Require Authentication for Emergency Systemd Target
Require Authentication for Single User Mode
Verify that Interactive Boot is Disabled
Set Boot Loader Password in grub2
Set the UEFI Boot Loader Password
Set the Boot Loader Admin Username to a Non-Default Value
Set the UEFI Boot Loader Admin Username to a Non-Default Value
Set Boot Loader Password in grub2 - systems prior to version 7.2
Set the UEFI Boot Loader Password - systems prior to version 7.2
Selective Authentication must be enabled on outgoing forest trusts.
The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
The ALG must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
The application server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor.
IDMS must allow only authorized users to sign on to an IDMS CV.
IDMS must enforce applicable access control policies, even after a user successfully signs on to CV.
All installation-delivered IDMS USER-level tasks must be properly secured.
All installation-delivered IDMS DEVELOPER-level tasks must be properly secured.
All installation-delivered IDMS DBADMIN-level tasks must be properly secured.
All installation-delivered IDMS DCADMIN-level tasks must be properly secured.
All installation-delivered IDMS User-level programs must be properly secured.
All installation-delivered IDMS Developer-level Programs must be properly secured.
All installation-delivered IDMS Database-Administrator-level programs must be properly secured.
All installation-delivered IDMS DC-Administrator-level programs must be properly secured.
Citrix StoreFront server must accept Personal Identity Verification (PIV) credentials.
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
Docker Enterprise sensitive host system directories must not be mounted on containers.
Forescout must enforce approved access by employing admissions assessment filters that include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in Forescout System Security Plan (SSP). This is required for compliance with C2C Step 4.
Endpoint policy assessment must proceed after the endpoint attempting access has been identified using an approved identification method such as IP address. This is required for compliance with C2C Step 2.
For endpoints that require automated remediation, Forescout must be configured to redirect endpoints to a logically separate network segment for remediation services. This is required for compliance with C2C Step 4.
If a device requesting access fails Forescout policy assessment, Forescout must communicate with other components and the switch to either terminate the session or isolate the device from the trusted network for remediation. This is required for compliance with C2C Step 3.
Forescout must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. This is required for compliance with C2C Step 3.
Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the information system security manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1.
Forescout appliance must not be configured to implement a DHCP layer 3 method for separation or device authorization. This is required for compliance with C2C Step 2.
Forescout must send an alert to the Information System Security Manager (ISSM) and System Administrator (SA), at a minimum, when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 2.
When devices fail the policy assessment, Forescout must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. This is required for compliance with C2C Step 3.
Forescout must place client machines on a blacklist or terminate network communications on devices when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 4.
Forescout must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform a client assessment or to identify itself. This is required for compliance with C2C Step 2.
The HP FlexFabric Switch must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
The HYCU 4.1 Application must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
The DataPower Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
DB2 must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
The IBM Aspera Faspex Server must restrict users from using transfer services by default.
The IBM Aspera Faspex Server must restrict users' read, write, and browse permissions by default.
The IBM Aspera High-Speed Transfer Endpoint must enable password protection of the node database.
The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default.
The IBM Aspera High-Speed Transfer Endpoint must restrict users' read, write, and browse permissions by default.
The IBM Aspera High-Speed Transfer Server must enable password protection of the node database.
The IBM Aspera High-Speed Transfer Server must restrict users from using transfer services by default.
The IBM Aspera High-Speed Transfer Server must restrict users' read, write, and browse permissions by default.
Users in the REST API admin role must be authorized.
The WebSphere Application Server users in a local user registry group must be authorized for that group.
The WebSphere Application Server Java 2 security must be enabled.
The WebSphere Application Server Java 2 security must not be bypassed.
The WebSphere Application Server users in the admin role must be authorized.
The WebSphere Application Server LDAP groups must be authorized for the WebSphere role.
CA VM:Secure product NORULE record in the SECURITY CONFIG file must be configured to REJECT.
Java permissions must be set for hosted applications.
The Java Security Manager must be enabled for the JBoss application server.
The JBoss server must be configured with Role Based Access Controls.
Users in JBoss Management Security Realms must be in the appropriate role.
Silent Authentication must be removed from the Default Application Security Realm.
Silent Authentication must be removed from the Default Management Security Realm.
JBoss management interfaces must be secured.
The Sentry must enforce approved authorizations for logical access to information and system resources by enabling identity-based, role-based, and/or attribute-based security policies. These controls are enabled in MobileIron UEM (MobileIron Core) and applied by the Sentry for conditional access enforcement.
For User Role Firewalls, the Juniper SRX Services Gateway Firewall must employ user attribute-based security policies to enforce approved authorizations for logical access to information and system resources.
The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users.
The Mainframe Product must enforce approved authorizations for logical access to sensitive information and system resources in accordance with applicable access control policies.
The Mainframe Product must enforce approved authorizations for security administrator access to sensitive information and system resources in accordance with applicable access control policies.
The Mainframe Product must enforce approved authorizations for system programmer access to sensitive information and system resources in accordance with applicable access control policies.
Azure SQL Database must enforce approved authorizations for logical access to server information and system resources in accordance with applicable access control policies.
Exchange must have authenticated access set to Integrated Windows Authentication only.
Exchange Servers must use approved DoD certificates.
Exchange ActiveSync (EAS) must only use certificate-based authentication to access email.
Exchange must have IIS map client certificates to an approved certificate server.
Exchange servers must use approved DoD certificates.
Office client polling of SharePoint servers' published links must be disabled.
Manually configured SCOM Run As accounts must be set to More Secure distribution.
SCOM Run As accounts used to manage Linux/UNIX endpoints must be configured for least privilege.
The Microsoft SCOM Agent Action Account must be a local system account.
The Microsoft SCOM Run As accounts must only use least access permissions.
The Microsoft SCOM administration console must only be installed on Management Servers and hardened Privileged Access Workstations.
The Microsoft SCOM Service Accounts and Run As accounts must not be granted enterprise or domain level administrative privileges.
SCOM SQL Management must be configured to use least privileges.
SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies.
SQL Server must enforce approved authorizations for logical access to server-level system resources in accordance with applicable access control policies.
The network device must be configured to assign appropriate user roles or access levels to authenticated users.
ONTAP must enforce administrator privileges based on their defined roles.
Nutanix AOS must be configured with an encrypted boot password for root.
Nutanix AOS role mapping must be configured to the lowest privilege level needed for user access.
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.
The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform.
Riverbed Optimization System (RiOS) must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
Innoslate must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Symantec ProxySG must implement security policies that enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
Tanium Computer Groups must be used to restrict console users from effecting changes to unauthorized computers.
Documentation identifying Tanium console users and their respective User Roles must be maintained.
Role-based system access must be configured to least privileged access to Tanium Server functions through the Tanium interface.
Tanium console users' User Roles must be validated against the documentation for User Roles.
Documentation identifying Tanium console users and their respective Computer Group rights must be maintained.
Tanium console users' Computer Group rights must be validated against the documentation for Computer Group rights.
The Tanium Action Approval feature must be enabled for two person integrity when deploying actions to endpoints.
Symantec ProxySG must be configured to enforce user authorization to implement least privilege.
Symantec ProxySG must configure Web Management Console access restrictions to authorized IP address/ranges.
Tanium Computer Groups must be used to restrict console users from effecting changes to unauthorized computers.
Documentation identifying Tanium console users, their respective User Groups, Computer Groups, and Roles must be maintained.
The Tanium application must be configured to use Tanium User Groups in a manner consistent with the model outlined in the environment's system documentation.
The Tanium Action Approval feature must be enabled for two-person integrity when deploying actions to endpoints.
Documentation identifying Tanium console users, their respective functional roles, and computer groups must be maintained.
Documentation defining Tanium functional roles must be maintained.
The Tanium application must be configured to use Tanium User Groups in a manner consistent with the model outlined within the environment's system documentation.
The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
The Horizon Connection Server administrators must be limited in terms of quantity, scope, and permissions.
Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users.
On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS.
Classified Logical Partition (LPAR) channel paths must be restricted.
On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data.
Central processors must be restricted for classified/restricted Logical Partitions (LPARs).
The Apache web server must use cryptography to protect the integrity of remote sessions.
Default password for keystore must be changed.
Cookies must have secure flag set.
Cookies must have http-only flag set.
DefaultServlet must be set to readonly for PUT and DELETE.
Connectors must be secured.
The Java Security Manager must be enabled.
The BYOAD and DOD enterprise must be configured to limit access to only enterprise corporate-owned IT resources approved by the authorizing official (AO).
The iOS/iPadOS 16 BYOAD must be deployed in Device Enrollment mode or User Enrollment mode.
The macOS system must disable FileVault automatic log on.
The macOS system must enable SSH server for remote access sessions.
The macOS system must disable Server Message Block sharing.
The macOS system must disable Network File System service.
The macOS system must disable Unix-to-Unix Copy Protocol service.
The macOS system must disable the built-in web server.
The macOS system must disable AirDrop.
The macOS system must disable Remote Apple Events.
The macOS system must disable Trivial File Transfer Protocol service.
The macOS system must disable Screen Sharing and Apple Remote Desktop.
Ubuntu operating systems booted with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
The macOS system must disable Media Sharing.
The macOS system must disable Bluetooth sharing.
The macOS system must ensure System Integrity Protection is enabled.
The macOS system must disable Handoff.
The macOS system must enable Authenticated Root.
Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes.
PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
The Cisco ISE must enforce approved access by employing authorization policies with specific attributes, such as resource groups, device type, certificate attributes, or any other attributes that are specific to a group of endpoints, and/or mission conditions as defined in the site's Cisco ISE System Security Plan (SSP). This is required for compliance with C2C Step 4.
The Cisco ISE must be configured to profile endpoints connecting to the network. This is required for compliance with C2C Step 4.
The Cisco ISE must verify host-based firewall software is running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
The Cisco ISE must verify anti-malware software is installed and up to date on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
The Cisco ISE must verify host-based IDS/IPS software is authorized and running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
For endpoints that require automated remediation, the Cisco ISE must be configured to redirect endpoints to a logically separate VLAN for remediation services. This is required for compliance with C2C Step 4.
The Cisco ISE must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. This is required for compliance with C2C Step 3.
The Cisco ISE must be configured so that all endpoints that are allowed to bypass policy assessment are approved by the Information System Security Manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1.
The Cisco ISE must send an alert to the Information System Security Manager (ISSM) and System Administrator (SA), at a minimum, when security issues are found that put the network at risk. This is required for compliance with C2C Step 2.
When endpoints fail the policy assessment, the Cisco ISE must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. This is required for compliance with C2C Step 3.
The Cisco ISE must place client machines on the blacklist and terminate the agent connection when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 4.
The Cisco ISE must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. This is required for compliance with C2C Step 2.
The DBMS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Least privilege access and need to know must be required to access the container platform registry.
Least privilege access and need to know must be required to access the container platform runtime.
Least privilege access and need to know must be required to access the container platform keystore.
The EDB Postgres Advanced Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
The Google Android 13 BYOAD and DOD enterprise must be configured to limit access to only AO-approved, corporate-owned enterprise IT resources.
The number of ACF2 users granted the special privilege PPGM must be justified.
The operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.
The number of ACF2 users granted the special privilege OPERATOR must be kept to a strictly controlled minimum.
The number of ACF2 users granted the special privilege CONSOLE must be justified.
The number of ACF2 users granted the special privilege ALLCMDS must be justified.
IBM z/OS system commands must be properly protected.
IBM z/OS Sensitive Utility Controls must be properly defined and protected.
CA-ACF2 NJE GSO record value must indicate validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS).
CA-ACF2 must protect Memory and privileged program dumps in accordance with proper security requirements.
CA-ACF2 must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
CA-ACF2 must limit access to SYSTEM DUMP data sets to appropriate authorized users.
CA-ACF2 must limit access to SYS(x).TRACE to system programmers only.
CA-ACF2 allocate access to system user catalogs must be properly protected.
ACF2 Classes required to properly secure the z/OS UNIX environment must be ACTIVE.
Access to IBM z/OS special privilege TAPE-LBL or TAPE-BLP must be limited and/or justified.
CA-ACF2 must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.
IBM z/OS must protect dynamic lists in accordance with proper security requirements.
IBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected.
CA-ACF2 must limit Write or greater access to SYS1.UADS to system programmers only, and read and update access must be limited to system programmer personnel and/or security personnel.
CA-ACF2 must limit all system PROCLIB data sets to appropriate authorized users.
CA-ACF2 access to the System Master Catalog must be properly protected.
IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only.
CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers.
CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.
CA-ACF2 must limit Write and Allocate access to all APF-authorized libraries to system programmers only.
CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only.
CA-ACF2 must limit Write and Allocate access to LINKLIST libraries to system programmers only.
CA-ACF2 must limit Write and allocate access to all system-level product installation libraries to system programmers only.
CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only.
CA-ACF2 Access to SYS1.LINKLIB must be properly protected.
CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
IBM z/OS SYS1.PARMLIB must be properly protected.
CA-ACF2 must limit Write and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only.
CA-TSS Security control ACIDs must be limited to the administrative authorities authorized and that require these privileges to perform their job duties.
The number of CA-TSS ACIDs possessing the tape Bypass Label Processing (BLP) privilege must be limited.
IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
CA-TSS access to SYS1.LINKLIB must be properly protected.
CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only.
CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only.
CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.
CA-TSS must limit Write or greater access to all LPA libraries to system programmers only.
CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only.
CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only.
CA-TSS security data sets and/or databases must be properly protected.
CA-TSS must limit access to the System Master Catalog to appropriate authorized users.
CA-TSS allocate access to system user catalogs must be limited to system programmers only.
CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only.
CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel.
CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only.
ACF2 security data sets and/or databases must be properly protected.
IBM z/OS data sets for the FTP Server must be properly protected.
IBM z/OS permission bits and user audit bits for HFS objects that are part of the FTP Server component must be properly configured.
IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements.
IBM z/OS JESSPOOL resources must be protected in accordance with security requirements.
IBM z/OS JESNEWS resources must be protected in accordance with security requirements.
IBM z/OS JES2 system commands must be protected in accordance with security requirements.
IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.
IBM z/OS JES2 output devices must be properly controlled for Classified Systems.
IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.
IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.
IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.
IBM z/OS special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch.
IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.
IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly.
IBM z/OS DFSMS resource class(es) must be defined to the GSO CLASMAP record in accordance with security requirements.
IBM z/OS DFSMS Program Resources must be properly defined and protected.
IBM z/OS DFSMS control data sets must be protected in accordance with security requirements.
IBM z/OS DFSMS resource class(es) must be defined to the GSO SAFDEF record in accordance with security requirements.
IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
IBM z/OS TCP/IP resources must be properly protected.
IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
IBM z/OS data sets for the Base TCP/IP component must be properly protected.
IBM z/OS TSOAUTH resources must be restricted to authorized users.
IBM z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.
IBM z/OS UNIX security parameters in /etc/profile must be properly specified.
IBM z/OS UNIX security parameters in /etc/rc must be properly specified.
IBM z/OS UNIX resources must be protected in accordance with security requirements.
IBM z/OS UNIX MVS HFS directory(s) with other write permission bit set must be properly defined.
IBM z/OS BPX resource(s) must be protected in accordance with security requirements.
IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.
IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected.
IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.
IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected.
IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
IBM z/OS startup user account for the z/OS UNIX Telnet Server must be defined properly.
IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected.
IBM z/OS System data sets used to support the VTAM network must be properly secured.
IBM Integrated Crypto Service Facility (ICSF) install data sets must be properly protected.
IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.
IBM RACF must protect memory and privileged program dumps in accordance with proper security requirements.
IBM RACF must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
The IBM RACF FACILITY resource class must be active.
The IBM RACF OPERCMDS resource class must be active.
The IBM RACF MCS consoles resource class must be active.
IBM RACF CLASSACT SETROPTS must be specified for the TEMPDSN class.
IBM RACF started tasks defined with the trusted attribute must be justified.
IBM RACF USERIDs possessing the Tape Bypass Label Processing (BLP) privilege must be justified.
IBM RACF DASD volume-level protection must be properly defined.
IBM Sensitive Utility Controls must be properly defined and protected.
IBM RACF Global Access Checking must be restricted to appropriate classes and resources.
IBM RACF access to the System Master Catalog must be properly protected.
IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel.
IBM RACF allocate access to system user catalogs must be properly protected.
IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups.
IBM RACF must limit access to SYS(x).TRACE to system programmers only.
IBM RACF batch jobs must be properly secured.
IBM RACF batch jobs must be protected with propagation control.
IBM RACF must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users.
IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only.
IBM RACF must limit write or greater access to all LPA libraries to system programmers only.
IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only.
IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.
IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only.
IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
IBM RACF access to SYS1.LINKLIB must be properly protected.
The IBM RACF System REXX IRRPWREX security data set must be properly protected.
IBM RACF security data sets and/or databases must be properly protected.
IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
IBM RACF must limit all system PROCLIB data sets to system programmers only.
IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.
IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups.
CA-TSS must limit access to SYS(x).TRACE to system programmers only.
CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only.
CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only.
CA-TSS must limit all system PROCLIB data sets to system programmers only and appropriate authorized users.
CA-TSS must protect memory and privileged program dumps in accordance with proper security requirements.
CA-TSS must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
IBM z/OS Operating system commands (MVS.) of the OPERCMDS resource class must be properly owned.
CA-TSS AUTH Control Option values specified must be set to (OVERRIDE,ALLOVER) or (MERGE,ALLOVER).
Access to the CA-TSS MODE resource class must be appropriate.
Data set masking characters must be properly defined to the CA-TSS security database.
CA-TSS Emergency ACIDs must be properly limited and must audit all resource access.
CA-TSS ACIDs must not have access to FAC(*ALL*).
The CA-TSS ALL record must have appropriate access to Facility Matrix Tables.
Data set masking characters allowing access to all data sets must be properly restricted in the CA-TSS security database.
IBM z/OS DASD Volume access greater than CREATE found in the CA-TSS database must be limited to authorized information technology personnel requiring access to perform their job duties.
CA-TSS permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.
IBM z/OS data sets for the FTP server must be properly protected.
IBM z/OS JES2.** resource must be properly protected in the CA-TSS database.
IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with STIG requirements.
IBM z/OS JES2 input sources must be properly controlled.
IBM z/OS JES2 output devices must be properly controlled for classified systems.
IBM RACF DASD Management USERIDs must be properly controlled.
IBM RACF permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.
IBM z/OS RJE workstations and NJE nodes must be defined to the FACILITY resource class.
IBM z/OS surrogate users must be controlled in accordance with proper security requirements.
IBM z/OS TSOAUTH resources must be restricted to authorized users.
IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines.
IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be properly configured.
IBM z/OS DFSMS-related RACF classes must be active.
IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be properly configured.
The IBM RACF SERVAUTH resource class must be active for TCP/IP resources.
The IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines.
IBM z/OS UNIX MVS HFS directories with other write permission bit set must be properly defined.
IBM z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS must be properly protected.
The IBM z/OS startup user account for the z/OS UNIX Telnet Server must be properly defined.
IBM z/OS System datasets used to support the VTAM network must be properly secured.
The IBM RACF System REXX IRRPHREX security data set must be properly protected.
IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only.
IBM z/OS UNIX system file security settings must be properly protected or specified.
IBM z/OS UNIX MVS HFS directory(s) with OTHER write permission bit set must be properly defined.
The CA-TSS HFSSEC resource class must be defined with DEFPROT.
The IBM z/OS startup user account for the z/OS UNIX Telnet server must be properly defined.
IBM z/OS HFS objects for the z/OS UNIX Telnet server must be properly protected.
IBM Integrated Crypto Service Facility (ICSF) install data sets are not properly protected.
The Juniper EX switch must be configured to assign appropriate user roles or access levels to authenticated users.
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
The Kubernetes API Server must enable Node,RBAC as the authorization mode.
The Kubernetes Scheduler must have secure binding.
The Kubernetes Controller Manager must have secure binding.
The Kubernetes API server must have the insecure port flag disabled.
The Kubernetes Kubelet must have the "readOnlyPort" flag disabled.
The Kubernetes API server must have the insecure bind address not set.
The Kubernetes API server must have the secure port set.
The Kubernetes API server must have anonymous authentication disabled.
The Kubernetes Kubelet must have anonymous authentication disabled.
The Kubernetes kubelet must enable explicit authorization.
Kubernetes Worker Nodes must not have sshd service running.
Kubernetes Worker Nodes must not have the sshd service enabled.
Kubernetes dashboard must not be enabled.
Kubernetes Kubectl cp command must give expected access and results.
The Kubernetes kubelet staticPodPath must not enable static pods.
Kubernetes DynamicAuditing must not be enabled.
Kubernetes DynamicKubeletConfig must not be enabled.
The Kubernetes API server must have Alpha APIs disabled.
MarkLogic Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
MariaDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Exchange servers must use approved DOD certificates.
Exchange must have authenticated access set to integrated Windows authentication only.
Access to web administration tools must be restricted to the web manager and the web manager's designees.
SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Local volumes must be formatted using NTFS.
The SQL Server default account [sa] must be disabled.
The network device must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups.
The Allow log on locally user right must only be assigned to the Administrators and Users groups.
The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
The "Deny log on as a batch job" user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
The "Access this computer from the network" user right must only be assigned to the Administrators and Remote Desktop Users groups.
The "Allow log on locally" user right must only be assigned to the Administrators and Users groups.
The "Deny access to this computer from the network" user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
The "Deny log on as a service" user right on Windows 11 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
The "Deny log on locally" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
The "Deny log on through Remote Desktop Services" user right on Windows 11 workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
Local volumes must use a format that supports NTFS attributes.
Non-administrative accounts or groups must only have print permissions on printer shares.
The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
The "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
The "Deny access to this computer from the network" user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and from unauthenticated access on all systems.
The "Deny log on as a batch job" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
The "Deny log on as a service" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
The "Deny log on locally" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
The Allow log on locally user right must only be assigned to the Administrators group.
Windows Server 2019 local volumes must use a format that supports NTFS attributes.
Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares.
Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
Windows Server 2019 "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
Windows Server 2019 "Deny access to this computer from the network" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
Windows Server 2019 "Deny log on as a batch job" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
Windows Server 2019 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
Windows Server 2019 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.
Windows Server 2022 local volumes must use a format that supports NTFS attributes.
Windows Server 2022 nonadministrative accounts or groups must only have print permissions on printer shares.
Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group.
The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
The DBMS must restrict grants to sensitive information to authorized user roles.
The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
The Oracle Linux operating system must require authentication upon booting into single-user and maintenance modes.
Oracle Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
Oracle Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
Oracle Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.
OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.
OL 8 operating systems booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
OL 8 operating systems must require authentication upon booting into rescue mode.
OL 8 operating systems must require authentication upon booting into emergency mode.
The MySQL Database Server 8.0 must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Redis Enterprise DBMS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
The Kubernetes Kubelet must have anonymous authentication disabled.
The Kubernetes Kubelet must have the read-only port flag disabled.
OpenShift RBAC access controls must be enforced.
RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
RHEL 8 operating systems must require authentication upon booting into rescue mode.
The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.
Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.
SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.
RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.
RHEL 8 operating systems must require authentication upon booting into emergency mode.
RHEL 9 must require a boot loader superuser password.
RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.
SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
RHEL 9 must require authentication to access emergency mode.
RHEL 9 must require authentication to access single-user mode.
The VMM must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
The Photon operating system must require authentication upon booting into single-user and maintenance modes.
The vCenter ESX Agent Manager service cookies must have secure flag set.
The vCenter ESX Agent Manager service cookies must have the "http-only" flag set.
The vCenter ESX Agent Manager service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
The vCenter Lookup service cookies must have secure flag set.
The vCenter Lookup service cookies must have "http-only" flag set.
The vCenter Lookup service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
The vCenter Perfcharts service cookies must have secure flag set.
The vCenter Perfcharts service cookies must have "http-only" flag set.
The vCenter Perfcharts service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
The Photon operating system must require authentication upon booting into single-user and maintenance modes.
BMC CONTROL-D installation data sets will be properly protected.
BMC CONTROL-D user data sets must be properly protected.
BMC CONTROL-M/Restart installation data sets will be properly protected.
BMC CONTROL-M/Restart Archived Sysout data sets must be properly protected.
BMC CONTROL-O installation data sets will be properly protected.
BMC IOA installation data sets will be properly protected.
BMC IOA User data sets will be properly protected.
BMC MAINVIEW for z/OS installation data sets are not properly protected.
CA Common Services installation data sets will be properly protected.
Catalog Solution Install data sets are not properly protected.
BMC CONTROL-M installation data sets will be properly protected.
BMC CONTROL-M User data sets will be properly protected.
BMC CONTROL-M/Restart installation data sets will not be properly protected.
The vCenter STS service cookies must have secure flag set.
The vCenter STS service cookies must have "http-only" flag set.
The vCenter STS service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
The vCenter UI service cookies must have secure flag set.
The vCenter UI service cookies must have "http-only" flag set.
The vCenter UI service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
The web server must enforce approved authorizations for logical access to hosted applications and resources in accordance with applicable access control policies.
BMC CONTROL-M security exits are not installed or configured properly.
BMC CONTROL-M configuration/parameter values must be specified properly.
CA 1 Tape Management installation data sets must be properly protected.
CA MICS Resource Management installation data sets must be properly protected.
CA MICS Resource Management User data sets must be properly protected.
CA MIM Resource Sharing installation data sets will be properly protected.
CL/SuperSession Install data sets must be properly protected.
Compuware Abend-AID installation data sets will be properly protected.
Compuware Abend-AID user data sets must be properly protected.
Fast Dump Restore (FDR) install data sets are not properly protected.
A password control is not in place to restrict access to the service subsystem via the operator consoles (local and/or remote) and a key-lock switch is not used to protect the modem supporting the remote console of the service subsystem.
Sensitive CICS transactions are not protected in accordance with security requirements.
IBM System Display and Search Facility (SDSF) installation data sets will be properly protected.
IBM System Display and Search Facility (SDSF) HASPINDX data set identified in the INDEX parameter must be properly protected.
CA VTAPE installation data sets are not properly protected.
Quest NC-Pass installation data sets will be properly protected.
Transparent Data Migration Facility (TDMF) installation data sets will not be properly protected.
HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.
The CBIND Resource(s) for the WebSphere Application Server is(are) not protected in accordance with security requirements.
WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted.
WebSphere MQ resource classes are not properly activated.
WebSphere MQ switch profiles must be properly defined to the MQADMIN class.
WebSphere MQ MQCONN Class resources must be protected in accordance with security.
WebSphere MQ queue resource defined to the MQQUEUE resource class are not protected in accordance with security requirements.
WebSphere MQ Process resources are not protected in accordance with security requirements.
WebSphere MQ Namelist resources are not protected in accordance with security requirements.
WebSphere MQ alternate user resources defined to MQADMIN resource class are not protected in accordance with security requirements.
WebSphere MQ context resources defined to the MQADMIN resource class are not protected in accordance with security requirements.
WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.
WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements.
NetView install data sets are not properly protected.
Catalog Solutions Install data sets are not properly protected.
SRRAUDIT installation data sets must be properly protected.
ROSCOE Install data sets are not properly protected.
External RACF Classes are not active for CICS transaction checking.
CICS regions are improperly protected to prevent unauthorized propagation of the region userid.
Tivoli Asset Discovery for z/OS (TADz) Install data sets are not properly protected.
Vanguard Security Solutions (VSS) User data sets are not properly protected.
The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.
WebSphere MQ resource classes are not properly activated for security checking by the ACP.
WebSphere MQ switch profiles must be properly defined to the MQADMIN class.
WebSphere MQ MQCONN Class (Connection) resource definitions must be protected in accordance with security.
WebSphere MQ MQQUEUE (Queue) resource profiles defined to the MQQUEUE class are not protected in accordance with security requirements.
WebSphere MQ Process resource profiles defined in the MQPROC Class are not protected in accordance with security requirements.
WebSphere MQ Namelist resource profiles defined in the MQNLIST Class are not protected in accordance with security requirements.
WebSphere MQ Alternate User resources defined to MQADMIN resource class are not protected in accordance with security requirements.
WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements.
CICS userids are not defined and/or controlled in accordance with proper security requirements.
The BIG-IP APM module must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
WebSphere MQ security class(es) is(are) defined improperly.
WebSphere MQ switch profiles must be properly defined to the MQADMIN class.
WebSphere MQ MQCONN Class resources must be protected properly.
The F5 BIG-IP appliance must enforce approved authorizations for logical access to resources by explicitly configuring assigned resources with an authorization list.
The BIG-IP appliance must be configured to enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
The BIG-IP Core implementation must be configured to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
The BYOAD and DOD enterprise must be configured to limit access to only enterprise IT resources approved by the authorizing official (AO).
The iOS/iPadOS 17 BYOAD must be deployed in Device Enrollment mode or User Enrollment mode.
The macOS system must disable FileVault automatic login.
The macOS system must disable Server Message Block (SMB) sharing.
The macOS system must disable Network File System (NFS) service.
The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service.
The macOS system must disable Trivial File Transfer Protocol (TFTP) service.
The macOS system must disable Bluetooth Sharing.
Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes.
The Central Log Server must be configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
The Cisco ISE must deny or restrict access for endpoints that fail required posture checks. This is required for compliance with C2C Step 4.
The Enterprise Voice, Video, and Messaging Endpoint must be configured to prevent the configuration or display of configuration settings without the use of a PIN or password.
The Enterprise Voice, Video, and Messaging Endpoint must be configured to register with an Enterprise Voice, Video, and Messaging Session Manager.
The F5 BIG-IP appliance providing user access control intermediary services must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
The Enterprise Voice, Video, and Messaging Session Manager must disable (prevent) auto-registration of Voice Video Endpoints.
The F5 BIG-IP appliance must be configured to assign appropriate user roles or access levels to authenticated users.
For endpoints that require automated remediation, Forescout must be configured to logically separate endpoints from the trusted network traffic during remediation. This is required for compliance with C2C Step 4.
Forescout must enforce the revocation of endpoint access authorizations when devices are removed from an authorization group. This is required for compliance with C2C Step 4.
Forescout must enforce the revocation of endpoint access authorizations at the next compliance assessment interval based on changes to the compliance assessment security policy. This is required for compliance with C2C Step 4.
Forescout must deny or restrict access for endpoints that fail critical endpoint security checks. This is required for compliance with C2C Step 4.
The Google Android 14 BYOAD and DOD enterprise must be configured to limit access to only AO-approved, corporate-owned enterprise IT resources.
Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands.
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
SSH must not run within Linux containers.
Swarm Secrets or Kubernetes Secrets must be used.
Access to Prisma Cloud Compute must be managed based on user need and least privilege, using external identity providers for authentication and grouping for role-based assignments when possible.
The SDN controller must be configured to enforce approved authorizations for access to system resources in accordance with applicable access control policies.
SLEM 5 with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
SLEM 5 with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user and maintenance modes.
The Samsung Android 14 BYOAD and DOD enterprise must be configured to limit access to only AO-approved, corporate-owned enterprise IT resources.
TOSS must require authentication upon booting into emergency or rescue modes.
The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.