successful connections [Added]
- T5883: Verify the Windows Firewall settings for network traffic filtering (Azure Windows Domain Controller) [Added]
- P3556: Lack of Logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- I3388: (L1 - DC) Verify that Windows Firewall: Private: Firewall state is set to On (recommended) [Added]
- I3389: (L1 - DC) Verify that Windows Firewall: Private: Inbound connections is set to Block (default) [Added]
- I3390: (L1 - DC) Verify that Windows Firewall: Private: Outbound connections is set to Allow (default) [Added]
- I3391: (L1 - DC) Verify that Windows Firewall logging is configured correctly [Added]
- I3392: (L1 - DC) Verify that Windows Firewall's logging size limit is set correctly [Added]
- I3393: (L1 - DC) Verify that Windows Firewall is logging dropped packets [Added]
- I3394: (L1 - DC) Verify that Windows Firewall is logging successful connections [Added]
- T5884: Verify the implementation of settings for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3557: Lack of Logging for Network Traffic (Azure Windows Domain Controller) [Added]
- I3395: (L1 - DC) Verify that Windows Firewall: Public: Firewall state is set to On (recommended) [Added]
- I3396: (L1 - DC) Verify that 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' [Added]
- I3397: (L1 - DC) Verify that 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' [Added]
- I3398: (L1 - DC) Verify that Windows Firewall logging is configured correctly [Added]
- I3399: (L1 - DC) Verify that Windows Firewall's logging size limit is set correctly [Added]
- I3400: (L1 - DC) Verify that Windows Firewall is logging dropped packets [Added]
- I3401: (L1 - DC) Verify that Windows Firewall's logging for successful connections is enabled [Added]
- T5885: Verify audit logging effectiveness for Windows domain controller security (Azure Windows Domain Controller) [Added]
- P3558: Lack of visibility into unauthorized or suspicious user and system activities (Azure Windows Domain Controller) [Added]
- I3402: (L1 - DC) Verify that 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I3403: (L1 - DC) Verify that 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) [Added]
- I3404: (L1 - DC) Verify that 'Audit Computer Account Management' is set to include 'Success and Failure' (DC only) [Added]
- I3405: (L1 - DC) Verify that 'Audit Distribution Group Management' includes 'Success and Failure' [Added]
- I3406: (L1 - DC) Verify that 'Audit Other Account Management Events' includes 'Success' (DC only) [Added]
- I3407: (L1 - DC) Verify that 'Audit Security Group Management' includes 'Success' [Added]
- I3408: (L1 - DC) Test that 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I3409: (L1 - DC) Verify that 'Audit PNP Activity' is set to include 'Success' [Added]
- I3410: (L1 - DC) Verify that 'Audit Process Creation' is set to include 'Success' [Added]
- I3411: (L1 - DC) Verify that 'Audit Account Lockout' includes 'Success and Failure' [Added]
- I3412: (L1 - DC) Verify that 'Audit Group Membership' is set to include 'Success' [Added]
- I3413: (L1 - DC) Verify that 'Audit Logoff' is set to include 'Success' [Added]
- I3414: (L1 - DC) Verify that 'Audit Logon' is set to 'Success and Failure' [Added]
- I3415: (L1 - DC) Verify that 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I3416: (L1 - DC) Verify that 'Audit Special Logon' is set to include 'Success' [Added]
- I3417: (L1 - DC) Verify that 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I3418: (L1 - DC) Verify that 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I3419: (L1 - DC) Verify that 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I3420: (L1 - DC) Verify that 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I3421: (L1 - DC) Verify that 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I3422: (L1 - DC) Verify that 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I3423: (L1 - DC) Verify that 'Audit Security State Change' is set to include 'Success' [Added]
- I3424: (L1 - DC) Verify that the Audit Security System Extension includes Success [Added]
- I3425: (L1 - DC) Verify that 'Audit System Integrity' is set to 'Success and Failure' [Added]
- T5886: Verify that the automatic learning component is disabled (Azure Windows Domain Controller) [Added]
- P3559: Automatic Learning Enabled (Azure Windows Domain Controller) [Added]
- I3426: (L1 - DC) Verify that 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
- T5887: Verify the configuration of SMBv1 client driver service (Azure Windows Domain Controller) [Added]
- P3560: Outdated Protocol and Credential Theft Vulnerabilities (Azure Windows Domain Controller) [Added]
- I3427: (L1 - DC) Verify that 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I3428: (L1 - DC) Verify that 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I3429: (L1 - DC) Verify that 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I3430: (L1 - DC) Verify that 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I3431: (L1 - DC) Verify that WDigest Authentication is set to Disabled [Added]
- T5888: Verify the configuration of IP source routing settings (Azure Windows Domain Controller) [Added]
- P3561: IP Source Routing and ICMP Redirects Enabled (Azure Windows Domain Controller) [Added]
- I3432: (L1 - DC) Verify that the IP source routing protection level is set to 'Enabled: Highest protection' [Added]
- I3433: (L1 - DC) Verify that MSS: (DisableIPSourceRouting) IP source routing protection level is set to Enabled: Highest protection [Added]
- I3434: (L1 - DC) Verify that 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I3435: (L1 - DC) Verify that the computer ignores NetBIOS name release requests [Added]
- T5889: Verify the SMB client settings for secure access (Azure Windows Domain Controller) [Added]
- P3562: Insecure Access to UNC Paths (Azure Windows Domain Controller) [Added]
- I3436: (L1 - DC) Verify that 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I3437: (L1 - DC) Verify that 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I3438: (L1 - DC) Verify that the installation and configuration of Network Bridge on your DNS domain network is prohibited [Added]
- I3439: (L1 - DC) Verify that 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I3440: (L1 - DC) Verify that 'Hardened UNC Paths' is set to 'Enabled' [Added]
- I3441: (L1 - DC) Test that 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to ..... [Added]
- T5890: Verify the security audit events logging for process creation (Azure Windows Domain Controller) [Added]
- P3563: Lack of Virtualization Based Security (Azure Windows Domain Controller) [Added]
- I3442: (L1 - DC) Verify that 'Include command line in process creation events' is set to 'Enabled' [Added]
- I3443: (L1 - DC) Verify that 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I3444: (L1 - DC) Verify that the remote host allows delegation of non-exportable credentials [Added]
- I3445: (L1 - DC) Verify that 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I3446: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I3447: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to .... [Added]
- I3448: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I3449: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only) [Added]
- I3450: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
- I3451: (L1 - DC) Verify that the 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I3452: (L1 - DC) Verify that the registry policy processing is configured correctly [Added]
- I3453: (L1 - DC) Verify that the registry policy processing is configured correctly [Added]
- I3454: (L1 - DC) Verify that 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3455: (L1 - DC) Verify that 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
- I3456: (L1 - DC) Verify that 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
- I3457: (L1 - DC) Verify that 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I3458: (L1 - DC) Verify that 'Do not display network selection UI' is set to 'Enabled' [Added]
- I3459: (L1 - DC) Verify that 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I3460: (L1 - DC) Verify that 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I3461: (L1 - DC) Test that the validation of ROCA-vulnerable WHfB keys during authentication is configured [Added]
- T5891: Verify that Microsoft accounts are required for Windows Store apps (Azure Windows Domain Controller) [Added]
- P3564: Lack of Attack Surface Reduction Rules (Azure Windows Domain Controller) [Added]
- I3462: (L1 - DC) Verify that 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I3463: (L1 - DC) Verify that 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I3464: (L1 - DC) Verify that 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I3465: (L1 - DC) Verify that 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I3466: (L1 - DC) Verify that 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I3467: (L1 - DC) Verify that 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I3468: (L1 - DC) Verify Application Control Event Log behavior when the log file reaches its maximum size [Added]
- I3469: (L1 - DC) Verify that the maximum log file size is set to 32,768 or greater [Added]
- I3470: (L1 - DC) Verify Security Control Event Log behavior when the log file reaches its maximum size [Added]
- I3471: (L1 - DC) Verify that the maximum log file size is set to Enabled: 196,608 or greater [Added]
- I3472: (L1 - DC) Verify that the Control Event Log behavior is set to Disabled [Added]
- I3473: (L1 - DC) Verify that the maximum log file size is set to 32,768 KB or greater [Added]
- I3474: (L1 - DC) Verify System Control Event Log behavior when the log file reaches its maximum size [Added]
- I3475: (L1 - DC) Verify that the maximum log file size is set to 32,768 or greater [Added]
- I3476: (L1 - DC) Verify that 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I3477: (L1 - DC) Verify that 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I3478: (L1 - DC) Verify that 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I3479: (L1 - DC) Verify that 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
- I3480: (L1 - DC) Verify that 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I3481: (L1 - DC) Verify that 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I3482: (L1 - DC) Verify that 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I3483: (L1 - DC) Verify that 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I3484: (L1 - DC) Verify that the Attack Surface Reduction rules are configured [Added]
- I3485: (L1 - DC) Verify that 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I3486: (L1 - DC) Verify that 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I3487: (L1 - DC) Verify that 'Turn off real-time protection' is set to 'Disabled' [Added]
- I3488: (L1 - DC) Verify that 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I3489: (L1 - DC) Verify that 'Turn on script scanning' is set to 'Enabled' [Added]
- I3490: (L1 - DC) Verify that 'Turn on e-mail scanning' is set to 'Enabled' [Added]
- I3491: (L1 - DC) Verify that 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I3492: (L1 - DC) Verify that 'Do not allow drive redirection' is set to 'Enabled' [Added]
- I3493: (L1 - DC) Verify that 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I3494: (L1 - DC) Verify that 'Require secure RPC communication' is set to 'Enabled' [Added]
- I3495: (L1 - DC) Verify that 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
- I3496: (L1 - DC) Verify that 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I3497: (L1 - DC) Verify that 'Do not use temporary folders per session' is set to 'Disabled' [Added]
- I3498: (L1 - DC) Verify that 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I3499: (L1 - DC) Verify that 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I3500: (L1 - DC) Verify that Windows Defender SmartScreen is configured to warn and prevent bypass [Added]
- I3501: (L1 - DC) Verify that 'Allow user control over installs' is set to 'Disabled' [Added]
- I3502: (L1 - DC) Verify that 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I3503: (L1 - DC) Verify that 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I3504: (L1 - DC) Verify that 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
- I3505: (L1 - DC) Verify that 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
- I3506: (L1 - DC) Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3507: (L1 - DC) Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3508: (L1 - DC) Verify that 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I3509: (L1 - DC) Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3510: (L1 - DC) Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3511: (L1 - DC) Verify that 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
- I3512: (L1 - DC) Verify that 'Prevent users from modifying settings' is set to 'Enabled' [Added]
- T5892: Verify that the scheduler service is not bound to non-loopback insecure addresses (Kubernetes Master Node) [Added]
- I3571: Ensure that the --bind-address argument is set to 127.0.0.1 [Added]
- T5893: Verify the security of Kubernetes authentication mechanisms (Kubernetes Master Node) [Added]
- P3565: Unrestricted Pod Creation (Kubernetes Master Node) [Added]
- I3685: Verify that client certificate authentication is not used for users [Added]
- I3686: Verify that service account token authentication is not used for users [Added]
- I3687: Verify that Bootstrap token authentication is not used for users [Added]
- I3690: Verify that the cluster-admin role is only used where required [Added]
- I3691: Test that access to secrets is minimized [Added]
- I3692: Verify that wildcard use is minimized in Roles and ClusterRoles [Added]
- I3693: Test that access to create pods is minimized [Added]
- I3696: Verify that the system:masters group is not used [Added]
- I3697: Verify the limited use of Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
- I3698: Test that access to create persistent volumes is minimized [Added]
- I3699: Test that access to the proxy sub-resource of nodes is minimized [Added]
- I3700: Test that access to the approval sub-resource of certificatesigningrequests objects is minimized [Added]
- I3701: Test that access to webhook configuration objects is minimized [Added]
- T5894: Verify that Kubernetes clusters enforce policy controls (Kubernetes Master Node) [Added]
- P3566: Lack of Policy Control Mechanism (Kubernetes Master Node) [Added]
- I3703: Verify that the cluster has at least one active policy control mechanism in place [Added]
- I3704: Test that the admission of privileged containers is minimized [Added]
- I3705: Test minimizing the admission of containers wishing to share the host process ID namespace [Added]
- I3706: Test minimizing the admission of containers wishing to share the host IPC namespace [Added]
- I3707: Test minimizing the admission of containers wishing to share the host network namespace [Added]
- I3708: Test that the admission of containers minimizes allowPrivilegeEscalation [Added]
- I3709: Test that the admission of root containers is minimized [Added]
- I3710: Test that the admission of containers with the NET_RAW capability is minimized [Added]
- I3711: Test the admission of containers with added capabilities [Added]
- I3712: Test that the admission of containers with capabilities assigned is minimized [Added]
- I3713: Test minimize the admission of Windows HostProcess Containers [Added]
- I3714: Test minimizing the admission of HostPath volumes [Added]
- I3715: Test that the admission of containers which use HostPorts is minimized [Added]
- I3721: Test administrative boundaries between resources using namespaces [Added]
- I3722: Verify that the seccomp profile is set to docker/default in your pod definitions [Added]
- I3724: Verify that the default namespace is not used [Added]
- T5895: Test network policies to isolate traffic in your cluster network (Kubernetes Master Node) [Added]
- P3567: Lack of Network Traffic Control (Kubernetes Master Node) [Added]
- I3716: Verify that the CNI in use supports Network Policies [Added]
- I3717: Verify that all Namespaces have Network Policies defined [Added]
- T5896: Verify the use of external secrets management for Kubernetes (Kubernetes Master Node Secrets) [Added]
- P3568: Insecure Secret Management in Kubernetes (Kubernetes Master Node) [Added]
- I3718: Verify that secrets are managed as files instead of environment variables [Added]
- I3719: Verify that external secret storage is considered [Added]
- T5897: Bind scheduler service to loopback addresses (Kubernetes Master Node) [Added]
- I3677: Verify that the --bind-address argument is set to 127.0.0.1 [Added]
- T5898: Implement restrictions on pod creation in Kubernetes (Kubernetes Master Node) [Added]
- P3565: Unrestricted Pod Creation (Kubernetes Master Node) [Added]
- I3579: Client certificate authentication should not be used for users [Added]
- I3580: Service account token authentication should not be used for users [Added]
- I3581: Bootstrap token authentication should not be used for users [Added]
- I3584: Ensure that the cluster-admin role is only used where required [Added]
- I3585: Minimize access to secrets [Added]
- I3586: Minimize wildcard use in Roles and ClusterRoles [Added]
- I3587: Minimize access to create pods [Added]
- I3590: Avoid use of system:masters group [Added]
- I3591: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
- I3592: Minimize access to create persistent volumes [Added]
- I3593: Minimize access to the proxy sub-resource of nodes [Added]
- I3594: Minimize access to the approval sub-resource of certificatesigningrequests objects [Added]
- I3595: Minimize access to webhook configuration objects [Added]
- T5899: Implement a policy control mechanism in Kubernetes (Kubernetes Master Node) [Added]
- P3566: Lack of Policy Control Mechanism (Kubernetes Master Node) [Added]
- I3597: Ensure that the cluster has at least one active policy control mechanism in place [Added]
- I3598: Minimize the admission of privileged containers [Added]
- I3599: Minimize the admission of containers wishing to share the host process ID namespace [Added]
- I3600: Minimize the admission of containers wishing to share the host IPC namespace [Added]
- I3601: Minimize the admission of containers wishing to share the host network namespace [Added]
- I3602: Minimize the admission of containers with allowPrivilegeEscalation [Added]
- I3603: Minimize the admission of root containers [Added]
- I3604: Minimize the admission of containers with the NET_RAW capability [Added]
- I3605: Minimize the admission of containers with added capabilities [Added]
- I3606: Minimize the admission of containers with capabilities assigned [Added]
- I3607: Minimize the admission of Windows HostProcess Containers [Added]
- I3608: Minimize the admission of HostPath volumes [Added]
- I3609: Minimize the admission of containers which use HostPorts [Added]
- I3615: Create administrative boundaries between resources using namespaces [Added]
- I3616: Ensure that the seccomp profile is set to docker/default in your pod definitions [Added]
- I3618: The default namespace should not be used [Added]
- T5900: Implement network policies in Kubernetes (Kubernetes Master Node) [Added]
- P3567: Lack of Network Traffic Control (Kubernetes Master Node) [Added]
- I3610: Ensure that the CNI in use supports Network Policies [Added]
- I3611: Ensure that all Namespaces have Network Policies defined [Added]
- T5901: Implement an external secrets management system for Kubernetes (Kubernetes Master Node) [Added]
- P3568: Insecure Secret Management in Kubernetes (Kubernetes Master Node) [Added]
- I3612: Prefer using secrets as files over secrets as environment variables [Added]
- I3613: Consider external secret storage [Added]
- T5902: Verify that audit logs are collected and managed (Amazon EKS) [Added]
- P3569: Lack of Robust Audit Log Management (Amazon EKS) [Added]
- I3758: Test that audit logs are enabled [Added]
- I3759: Verify that audit logs are collected and managed [Added]
- T5903: Verify kubelet configuration permissions and ownership (Amazon EKS) [Added]
- P3570: Insecure Permissions on Kubelet Configuration Files (Amazon EKS) [Added]
- I3760: Verify that the kubeconfig file permissions are set to 644 or more restrictive [Added]
- I3761: Verify that the kubelet kubeconfig file ownership is set to root:root [Added]
- I3762: Verify that the kubelet configuration file has permissions set to 644 or more restrictive [Added]
- I3763: Verify that the kubelet configuration file ownership is set to root:root [Added]
- T5904: Verify that anonymous requests to the Kubelet server are disabled (Amazon EKS) [Added]
- P3571: Anonymous Request Handling Vulnerability (Amazon EKS) [Added]
- I3764: Verify that Anonymous Auth is Not Enabled [Added]
- I3765: Verify that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3766: Verify that a Client CA File is Configured [Added]
- T5905: Test that the read-only port is disabled (Amazon EKS) [Added]
- P3572: Unauthorized Access via Read-Only Port (Amazon EKS) [Added]
- I3767: Verify that the --read-only-port is disabled [Added]
- I3768: Verify that the --streaming-connection-idle-timeout argument is not set to 0 [Added]
- T5906: Verify Kubelet's iptables management settings (Amazon EKS) [Added]
- P3573: Unrestricted Event Logging Leading to Denial of Service (Amazon EKS) [Added]
- I3769: Verify that the --make-iptables-util-chains argument is set to true [Added]
- I3770: Verify that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture [Added]
- T5907: Test kubelet client and server certificate rotation (Amazon EKS) [Added]
- P3574: Lack of Certificate Rotation (Amazon EKS) [Added]
- I3771: Verify that the --rotate-certificates argument is not present or is set to true [Added]
- I3772: Verify that the RotateKubeletServerCertificate argument is set to true [Added]
- T5908: Verify that access to Kubernetes secrets is restricted (Amazon EKS) [Added]
- P3575: Excessive Privilege Assignment (Amazon EKS) [Added]
- I3773: Verify that the cluster-admin role is only used where required [Added]
- I3774: Verify that wildcard use in Roles and ClusterRoles is minimized [Added]
- I3775: Test the Cluster Access Manager API for EKS cluster access control management [Added]
- I3792: Verify that Kubernetes RBAC users are managed with AWS IAM Authenticator [Added]
- I3804: Test that access to secrets is minimized [Added]
- I3805: Test that access to create pods is minimized [Added]
- I3806: Verify that default service accounts are not actively used [Added]
- I3807: Verify that Service Account Tokens are only mounted where necessary [Added]
- I3808: Verify the limited use of Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
- T5909: Verify that containers do not run with elevated privileges (Amazon EKS) [Added]
- P3576: Excessive Container Privileges (Amazon EKS) [Added]
- I3776: Test that the admission of privileged containers is minimized [Added]
- I3777: Test minimizing the admission of containers wishing to share the host process ID namespace [Added]
- I3778: Test minimizing the admission of containers wishing to share the host IPC namespace [Added]
- I3779: Verify that the admission of containers wishing to share the host network namespace is minimized [Added]
- I3780: Test that the admission of containers minimizes allowPrivilegeEscalation [Added]
- T5910: Test network policies to isolate traffic in your cluster network (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3781: Verify that CNI plugin supports network policies [Added]
- I3809: Verify that all Namespaces have Network Policies defined [Added]
- T5911: Verify the use of external secrets management for Kubernetes (Amazon EKS) [Added]
- P3578: Insecure Secret Management in Kubernetes (Amazon EKS) [Added]
- I3810: Verify that secrets are managed as files instead of environment variables [Added]
- I3811: Verify that external secret storage is considered [Added]
- T5912: Verify that namespaces are used to isolate Kubernetes objects (Amazon EKS) [Added]
- P3579: Lack of Resource Isolation and Access Control (Amazon EKS) [Added]
- I3782: Verify that the default namespace is not used [Added]
- I3812: Test administrative boundaries between resources using namespaces [Added]
- T5913: Test that images deployed to Amazon EKS are scanned for vulnerabilities (Amazon EKS) [Added]
- P3580: Lack of Vulnerability Scanning for Container Images (Amazon EKS) [Added]
- I3783: Verify Image Vulnerability Scanning using Amazon ECR [Added]
- T5914: Verify the Cluster Service Account configuration for read-only access (Amazon EKS) [Added]
- P3581: Excessive Permissions for Cluster Service Account (Amazon EKS) [Added]
- I3784: Test that cluster access to Amazon ECR is minimized to read-only [Added]
- T5915: Verify that Kubernetes workloads use dedicated Service accounts (Amazon EKS) [Added]
- P3582: Lack of Dedicated Service Accounts for Kubernetes Workloads (Amazon EKS) [Added]
- I3785: Verify that dedicated EKS Service Accounts are used [Added]
- T5916: Test that Kubernetes secrets are encrypted during Amazon EKS cluster creation (Amazon EKS) [Added]
- P3583: Unencrypted Kubernetes Secrets (Amazon EKS) [Added]
- I3786: Verify that Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS [Added]
- T5917: Verify that Endpoint Private Access is enabled (Amazon EKS) [Added]
- P3584: Unrestricted Access to Kubernetes Control Plane (Amazon EKS) [Added]
- I3787: Test Restrict Access to the Control Plane Endpoint [Added]
- I3788: Verify that clusters are created with Private Endpoint Enabled and Public Access Disabled [Added]
- I3789: Verify that clusters are created with Private Nodes [Added]
- T5918: Test the network policy implementation options for EKS (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3790: Verify that Network Policy is Enabled and set as appropriate [Added]
- I3791: Verify that traffic is encrypted to HTTPS load balancers with TLS certificates [Added]
- T5919: Implement a robust audit log management process in EKS (Amazon EKS) [Added]
- P3569: Lack of Robust Audit Log Management (Amazon EKS) [Added]
- I3725: Enable audit Logs [Added]
- I3726: Ensure audit logs are collected and managed [Added]
- T5920: Implement secure permissions for kubelet configuration files (Amazon EKS) [Added]
- P3570: Insecure Permissions on Kubelet Configuration Files (Amazon EKS) [Added]
- I3727: Ensure that the kubeconfig file permissions are set to 644 or more restrictive [Added]
- I3728: Ensure that the kubelet kubeconfig file ownership is set to root:root [Added]
- I3729: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive [Added]
- I3730: Ensure that the kubelet configuration file ownership is set to root:root [Added]
- T5921: Secure Kubelet Server by Disabling Anonymous Requests (Amazon EKS) [Added]
- P3571: Anonymous Request Handling Vulnerability (Amazon EKS) [Added]
- I3731: Ensure that the Anonymous Auth is Not Enabled [Added]
- I3732: Ensure that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3733: Ensure that a Client CA File is Configured [Added]
- T5922: Disable read-only port to enhance system security (Amazon EKS) [Added]
- P3572: Unauthorized Access via Read-Only Port (Amazon EKS) [Added]
- I3734: Ensure that the --read-only-port is disabled [Added]
- I3735: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 [Added]
- T5923: Configure eventRecordQPS in Kubelet settings (Amazon EKS) [Added]
- P3573: Unrestricted Event Logging Leading to Denial of Service (Amazon EKS) [Added]
- I3736: Ensure that the --make-iptables-util-chains argument is set to true [Added]
- I3737: Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture [Added]
- T5924: Implement certificate rotation for Kubernetes clusters (Amazon EKS) [Added]
- P3574: Lack of Certificate Rotation (Amazon EKS) [Added]
- I3738: Ensure that the --rotate-certificates argument is not present or is set to true [Added]
- I3739: Ensure that the RotateKubeletServerCertificate argument is set to true [Added]
- T5925: Restrict access to Kubernetes secrets and roles (Amazon EKS) [Added]
- P3575: Excessive Privilege Assignment (Amazon EKS) [Added]
- I3740: Ensure that the cluster-admin role is only used where required [Added]
- I3741: Ensure that default service accounts are not actively used [Added]
- I3742: Ensure that Service Account Tokens are only mounted where necessary [Added]
- I3743: Cluster Access Manager API to streamline and enhance the management of access controls within EKS clusters [Added]
- I3757: Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or Upgrade to AWS CLI v1.16.156 or greater [Added]
- I3793: Minimize access to secrets [Added]
- I3794: Minimize wildcard use in Roles and ClusterRoles [Added]
- I3795: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
- T5926: Restrict container privileges in Kubernetes (Kubernetes) [Added]
- P3576: Excessive Container Privileges (Amazon EKS) [Added]
- I3744: Minimize the admission of privileged containers [Added]
- I3745: Minimize the admission of containers with allowPrivilegeEscalation [Added]
- I3796: Minimize the admission of containers wishing to share the host process ID namespace [Added]
- I3797: Minimize the admission of containers wishing to share the host IPC namespace [Added]
- I3798: Minimize the admission of containers wishing to share the host network namespace [Added]
- T5927: Implement network policies for enhanced security in Kubernetes (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3746: Ensure CNI plugin supports network policies [Added]
- I3799: Ensure that all Namespaces have Network Policies defined [Added]
- T5928: Organize and Isolate Resources with Kubernetes Namespaces (Amazon EKS) [Added]
- P3579: Lack of Resource Isolation and Access Control (Amazon EKS) [Added]
- I3802: Create administrative boundaries between resources using namespaces [Added]
- I3803: The default namespace should not be used [Added]
- T5929: Implement a vulnerability scanning process for deployed images (Amazon EKS) [Added]
- P3580: Lack of Vulnerability Scanning for Container Images (Amazon EKS) [Added]
- I3747: Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider [Added]
- T5930: Restrict Cluster Service Account Permissions for Amazon ECR (Amazon EKS) [Added]
- P3581: Excessive Permissions for Cluster Service Account (Amazon EKS) [Added]
- I3748: Minimize user access to Amazon ECR [Added]
- I3749: Minimize cluster access to read-only for Amazon ECR [Added]
- T5931: Implement encryption for Kubernetes secrets (Amazon EKS) [Added]
- P3583: Unencrypted Kubernetes Secrets (Amazon EKS) [Added]
- I3751: Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS [Added]
- T5932: Restrict access to the Kubernetes control plane (Amazon EKS) [Added]
- P3584: Unrestricted Access to Kubernetes Control Plane (Amazon EKS) [Added]
- I3752: Restrict Access to the Control Plane Endpoint [Added]
- I3753: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled [Added]
- I3754: Ensure clusters are created with Private Nodes [Added]
- T5933: Implement network policies for enhanced security (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3755: Ensure Network Policy is Enabled and set as appropriate [Added]
- I3756: Encrypt traffic to HTTPS load balancers with TLS certificates [Added]
- T5934: Implement an external secrets management system for Kubernetes (Amazon EKS) [Added]
- P3578: Insecure Secret Management in Kubernetes (Amazon EKS) [Added]
- I3800: Prefer using secrets as files over secrets as environment variables [Added]
- I3801: Consider external secret storage [Added]
- T5935: Implement dedicated service accounts for Kubernetes workloads (Amazon EKS) [Added]
- P3582: Lack of Dedicated Service Accounts for Kubernetes Workloads (Amazon EKS) [Added]
- I3750: Prefer using dedicated EKS Service Accounts [Added]
- T5936: Verify that the kubelet service file permissions are secure (Kubernetes Worker Node) [Added]
- P3585: Insecure File Permissions on Configuration Files (Kubernetes Worker Node) [Added]
- T5937: Implement strict file permissions for Kubernetes configuration files (Kubernetes Worker Node) [Added]
- P3585: Insecure File Permissions on Configuration Files (Kubernetes Worker Node) [Added]
Changes to Project Properties and Profiles
- Q193: Components
- Q101: Components In Development
- A1077: Firmware, embedded, or hardware solution [Updated]
- INFO: Updated the children.
- A1077: Firmware, embedded, or hardware solution [Updated]
- Q101: Components In Development
- Q195: Language and Framework
- Q109: Programming Language
- Q110: Technology/Framework
- A2319: Vue.js [Added]
- Q110: Technology/Framework
- Q109: Programming Language
- Q206: Privacy
- Q160: Handles Personal Data
- Q454: US State-Specific Privacy Legislation
- A1255: California Civil Code (CCPA and CPRA) [Updated]
- INFO: Updated the question.
- A1256: CalOPPA [Updated]
- INFO: Updated the question.
- A1996: Virginia CDPA [Updated]
- INFO: Updated the description and match conditions.
- A1997: Colorado PA [Updated]
- INFO: Updated the match conditions.
- A1998: Connecticut PDPOM [Updated]
- INFO: Updated the match conditions.
- A1999: Utah CPA [Updated]
- INFO: Updated the match conditions.
- A2000: Oregon PL [Updated]
- INFO: Updated the match conditions.
- A2001: Texas DPSA [Updated]
- INFO: Updated the match conditions.
- A2002: Montana CDPA [Updated]
- INFO: Updated the description and match conditions.
- A2214: Delaware PDPA [Added]
- A2215: Iowa CDPA [Added]
- A2216: Nebraska DPA [Added]
- A2217: New Hampshire DPA [Added]
- A2218: New Jersey DPA [Added]
- A1255: California Civil Code (CCPA and CPRA) [Updated]
- Q454: US State-Specific Privacy Legislation
- Q160: Handles Personal Data
- Q207: Application Layer
- Q186: Application Layer Protocols Used
- A2317: gRPC [Added]
- Q186: Application Layer Protocols Used
- Q211: Development Tools
- Q364: Version Control Platforms [Updated]
- INFO: Updated the text.
- Q364: Version Control Platforms [Updated]
- Q237: Compliance Scope: Other
- Q489: In scope for EN 18031 [Added]
- Q490: Specific details about your device (Related to 18031-1) [Added]
- A2259: There are legal restrictions that prevent the implementation of access control [Added]
- A2260: The device is designed in a fashion or deployed in an environment where physical/logical measures make unauthorized access to sensitive/confidential information in transit impossible [Added]
- A2261: The device is designed in a fashion or deployed in an environment where physical/logical measures make unauthorized access to sensitive/confidential information at rest impossible [Added]
- A2262: An absence of authentication features is necessary for your device's functionality [Added]
- A2263: Your device does not have software update capabilities because of functional safety [Added]
- A2264: Your device's software is immutable [Added]
- A2265: Your device's network interfaces are used solely in a local network that does not interoperate with other networks [Added]
- A2266: Your device exchanges data between different networks to permanently connect other devices directly to the internet [Added]
- A2267: Conflicting security goals do not allow for implementing functionality for changing authenticator information [Added]
- A2268: Other devices in your device's network provide sufficient protection against DoS attacks and loss of essential network operation functions [Added]
- A2269: Alternative measures to software updates adequately protect the affected security and network assets throughout the device's lifecycle [Added]
- A2270: Your device is meant to be publicly accessed [Added]
- A2271: Your device's software affects network or security assets [Added]
- A2272: Your device requires deviation from secure communication best practices concerning integrity/authenticity for interoperability reasons [Added]
- A2273: Your device manages access to network/security objects over user interfaces where physical or logical measures in the environment provide confidence in the correctness of the entity's claim [Added]
- A2274: Managed access is only used for reading personal information, privacy functions, or privacy function configuration where access without authentication is needed to enable intended equipment functionality [Added]
- A2275: Managed access is only used for reading personal information, privacy functions, or privacy function configuration where legal implications do not allow for authentication mechanisms [Added]
- A2276: Temporary exposure of network assets or security assets is required as part of establishing or managing a connection [Added]
- A2277: Deviation from confidentiality best practices is inevitable for interoperability reasons [Added]
- A2278: Duplicate transfer of information to your device's network interface does not constitute a replay attack [Added]
- A2279: Deviation from best practices against replay attacks is inevitable for interoperability reasons [Added]
- A2280: Your device uses preinstalled confidential cryptographic keys to establish initial trust relationships under conditions controlled by an authorized entity [Added]
- A2281: Your device uses preinstalled confidential cryptographic keys that are shared parameters required for the equipment's intended functionality [Added]
- A2282: Your device currently has publicly-known and exploitable hardware or software vulnerabilities that affect security or network assets and have not been risk-addressed [Added]
- A2283: Your device exposes network interface or services in its factory default state which affect security or network assets [Added]
- A2284: Your device has an external interface that is capable of receiving input [Added]
- A2285: Your device uses or generates confidential cryptographic keys [Added]
- A2258: In scope for EN 18031-1 [Added]
- Q490: Specific details about your device (Related to 18031-1) [Added]
- Q489: In scope for EN 18031 [Added]
- Q243: Internal Hidden Properties
- Q189: Internal Properties (Use this, for all hidden answers)
- A718: The application is a generic server application [Updated]
- INFO: Updated the children.
- A740: This is a new project [Updated]
- INFO: Updated the children.
- A1061: Set of default answers for software profiles [Updated]
- INFO: Updated the text and children.
- A2008: LLM Role-based [Updated]
- INFO: Updated the match conditions.
- A2009: LLM Role-agnostic [Updated]
- INFO: Updated the match conditions.
- A2010: MD Role-based [Updated]
- INFO: Updated the match conditions.
- A2011: MD Role-agnostic [Updated]
- INFO: Updated the match conditions.
- A2309: IBM Cloud All Services [Added]
- A2320: Classification Off [Added]
- A718: The application is a generic server application [Updated]
- Q189: Internal Properties (Use this, for all hidden answers)
- Q289: Cloud Computing
- Q290: Cloud Providers
- A2308: IBM Cloud [Added]
- Q290: Cloud Providers
- Q299: General
- Q375: CI/CD Tools
- A2257: JFrog [Added]
- Q375: CI/CD Tools
- Q307: Containerization
- Q308: Containerization Technologies
- Q506: Kubernetes Profiles [Added]
- A2310: Master Node [Added]
- A2311: Worker Node [Added]
- Q506: Kubernetes Profiles [Added]
- Q308: Containerization Technologies
- Q362: Microsoft Azure
- Q306: Azure Services
- Q502: Azure Windows Profiles [Added]
- A2314: Member Server [Added]
- A2315: Domain Controller [Added]
- Q370: More Azure Services
- A1196: Azure Multi-Factor Authentication [Unpublished]
- A1204: Azure Key Vault [Updated]
- INFO: Updated the question.
- Q502: Azure Windows Profiles [Added]
- Q365: Azure Cloud Configuration
- A2132: Azure Subscriptions [Added]
- Q306: Azure Services
- Q369: Network Technologies
- Q372: Network Components
- Q507: Message Brokers [Added]
- A2316: Apache Kafka [Added]
- Q507: Message Brokers [Added]
- Q372: Network Components
- Q461: AI and Machine Learning
- Q357: Artificial Intelligence/Machine Learning
- Q457: AI Content Organization
- A1629: Role-based AI content [Updated]
- INFO: Updated the children.
- A2007: Role-agnostic AI content [Updated]
- INFO: Updated the children.
- A1629: Role-based AI content [Updated]
- A2223: Agentic AI (LLM-Based) [Added]
- Q457: AI Content Organization
- Q357: Artificial Intelligence/Machine Learning
- Q503: IBM Cloud [Added]
- Q488: IBM Cloud Services [Added]
- A2246: IBM Cloud VPC [Added]
- A2247: IBM Cloud Object Storage [Added]
- A2248: IBM Key Management Services [Added]
- A2249: IBM Cloud Container Registry [Added]
- A2250: IBM Cloud Database [Added]
- A2251: IBM Cloudant [Added]
- A2252: IBM Cloud Internet Services [Added]
- A2253: IBM Key Protect [Added]
- A2254: IBM Cloud Block Storage [Added]
- A2255: IBM Cloud Activity Tracker [Added]
- A2256: IBM Cloud Kubernetes Service [Added]
- Q488: IBM Cloud Services [Added]
- Q193: Components
Added Components
- SC807: IBM Cloud VPC
- SC808: IBM Cloud Object Storage
- SC809: IBM Key Management Services
- SC810: IBM Cloud Container Registry
- SC811: IBM Cloud Database
- SC812: IBM Cloudant
- SC813: IBM Cloud Internet Services
- SC814: IBM Key Protect
- SC815: IBM Cloud Block Storage
- SC816: IBM Cloud Activity Tracker
- SC817: IBM Cloud Kubernetes Service
- SC818: JFrog
- SC819: Apache Kafka
Updated Components
- SC64: Amazon EKS
- INFO: Updated the description.
- SC64: Amazon EKS
2025.1
April 26, 2025
New features and enhancements
System View and Compliance Report Export
- Behind a feature flag, we have added a new dedicated dashboard for users to manage a grouping of projects into one system view.
- Added the ability to export a compliance report for a selected regulation (e.g. GDPR) under a selected System view. The export groups all the projects in the system into one CSV with the Task ID, Project Name, and Task Status, grouped by task.
Jira, Skip & Log UX Enhancement
- Improved the error messaging in the Jira sync logs when Skip & Log is enabled: every error that occurred is listed, together with the Task ID and the Jira URL (if available).
RIA JIRA Comment Sync support
- Extended the in-app Jira comment sync so that it is supported in RIA installations.
- Jira comment sync uses the same configuration as the existing functionality, and comments are synced as part of the existing task sync process.
New Library Threats UI and API
- Added the ability to surface threats in the Library and to create and manage custom/builtin threats.
- Added the ability to filter the Library Countermeasures page by active status, type, and CAPEC.
- Added the ability to save a copy of an existing Library Threat.
- Added the ability for users to map Threats to Weaknesses and CAPECs.
- Added full create, read, update, and delete via Library Threats API.
New Library Countermeasure List Page Improvements
- Added the ability to retain and share curated search results for library countermeasure page.
- Added the ability to configure the Countermeasure table to user preferences and expand full width.
- Added a new UX filter that allows users to intuitively select multiple filters.
- Modified labels are now present in read-only view.
Navigator
- Added a generative AI-powered conversational interface within SD Elements that lets users interact intuitively with the SD Elements Library.
Updates
- EOL of Integrations
- Integrations that have not been actively used in the last two years reach end of life with the 2025.1 release.
- The following integrations have been removed: Archer, VersionOne, IBM RTC, Pivotal Tracker, HP WebInspect, and Mend. Please see the User Guide documentation for details.
Summary of content updates
Improved the content of several countermeasures and weaknesses for clarity and currency.
EU Data Act
- Added a new compliance regulation
- 10 new countermeasures and 10 weaknesses were created to cover as much relevant content from the Act as possible
- 7 terms were added to the Glossary and referenced in the content to clarify legal language when specific terms are used.
Mobile content
- iOS: 6 new countermeasures, 6 corresponding test tasks, and 6 weaknesses
- Android: 3 new countermeasures, 3 corresponding test tasks, and 3 weaknesses
New Just-in-Time Training
- iOS/Swift
- Android/Kotlin
CIS AWS Foundations
- Added new countermeasures, weaknesses, and howtos. Updated existing countermeasures.
- Added a new regulation report for AWS Foundations 4.0.1.
Components
- Added new components: blockchain, smart contract, Containerd, low-code/no-code, and Micronaut.
Accessibility
- Added a dependent component.
- Added regulation report for Web Content Accessibility Guidelines (WCAG) 2.1
EU Radio Equipment Directive (EU RED)
- Added a new compliance regulation
- Added 14 new countermeasures and 13 new weaknesses
Content additions and updates (as of April 1, 2025):
Added JITTs
- Secure Software Design (26)
- Defending iOS (26)
- Defending Swift (26)
Compliance Regulations and Mappings
- Added Web Content Accessibility Guidelines (WCAG) 2.1
- Added EU Data Act
- Added MITRE ATLAS
- Added OWASP Top 10 for LLM Applications 2025
- Added CIS AWS Foundations v4.0.1
- Added CIS Azure Compute Services
- Added ISO 27701
- Added CIS Oracle Cloud Infrastructure
- Added EU Radio Equipment Directive (RED)
- Added 2024 CWE Top 25 Most Dangerous Software Weaknesses
- Added India Digital Personal Data Protection Act (DPDPA) 2023
- Updated ASD-STIG [INFO: Updated the regulation sections].
- Updated PCI-SSS-v1.2.1 [INFO: Updated the regulation sections].
- Updated US AI Regulation [INFO: Updated the regulation sections].
Content Packs
- Added Blockchain
- Added Smart Contract
- Added Containerd
- Added Accessibility
- Added EU Data Act
- Added Low-Code/No-Code
- Added Micronaut
- Added CIS Azure Compute Services
- Added ISO 27701 (2019)
- Added CIS Oracle Cloud Infrastructure
- Added Oracle
- Added EU RED
- Added EN 18031-1
- Added India DPDPA
- Updated EU AI Act [INFO: Updated the created date time].
- Updated CircleCI [INFO: Updated the created date time].
- Updated EU Digital Operational Resilience Act [INFO: Updated the created date time].
- T146: Use encryption for network communications in mobile environments
- TA6250: Enabling Confidentiality on the Air Interface [Updated]
- INFO: Updated the match conditions.
- TA6251: Ensure Confidentiality Protection of S1 Interface [Updated]
- INFO: Updated the match conditions.
- TA6250: Enabling Confidentiality on the Air Interface [Updated]
- T176: Apply principles of privacy when handling personal information
- TA7098: Breach prevention [Added]
- TA7102: Data protection officer [Added]
- TA7103: Independent data auditor [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- T179: Allow access for users to remove their personal information from the system
- TA7100: Data retention and disposal [Added]
- T207: Provide special data protection for children's personal information
- TA7101: Children data protection [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- T313: Identify and classify categories of personal information
- TA7097: Data quality and accuracy [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- T663: Delete root user access keys in AWS (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1923: Ensure no 'root' user account access key exists [Added]
- I1926: Eliminate use of the 'root' user for administrative and daily tasks [Added]
- T664: Enable Multi-Factor Authentication for AWS Console Access (AWS Identity and Access Management) [Updated]
- INFO: Updated the title and text.
- I1929: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password [Added]
- T665: Deactivate unused AWS IAM credentials (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1931: Ensure credentials unused for 45 days or more are disabled [Added]
- T666: Rotate access keys regularly in AWS (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1933: Ensure access keys are rotated every 90 days or less [Added]
- T667: Enforce password complexity with IAM password policies (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1927: Ensure IAM password policy requires minimum length of 14 or greater [Added]
- I1928: Ensure IAM password policy prevents password reuse [Added]
- T671: Enable Multi-Factor Authentication for AWS Root Account (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1924: Ensure MFA is enabled for the 'root' user account [Added]
- T672: Establish security questions for AWS support authentication (AWS Support Portal) [Updated]
- INFO: Updated the title and text.
- I1922: Ensure security questions are registered in the AWS account [Added]
- T673: Add users to IAM groups with attached policies (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1934: Ensure IAM users receive permissions only through groups [Added]
- T676: Ensure contact details are current in AWS accounts (AWS Account Management) [Updated]
- INFO: Updated the title and text.
- I1920: Maintain current contact details [Added]
- T677: Specify contact information for account's security team (AWS Account Management) [Updated]
- INFO: Updated the title and text.
- I1921: Ensure security contact information is registered [Added]
- T678: Create an IAM Role for Incident Management (AWS Support) [Updated]
- INFO: Updated the title and text.
- I1936: Ensure a support role has been created to manage incidents with AWS Support [Added]
- T679: Create IAM User Credentials for Access (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1930: Do not create access keys during initial setup for IAM users with a console password [Added]
- T680: Implement least privilege access with IAM policies (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1935: Ensure IAM policies that allow full "*:*" administrative privileges are not attached [Added]
- T681: Record AWS API calls with AWS CloudTrail (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1950: Ensure CloudTrail is enabled in all regions [Added]
- T684: Enable AWS Config for Configuration Management (AWS Config) [Updated]
- INFO: Updated the title and text.
- I1952: Ensure AWS Config is enabled in all regions [Added]
- T685: Enable server access logging for S3 buckets (AWS S3) [Updated]
- INFO: Updated the title and text.
- I1953: Ensure that server access logging is enabled on the CloudTrail S3 bucket [Added]
- I1957: Ensure that object-level logging for write events is enabled for S3 buckets [Added]
- I1958: Ensure that object-level logging for read events is enabled for S3 buckets [Added]
- T686: Establish metric filters and alarms for API calls in AWS CloudTrail (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1959: Ensure unauthorized API calls are monitored [Added]
- I1960: Ensure management console sign-in without MFA is monitored [Added]
- I1961: Ensure usage of the 'root' account is monitored [Added]
- I1962: Ensure IAM policy changes are monitored [Added]
- I1963: Ensure CloudTrail configuration changes are monitored [Added]
- I1964: Ensure AWS Management Console authentication failures are monitored [Added]
- I1965: Ensure disabling or scheduled deletion of customer created CMKs is monitored [Added]
- I1966: Ensure S3 bucket policy changes are monitored [Added]
- I1967: Ensure AWS Config configuration changes are monitored [Added]
- I1968: Ensure security group changes are monitored [Added]
- I1969: Ensure Network Access Control List (NACL) changes are monitored [Added]
- I1970: Ensure changes to network gateways are monitored [Added]
- I1971: Ensure route table changes are monitored [Added]
- I1972: Ensure VPC changes are monitored [Added]
- I1973: Ensure AWS Organizations changes are monitored [Added]
- I1974: Ensure AWS Security Hub is enabled [Added]
- T688: Restrict Ingress Access to Remote Server Administration Ports (AWS Network Access Control List) [Updated]
- INFO: Updated the title and text.
- I1975: Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I1976: Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I1977: Ensure no security groups allow ingress from ::/0 to remote server administration ports [Added]
- T689: Protect the 'root' user account with hardware MFA (AWS Identity and Access Management) [Updated]
- INFO: Updated the title and text.
- I1925: Ensure hardware MFA is enabled for the 'root' user account [Added]
- T690: Assign IAM Roles to EC2 Instances for AWS Access (AWS EC2) [Updated]
- INFO: Updated the title and text.
- I1937: Ensure IAM instance roles are used for AWS resource access from instances [Added]
- T691: Enable file validation for CloudTrail logs (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1951: Ensure CloudTrail log file validation is enabled [Added]
- T692: Configure AWS CloudTrail to use SSE-KMS for enhanced security (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1954: Ensure CloudTrail logs are encrypted at rest using KMS CMKs [Added]
- T693: Enable CMK key rotation for AWS Key Management Service (AWS KMS) [Updated]
- INFO: Updated the title and text.
- I1955: Ensure rotation for customer-created symmetric CMKs is enabled [Added]
- T694: Capture IP traffic information with VPC Flow Logs (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I1956: Ensure VPC flow logging is enabled in all VPCs [Added]
- T695: Restrict all traffic in the default security group (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I1978: Ensure the default security group of every VPC restricts all traffic [Added]
- T696: Update routing tables for VPC peering connections (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I1979: Ensure routing tables for VPC peering are "least access" [Added]
- T697: Verify that the 'root' user account access keys are deleted (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1986: Verify that no 'root' user account access key exists [Added]
- I1989: Test that the 'root' user is not used for administrative and daily tasks [Added]
- T698: Verify that Multi-Factor Authentication is enabled for all accounts (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1992: Verify that multi-factor authentication is enabled for all IAM users [Added]
- T699: Verify that unused AWS IAM credentials are deactivated (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1994: Verify that unused credentials are disabled after 45 days [Added]
- T700: Verify that access keys are rotated regularly (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1996: Verify that access keys are rotated every 90 days or less [Added]
- T701: Verify that IAM password policies enforce complexity requirements (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1990: Verify that IAM password policy requires minimum length of 14 or greater [Added]
- I1991: Verify that IAM password policy prevents password reuse [Added]
- T705: Verify that Multi-Factor Authentication is enabled for root accounts (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1987: Verify that MFA is enabled for the 'root' user account [Added]
- T706: Verify that security questions are established for account authentication (AWS Support Portal) [Updated]
- INFO: Updated the title and text.
- I1985: Verify that security questions are registered in the AWS account [Added]
- T707: Verify that IAM policies enforce least privilege (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1997: Verify that IAM users receive permissions only through groups [Added]
- I1998: Verify that IAM policies do not allow full administrative privileges [Added]
- T710: Verify that contact details for AWS accounts are current (AWS Account Management) [Updated]
- INFO: Updated the title and text.
- I1983: Verify that the application's contact details are maintained [Added]
- T711: Verify that the account's security team contact information is specified (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1984: Verify that security contact information is registered [Added]
- T712: Verify that IAM Roles are configured for incident management (AWS Support) [Updated]
- INFO: Updated the title and text.
- I1999: Verify that a support role has been created to manage incidents with AWS Support [Added]
- T713: Verify that IAM user access types are configured correctly (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1993: Verify that access keys are not created during initial setup for IAM users with a console password [Added]
- T715: Verify that AWS API calls are logged and monitored (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2013: Verify that CloudTrail is enabled in all regions [Added]
- T718: Verify that AWS Config is enabled in all regions (AWS Config) [Updated]
- INFO: Updated the title and text.
- I2015: Verify that AWS Config is enabled in all regions [Added]
- T719: Verify that server access logging is enabled for S3 buckets (AWS S3) [Updated]
- INFO: Updated the title and text.
- I2016: Verify that server access logging is enabled on the CloudTrail S3 bucket [Added]
- I2020: Verify that object-level logging for write events is enabled for S3 buckets [Added]
- I2021: Verify that object-level logging for read events is enabled for S3 buckets [Added]
- T720: Verify that metric filters and alarms are established for unauthorized API calls (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2022: Verify that unauthorized API calls are monitored [Added]
- I2023: Verify that management console sign-in without MFA is monitored [Added]
- I2024: Verify that the 'root' account usage is monitored [Added]
- I2025: Verify that IAM policy changes are monitored [Added]
- I2026: Verify that CloudTrail configuration changes are monitored [Added]
- I2027: Verify that AWS Management Console authentication failures are monitored [Added]
- I2028: Verify that the scheduled deletion of customer created CMKs is monitored [Added]
- I2029: Verify that S3 bucket policy changes are monitored [Added]
- I2030: Verify that AWS Config configuration changes are monitored [Added]
- I2031: Verify that security group changes are monitored [Added]
- I2032: Verify that Network Access Control List (NACL) changes are monitored [Added]
- I2033: Verify that changes to network gateways are monitored [Added]
- I2034: Verify that route table changes are monitored [Added]
- I2035: Verify that VPC changes are monitored [Added]
- I2036: Verify that AWS Organizations changes are monitored [Added]
- I2037: Verify that AWS Security Hub is enabled [Added]
- T722: Verify that no NACL allows unrestricted ingress access to remote server administration ports (AWS Network Access Control List) [Updated]
- INFO: Updated the title and text.
- I2038: Verify that no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I2039: Verify that security groups do not allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I2040: Verify that security groups do not allow ingress from ::/0 to remote server administration ports [Added]
- T723: Verify that the 'root' user account is protected with MFA (AWS Identity and Access Management) [Updated]
- INFO: Updated the title and text.
- I1988: Verify that hardware MFA is enabled for the 'root' user account [Added]
- T724: Verify that AWS access is properly managed through roles (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I2000: Verify that IAM instance roles are used for AWS resource access from instances [Added]
- T725: Verify that CloudTrail log file validation is enabled (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2014: Verify that CloudTrail log file validation is enabled [Added]
- T726: Verify that CloudTrail logs are configured to use SSE-KMS (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2017: Verify that CloudTrail logs are encrypted at rest using KMS CMKs [Added]
- T727: Verify that key rotation is enabled for symmetric keys (AWS Key Management Service) [Updated]
- INFO: Updated the title and text.
- I2018: Verify that rotation for customer-created symmetric CMKs is enabled [Added]
- T728: Verify that VPC Flow Logs are enabled for packet rejects (AWS VPC Flow Logs) [Updated]
- INFO: Updated the title and text.
- I2019: Verify that VPC flow logging is enabled in all VPCs [Added]
- T729: Verify that the default security group restricts all traffic (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I2041: Verify that the default security group of every VPC restricts all traffic [Added]
- T730: Verify that routing tables are updated for VPC peering connections (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I2042: Verify that VPC peering routing tables enforce least access [Added]
- T766: Encrypt data on Amazon RDS using AES-256 (Amazon RDS) [Updated]
- INFO: Updated the title and text.
- I1946: Ensure that encryption-at-rest is enabled for RDS instances [Added]
- I1947: Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances [Added]
- I1948: Ensure that RDS instances are not publicly accessible [Added]
- I1949: Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS [Added]
- T767: Force encryption at EBS volume creation in Amazon EC2 (AWS Elastic Compute Cloud) [Updated]
- INFO: Updated the title and text.
- I1981: Ensure EBS volume encryption is enabled in all regions [Added]
- T770: Configure S3 bucket policies for secure access (Amazon S3) [Updated]
- INFO: Updated the title and text.
- I1942: Ensure S3 Bucket Policy is set to deny HTTP requests [Added]
- I1943: Ensure MFA Delete is enabled on S3 buckets [Added]
- I1944: Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary [Added]
- I1945: Ensure that S3 is configured with 'Block Public Access' enabled [Added]
- T799: Verify that RDS database instances restrict unauthorized access (Amazon RDS) [Updated]
- INFO: Updated the title and text.
- I2009: Verify that encryption-at-rest is enabled for RDS instances [Added]
- I2010: Verify that the Auto Minor Version Upgrade feature is enabled for RDS instances [Added]
- I2011: Verify that RDS instances are not publicly accessible [Added]
- I2012: Verify that Multi-AZ deployments are used for enhanced availability in Amazon RDS [Added]
- T800: Verify that EBS volumes are encrypted at rest (AWS Elastic Compute Cloud) [Updated]
- INFO: Updated the title and text.
- I2044: Verify that EBS volume encryption is enabled in all regions [Added]
- T803: Verify that Amazon S3 bucket permissions are configured for HTTPS access (AWS S3) [Updated]
- INFO: Updated the title and text.
- I2005: Verify that S3 Bucket Policy is set to deny HTTP requests [Added]
- I2006: Verify that MFA Delete is enabled on S3 buckets [Added]
- I2007: Verify that all data in Amazon S3 has been discovered, classified, and secured when necessary [Added]
- I2008: Verify that S3 is configured with 'Block Public Access' enabled [Added]
- T1891: Perform Privacy Impact Assessment (PIA)
- TA7104: Data protection impact assessments [Added]
- T2128: Notify users and regulators of breaches of personal information
- TA7099: Breach notification [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- T2257: Regularly update and patch containerization systems [Updated]
- INFO: Updated the title and text, and raised the priority from 6 to 10.
- T2444: Secure authentication to and from worker nodes (Containerization)
- I1816: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Unpublished]
- TA6272: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Unpublished]
- T2445: Verify secure authentication to and from worker nodes (Containerization)
- TA6273: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Unpublished]
- T2450: Protect worker nodes with proper flags and arguments (Containerization)
- I1819: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Unpublished]
- I1820: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Unpublished]
- I1821: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Unpublished]
- TA6278: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Unpublished]
- TA6280: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Unpublished]
- TA6282: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Unpublished]
- T2451: Verify that worker nodes are protected with proper flags and arguments (Containerization)
- TA6279: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Unpublished]
- TA6281: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Unpublished]
- TA6283: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Unpublished]
- T2542: Address necessary human-AI configurations and oversight of AI systems
- TA7090: Human operators and businesses liability [Added]
- T4015: Provide comprehensive technical documentation for high-risk AI systems
- TA7092: Documentation and risk assessment processes [Added]
- T4019: Implement transparency with users of high-risk AI systems
- TA7093: Transparency and disclosure of information to consumers [Added]
- T4024: Ensure the responsible and compliant use of high-risk AI systems by deployers
- TA7091: Risk management policies in AI systems [Added]
- T4601: Prioritize static network configuration [Updated]
- INFO: Updated the title and text.
- T4722: Implement decentralized mining pools [Added]
- P2530: Centralized Mining Power (Proof-of-Work Blockchains) [Added]
- T4723: Implement identity verification to mitigate sybil attacks [Added]
- P2531: Lack of Identity Verification (Network Systems) [Added]
- T4724: Implement diverse peer selection [Added]
- P2532: Lack of Diverse Peer Selection (Networked Applications) [Added]
- T4725: Implement post-quantum cryptography [Added]
- P2533: Vulnerability to Quantum Decryption (Cryptographic Systems) [Added]
- T4726: Conduct regular blockchain security awareness training [Added]
- P2534: Human Error Vulnerabilities in Organizational Security (General Workforce) [Added]
- T4727: Implement secure routing protocols [Added]
- P2535: Insecure Routing Protocols (Network Infrastructure) [Added]
- T4728: Implement traffic filtering and rate limiting [Added]
- P2536: Unrestricted Resource Consumption (Web Services) [Added]
- T4729: Use hardware wallets [Added]
- P2537: Insecure Private Key Storage (Cryptocurrency Wallets) [Added]
- T4730: Implement Multi-Factor Authentication (MFA) for blockchain systems [Added]
- P2538: Lack of Multi-Factor Authentication (Blockchain Systems) [Added]
- T4731: Conduct regular blockchain security audits [Added]
- P2539: Lack of Regular Security Audits (General Software Systems) [Added]
- T4732: Adopt OWASP framework for secure coding [Added]
- P2540: Lack of Secure Coding Practices (General Software Development) [Added]
- T4733: Implement effective network segmentation [Added]
- P2541: Lack of Effective Network Segmentation (General Network Security) [Added]
- T4734: Implement continuous monitoring for network activities [Added]
- P2542: Lack of Continuous Monitoring for Network Activities (General Network Security) [Added]
- T4735: Implement Role-Based Access Control (RBAC) in blockchain systems [Added]
- P2543: Lack of Role-Based Access Control (RBAC) in Blockchain Systems [Added]
- T4736: Implement secure access controls in smart contracts [Added]
- P2544: Lack of Secure Access Controls in Smart Contracts (Ethereum-based Smart Contracts) [Added]
- T4737: Use require(), assert(), and revert() for smart contract safeguards [Added]
- P2545: Lack of Internal Safeguards in Smart Contracts (Solidity-based Smart Contracts) [Added]
- T4738: Combine unit testing with property-based testing [Added]
- P2546: Inadequate Testing Framework for Smart Contracts (Smart Contract Platforms) [Added]
- T4739: Commission a smart contract audit [Added]
- P2547: Lack of Independent Security Review in Smart Contracts (Smart Contract Platforms) [Added]
- T4740: Store all code in a version control system [Added]
- P2548: Lack of Version Control System (General Software Development) [Added]
- T4741: Implement contract upgrade mechanisms [Added]
- P2549: Lack of Contract Upgrade Mechanisms (Smart Contracts) [Added]
- T4742: Implement a timelock for smart contract governance actions [Added]
- P2550: Immediate Execution of Governance Actions (Smart Contract Systems) [Added]
- T4743: Reuse existing libraries for smart contracts [Added]
- P2551: Custom Implementation of Smart Contract Logic (Smart Contracts) [Added]
- T4744: Implement checks-effects-interactions pattern [Added]
- P2552: Reentrancy Vulnerability (Smart Contracts) [Added]
- T4745: Use a decentralized oracle network [Added]
- P2553: Oracle Manipulation Vulnerability (Blockchain-based Applications) [Added]
- T4746: Ensure container images are secure [Added]
- P2554: Use of unverified container images [Added]
- T4747: Limit container privileges [Added]
- P2555: Excessive container privileges [Added]
- T4748: Implement Role-Based Access Control (RBAC) for container orchestration [Added]
- P2556: Lack of Role-Based Access Control (RBAC) in container orchestration environments [Added]
- T4749: Monitor containers in real-time [Added]
- P2557: Lack of real-time monitoring in containerized environments [Added]
- T4750: Isolate container networks [Added]
- P2558: Lack of network isolation in containerized environments [Added]
- T4751: Reduce the attack surface of container images [Added]
- P2559: Excessive attack surface in container images [Added]
- T4752: Implement authentication and logging for Containerd registry access [Added]
- P2560: Lack of authentication and logging for Containerd registry access (Containerd) [Added]
- T4753: Implement image scanning for vulnerabilities in Containerd [Added]
- P2561: Lack of image scanning for vulnerabilities (Containerd) [Added]
- T4754: Implement user namespaces in Containerd [Added]
- P2562: Lack of user namespace isolation (Containerd) [Added]
- T4755: Regularly update and patch Containerd [Added]
- P2563: Outdated software vulnerabilities (Containerd) [Added]
- T4756: Implement secure image management in Containerd [Added]
- P2564: Insecure image management in Containerd [Added]
- T4757: Implement Role-Based Access Control (RBAC) for Containerd [Added]
- P2566: Lack of Role-Based Access Control (RBAC) in Containerd [Added]
- T4758: Implement real-time monitoring for Containerd [Added]
- P2567: Lack of real-time monitoring in Containerd (Containerd) [Added]
- T4759: Implement network namespaces for container isolation [Added]
- P2568: Lack of network namespace isolation (Containerd) [Added]
- T4760: Remove unnecessary software, libraries, and services from Containerd images [Added]
- P2569: Excessive software, libraries, and services in Containerd images (Containerd) [Added]
- T4761: Provide descriptive alternative text for images (accessibility) [Added]
- P2570: Lack of Descriptive Alternative Text for Images (Web Applications) [Added]
- T4762: Provide descriptive text transcripts for non-live web-based audio (accessibility) [Added]
- P2571: Lack of Descriptive Text Transcripts for Non-Live Web-Based Audio (Web Applications) [Added]
- T4763: Ensure logical and intuitive reading and navigation order (accessibility) [Added]
- P2572: Inconsistent Reading and Navigation Order (Web Applications) [Added]
- T4764: Ensure sufficient contrast ratio for text and images of text (accessibility) [Added]
- P2573: Insufficient Contrast Ratio for Text and Images of Text (Web Applications) [Added]
- T4765: Implement keyboard accessibility features (accessibility) [Added]
- P2574: Keyboard Navigation Weakness (Web Applications) [Added]
- T4766: Allow users to control time limits and interruptions (accessibility) [Added]
- P2575: Lack of User Control Over Time Limits and Interruptions (Generic Web Applications) [Added]
- T4767: Disable motion animation triggered by interaction (accessibility) [Added]
- P2576: Uncontrolled Motion Animation Triggered by Interaction (Affected Software) [Added]
- T4768: Provide descriptive and informative page titles (accessibility) [Added]
- P2577: Lack of Descriptive and Informative Page Titles (Web Applications) [Added]
- T4769: Ensure single pointer operation for gestures (accessibility) [Added]
- P2578: Inadequate Single Pointer Operation for Gestures (Affected Software) [Added]
- T4770: Use the HTML lang attribute to identify the language of the page (accessibility) [Added]
- P2579: Lack of HTML lang Attribute (Web Applications) [Added]
- T4771: Provide user control over substantial page changes (accessibility) [Added]
- P2580: Lack of User Control Over Substantial Page Changes (Web Applications) [Added]
- T4772: Provide clear form validation and error handling (accessibility) [Added]
- P2581: Lack of Clear Form Validation and Error Handling (Web Applications) [Added]
- T4773: Use accessible markup for status messages (accessibility) [Added]
- P2582: Inaccessible Status Messages (Web Applications) [Added]
- T4794: Determine if the EU Data Act applies to your application (EU DA) [Added]
- P2608: Lack of identifying the compliance requirements applicable to your products and services (EU DA) [Added]
- T4795: Ensure transparency and user control over the data with connected products and services (EU DA) [Added]
- P2609: Lack of transparency and user control over data access and usage (EU DA) [Added]
- T4796: Ensure user data access rights and protection (EU DA) [Added]
- P2610: Inadequate user control, protection, and transparency in data handling by primary data holders and third parties (EU DA) [Added]
- T4797: Adhere to data sharing protocol when making data available (EU DA) [Added]
- P2611: Unfair and incompliant data sharing practices (EU DA) [Added]
- T4798: Make data available in case of exceptional need to use data (EU DA) [Added]
- P2612: Failure to provide timely data access to public sector bodies in specific situations (EU DA) [Added]
- T4799: Facilitate efficient data processing service switching (EU DA) [Added]
- P2613: Failure to provide customer autonomy and flexibility within data processing services (EU DA) [Added]
- T4800: Prevent unauthorized international data access (EU DA) [Added]
- P2614: Mishandling international data transfer requests (EU DA) [Added]
- T4801: Implement interoperability requirements (EU DA) [Added]
- P2615: Lack of standardized data interoperability and efficient data exchange mechanisms across diverse platforms and services (EU DA) [Added]
- T4802: Ensure compliance with essential smart contract requirements (EU DA) [Added]
- P2616: Lack of adherence to standards of security, reliability, and legality for smart contracts used in data sharing (EU DA) [Added]
- T4803: Monitor and respond to unauthorized data use (EU DA) [Added]
- P2617: Lack of proper response to unauthorized data use (EU DA) [Added]
- T4828: Deploy ensemble model defense against adversarial attacks [Added]
- T4829: Implement preprocessing defense against adversarial perturbations [Added]
- T4830: Ensure aligned training of generative AI models [Added]
- T4831: Test robustness of ensemble models against adversarial inputs [Added]
- T4832: Test effectiveness of preprocessing against adversarial perturbations [Added]
- T4833: Test fine-tuning alignment of generative AI models [Added]
- T4834: Implement protection against system prompt leakage [Added]
- T4835: Implement defenses against vector and embedding weaknesses [Added]
- P2620: Vector and embedding vulnerabilities in Large Language Models [Added]
- T4836: Implement verification and fact-checking to mitigate misinformation [Added]
- T4837: Test effectiveness of protections against system prompt leakage [Added]
- T4838: Test effectiveness of defenses against vector and embedding weaknesses [Added]
- P2620: Vector and embedding vulnerabilities in Large Language Models [Added]
- T4839: Test effectiveness of misinformation mitigation [Added]
- T5230: Additional ASD-STIG requirements for T71 [Added]
- TA7087: ASD-STIG requirements [Added]
- T5232: Additional ASD-STIG requirements for T45 [Added]
- TA7088: ASD-STIG requirements [Added]
- T5233: Additional ASD-STIG requirements for T437 [Added]
- TA7089: ASD-STIG requirements [Added]
- T5500: Adhere to the principle of least privilege (low-code/no-code) [Added]
- P3344: Excessive Privilege Assignment in Low-Code/No-Code Applications [Added]
- T5501: Disable or monitor the use of implicitly shared connections (low-code/no-code) [Added]
- P3345: Implicitly Shared Connections in Low-Code/No-Code Platforms [Added]
- T5502: Limit connectors to an approved services list (low-code/no-code) [Added]
- P3346: Unrestricted Connector Usage in Low-Code/No-Code Platforms [Added]
- T5503: Limit connection creation to dedicated personnel (low-code/no-code) [Added]
- P3347: Insecure Connection Management (Low-Code/No-Code Applications) [Added]
- T5504: Implement a change management system for tenant-level configuration (low-code/no-code) [Added]
- P3348: Lack of Change Management System for Tenant-Level Configuration (Low-Code/No-Code Platforms) [Added]
- T5505: Sanitize user input (low-code/no-code) [Added]
- P3349: Improper Input Handling in Low-Code/No-Code Applications [Added]
- T5506: Continuously inventory and scan application components (low-code/no-code) [Added]
- P3350: Use of Deprecated or Vulnerable Components (Low-Code/No-Code Development Platforms) [Added]
- T5507: Educate business users on the compliance, privacy, and security risks related to data storage (low-code/no-code) [Added]
- P3351: Lack of User Awareness on Data Compliance and Security Risks (Low-Code/No-Code Applications) [Added]
- T5508: Maintain a comprehensive inventory of applications (low-code/no-code) [Added]
- P3352: Unmanaged or Abandoned Applications (Low-Code/No-Code Applications) [Added]
- T5509: Leverage platform built-in capabilities to collect user access and platform audit logs (low-code/no-code) [Added]
- P3353: Inadequate Logging and Audit Trails (Low-Code/No-Code Platforms) [Added]
- T5510: Configure and enable SSL with secure cryptography algorithms [Added]
- P3354: Lack of Secure Data Transmission (Micronaut) [Added]
- T5511: Configure management endpoints on a separate port [Added]
- P3355: Insecure Exposure of Management Endpoints (Micronaut) [Added]
- T5512: Limit scope of URL access rules [Added]
- P3356: Excessive Resource Exposure via URL Access Rules (Micronaut) [Added]
- T5513: Implement role-based access control in Micronaut [Added]
- P3357: Lack of Role-Based Access Control (Micronaut) [Added]
- T5514: Verify that access keys are securely managed (AWS IAM) [Added]
- P3358: Insecure Access Key Management (AWS IAM) [Added]
- I1995: Verify that there is only one active access key for any single IAM user [Added]
- T5515: Verify that HTTPS connections are enabled (AWS IAM) [Added]
- P3359: Lack of HTTPS Encryption (Applications Hosted on AWS) [Added]
- I2001: Verify that expired SSL/TLS certificates are removed from AWS IAM [Added]
- T5516: Verify the IAM Access Analyzer for IAM policies (AWS IAM) [Added]
- P3360: Excessive Resource Exposure through IAM Policies (AWS IAM) [Added]
- I2002: Verify that IAM Access Analyzer is enabled for all regions [Added]
- T5517: Verify user access management in multi-account environments (AWS IAM) [Added]
- P3361: Decentralized IAM User Management (AWS IAM) [Added]
- I2003: Verify that IAM users are managed centrally via identity federation or AWS Organizations [Added]
- T5518: Verify that file transfer capabilities in CloudShell are secured (AWS CloudShell) [Added]
- P3362: Excessive Permissions in AWS CloudShell (AWS CloudShell) [Added]
- I2004: Verify that access to AWSCloudShellFullAccess is restricted [Added]
- T5519: Verify the configuration of the Metadata Service on AWS EC2 instances (AWS EC2) [Added]
- P3363: Unauthorized Access to Instance Metadata (AWS EC2) [Added]
- I2043: Verify that the EC2 Metadata Service only allows IMDSv2 [Added]
- T5520: Verify that CIFS access is restricted to trusted networks (AWS Storage Gateway) [Added]
- P3364: Unrestricted CIFS Access (AWS EC2) [Added]
- I2045: Verify that CIFS access is restricted to trusted networks [Added]
- T5521: Manage access keys securely in AWS IAM (AWS IAM) [Added]
- P3358: Insecure Access Key Management (AWS IAM) [Added]
- I1932: Ensure there is only one active access key for any single IAM user [Added]
- T5522: Enable HTTPS connections (AWS IAM) [Added]
- P3359: Lack of HTTPS Encryption (Applications Hosted on AWS) [Added]
- I1938: Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed [Added]
- T5523: Enable IAM Access Analyzer for IAM policies (AWS IAM) [Added]
- P3360: Excessive Resource Exposure through IAM Policies (AWS IAM) [Added]
- I1939: Ensure that IAM Access Analyzer is enabled for all regions [Added]
- T5524: Manage access to AWS CloudShell with IAM policies (AWS CloudShell) [Added]
- P3362: Excessive Permissions in AWS CloudShell (AWS CloudShell) [Added]
- I1941: Ensure access to AWSCloudShellFullAccess is restricted [Added]
- T5525: Choose Instance Metadata Service Version 2 for AWS EC2 (AWS EC2) [Added]
- P3363: Unauthorized Access to Instance Metadata (AWS EC2) [Added]
- I1980: Ensure that the EC2 Metadata Service only allows IMDSv2 [Added]
- T5526: Restrict CIFS access to trusted networks using AWS Security Groups (AWS EC2) [Added]
- P3364: Unrestricted CIFS Access (AWS EC2) [Added]
- I1982: Ensure CIFS access is restricted to trusted networks to prevent unauthorized access [Added]
- T5527: Centralize IAM User Management (AWS IAM) [Added]
- P3361: Decentralized IAM User Management (AWS IAM) [Added]
- I1940: Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments [Added]
- T5528: Verify secure communication settings in Azure App Service (Azure App Service) [Added]
- P3365: Lack of Enforced secure communication (Azure App Service) [Added]
- T5529: Verify authentication and client certificate validation (Azure App Service) [Added]
- P3366: Lack of authentication and client certificate validation (Azure App Service) [Added]
- T5530: Verify elimination of app secrets using Managed Service Identity (Azure App Service) [Added]
- P3367: Hardcoded Credentials in Application Code (Azure App Service) [Added]
- T5531: Verify that web apps use supported versions (Azure App Service) [Added]
- P3368: Use of deprecated language versions in web applications (Azure App Service) [Added]
- T5532: Verify secure storage of sensitive information in Azure Key Vault (Azure App Service) [Added]
- P3369: Insecure storage of sensitive information (Azure App Service) [Added]
- T5533: Verify Network Security Group configuration for Azure Virtual Networks (Azure Container Instances) [Added]
- P3370: Improper Network Traffic Control (Azure Container Instances) [Added]
- T5534: Verify Managed Identity usage for Container Instances (Azure Container Instances) [Added]
- P3371: Lack of Managed Identity for Container Instances (Azure Container Instances) [Added]
- T5535: Verify encryption of data in transit with SSL (Azure CycleCloud) [Added]
- P3372: Unencrypted Data Transmission (Azure CycleCloud) [Added]
- T5536: Verify secure remote access to Azure Virtual Machines (Azure Virtual Machines) [Added]
- P3373: Exposed Remote Access Protocol Ports (Azure Virtual Machines) [Added]
- T5537: Verify migration of blob-based VHDs to Managed Disks on Virtual Machines (Azure Virtual Machines) [Added]
- P3374: Insecure Storage Configuration (Azure Virtual Machines) [Added]
- T5538: Verify encryption of OS, data, and unattached disks with CMK (Azure Virtual Machines) [Added]
- P3375: Lack of Disk Encryption with Customer Managed Keys (Azure Virtual Machines) [Added]
- T5539: Enforce secure communication (Azure App Service) [Added]
- P3365: Lack of Enforced secure communication (Azure App Service) [Added]
- T5540: Enforce authentication and client certificate validation (Azure App Service) [Added]
- P3366: Lack of authentication and client certificate validation (Azure App Service) [Added]
- T5541: Eliminate app secrets using Managed Service Identity (Azure App Service) [Added]
- P3367: Hardcoded Credentials in Application Code (Azure App Service) [Added]
- T5542: Ensure web apps run on supported language versions (Azure App Service) [Added]
- P3368: Use of deprecated language versions in web applications (Azure App Service) [Added]
- T5543: Store sensitive information securely in Azure Key Vault (Azure App Service) [Added]
- P3369: Insecure storage of sensitive information (Azure App Service) [Added]
- T5544: Configure Network Security Groups for Azure Virtual Networks (Azure Container Instances) [Added]
- P3370: Improper Network Traffic Control (Azure Container Instances) [Added]
- T5545: Use Managed Identity for Container Instances (Azure Container Instances) [Added]
- P3371: Lack of Managed Identity for Container Instances (Azure Container Instances) [Added]
- T5546: Ensure data in transit is encrypted with SSL (Azure CycleCloud) [Added]
- P3372: Unencrypted Data Transmission (Azure CycleCloud) [Added]
- T5547: Secure remote access to Azure Virtual Machines (Azure Virtual Machines) [Added]
- P3373: Exposed Remote Access Protocol Ports (Azure Virtual Machines) [Added]
- T5548: Use Managed Disks for Virtual Machines and enforce secure VM configurations (Azure Virtual Machines) [Added]
- P3374: Insecure Storage Configuration (Azure Virtual Machines) [Added]
- T5549: Encrypt OS, data, and unattached disks with Customer Managed Keys in VMs (Azure Virtual Machines) [Added]
- P3375: Lack of Disk Encryption with Customer Managed Keys (Azure Virtual Machines) [Added]
- T5574: Ensure compliance of marketing and advertising (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5575: Evaluate compliance of processing instructions (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5576: Ensure customer compliance demonstration (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5577: Fulfill obligations to Personally Identifiable Information principals (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5578: Secure lifecycle management of Personally Identifiable Information (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5579: Notify customers of Personally Identifiable Information disclosure requests (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5580: Evaluate legally binding Personally Identifiable Information disclosure requests (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5581: Ensure transparency and compliance in subcontractor engagement for Personally Identifiable Information processing (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
- INFO: Updated the match conditions.
- P257: Privacy Violation [Updated]
- T5582: Strengthen access control and authentication for OCI users and resources (Oracle Cloud Infrastructure) [Added]
- P3376: Insecure Identity and Access Management (IAM) Practices (Oracle Cloud Infrastructure) [Added]
- I2052: Ensure MFA is enabled for all users with a console password [Added]
- I2056: Ensure user IAM Database Passwords rotate within 90 days [Added]
- I2058: Ensure all OCI IAM user accounts have a valid and current email address [Added]
- I2059: Ensure Instance Principal authentication is used for OCI instances, OCI Cloud Databases and OCI Functions to access OCI resources [Added]
- T5583: Enforce robust IAM password policies (Oracle Cloud Infrastructure) [Added]
- P3377: Weak password policies (Oracle Cloud Infrastructure) [Added]
- I2049: Ensure IAM password policy requires minimum length of 14 or greater [Added]
- I2050: Ensure IAM password policy expires passwords within 365 days [Added]
- I2051: Ensure IAM password policy prevents password reuse [Added]
- T5584: Enhance API and Authentication Key Management (Oracle Cloud Infrastructure) [Added]
- P3378: Excessive or uncontrolled privileges (Oracle Cloud Infrastructure) [Added]
- I2053: Ensure user API keys rotate within 90 days [Added]
- I2054: Ensure user customer secret keys rotate every 90 days [Added]
- I2055: Ensure user auth tokens rotate within 90 days or less [Added]
- I2057: Ensure API keys are not created for tenancy administrator users [Added]
- T5585: Restrict and manage administrative access to services and resources (Oracle Cloud Infrastructure) [Added]
- P3379: Excessive privileges in cloud resource management (Oracle Cloud Infrastructure) [Added]
- I2046: Ensure service level admins are created to manage resources of particular service [Added]
- I2047: Ensure permissions on all resources are given only to the tenancy administrator group [Added]
- I2048: Ensure IAM administrators cannot update tenancy Administrators group [Added]
- I2060: Ensure storage service-level admins cannot delete resources they manage [Added]
- T5586: Restrict ingress access to SSH and RDP ports in security lists and network security groups (Oracle Cloud Infrastructure) [Added]
- P3380: Unrestricted ingress access to critical ports (Oracle Cloud Infrastructure) [Added]
- I2061: Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2062: Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2063: Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2064: Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2065: Ensure the default security list of every VCN restricts all traffic except ICMP [Added]
- T5587: Restrict network access to Oracle Cloud services using ingress filtering and Virtual Cloud Networks (Oracle Cloud Infrastructure) [Added]
- P3381: Unrestricted Network Access to Oracle Cloud Services (Oracle Cloud Infrastructure) [Added]
- I2066: Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources [Added]
- I2067: Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network [Added]
- I2068: Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network [Added]
- T5588: Enhance Compute Instance security by adopting IMDSv2 and enabling Secure Boot on Shielded Instances (Oracle Compute Instance) [Added]
- P3382: Use of legacy MetaData Service Endpoints (Oracle Compute Instance) [Added]
- I2069: Ensure Compute Instance Legacy Metadata service endpoint is disabled [Added]
- I2070: Ensure Secure Boot is enabled on Compute Instance [Added]
- T5589: Enable in-transit encryption for Oracle Cloud services (Oracle Compute Instance) [Added]
- P3383: Unencrypted data transmission Between Virtual Machines and Block Volumes (Oracle Compute Instance) [Added]
- I2071: Ensure In-transit Encryption is enabled on Compute Instance [Added]
- T5590: Enhance visibility and resource governance using default tags, Event Rules, and Notifications (Oracle Cloud Infrastructure) [Added]
- P3384: Lack of governance and visibility over cloud resource changes (Oracle Cloud Infrastructure) [Added]
- I2072: Ensure default tags are used on resources [Added]
- I2073: Create at least one notification topic and subscription to receive monitoring alerts [Added]
- I2074: Ensure a notification is configured for Identity Provider changes [Added]
- I2075: Ensure a notification is configured for IdP group mapping changes [Added]
- I2076: Ensure a notification is configured for IAM group changes [Added]
- I2077: Ensure a notification is configured for IAM policy changes [Added]
- I2078: Ensure a notification is configured for user changes [Added]
- I2079: Ensure a notification is configured for VCN changes [Added]
- I2080: Ensure a notification is configured for changes to route tables [Added]
- I2081: Ensure a notification is configured for security list changes [Added]
- I2082: Ensure a notification is configured for network security group changes [Added]
- I2083: Ensure a notification is configured for changes to network gateways [Added]
- I2086: Ensure a notification is configured for Oracle Cloud Guard problems detected [Added]
- T5591: Enhance visibility into network traffic with VCN flow logs (Oracle Cloud Infrastructure) [Added]
- P3385: Lack of network traffic visibility (Oracle Cloud Infrastructure) [Added]
- I2084: Ensure VCN flow logging is enabled for all subnets [Added]
- T5592: Enable Cloud Guard for security monitoring (Oracle Cloud Infrastructure) [Added]
- P3386: Misconfigured resources and insecure Activities (Oracle Cloud Infrastructure) [Added]
- I2085: Ensure Cloud Guard is enabled in the root compartment of the tenancy [Added]
- T5593: Rotate encryption keys using Oracle Cloud Infrastructure Vault (Oracle Cloud Infrastructure) [Added]
- P3387: Inadequate key management practices (Oracle Cloud Infrastructure) [Added]
- I2087: Ensure customer created Customer Managed Key (CMK) is rotated at least annually [Added]
- T5594: Enable and enforce Object Storage write-level logging for all buckets (Oracle Cloud Infrastructure) [Added]
- P3388: Lack of visibility into Object Storage modifications and access (Oracle Cloud Infrastructure) [Added]
- I2088: Ensure write level Object Storage logging is enabled for all buckets [Added]
- T5595: Enhance Object Storage security by enabling Customer Managed Key (CMK) encryption and versioning (Oracle Object Storage) [Added]
- P3389: Inadequate encryption control and lack of data recoverability (Oracle Object Storage) [Added]
- I2090: Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK) [Added]
- I2091: Ensure Versioning is Enabled for Object Storage Buckets [Added]
- T5596: Enforce Customer Managed Key (CMK) encryption for block and boot volumes (Oracle Block Volume) [Added]
- P3390: Insufficient control over encryption keys for Block and Boot Volumes (Block Volume) [Added]
- I2092: Ensure Block Volumes are encrypted with Customer Managed Keys (CMK) [Added]
- I2093: Ensure boot volumes are encrypted with Customer Managed Key (CMK) [Added]
- T5597: Enforce Customer Managed Key (CMK) encryption for File Storage Systems (FSS) (Oracle File Storage) [Added]
- P3391: Lack of customer-controlled encryption for File Storage Systems (Oracle File Storage) [Added]
- I2094: Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK) [Added]
- T5598: Enforce compartmentalization by creating and using compartments for cloud resources (Oracle Cloud Infrastructure) [Added]
- P3392: Lack of compartmentalization in Oracle Cloud Infrastructure (Oracle Cloud Infrastructure) [Added]
- I2095: Create at least one compartment in your tenancy to store cloud resources [Added]
- I2096: Ensure no resources are created in the root compartment [Added]
- T5599: Restrict public access to Object Storage buckets (Oracle Object Storage) [Added]
- P3393: Publicly accessible object Storage Buckets (Oracle Object Storage) [Added]
- I2089: Ensure no Object Storage buckets are publicly visible [Added]
- T5600: Verify Access and Authentication settings for OCI Security (Oracle Cloud Infrastructure) [Added]
- P3376: Insecure Identity and Access Management (IAM) Practices (Oracle Cloud Infrastructure) [Added]
- I2103: Verify that MFA is enabled for all users with a console password [Added]
- I2107: Verify that user IAM Database Passwords rotate within 90 days [Added]
- I2109: Verify that all OCI IAM user accounts have a valid and current email address [Added]
- I2110: Verify that Instance Principal authentication is used for OCI resources [Added]
- T5601: Verify that the password policies enforce complexity requirements (Oracle Cloud Infrastructure) [Added]
- P3377: Weak password policies (Oracle Cloud Infrastructure) [Added]
- I2100: Verify that IAM password policy requires minimum length of 14 or greater [Added]
- I2101: Test that IAM password policy expires passwords within 365 days [Added]
- I2102: Verify that IAM password policy prevents password reuse [Added]
- T5602: Validate Access Controls and Key Management for accessing OCI APIs (Oracle Cloud Infrastructure) [Added]
- P3378: Excessive or uncontrolled privileges (Oracle Cloud Infrastructure) [Added]
- I2104: Verify that user API keys rotate within 90 days [Added]
- I2105: Verify that user customer secret keys rotate every 90 days [Added]
- I2106: Verify that user auth tokens rotate within 90 days or less [Added]
- I2108: Verify that API keys are not created for tenancy administrator users [Added]
- T5603: Verify Least Privilege Enforcement for Service and Tenancy Administrators (Oracle Cloud Infrastructure) [Added]
- P3379: Excessive privileges in cloud resource management (Oracle Cloud Infrastructure) [Added]
- I2097: Test that service level admins are created to manage resources of particular service [Added]
- I2098: Verify that permissions on all resources are given only to the tenancy administrator group [Added]
- I2099: Verify that IAM administrators cannot update tenancy Administrators group [Added]
- I2111: Verify that storage service-level admins cannot delete resources they manage [Added]
- T5604: Verify ingress access to SSH and RDP ports are restricted in security lists and network security groups (Oracle Cloud Infrastructure) [Added]
- P3380: Unrestricted ingress access to critical ports (Oracle Cloud Infrastructure) [Added]
- I2112: Verify that no security lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2113: Verify that security lists do not allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2114: Verify that no network security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2115: Verify that no network security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2116: Verify that the default security list of every VCN restricts all traffic except ICMP [Added]
- T5605: Verify network access restrictions using ingress filtering and Virtual Cloud Networks (Oracle Cloud Infrastructure) [Added]
- P3381: Unrestricted Network Access to Oracle Cloud Services (Oracle Cloud Infrastructure) [Added]
- I2117: Test that Oracle Integration Cloud access is restricted to allowed sources [Added]
- I2118: Verify that Oracle Analytics Cloud access is restricted to allowed sources [Added]
- I2119: Verify that Oracle Autonomous Shared Databases access is restricted [Added]
- T5606: Verify Compute Instance security by adopting IMDSv2 and enabling Secure Boot on Shielded Instances (Oracle Compute Instance) [Added]
- P3382: Use of legacy MetaData Service Endpoints (Oracle Compute Instance) [Added]
- I2120: Verify that the Compute Instance Legacy Metadata service endpoint is disabled [Added]
- I2121: Verify that Secure Boot is enabled on Oracle Cloud services [Added]
- T5607: Verify the in-transit encryption for Block Volume service is enabled (Oracle Compute Instance) [Added]
- P3383: Unencrypted data transmission Between Virtual Machines and Block Volumes (Oracle Compute Instance) [Added]
- I2122: Verify that In-transit Encryption is enabled on Oracle Cloud services [Added]
- T5608: Verify enforcement of default tags, Event Rules, and Notifications in Oracle Cloud Infrastructure (Oracle Cloud Infrastructure) [Added]
- P3384: Lack of governance and visibility over cloud resource changes (Oracle Cloud Infrastructure) [Added]
- I2123: Verify that default tags are used on resources [Added]
- I2124: Test that at least one notification topic and subscription is created for monitoring alerts [Added]
- I2125: Test that a notification is configured for Identity Provider changes [Added]
- I2126: Verify that a notification is configured for IdP group mapping changes [Added]
- I2127: Test that a notification is configured for IAM group changes [Added]
- I2128: Test that a notification is configured for IAM policy changes [Added]
- I2129: Test that a notification is configured for user changes [Added]
- I2130: Test that a notification is configured for VCN changes [Added]
- I2131: Test that a notification is configured for changes to route tables [Added]
- I2132: Test that a notification is configured for security list changes [Added]
- I2133: Test that a notification is configured for network security group changes [Added]
- I2134: Verify that a notification is configured for changes to network gateways [Added]
- I2137: Test that a notification is configured for Oracle Cloud Guard problems detected [Added]
- T5609: Verify the VCN flow logging is enabled (Oracle Cloud Infrastructure) [Added]
- P3385: Lack of network traffic visibility (Oracle Cloud Infrastructure) [Added]
- I2135: Test that VCN flow logging is enabled for all subnets [Added]
- T5610: Verify that Cloud Guard is enabled (Oracle Cloud Infrastructure) [Added]
- P3386: Misconfigured resources and insecure Activities (Oracle Cloud Infrastructure) [Added]
- I2136: Verify that Cloud Guard is enabled in the root compartment of the tenancy [Added]
- T5611: Verify the security of encryption keys in use (Oracle Cloud Infrastructure) [Added]
- P3387: Inadequate key management practices (Oracle Cloud Infrastructure) [Added]
- I2138: Verify that the Customer Managed Key is rotated at least annually [Added]
- T5612: Verify write-level logging is enabled and enforced for all Object Storage buckets (Oracle Cloud Infrastructure) [Added]
- P3388: Lack of visibility into Object Storage modifications and access (Oracle Cloud Infrastructure) [Added]
- I2139: Verify that write level Object Storage logging is enabled for all buckets [Added]
- T5613: Verify CMK encryption and versioning are enabled for Object Storage buckets (Oracle Object Storage) [Added]
- P3389: Inadequate encryption control and lack of data recoverability (Oracle Object Storage) [Added]
- I2141: Verify that Object Storage Buckets are encrypted with a Customer Managed Key (CMK) [Added]
- I2142: Verify that Versioning is Enabled for Oracle Cloud Object Storage Buckets [Added]
- T5614: Verify CMK encryption is enforced for block and boot volumes (Oracle Block Volume) [Added]
- P3390: Insufficient control over encryption keys for Block and Boot Volumes (Block Volume) [Added]
- I2143: Verify that Block Volumes are encrypted with Customer Managed Keys (CMK) [Added]
- I2144: Verify that boot volumes are encrypted with Customer Managed Key (CMK) [Added]
- T5615: Verify CMK encryption is enforced for File Storage Systems (FSS) (Oracle File Storage) [Added]
- P3391: Lack of customer-controlled encryption for File Storage Systems (Oracle File Storage) [Added]
- I2145: Verify that File Storage Systems are encrypted with Customer Managed Keys (CMK) [Added]
- T5616: Verify compartments are used for all cloud resources and the root compartment remains empty (Oracle Cloud Infrastructure) [Added]
- P3392: Lack of compartmentalization in Oracle Cloud Infrastructure (Oracle Cloud Infrastructure) [Added]
- I2146: Test that at least one compartment is created in your tenancy to store cloud resources [Added]
- I2147: Verify that no resources are created in the root compartment [Added]
- T5617: Verify Object Storage buckets are not publicly accessible (Oracle Object Storage) [Added]
- P3393: Publicly accessible object Storage Buckets (Oracle Object Storage) [Added]
- I2140: Verify that no Object Storage buckets are publicly visible [Added]
- T5618: Align product scope with the RED (EU RED) [Added]
- P3394: Misinterpretation of Compliance Scope (EU RED) [Added]
- T5619: Identify and address essential requirements (EU RED) [Added]
- P3395: Inadequate Risk Assessment for Radio Equipment (EU RED) [Added]
- T5620: Implement procedures for managing changes (EU RED) [Added]
- P3396: Lack of Formal Change Management Process (EU RED) [Added]
- T5621: Perform a comprehensive risk assessment (EU RED) [Added]
- P3395: Inadequate Risk Assessment for Radio Equipment (EU RED) [Added]
- T5622: Choose the appropriate conformity assessment procedure (EU RED) [Added]
- P3401: Inadequate Conformity Assessment (EU RED) [Added]
- T5623: Compile the complete technical documentation for conformity assessment (EU RED) [Added]
- P3397: Lack of Comprehensive Documentation (EU RED) [Added]
- T5624: Address software security and integrity (EU RED) [Added]
- P3398: Unauthorized Software Loading and Modification (EU RED) [Added]
- T5625: Establish a compliant manufacturing process (EU RED) [Added]
- P3399: Non-compliance with Approved Design Specifications (EU RED) [Added]
- T5626: Implement a process for ongoing monitoring or vigilance (EU RED) [Added]
- P3400: Lack of System for Monitoring Radio Equipment (EU RED) [Added]
- T5627: Provide instructions for safe use (EU RED) [Added]
- P3402: Insufficient User Guidance in Radio Equipment Software (EU RED) [Added]
- T5628: Mandate USB-C as the common charger for specified devices (EU RED) [Added]
- P3403: Improper USB-C Compliance Handling (EU RED) [Added]
- T5629: Provide device identification and enforce traceability (EU RED) [Added]
- P3404: Insufficient Device Identification and Traceability (EU RED) [Added]
- T5630: Prepare the EU Declaration of Conformity (DoC) (EU RED) [Added]
- P3405: Inappropriate Handling of EU Declaration of Conformity (EU RED) [Added]
- T5631: Operate an approved quality system (EU RED) [Added]
- P3406: Insufficient Quality System Conformity Management (EU RED) [Added]
- T5632: Use Short-Lived Access Tokens (iOS) [Added]
- P3407: Insecure token lifecycle management (iOS) [Added]
- T5633: Implement best practices for Biometric authentication (iOS) [Added]
- P3408: Improper implementation of biometric authentication (iOS) [Added]
- T5634: Securely integrate iCloud storage into iOS applications (iOS) [Added]
- P3409: Insecure iCloud storage handling (iOS) [Added]
- T5635: Follow best practices for handling CloudKit Storage (iOS) [Added]
- P3410: Improper CloudKit data handling and access control (iOS) [Added]
- T5636: Implement secure and privacy-compliant handling of app permissions (iOS) [Added]
- P3411: Insecure permission handling and data access (iOS) [Added]
- T5637: Implement best practices for handling location data (iOS) [Added]
- P3412: Improper handling of location data (iOS) [Added]
- T5638: Verify implementation of secure short-lived token handling in an iOS app (iOS) [Added]
- P3407: Insecure token lifecycle management (iOS) [Added]
- T5639: Verify secure and user-friendly implementation of biometric authentication (iOS) [Added]
- P3408: Improper implementation of biometric authentication (iOS) [Added]
- T5640: Verify secure handling of iCloud Storage (iOS) [Added]
- P3409: Insecure iCloud storage handling (iOS) [Added]
- T5641: Verify secure implementation of CloudKit storage in the iOS application (iOS) [Added]
- P3410: Improper CloudKit data handling and access control (iOS) [Added]
- T5642: Verify secure and privacy-compliant handling of app permissions (iOS) [Added]
- P3411: Insecure permission handling and data access (iOS) [Added]
- T5643: Verify secure handling of location data (iOS) [Added]
- P3412: Improper handling of location data (iOS) [Added]
- T5644: Implement secure key rotation mechanism in the Android application (Android) [Added]
- P3413: Improper cryptographic key management (Android) [Added]
- T5645: Implement secure Binder communication (Android) [Added]
- P3414: Improper inter-process communication handling (Android) [Added]
- T5646: Implement secure services (Android) [Added]
- P3415: Improper service declaration and access control (Android) [Added]
- T5647: Verify secure key management and rotation using Android Keystore (Android) [Added]
- P3413: Improper cryptographic key management (Android) [Added]
- T5648: Verify secure implementation of inter-process communication (IPC) using Binder and AIDL (Android) [Added]
- P3414: Improper inter-process communication handling (Android) [Added]
- T5649: Verify secure implementation services (Android) [Added]
- P3415: Improper service declaration and access control (Android) [Added]
Changes to Project Properties and Profiles
- Q193: Components
- Q101: Components In Development
- A6: Web service [Updated]
- INFO: Updated the description.
- Q195: Language and Framework
- Q109: Programming Language
- Q110: Technology/Framework
- A1136: React [Updated]
- INFO: Updated the match conditions.
- A2109: Micronaut [Added]
- A2108: Low-code/No-code [Added]
- Q199: Authentication
- Q129: Requires Server-to-Server Authentication
- A17: Yes [Updated]
- INFO: Updated the description.
- Q206: Privacy
- Q160: Handles Personal Data
- Q481: Privacy Standards [Added]
- A2120: ISO 27701 [Added]
- Q224: Privacy Regulations
- A2131: India DPDPA [Added]
- Q237: Compliance Scope: Other
- Q473: In-Scope for EU Data Act [Added]
- A2028: Yes [Added]
- Q485: In scope for EU RED [Added]
- A2127: Yes [Added]
- Q258: Architecture/Environment
- Q322: Architecture
- Q459: Blockchain Architecture [Added]
- A2014: Smart Contract [Added]
- A1142: Contains components that communicate through a network [Updated]
- INFO: Updated the text and description.
- A2013: Blockchain [Added]
- Q284: Context and Characteristics
- Q460: Accessibility Requirements [Added]
- A2016: This application has accessibility requirements [Added]
- Q289: Cloud Computing
- Q343: Generic Cloud Content [Updated]
- INFO: Updated the text.
- A1332: Include generic, story-driven cloud countermeasures [Updated]
- INFO: Updated the text and description.
- Q290: Cloud Providers
- A1159: Non-Story-Driven Amazon Web Services (AWS) Content [Updated]
- INFO: Updated the text and description.
- A1190: Microsoft Azure [Updated]
- INFO: Updated the description.
- A1212: Non-Story-Driven Google Cloud Content [Updated]
- INFO: Updated the text and description.
- A1333: Story-Driven Amazon Web Services (AWS) Content [Updated]
- INFO: Updated the text and description.
- A1336: Story-Driven Google Cloud Content [Updated]
- INFO: Updated the text and description.
- A2121: Oracle [Added]
- Q307: Containerization
- Q308: Containerization Technologies
- A2015: Containerd [Added]
- Q361: Amazon Web Services (AWS)
- Q298: AWS Services
- Q379: More AWS Services
- A1513: AWS Glue [Updated]
- INFO: Updated the question.
- A1628: AWS FSx for Windows File Server [Updated]
- INFO: Updated the question.
- A2111: AWS CloudShell [Added]
- Q366: AWS Cloud Configuration
- A1392: AWS Cloud Configuration [Updated]
- INFO: Updated the description.
- Q362: Microsoft Azure
- Q306: Azure Services
- Q370: More Azure Services
- A1474: Azure Key Vault Managed HSM [Updated]
- INFO: Updated the question.
- A2112: Azure CycleCloud [Added]
- Q365: Azure Cloud Configuration
- A1391: Azure Cloud Configuration [Updated]
- INFO: Updated the description.
- Q363: Google Cloud Platform (GCP)
- Q367: GCP Cloud Configuration
- A1393: GCP Cloud Configuration [Updated]
- INFO: Updated the description.
- Q461: AI and Machine Learning [Added]
- Q357: Artificial Intelligence/Machine Learning [Updated]
- INFO: Updated the parent.
- Q455: US State-Specific AI Regulation [Added]
- A2004: Utah AIPA [Added]
- A2005: Colorado CPAI [Added]
- Q376: AI/ML Usecases [Updated]
- INFO: Updated the parent and required.
- Q457: AI Content Organization [Updated]
- INFO: Updated the parent.
- Q368: Type of AI system [Updated]
- INFO: Updated the parent.
- Q458: AI/ML Frameworks [Updated]
- INFO: Updated the parent.
- Q482: Oracle [Added]
- Q483: Oracle Cloud Configuration [Added]
- A2122: Oracle Cloud Configuration [Added]
- Q484: Oracle Services [Added]
- A2123: Compute Instance [Added]
- A2124: Object Storage [Added]
- A2125: Block Volume [Added]
- A2126: File Storage [Added]
Added Components
- SC776: Blockchain
- SC777: Smart Contract
- SC778: Containerd
- SC779: Oracle Services
- SC780: Oracle Environment
- SC781: Oracle Compute instance
- SC782: Oracle Object Storage
- SC783: Oracle Block Volume
- SC784: Oracle File Storage
Updated Components
- SC189: AWS CloudShell
- INFO: Updated the description.
- SC375: Azure CycleCloud
- INFO: Updated the description.