Capacity
CCI-000054
Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number.
1
Rule
Severity: Medium
The DoD Root Certificate Exists
1
Rule
Severity: Medium
Enable Shared System Certificates
29
Rule
Severity: Low
Limit the Number of Concurrent Login Sessions Allowed Per User
1
Rule
Severity: Medium
Compliance Guardian must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
4
Rule
Severity: Medium
The Apache web server must limit the number of allowed simultaneous session requests.
6
Rule
Severity: Medium
The Apache web server must perform server-side session management.
2
Rule
Severity: Medium
The ALG providing user access control intermediary services must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
2
Rule
Severity: Medium
The application server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
2
Rule
Severity: Medium
The application must provide a capability to limit the number of logon sessions per user.
1
Rule
Severity: Medium
The CA API Gateway providing user access control intermediary services must limit users to two concurrent sessions.
2
Rule
Severity: Medium
The BIND 9.x secondary name server must limit the number of zones requested from a single master name server.
2
Rule
Severity: Medium
The BIND 9.x secondary name server must limit the total number of zones the name server can request at any one time.
2
Rule
Severity: Medium
The BIND 9.x server implementation must limit the number of concurrent session client connections to the number of allowed dynamic update clients.
2
Rule
Severity: Medium
A BIND 9.x master name server must limit the number of concurrent zone transfers between authorized secondary name servers.
2
Rule
Severity: Medium
For interactive sessions, IDMS must limit the number of concurrent sessions for the same user to one or allow unlimited sessions.
2
Rule
Severity: Medium
The DBMS must develop a procedure to limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
1
Rule
Severity: Medium
Delivery Controller must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
1
Rule
Severity: Medium
The application must limit the number of concurrent sessions to three.
1
Rule
Severity: Low
The Docker Enterprise Per User Limit Login Session Control in the Universal Control Plane (UCP) Admin Settings must be set to an organization-defined value for all accounts and/or account types.
2
Rule
Severity: Medium
The DNS implementation must limit the number of concurrent sessions client connections to the number of allowed dynamic update clients.
1
Rule
Severity: Medium
The FortiGate device must limit the number of logon and user sessions.
1
Rule
Severity: Low
CounterACT must limit the number of concurrent sessions to an organization-defined number for each administrator account type.
1
Rule
Severity: Medium
Infoblox systems that perform zone transfers to non-Grid DNS servers must limit the number of concurrent sessions for zone transfers.
2
Rule
Severity: Medium
The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.
1
Rule
Severity: Medium
IBM Aspera Console must prevent concurrent logins for all accounts.
1
Rule
Severity: Medium
IBM Aspera Faspex must prevent concurrent logins for all accounts.
1
Rule
Severity: Medium
The IBM Aspera High-Speed Transfer Endpoint must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
1
Rule
Severity: Medium
The IBM Aspera High-Speed Transfer Server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
1
Rule
Severity: Medium
The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards.
1
Rule
Severity: Medium
The WebSphere Application Server maximum in-memory session count must be set according to application requirements.
1
Rule
Severity: Medium
The Ivanti MobileIron Core server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.
1
Rule
Severity: Medium
MobileIron Sentry must limit the number of concurrent sessions for the CLISH interface to an organization-defined number for each administrator account and/or administrator account type.
1
Rule
Severity: Medium
MobileIron Sentry must be configured to limit the network access of the Sentry System Manager Portal behind the corporate firewall and whitelist source IP range.
1
Rule
Severity: Medium
The ISEC7 EMM Suite must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
1
Rule
Severity: Medium
The number of concurrent SQL Server sessions for each system account must be limited.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.
2
Rule
Severity: Medium
The network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
1
Rule
Severity: Medium
Nutanix AOS must limit the number of concurrent sessions to ten for all accounts and/or account types.
1
Rule
Severity: Medium
OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.
1
Rule
Severity: Medium
OHS must have the mpm_prefork_module directive disabled so as not conflict with the worker directive used to limit the number of allowed simultaneous requests.
1
Rule
Severity: Medium
OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.
1
Rule
Severity: Medium
OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.
1
Rule
Severity: Medium
OHS must limit the number of worker processes to limit the number of allowed simultaneous requests.
1
Rule
Severity: Medium
OHS must capture, record, and log all content related to a user session.
1
Rule
Severity: High
OHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must limit the number of concurrent sessions to one (1) for each administrator account and/or administrator account type.
1
Rule
Severity: Medium
The Samsung SDS EMM must limit the number of concurrent sessions to one session for all accounts and/or account types.
3
Rule
Severity: Medium
The Tanium max_soap_sessions_total setting must be explicitly enabled to limit the number of simultaneous sessions.
4
Rule
Severity: Medium
The Tanium max_soap_sessions_per_user setting must be explicitly enabled to limit the number of simultaneous sessions.
2
Rule
Severity: Medium
The Tanium soap_max_keep_alive setting must be explicitly enabled to limit the number of simultaneous sessions.
2
Rule
Severity: Medium
The Tanium "max_soap_sessions_total" setting must be explicitly enabled to limit the number of simultaneous sessions.
2
Rule
Severity: Medium
The Tanium "max_soap_sessions_per_user" setting must be explicitly enabled to limit the number of simultaneous sessions.
2
Rule
Severity: Low
The TippingPoint SMS must limit the maximum number of concurrent active sessions to one for the account of last resort.
2
Rule
Severity: Low
The TippingPoint SMS must limit total number of user sessions for privileged uses to a maximum of 10.
2
Rule
Severity: Low
The TippingPoint SMS must disable auto reconnect after disconnect.
2
Rule
Severity: Medium
The Tanium Operating System (TanOS) must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
1
Rule
Severity: Medium
The UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.
2
Rule
Severity: Medium
The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.
2
Rule
Severity: Low
The number of allowed simultaneous sessions to the manager application must be limited.
3
Rule
Severity: Low
The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.
3
Rule
Severity: Medium
PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
1
Rule
Severity: Medium
The Cisco ASA must be configured to limit the number of concurrent management sessions to an organization-defined number.
3
Rule
Severity: Medium
The Cisco switch must be configured to limit the number of concurrent management sessions to an organization-defined number.
2
Rule
Severity: Medium
The Cisco router must be configured to limit the number of concurrent management sessions to an organization-defined number.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
2
Rule
Severity: Medium
The HPE Nimble must limit the number of concurrent sessions to an organization-defined number for each administrator account.
2
Rule
Severity: Low
The operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.
2
Rule
Severity: Medium
SSMC web server must limit the number of allowed simultaneous session requests.
2
Rule
Severity: Medium
AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types.
2
Rule
Severity: Medium
The ICS must be configured to limit the number of concurrent sessions for user accounts to one.
1
Rule
Severity: Medium
The Juniper EX switch must be configured to limit the number of concurrent management sessions to 10 or less.
2
Rule
Severity: Medium
The ICS must be configured to limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
2
Rule
Severity: Medium
MongoDB must limit the total number of concurrent connections to the database.
1
Rule
Severity: Medium
Exchange must limit the Receive connector timeout.
2
Rule
Severity: Medium
The IIS 10.0 website session state must be enabled.
2
Rule
Severity: Medium
The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.
2
Rule
Severity: Medium
The IIS 10.0 websites MaxConnections setting must be configured to limit the number of allowed simultaneous session requests.
3
Rule
Severity: Medium
The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
1
Rule
Severity: Medium
The DBMS must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.
2
Rule
Severity: Low
The Oracle Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
2
Rule
Severity: Low
OL 8 must limit the number of concurrent sessions to 10 for all accounts and/or account types.
2
Rule
Severity: Medium
MySQL Database Server 8.0 must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
2
Rule
Severity: Medium
Automation Controller must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
2
Rule
Severity: Medium
The Automation Controller web server must manage sessions.
2
Rule
Severity: Low
RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
1
Rule
Severity: Low
The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
4
Rule
Severity: Low
The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
2
Rule
Severity: Low
RHEL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.
4
Rule
Severity: Low
The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.
2
Rule
Severity: Medium
The VMM must limit the number of concurrent sessions to ten for all accounts and/or account types.
1
Rule
Severity: Medium
ESX Agent Manager must limit the number of concurrent connections permitted.
1
Rule
Severity: Medium
VAMI must limit the number of simultaneous requests.
1
Rule
Severity: Medium
Performance Charts must limit the amount of time that each Transport Control Protocol (TCP) connection is kept alive.
1
Rule
Severity: Medium
Performance Charts must limit the number of concurrent connections permitted.
1
Rule
Severity: Medium
Performance Charts must limit the maximum size of a POST request.
1
Rule
Severity: Medium
Performance Charts must protect cookies from cross-site scripting (XSS).
1
Rule
Severity: Medium
ESX Agent Manager must limit the maximum size of a POST request.
1
Rule
Severity: Medium
ESX Agent Manager must protect cookies from cross-site scripting (XSS).
1
Rule
Severity: Medium
Lookup Service must limit the number of concurrent connections permitted.
1
Rule
Severity: Medium
Lookup Service must limit the maximum size of a POST request.
1
Rule
Severity: Medium
Lookup Service must protect cookies from cross-site scripting (XSS).
3
Rule
Severity: Medium
The ESXi host must enable lockdown mode.
1
Rule
Severity: Medium
The Photon operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must limit the number of maximum concurrent connections permitted.
1
Rule
Severity: Medium
VMware Postgres must limit the number of connections.
1
Rule
Severity: Medium
Envoy must drop connections to disconnected clients.
1
Rule
Severity: Medium
Envoy must set a limit on established connections.
3
Rule
Severity: Medium
The vCenter Envoy service must set a limit on remote connections.
1
Rule
Severity: Medium
The Security Token Service must limit the number of concurrent connections permitted.
1
Rule
Severity: Medium
The Security Token Service must limit the maximum size of a POST request.
1
Rule
Severity: Medium
The Security Token Service must protect cookies from cross-site scripting (XSS).
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
3
Rule
Severity: Medium
The vCenter Lookup service must limit the number of maximum concurrent connections permitted.
3
Rule
Severity: Medium
The vCenter Lookup service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
3
Rule
Severity: Medium
The vCenter Lookup service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
1
Rule
Severity: Medium
vSphere UI must limit the number of concurrent connections permitted.
1
Rule
Severity: Medium
vSphere UI must limit the maximum size of a POST request.
1
Rule
Severity: Medium
vSphere UI must protect cookies from cross-site scripting (XSS).
3
Rule
Severity: Medium
The vCenter Perfcharts service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
3
Rule
Severity: Medium
The vCenter Perfcharts service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
3
Rule
Severity: Low
The Photon operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.
3
Rule
Severity: Medium
The vCenter PostgreSQL service must limit the number of concurrent sessions.
3
Rule
Severity: Medium
The vCenter STS service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
3
Rule
Severity: Medium
The vCenter STS service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
3
Rule
Severity: Medium
The vCenter UI service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
3
Rule
Severity: Medium
The vCenter UI service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
3
Rule
Severity: Medium
The vCenter VAMI service must limit the number of allowed simultaneous session requests.
2
Rule
Severity: Medium
The web server must perform server-side session management.
1
Rule
Severity: Medium
The Windows DNS Server must restrict incoming dynamic update requests to known clients.
2
Rule
Severity: Medium
The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
1
Rule
Severity: Low
The F5 BIG-IP appliance must be configured to set the "Max In Progress Sessions per Client IP" value to 10 or less.
1
Rule
Severity: Medium
The BIG-IP appliance must limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number.
1
Rule
Severity: High
The BIG-IP Core implementation must be configured to limit the number of concurrent sessions to an organization-defined number for virtual servers.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must limit the number of concurrent sessions to ten for all accounts and/or account types.
1
Rule
Severity: Medium
The DNS implementation must limit the number of concurrent sessions for zone transfers to the number of secondary name servers.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must be configured to limit the number of concurrent sessions to an organizationally defined number.
1
Rule
Severity: Low
The F5 BIG-IP appliance must be configured to set the "Max In Progress Sessions per Client IP" value to 10 or an organizational-defined number.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must limit the number of concurrent management sessions to an organizationally defined limit.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number.
1
Rule
Severity: Medium
The ISEC7 SPHERE must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
1
Rule
Severity: Medium
Sentry must limit the number of concurrent sessions for the CLISH interface to an organization-defined number for each administrator account and/or administrator account type.
1
Rule
Severity: Medium
Sentry must be configured to limit the network access of the Sentry System Manager Portal behind the corporate firewall and whitelist source IP range.
1
Rule
Severity: Medium
The Ivanti EPMM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.
1
Rule
Severity: Medium
The Juniper EX switch must be configured to limit the number of concurrent management sessions to 10 or an organization-defined value.
1
Rule
Severity: Medium
The Mainframe Product must limit the number of concurrent sessions to three for all accounts and/or account types.
1
Rule
Severity: Low
MarkLogic Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
1
Rule
Severity: Low
SLEM 5 must limit the number of concurrent sessions to 10 for all accounts and/or account types.
1
Rule
Severity: Low
TOSS must limit the number of concurrent sessions to 256 for all accounts and/or account types.
1
Rule
Severity: Medium
The NSX Manager must be configured to protect against denial-of-service (DoS) attacks by limit the number of concurrent sessions to an organization-defined number.
1
Rule
Severity: Medium
The web server must limit the number of allowed simultaneous session requests.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules