CCI-000166

The Arista Multilayer Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

4 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

2 rules found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

3 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

The Arista Multilayer Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

The DBN-6300 must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.

The FortiGate device must log all user activity.

The HP FlexFabric Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

The HYCU VM console and HYCU Web UI must be configured to use an authentication server for authenticating users prior to granting access to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined requirements.

DB2 must protect against a user falsely repudiating having performed organization-defined actions.

The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

The WebSphere Application Server security auditing must be enabled.

MobileIron Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

SQL Server must protect against an individual using a shared account from falsely denying having performed a particular action.

Nutanix AOS must offload log records onto a syslog server.

Oracle WebLogic must protect against an individual falsely denying having performed a particular action.

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.

The Horizon Connection Server must require DoD PKI for administrative logins.

MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.

InPrivate Browsing must be disallowed.

The DBMS must protect against an individual using a group account from falsely denying having performed a particular action.

PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions.

The EDB Postgres Advanced Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.

The BIG-IP appliance must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed system configuration changes.

AccessLogValve must be configured for each application context.

The Arista network device must be configured to audit all administrator activity.

IDMS must protect against the use of default userids.

IDMS must protect against the use of external request exits that change the userid to a shared id when actions are performed that may be audited.

IDMS must protect against the use of numbered exits that change the userid to a shared id.

IDMS must protect against the use of web-based applications that use generic IDs.

IDMS must protect against the use web services that do not require a sign on when actions are performed that may be audited.

The Cisco ASA must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

The Cisco device must be configured to audit all administrator activity.

The Cisco ISE must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

The EDB Postgres Advanced Server must protect against a user falsely repudiating having performed organization-defined actions.

The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.

The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins.

Incognito mode must be disabled.

Session only based cookies must be enabled.

The WebSphere Liberty Server must log remote session and security activity.

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

MarkLogic Server must protect against a user falsely repudiating having performed organization-defined actions.

Azure SQL Database must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database.

Azure SQL Database must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables).

MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.

InPrivate mode must be disabled.

Browser history must be saved.

Session only-based cookies must be enabled.

The network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

ONTAP must be configured to use an authentication server to provide multifactor authentication.

The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

The MySQL Database Server 8.0 must protect against a user falsely repudiating having performed organization-defined actions.

The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.

The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.

Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation.

Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration.

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The application server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

The Central Log Server must be configured to protect the data sent from hosts and devices from being altered in a way that may prevent the attribution of an action to an individual (or process acting on behalf of an individual).

The Cisco switch must be configured to protect against an individual falsely denying having performed organization-defined actions to be covered by non-repudiation.

The DBMS must protect against a user falsely repudiating having performed organization-defined actions.

The Dell OS10 Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by nonrepudiation.

The Dell OS10 Switch, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

The Dragos Platform must only allow local administrative and service user accounts.

AOS must be configured to use DOD public key infrastructure (PKI) as multifactor authentication (MFA) for interactive logins.

The HYCU virtual appliance must be configured to use DOD-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for PKI-based authentication.

The Juniper router must be configured to protect against an individual falsely denying having performed organization-defined actions to be covered by non-repudiation.

The Mainframe Product must protect against an individual (or process acting on behalf of an individual) falsely denying having performed actions defined in the site security plan to be covered by non-repudiation.

MariaDB must protect against a user falsely repudiating having performed organization-defined actions.

SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database.

SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables).

SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship.

SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.

SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration.

SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance.

The DBMS must protect against an individual who uses a shared account falsely denying having performed a particular action.

The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.