Browse by Tactic

All CME entries organized by their D3FEND-aligned tactic.

Harden Harden (68)

CME ID	Control Name	Category	Layer	CVSS Modifications	CWEs
CME-904	WAF (Web Application Firewall)	Application Controls	Application	AC:L→H	4
CME-905	Content Security Policy (CSP) Headers	Application Controls	Application	AC:L→H	1
CME-906	Rate Limiting / Connection Throttling	Application Controls	Network	A:H→L, AC:L→H	2
CME-907	Application-Layer RBAC Enforcement	Application Controls	Application	PR:L→H, I:H→L	5
CME-908	Object-Level Authorization Checks (IDOR Prevention)	Application Controls	Application	AC:L→H, C:H→L	2
CME-909	Default-Deny API Authorization Policy	Application Controls	Application	PR:N→L, AC:L→H	3
CME-912	HTTP Header Normalization and Request Smuggling Prevention	Application Controls	Application	AC:L→H, I:H→L	3
CME-913	CSRF Protection (Anti-CSRF Token & SameSite Cookie Enforcement)	Application Controls	Application	AC:L→H	2
CME-914	Strict CORS Origin Allowlist Enforcement	Application Controls	Application	AC:L→H, C:H→L	2
CME-915	Cross-Origin Request Restriction (Reverse Proxy Origin Enforcement)	Application Controls	Application	AC:L→H	4
CME-916	SameSite Cookie Attribute Enforcement	Application Controls	Application	AC:L→H	3
CME-1301	Path Traversal Prevention (Canonicalization)	Application Input Validation	Application	AC:L→H, C:H→L	4
CME-1302	Deserialization Allowlist (Safe Loading)	Application Input Validation	Application	AC:L→H, I:H→L	3
CME-1304	SSRF Prevention (Outbound Request Allowlist)	Application Input Validation	Application	C:H→L, AC:L→H	1
CME-1305	SQL Injection Prevention (Parameterized Queries)	Application Input Validation	Application	AC:L→H, C:H→L, I:H→L	1
CME-1306	XSS Prevention (Context-Aware Output Encoding)	Application Input Validation	Application	AC:L→H, I:H→L	1
CME-1307	Command Injection Prevention (No Shell Invocation)	Application Input Validation	Application	AC:L→H, I:H→L, S:C→U	2
CME-1308	Origin and CORS Validation Enforcement	Application Input Validation	Application	AC:L→H	2
CME-1309	Script Engine Restriction (Sandbox / Disable)	Application Input Validation	Application	AC:L→H, I:H→L, C:H→L	4
CME-1310	File Upload Validation (Content Inspection and Extension Allowlist)	Application Input Validation	Application	AC:L→H, I:H→L	3
CME-1311	Input Size and Quantity Bounds Enforcement	Application Input Validation	Application	AC:L→H	5
CME-801	Multi-Factor Authentication (MFA)	Credential Hardening	Identity	AC:L→H, PR:N→H	3
CME-802	Password Quality Enforcement (pwquality)	Credential Hardening	Identity	AC:L→H	1
CME-803	Account Lockout Policy (pam_faillock)	Credential Hardening	Identity	AC:L→H	1
CME-804	SSH Key-Only Authentication	Credential Hardening	Identity	AC:L→H, PR:N→H	2
CME-805	Credential Rotation Policy	Credential Hardening	Identity	AC:L→H	2
CME-806	Kerberos Authentication (GSSAPI)	Credential Hardening	Identity	AC:L→H	2
CME-401	System-wide Crypto Policy (FUTURE)	Cryptographic Controls	Application	AC:L→H	3
CME-402	FIPS 140-3 Mode	Cryptographic Controls	OS/Kernel	AC:L→H	3
CME-403	TLS 1.3 Enforcement	Cryptographic Controls	Network	AC:L→H	2
CME-404	Certificate Pinning	Cryptographic Controls	Application	AC:L→H	1
CME-405	DNSSEC Validation	Cryptographic Controls	Network	AC:L→H	1
CME-406	Signed Package Enforcement (GPG)	Cryptographic Controls	OS/Kernel	I:H→L	2
CME-407	Data-at-Rest Encryption (LUKS/dm-crypt)	Cryptographic Controls	Data	C:H→L	3
CME-502	noexec on /tmp and /dev/shm	Filesystem Hardening	OS/Kernel	AC:L→H	2
CME-503	nosuid on Non-Root Partitions	Filesystem Hardening	OS/Kernel	PR:L→H	1
CME-504	dm-verity (Verified Boot)	Filesystem Hardening	OS/Kernel	I:H→N	2
CME-505	IMA/EVM (Integrity Measurement Architecture)	Filesystem Hardening	OS/Kernel	I:H→L	2
CME-507	Secure Dynamic Linker Configuration (LD_PRELOAD/PATH Hardening)	Filesystem Hardening	OS/Kernel	AC:L→H	2
CME-101	ASLR (Address Space Layout Randomization)	Kernel Hardening	OS/Kernel	AC:L→H	7
CME-102	NX/XD Bit (Non-Executable Memory)	Kernel Hardening	OS/Kernel	AC:L→H	3
CME-103	Stack Canaries (Stack Protector)	Kernel Hardening	OS/Kernel	AC:L→H	3
CME-104	KASLR (Kernel Address Space Layout Randomization)	Kernel Hardening	OS/Kernel	AC:L→H	2
CME-105	SMEP (Supervisor Mode Execution Prevention)	Kernel Hardening	OS/Kernel	AC:L→H, S:C→U	2
CME-106	SMAP (Supervisor Mode Access Prevention)	Kernel Hardening	OS/Kernel	AC:L→H	3
CME-107	Kernel Module Loading Restriction	Kernel Hardening	OS/Kernel	AC:L→H, I:H→L	2
CME-108	kptr_restrict (Kernel Pointer Restriction)	Kernel Hardening	OS/Kernel	AC:L→H	2
CME-109	Kernel Lockdown Mode	Kernel Hardening	OS/Kernel	PR:L→H, AC:L→H	2
CME-110	KEXEC Restriction	Kernel Hardening	OS/Kernel	AC:L→H	1
CME-111	Secure Boot (UEFI)	Kernel Hardening	OS/Kernel	I:H→L, AC:L→H	3
CME-112	RELRO and PIE (Full)	Kernel Hardening	OS/Kernel	AC:L→H	4
CME-113	Control Flow Integrity (CFI / Shadow Call Stack)	Kernel Hardening	OS/Kernel	AC:L→H	4
CME-114	Process Resource Limits (ulimit/prlimit)	Kernel Hardening	OS/Kernel	A:H→L	4
CME-116	FORTIFY_SOURCE (Buffer Overflow Detection)	Kernel Hardening	OS/Kernel	AC:L→H	5
CME-117	Heap Allocator Hardening (glibc Safe-Linking and Metadata Protection)	Kernel Hardening	OS/Kernel	AC:L→H	4
CME-118	Protected File Links (Kernel Symlink/Hardlink Protection)	Kernel Hardening	OS/Kernel	AC:L→H	4
CME-301	SELinux (Enforcing Mode)	Mandatory Access Control	OS/Kernel	S:C→U, C:H→L, I:H→L	3
CME-302	SELinux Confined User Mapping	Mandatory Access Control	OS/Kernel	PR:L→H	2
CME-303	SELinux Booleans (Restrictive)	Mandatory Access Control	OS/Kernel	S:C→U	1
CME-304	AppArmor (Enforcing Profile)	Mandatory Access Control	OS/Kernel	S:C→U, C:H→L	2
CME-207	DNS Rebinding Protection	Network Isolation	Network	AV:N→L	2
CME-901	SSH Hardening (Comprehensive)	Protocol Hardening	Network	PR:N→H, AC:L→H	2
CME-902	Disable Unused Network Services	Protocol Hardening	Network	AV:N→L	2
CME-903	Kernel Network Hardening (sysctl)	Protocol Hardening	Network	AC:L→H	3
CME-601	Kernel-Level Syscall Filtering (seccomp)	Syscall & BPF Controls	OS/Kernel	S:C→U, I:H→L	2
CME-602	seccomp-bpf Profile (Container Default)	Syscall & BPF Controls	OS/Kernel	S:C→U, AC:L→H	3
CME-603	Unprivileged BPF Disabled	Syscall & BPF Controls	OS/Kernel	PR:L→H	2
CME-604	Unprivileged User Namespaces Disabled	Syscall & BPF Controls	OS/Kernel	PR:L→H, AC:L→H	2

Isolate Isolate (21)

CME ID	Control Name	Category	Layer	CVSS Modifications	CWEs
CME-910	Role Separation / Duty Segregation	Application Controls	Application	S:C→U	3
CME-911	Fine-Grained Administrative Permission Scoping	Application Controls	Application	C:H→L, I:H→L	4
CME-1303	Application-Level Filesystem Access Confinement	Application Input Validation	Application	C:H→L, S:C→U	3
CME-701	Sandboxing / gVisor Runtime	Container Isolation	Application	S:C→U	2
CME-702	Linux Namespaces (User, PID, Network, Mount)	Container Isolation	OS/Kernel	S:C→U, PR:L→H	1
CME-703	Rootless Containers	Container Isolation	OS/Kernel	S:C→U, PR:L→H	2
CME-704	cgroups v2 Resource Limits	Container Isolation	OS/Kernel	A:H→L	2
CME-705	Dropped Linux Capabilities	Container Isolation	OS/Kernel	PR:L→H, S:C→U	2
CME-706	Pod Security Standards (Restricted)	Container Isolation	Application	S:C→U, PR:L→H	2
CME-501	Read-Only Root Filesystem	Filesystem Hardening	OS/Kernel	I:H→L, A:H→L	1
CME-506	Landlock LSM (Filesystem Sandboxing)	Filesystem Hardening	OS/Kernel	S:C→U, C:H→L	2
CME-201	Zero Trust Gateway / Identity-Aware Proxy	Network Isolation	Network	AV:N→L	3
CME-202	Host-Based Firewall (firewalld/nftables)	Network Isolation	Network	AV:N→A, S:C→U	1
CME-203	Network Segmentation (VLANs/Subnets)	Network Isolation	Network	AV:N→A, S:C→U	2
CME-204	IPsec / WireGuard (Encrypted Transport)	Network Isolation	Network	AC:L→H, C:H→L	3
CME-205	Service Binding to Localhost	Network Isolation	Network	AV:N→L	2
CME-206	Network Policy (Kubernetes)	Network Isolation	Network	AV:N→A, S:C→U	2
CME-707	NoNewPrivileges	Privilege Isolation	OS/Kernel	PR:L→H	2
CME-708	Least Privilege sudo Configuration	Privilege Isolation	OS/Kernel	PR:L→H	2
CME-709	systemd Service Sandboxing (PrivateDevices, PrivateTmp, ProtectSystem)	Privilege Isolation	OS/Kernel	S:C→U, C:H→L, I:H→L	2
CME-710	DynamicUser (systemd)	Privilege Isolation	OS/Kernel	S:C→U	1

Detect Detect (9)

CME ID	Control Name	Category	Layer	CVSS Modifications	CWEs
CME-1004	AIDE / File Integrity Monitoring	Integrity Detection	OS/Kernel	I:H→L	1
CME-1007	Application Configuration Drift Detection (IaC Enforcement)	Integrity Detection	Application	AC:L→H, I:H→L	4
CME-1001	EDR Agent (Endpoint Detection & Response)	Runtime Detection	Application	AC:L→H	0
CME-1002	Audit Subsystem (auditd)	Runtime Detection	OS/Kernel	AC:L→H	1
CME-1003	Falco / eBPF Runtime Security	Runtime Detection	OS/Kernel	AC:L→H	0
CME-1005	Runtime Memory Error Detection (KASAN/HWASan)	Runtime Detection	OS/Kernel	AC:L→H	7
CME-1006	Privilege Change Audit Logging	Runtime Detection	Application	AC:L→H	2
CME-1008	Application Admin Event Logging (SIEM Integration)	Runtime Detection	Application	AC:L→H	4
CME-1009	Privilege Assignment Monitoring (Role Grant Alerting)	Runtime Detection	Application	AC:L→H, C:H→L	3

Evict Evict (3)

CME ID	Control Name	Category	Layer	CVSS Modifications	CWEs
CME-1101	Automated Patch Management (dnf-automatic)	Patch Management	OS/Kernel	AC:L→H	0
CME-1102	Live Kernel Patching (kpatch/livepatch)	Patch Management	OS/Kernel	AC:L→H	1
CME-1103	Automated Container Image Rebuilds	Patch Management	Application	AC:L→H	0

Restore Restore (3)

CME ID	Control Name	Category	Layer	CVSS Modifications	CWEs
CME-1201	Immutable Infrastructure	Recovery Controls	Application	A:H→L, I:H→L	0
CME-1202	Automated Backup with Integrity Verification	Recovery Controls	Data	A:H→L	1
CME-1203	Disaster Recovery / Multi-Region Failover	Recovery Controls	Application	A:H→L	0