Allow Only SSH Protocol 2
The A10 Networks ADC must prohibit the use of unencrypted protocols for network access to privileged accounts.
AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module.
The Apache web server must encrypt passwords during transmission.
An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
The ALG providing user authentication intermediary services must transmit only encrypted representations of passwords.
The application server must transmit only encrypted representations of passwords.
The application server must utilize encryption when using LDAP for authentication.
The application must transmit only cryptographically-protected passwords.
The CA API Gateway providing user authentication intermediary services must transmit only encrypted representations of passwords.
Passwords sent through ODBC/JDBC must be encrypted.
For accounts using password authentication, the Central Log Server must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process.
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
The FortiGate device must use LDAPS for the LDAP connection.
If passwords are used for authentication, DB2 must transmit only encrypted representations of passwords.
The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
The IBM Aspera High-Speed Transfer Server must enable the use of dynamic token encryption keys.
Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication.
The WebSphere Liberty Server must use TLS-enabled LDAP.
The WebSphere Application Server global application security must be enabled.
The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security.
The WebSphere Application Server application security must be enabled for each security domain except for publicly available applications specified in the System Security Plan.
The WebSphere Application Server secure LDAP (LDAPS) must be used for authentication.
CA VM:Secure product Password Encryption (PEF) option must be properly configured to store and transmit cryptographically-protected passwords.
LDAP enabled security realm value allow-empty-passwords must be set to false.
JBoss must utilize encryption when using LDAP for authentication.
For local accounts using password authentication (i.e., the root account and the account of last resort) the Juniper SRX Services Gateway must use the SHA1 or later protocol for password authentication.
The Mainframe Product must transmit only cryptographically protected passwords.
The network device must transmit only encrypted representations of passwords.
Nutanix AOS must utilize encryption when using LDAP for authentication.
Nutanix AOS must not have the rsh-server package installed.
OHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission.
OHS must use FIPS modules to encrypt passwords during transmission.
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission.
OHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission.
Oracle WebLogic must encrypt passwords during transmission.
Oracle WebLogic must utilize encryption when using LDAP for authentication.
The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.
Splunk Enterprise must use LDAPS for the LDAP connection.
Symantec ProxySG must transmit only encrypted representations of passwords.
For UEM server using password authentication, the network element must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
For accounts using password authentication, the site-to-site VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process.
The Apache web server must use cryptography to protect the integrity of remote sessions.
The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
TLS 1.2 must be used on secured HTTP connectors.
LDAP authentication must be secured.
The macOS system must be configured to disable the tftp service.
The macOS system must be configured to disable the "tftp" service.
The macOS system must disable Trivial File Transfer Protocol service.
The Ubuntu operating system must not have the telnet package installed.
If passwords are used for authentication, PostgreSQL must transmit only encrypted representations of passwords.
For accounts using password authentication, the Cisco ISE must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
If passwords are used for authentication, the EDB Postgres Advanced Server must transmit only encrypted representations of passwords.
If passwords are used for authentication, the DBMS must transmit only encrypted representations of passwords.
The operating system must transmit only encrypted representations of passwords.
SSMC web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided.
The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.
The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
If LDAP is used, the AIX LDAP client must use SSL to authenticate with the LDAP server.
AIX root passwords must never be passed over a network in clear text form.
The AIX rexec daemon must not be running.
AIX telnet daemon must not be running.
AIX ftpd daemon must not be running.
AIX must disable the /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/rexec and /usr/bin/telnet commands.
The AIX rsh daemon must be disabled.
The AIX rlogind service must be disabled.
IBM z/OS must use NIST FIPS-validated cryptography to protect passwords in the security database.
ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.
NIST FIPS-validated cryptography must be used to protect passwords in the security database.
The ICS must be configured to transmit only encrypted representations of passwords.
If passwords are used for authentication, the MarkLogic Server must transmit only encrypted representations of passwords.
If passwords are used for authentication, MariaDB must transmit only encrypted representations of passwords.
If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords.
A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.
If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords.
Confidentiality of information during transmission is controlled through the use of an approved TLS version.
Unencrypted passwords must not be sent to third-party SMB Servers.
Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.
If passwords are used for authentication, the MySQL Database Server 8.0 must transmit only encrypted representations of passwords.
The Palo Alto Networks security platform must prohibit the use of unencrypted protocols for network access to privileged accounts.
Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
Automation Controller must utilize encryption when using LDAP for authentication.
OpenShift must use FIPS-validated LDAP or OpenID Connect.
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.
RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.
The SUSE operating system must not have the telnet-server package installed.
The SUSE operating system must not have the vsftpd package installed if not required for operational support.
The SUSE operating system must not have the vsftpd package installed if not required for operational support.
The SUSE operating system must not have the telnet-server package installed.
The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
Splunk Enterprise must be installed in FIPS mode to implement NIST FIPS-approved cryptography for all cryptographic functions.
The VMM must transmit only encrypted representations of passwords.
The Solidcore client Command Line Interface (CLI) Access Password protection process must be documented in the organization's written policy.
VAMI must use cryptography to protect the integrity of remote sessions.
The vCenter Server must enable FIPS-validated cryptography.
The Photon operating system must use an OpenSSH server version that does not support protocol 1.
VMware Postgres must be configured to use Transport Layer Security (TLS).
Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections.
The Photon operating system must not have the telnet package installed.
The vCenter PostgreSQL service must require authentication on all connections.
The vCenter STS service must be configured to use strong encryption ciphers.
The web server must encrypt passwords during transmission.
The BIG-IP appliance must only transmit encrypted representations of passwords.
The macOS system must disable Trivial File Transfer Protocol (TFTP) service.
Ubuntu 22.04 LTS must not have the "telnet" package installed.
The Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication or authorization, must be configured to cryptographically protect the PIN or password.
For accounts using password authentication, the Enterprise Voice, Video, and Messaging Session Manager must be configured to use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
For accounts using password authentication, the F5 BIG-IP appliance site-to-site IPsec VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process.
FIPS mode must be enabled.
SLEM 5 must not have the telnet-server package installed.
TOSS must not have the rsh-server package installed.
The NSX Manager must only enable TLS 1.2 or greater.
For accounts using password authentication, the site-to-site VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process.
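The rules above share one theme: a credential must never cross the network unprotected, whether the carrier is SSH protocol 1, LDAP without TLS, a database login, or a legacy service such as telnet, rsh, ftp or tftp. The following POSIX shell script is an added example and is not DISA check content or any vendor's code; it audits a Linux host for several of the findings in this list (the sshd protocol-1 rules, the sssd LDAP-without-TLS case, the PostgreSQL password-transmission rules, and the telnet/rsh/ftp/tftp package rules). File paths and package names are common distribution defaults and are assumptions; each check takes the file as an argument so it can also be run against a copied configuration.

```shell
#!/bin/sh
# Added audit example (assumed paths and package names, not DISA check text).

# SSH: the daemon must not offer protocol 1. Releases before OpenSSH 7.6 honour
# "Protocol 2,1"; a missing Protocol line means protocol 2 only.
sshd_protocol_ok() {
    awk 'BEGIN { bad = 0 }
         /^[[:space:]]*#/ { next }
         tolower($1) == "protocol" {
             n = split($2, v, ",")
             for (i = 1; i <= n; i++) if (v[i] == "1") bad = 1
         }
         END { exit bad }' "$1"
}

# LDAP via sssd: any ldap:// URI needs ldap_id_use_start_tls = True;
# ldaps:// and ldapi:// are already protected. ldap_uri is a comma list.
sssd_ldap_ok() {
    awk 'BEGIN { plain = 0; starttls = 0 }
         /^[[:space:]]*[#;]/ { next }
         {
             eq = index($0, "="); if (!eq) next
             key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
             gsub(/[[:space:]]/, "", key)
             sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
             if (key == "ldap_uri") {
                 n = split(val, u, /[[:space:],]+/)
                 for (i = 1; i <= n; i++) if (u[i] ~ /^ldap:\/\//) plain = 1
             }
             if (key == "ldap_id_use_start_tls" && tolower(val) == "true") starttls = 1
         }
         END { exit (plain && !starttls) }' "$1"
}

# pg_hba.conf: "host" and "hostnossl" rows accept a TCP client that never
# negotiated TLS, so the password exchange can cross the wire unprotected.
# Only hostssl (or hostgssenc) rows enforce protection. Prints offending rows.
pg_hba_ok() {
    awk 'BEGIN { bad = 0 }
         /^[[:space:]]*#/ { next }
         NF == 0 { next }
         $1 == "host" || $1 == "hostnossl" { print "cleartext-capable row: " $0; bad = 1 }
         END { exit bad }' "$1"
}

# postgresql.conf: TLS enabled and SCRAM rather than md5 (an md5 hash read from
# pg_authid is password-equivalent for the md5 challenge exchange).
pg_conf_ok() {
    awk -v q="'" 'BEGIN { ssl = 0; scram = 0 }
         /^[[:space:]]*#/ { next }
         {
             eq = index($0, "="); if (!eq) next
             key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
             sub(/#.*/, "", val)
             gsub(/[[:space:]]/, "", key); gsub(/[[:space:]"]/, "", val); gsub(q, "", val)
             if (key == "ssl" && (val == "on" || val == "true")) ssl = 1
             if (key == "password_encryption" && val == "scram-sha-256") scram = 1
         }
         END { exit !(ssl && scram) }' "$1"
}

# Cleartext-protocol packages several rules above forbid (rpm or dpkg hosts).
CLEARTEXT_PKGS="telnet telnet-server rsh rsh-client rsh-server tftp tftp-server tftpd-hpa vsftpd"
cleartext_packages_installed() {
    for p in $CLEARTEXT_PKGS; do
        if command -v rpm >/dev/null 2>&1; then
            rpm -q "$p" >/dev/null 2>&1 && echo "$p"
        elif command -v dpkg-query >/dev/null 2>&1; then
            dpkg-query -W -f='${Status}\n' "$p" 2>/dev/null | grep -q 'ok installed' && echo "$p"
        fi
    done
    return 0
}

# Run every check against the assumed default locations; exit 1 on any finding.
audit_host() {
    rc=0
    sshd_protocol_ok /etc/ssh/sshd_config || { echo "FAIL: sshd offers SSH protocol 1"; rc=1; }
    if [ -r /etc/sssd/sssd.conf ]; then
        sssd_ldap_ok /etc/sssd/sssd.conf || { echo "FAIL: sssd uses ldap:// without StartTLS"; rc=1; }
    fi
    for d in /var/lib/pgsql/data /var/lib/postgresql/*/main /etc/postgresql/*/main; do
        [ -r "$d/pg_hba.conf" ] && { pg_hba_ok "$d/pg_hba.conf" || { echo "FAIL: $d/pg_hba.conf"; rc=1; }; }
        [ -r "$d/postgresql.conf" ] && { pg_conf_ok "$d/postgresql.conf" || { echo "FAIL: $d/postgresql.conf lacks ssl=on and scram-sha-256"; rc=1; }; }
    done
    pkgs=$(cleartext_packages_installed)
    [ -z "$pkgs" ] || { echo "FAIL: cleartext-protocol packages installed: $pkgs"; rc=1; }
    return $rc
}

case "${1:-}" in --run) audit_host ;; esac
```

Invoke as `sh audit.sh --run` on the host, or source the file and call the individual functions on copied configuration files. The sssd check deliberately accepts an ldap:// URI only when StartTLS is forced in sssd.conf itself, because a TLS_REQCERT line in ldap.conf does not make an application negotiate TLS; the PostgreSQL check looks at pg_hba.conf rather than trusting ssl = on alone, since the server setting only makes TLS available and a plain host row still lets a non-TLS client authenticate.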