CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor.
1 rule found Severity: Medium

1 rule found Severity: Medium

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1 rule found Severity: Medium

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
1 rule found Severity: Medium

1 rule found Severity: Medium

The HP FlexFabric Switch must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
1 rule found Severity: High

The HYCU 4.1 Application must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
1 rule found Severity: High

The DataPower Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
1 rule found Severity: Medium

DB2 must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default.
1 rule found Severity: Medium

The IBM Aspera High-Speed Transfer Endpoint must restrict users' read, write, and browse permissions by default.
1 rule found Severity: Medium

1 rule found Severity: Medium

The IBM Aspera High-Speed Transfer Server must restrict users from using transfer services by default.
1 rule found Severity: Medium

The IBM Aspera High-Speed Transfer Server must restrict users' read, write, and browse permissions by default.
1 rule found Severity: Medium

The WebSphere Application Server users in a local user registry group must be authorized for that group.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The Sentry must enforce approved authorizations for logical access to information and system resources by enabling identity-based, role-based, and/or attribute-based security policies. These controls are enabled in MobileIron UEM (MobileIron Core) and applied by the Sentry for conditional access enforcement.
2 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

The Microsoft SCOM administration console must only be installed on Management Servers and hardened Privileged Access Workstations.
1 rule found Severity: Low

The Microsoft SCOM Service Accounts and Run As accounts must not be granted enterprise or domain level administrative privileges.
1 rule found Severity: High

SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

SQL Server must enforce approved authorizations for logical access to server-level system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
1 rule found Severity: Medium

Innoslate must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

Symantec ProxySG must implement security policies that enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
1 rule found Severity: High

Tanium Computer Groups must be used to restrict console users from effecting changes to unauthorized computers.
4 rules found Severity: Medium

1 rule found Severity: Medium

Role-based system access must be configured to least privileged access to Tanium Server functions through the Tanium interface.
2 rules found Severity: High

2 rules found Severity: Medium

Documentation identifying Tanium console users and their respective Computer Group rights must be maintained.
5 rules found Severity: Medium

Tanium console users' Computer Group rights must be validated against the documentation for Computer Group rights.
2 rules found Severity: Medium

The Tanium Action Approval feature must be enabled for two person integrity when deploying actions to endpoints.
1 rule found Severity: Medium

1 rule found Severity: High

Symantec ProxySG must configure Web Management Console access restrictions to authorized IP address/ranges.
1 rule found Severity: High

Documentation identifying Tanium console users, their respective functional roles, and computer groups must be maintained.
1 rule found Severity: Medium

The Tanium Action Approval feature must be enabled for two-person integrity when deploying actions to endpoints.
4 rules found Severity: Medium

Documentation identifying Tanium console users, their respective User Groups, Computer Groups, and Roles must be maintained.
3 rules found Severity: Medium

The Tanium application must be configured to use Tanium User Groups in a manner consistent with the model outlined within the environment's system documentation.
2 rules found Severity: Medium

The Horizon Connection Server administrators must be limited in terms of quantity, scope, and permissions.
1 rule found Severity: Medium

The BYOAD and DOD enterprise must be configured to limit access to only enterprise corporate-owned IT resources approved by the authorizing official (AO).
1 rule found Severity: High

1 rule found Severity: Medium

Ubuntu operating systems booted with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
3 rules found Severity: High

The network device must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
4 rules found Severity: High

The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
1 rule found Severity: Medium

1 rule found Severity: Medium

PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
3 rules found Severity: High

The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: Medium

Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
1 rule found Severity: Medium

Red Hat Enterprise Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
1 rule found Severity: Medium

The EDB Postgres Advanced Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
2 rules found Severity: High

The BIG-IP APM module must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
1 rule found Severity: Medium

The F5 BIG-IP appliance must enforce approved authorizations for logical access to resources by explicitly configuring assigned resources with an authorization list.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
1 rule found Severity: High

The BIG-IP Core implementation must be configured to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
1 rule found Severity: Medium

The BYOAD and DOD enterprise must be configured to limit access to only enterprise IT resources approved by the authorizing official (AO).
1 rule found Severity: High

1 rule found Severity: Medium

IDMS must enforce applicable access control policies, even after a user successfully signs on to CV.
1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

The Cisco ISE must enforce approved access by employing authorization policies with specific attributes, such as resource groups, device type, certificate attributes, or any other attributes that are specific to a group of endpoints, and/or mission conditions as defined in the site's Cisco ISE System Security Plan (SSP). This is required for compliance with C2C Step 4.
1 rule found Severity: High

The Cisco ISE must be configured to profile endpoints connecting to the network. This is required for compliance with C2C Step 4.
1 rule found Severity: High

The Cisco ISE must verify host-based firewall software is running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
1 rule found Severity: High

The Cisco ISE must verify anti-malware software is installed and up to date on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
1 rule found Severity: High

The Cisco ISE must verify host-based IDS/IPS software is authorized and running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
1 rule found Severity: High

For endpoints that require automated remediation, the Cisco ISE must be configured to redirect endpoints to a logically separate VLAN for remediation services. This is required for compliance with C2C Step 4.
1 rule found Severity: Medium

The Cisco ISE must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. This is required for compliance with C2C Step 3.
1 rule found Severity: Low

The Cisco ISE must be configured so that all endpoints that are allowed to bypass policy assessment are approved by the Information System Security Manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1.
1 rule found Severity: Medium

The Cisco ISE must send an alert to the Information System Security Manager (ISSM) and System Administrator (SA), at a minimum, when security issues are found that put the network at risk. This is required for compliance with C2C Step 2.
1 rule found Severity: Medium

When endpoints fail the policy assessment, the Cisco ISE must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. This is required for compliance with C2C Step 3.
1 rule found Severity: Medium

The Cisco ISE must place client machines on the blacklist and terminate the agent connection when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 4.
1 rule found Severity: Medium

The Cisco ISE must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. This is required for compliance with C2C Step 2.
1 rule found Severity: Medium

The Cisco ISE must deny or restrict access for endpoints that fail required posture checks. This is required for compliance with C2C Step 4.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must be configured to prevent the configuration or display of configuration settings without the use of a PIN or password.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must be configured to register with an Enterprise Voice, Video, and Messaging Session Manager.
1 rule found Severity: High

The F5 BIG-IP appliance providing user access control intermediary services must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
1 rule found Severity: High

The Enterprise Voice, Video, and Messaging Session Manager must disable (prevent) auto-registration of Voice Video Endpoints.
1 rule found Severity: High

The F5 BIG-IP appliance must be configured to assign appropriate user roles or access levels to authenticated users.
1 rule found Severity: High

The Google Android 13 BYOAD and DOD enterprise must be configured to limit access to only AO-approved, corporate-owned enterprise IT resources.
1 rule found Severity: High

The Google Android 14 BYOAD and DOD enterprise must be configured to limit access to only AO-approved, corporate-owned enterprise IT resources.
1 rule found Severity: Medium

On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS.
1 rule found Severity: Medium

Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands.
1 rule found Severity: Medium

On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data.
1 rule found Severity: Medium

1 rule found Severity: High

Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users.
1 rule found Severity: Medium

AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.
1 rule found Severity: Medium

1 rule found Severity: High

The Juniper EX switch must be configured to assign appropriate user roles or access levels to authenticated users.
1 rule found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
1 rule found Severity: High

MarkLogic Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: High

Azure SQL Database must enforce approved authorizations for logical access to server information and system resources in accordance with applicable access control policies.
1 rule found Severity: High

Access to web administration tools must be restricted to the web manager and the web manager's designees.
1 rule found Severity: Medium

The "Access this computer from the network" user right must only be assigned to the Administrators and Remote Desktop Users groups.
1 rule found Severity: Medium

1 rule found Severity: Medium

The "Deny access to this computer from the network" user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
1 rule found Severity: Medium

The "Deny log on as a batch job" user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
2 rules found Severity: Medium

The "Deny log on as a service" user right on Windows 11 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
1 rule found Severity: Medium

The "Deny log on locally" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
1 rule found Severity: Medium

The "Deny log on through Remote Desktop Services" user right on Windows 11 workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
1 rule found Severity: Medium

1 rule found Severity: Low

The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
1 rule found Severity: Medium

The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
1 rule found Severity: Medium

The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
1 rule found Severity: Medium

The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
1 rule found Severity: Medium

The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
1 rule found Severity: Medium

The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
1 rule found Severity: Medium

The "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
1 rule found Severity: Medium

The "Deny access to this computer from the network" user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and from unauthenticated access on all systems.
1 rule found Severity: Medium

The "Deny log on as a batch job" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
1 rule found Severity: Medium

The "Deny log on as a service" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
1 rule found Severity: Medium

The "Deny log on locally" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
1 rule found Severity: Medium

1 rule found Severity: Medium

The network device must be configured to assign appropriate user roles or access levels to authenticated users.
1 rule found Severity: High

1 rule found Severity: High

The Oracle Linux operating system must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: Medium

Oracle Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

Oracle Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
1 rule found Severity: Medium

Oracle Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
1 rule found Severity: Medium

The MySQL Database Server 8.0 must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: High

The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
1 rule found Severity: High

Redis Enterprise DBMS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: High

Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform.
1 rule found Severity: Medium

The SDN controller must be configured to enforce approved authorizations for access to system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

SLEM 5 with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

SLEM 5 with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

The Samsung Android 14 BYOAD and DOD enterprise must be configured to limit access to only AO-approved, corporate-owned enterprise IT resources.
1 rule found Severity: High

Tanium Computer Groups must be used to restrict console users from effecting changes to unauthorized computers.
1 rule found Severity: Medium

The Tanium application must be configured to use Tanium User Groups in a manner consistent with the model outlined in the environment's system documentation.
1 rule found Severity: Medium

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
1 rule found Severity: High

1 rule found Severity: Medium

The web server must enforce approved authorizations for logical access to hosted applications and resources in accordance with applicable access control policies.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
2 rules found Severity: Medium

An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

The ALG must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
1 rule found Severity: Medium

The application server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: High

The Central Log Server must be configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: High

AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The DBMS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: High

The Dell OS10 Switch must be configured to assign appropriate user roles or access levels to authenticated users.
1 rule found Severity: High

Forescout must enforce approved access by employing admissions assessment filters that include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in Forescout System Security Plan (SSP). This is required for compliance with C2C Step 4.
1 rule found Severity: High

Endpoint policy assessment must proceed after the endpoint attempting access has been identified using an approved identification method such as IP address. This is required for compliance with C2C Step 2.
1 rule found Severity: High

For endpoints that require automated remediation, Forescout must be configured to logically separate endpoints from the trusted network traffic during remediation. This is required for compliance with C2C Step 4.
1 rule found Severity: High

If a device requesting access fails Forescout policy assessment, Forescout must communicate with other components and the switch to either terminate the session or isolate the device from the trusted network for remediation. This is required for compliance with C2C Step 3.
1 rule found Severity: High

Forescout must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. This is required for compliance with C2C Step 3.
1 rule found Severity: Medium

Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the information system security manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1.
1 rule found Severity: High

Forescout appliance must not be configured to implement a DHCP layer 3 method for separation or device authorization. This is required for compliance with C2C Step 2.
1 rule found Severity: High

When devices fail the policy assessment, Forescout must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. This is required for compliance with C2C Step 3.
1 rule found Severity: Medium

Forescout must place client machines on a blacklist or terminate network communications on devices when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 4.
1 rule found Severity: High

Forescout must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform a client assessment or to identify themselves. This is required for compliance with C2C Step 2.
1 rule found Severity: Medium

Forescout must enforce the revocation of endpoint access authorizations when devices are removed from an authorization group. This is required for compliance with C2C Step 4.
1 rule found Severity: Medium

Forescout must enforce the revocation of endpoint access authorizations at the next compliance assessment interval based on changes to the compliance assessment security policy. This is required for compliance with C2C Step 4.
1 rule found Severity: Medium

Forescout must deny or restrict access for endpoints that fail critical endpoint security checks. This is required for compliance with C2C Step 4.
1 rule found Severity: Medium

The operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

1 rule found Severity: High

The HYCU virtual appliance must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
1 rule found Severity: High

1 rule found Severity: Medium

The number of ACF2 users granted the special privilege OPERATOR must be kept to a strictly controlled minimum.
1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

CA-ACF2 NJE GSO record value must indicate validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS).
1 rule found Severity: Medium

CA-ACF2 must protect memory and privileged program dumps in accordance with proper security requirements.
1 rule found Severity: Medium

CA-ACF2 must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

CA-ACF2 must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.
1 rule found Severity: Medium

3 rules found Severity: High

1 rule found Severity: High

CA-ACF2 must limit Write or greater access to SYS1.UADS to system programmers only, and read and update access must be limited to system programmer personnel and/or security personnel.
1 rule found Severity: High

1 rule found Severity: High

3 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: High

1 rule found Severity: High

IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.
1 rule found Severity: Low

IBM RACF must protect memory and privileged program dumps in accordance with proper security requirements.
1 rule found Severity: Medium

IBM RACF must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel.
1 rule found Severity: High

IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups.
1 rule found Severity: Medium

CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.
1 rule found Severity: High

CA-ACF2 must limit Write and Allocate access to all APF-authorized libraries to system programmers only.
1 rule found Severity: High

CA-ACF2 must limit Write and allocate access to all system-level product installation libraries to system programmers only.
1 rule found Severity: Medium

CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
1 rule found Severity: Medium

CA-ACF2 must limit Write and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
1 rule found Severity: Medium

CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only.
1 rule found Severity: Low

IBM z/OS permission bits and user audit bits for HFS objects that are part of the FTP Server component must be properly configured.
1 rule found Severity: Medium

IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements.
3 rules found Severity: Medium

IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.
3 rules found Severity: Medium

IBM z/OS special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch.
1 rule found Severity: Medium

IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.
1 rule found Severity: Medium

IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly.
2 rules found Severity: Medium

IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only.
1 rule found Severity: High

IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.
1 rule found Severity: Medium

IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
1 rule found Severity: High

IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
1 rule found Severity: Medium

IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.
1 rule found Severity: Medium

IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
1 rule found Severity: Medium

IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
2 rules found Severity: Medium

IBM RACF permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.
1 rule found Severity: Medium

IBM z/OS DFSMS resource class(es) must be defined to the GSO CLASMAP record in accordance with security requirements.
1 rule found Severity: Medium

IBM z/OS DFSMS resource class(es) must be defined to the GSO SAFDEF record in accordance with security requirements.
1 rule found Severity: Medium

IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
2 rules found Severity: Medium

IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be properly configured.
1 rule found Severity: Medium

IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be properly configured.
1 rule found Severity: Medium

CA-TSS Security control ACIDs must be limited to the administrative authorities authorized and that require these privileges to perform their job duties.
1 rule found Severity: High

The number of CA-TSS ACIDs possessing the tape Bypass Label Processing (BLP) privilege must be limited.
1 rule found Severity: Medium

CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
1 rule found Severity: High

CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only.
1 rule found Severity: Low

CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only.
1 rule found Severity: Medium

CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
1 rule found Severity: Medium

CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel.
1 rule found Severity: High

CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
1 rule found Severity: Medium

CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups.
1 rule found Severity: Medium

CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only.
1 rule found Severity: Medium

CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only.
1 rule found Severity: High

CA-TSS must limit access to all system PROCLIB data sets to system programmers and appropriately authorized users only.
1 rule found Severity: High

CA-TSS must protect memory and privileged program dumps in accordance with proper security requirements.
1 rule found Severity: Medium

CA-TSS must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
1 rule found Severity: Medium

Data set masking characters allowing access to all data sets must be properly restricted in the CA-TSS security database.
1 rule found Severity: Medium

IBM z/OS DASD Volume access greater than CREATE found in the CA-TSS database must be limited to authorized information technology personnel requiring access to perform their job duties.
1 rule found Severity: High

CA-TSS permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.
1 rule found Severity: Medium
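
The CA-ACF2, IBM RACF and CA-TSS data set rules above (SYS1.UADS, APF-authorized libraries, PPT and EXIT libraries, PROCLIB, JES2 and SMF data sets, system backups) all follow one pattern: WRITE or greater access is limited to system programmers or a named batch function, and for some data sets READ is limited as well. The following is an added example, not DISA or vendor code, that evaluates a data set profile against that pattern. It models RACF access levels (NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER, so "WRITE or greater" means UPDATE and above); ACF2 and CA-TSS use different level names. The two profiles in SAMPLE_PROFILES are constructed, not real LISTDSD output, and the group names SYSPROG, SECADM, OPER and SMPE are assumptions.

```python
"""Added example (not from DISA or any vendor): evaluate z/OS data set
profiles against the "WRITE or greater only to system programmers"
pattern shared by the SYS1.UADS, APF library, PPT/EXIT library, PROCLIB
and JES2 data set rules listed above. Access-level names follow RACF;
the profiles below are constructed, not real LISTDSD output."""
from dataclasses import dataclass, field

# RACF data set access levels, least to most privileged. "WRITE or greater"
# in the rule titles corresponds to UPDATE and above.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {level: i for i, level in enumerate(ACCESS_ORDER)}


@dataclass
class DatasetProfile:
    name: str
    uacc: str        # universal access: applies to every user not on the access list
    warning: bool    # WARNING mode: violations are granted and merely logged
    acl: dict = field(default_factory=dict)   # user or group ID -> access level


def at_least(level: str, floor: str) -> bool:
    return RANK[level.upper()] >= RANK[floor.upper()]


def evaluate(profile: DatasetProfile, write_ids: set, read_ids=None) -> list:
    """Return findings for one profile; an empty list means compliant.

    write_ids: IDs permitted UPDATE or greater (system programmers, backup jobs).
    read_ids:  IDs additionally permitted READ. None means READ is unrestricted,
               the usual posture for APF/LINKLIST libraries; a set means READ is
               limited too, as for SYS1.UADS (system programmers and security staff).
    """
    findings = []
    read_restricted = read_ids is not None
    readers = write_ids | set(read_ids or ())
    if profile.warning:
        findings.append(f"{profile.name}: profile is in WARNING mode")
    if at_least(profile.uacc, "UPDATE"):
        findings.append(f"{profile.name}: UACC {profile.uacc} grants WRITE or greater to all users")
    elif read_restricted and at_least(profile.uacc, "READ"):
        findings.append(f"{profile.name}: UACC {profile.uacc} but READ must be restricted")
    for who, level in profile.acl.items():
        if who == "*":   # ID(*) is every RACF-defined user, so treat it like UACC
            if at_least(level, "UPDATE") or (read_restricted and at_least(level, "READ")):
                findings.append(f"{profile.name}: ID(*) has {level}")
        elif at_least(level, "UPDATE") and who not in write_ids:
            findings.append(f"{profile.name}: {who} has {level} but is not authorized WRITE or greater")
        elif read_restricted and at_least(level, "READ") and who not in readers:
            findings.append(f"{profile.name}: {who} has {level} but is not authorized READ")
    return findings


# Constructed sample profiles: OPER should not hold UPDATE on SYS1.UADS, and
# the APF library is in WARNING mode even though its access list is clean.
SAMPLE_PROFILES = {
    "SYS1.UADS": DatasetProfile("SYS1.UADS", uacc="NONE", warning=False,
                                acl={"SYSPROG": "ALTER", "SECADM": "READ", "OPER": "UPDATE"}),
    "SYS1.LINKLIB": DatasetProfile("SYS1.LINKLIB", uacc="READ", warning=True,
                                   acl={"SYSPROG": "ALTER", "SMPE": "UPDATE", "*": "READ"}),
}


def audit_samples() -> dict:
    """Apply the two postures from the rule titles to the sample profiles."""
    return {
        # SYS1.UADS: WRITE+ to system programmers only; READ also to security personnel.
        "SYS1.UADS": evaluate(SAMPLE_PROFILES["SYS1.UADS"], {"SYSPROG"}, {"SECADM"}),
        # APF-authorized library: WRITE+ to system programmers only; READ unrestricted.
        "SYS1.LINKLIB": evaluate(SAMPLE_PROFILES["SYS1.LINKLIB"], {"SYSPROG", "SMPE"}),
    }


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "COMPLIANT" if not findings else "; ".join(findings))
```

The WARNING check matters as much as the access list: a profile in WARNING mode grants every request it would otherwise deny, so a clean access list on SYS1.LINKLIB is not a pass. ID(*) is treated like UACC because it reaches every RACF-defined user.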

For User Role Firewalls, the Juniper SRX Services Gateway Firewall must employ user attribute-based security policies to enforce approved authorizations for logical access to information and system resources.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users.
1 rule found Severity: Medium

The Mainframe Product must enforce approved authorizations for logical access to sensitive information and system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

The Mainframe Product must enforce approved authorizations for security administrator access to sensitive information and system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

The Mainframe Product must enforce approved authorizations for system programmer access to sensitive information and system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

MariaDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: High

SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
2 rules found Severity: High

Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares.
1 rule found Severity: Low

Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
1 rule found Severity: Medium

Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
1 rule found Severity: Medium

Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
1 rule found Severity: Medium

Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
1 rule found Severity: Medium

Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
1 rule found Severity: Medium

Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
1 rule found Severity: Medium

Windows Server 2019 "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
1 rule found Severity: Medium

Windows Server 2019 "Deny access to this computer from the network" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
1 rule found Severity: Medium

Windows Server 2019 "Deny log on as a batch job" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
1 rule found Severity: Medium

Windows Server 2019 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
1 rule found Severity: Medium

Windows Server 2019 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
1 rule found Severity: Medium

Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.
1 rule found Severity: Medium

The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups.
1 rule found Severity: Medium

The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
1 rule found Severity: Medium

The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
1 rule found Severity: Medium

The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
1 rule found Severity: Medium

The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
1 rule found Severity: Medium

Windows Server 2022 nonadministrative accounts or groups must only have print permissions on printer shares.
1 rule found Severity: Low

The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
1 rule found Severity: High

Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
1 rule found Severity: Medium

Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
1 rule found Severity: Medium

Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
1 rule found Severity: Medium

Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
1 rule found Severity: Medium

Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
1 rule found Severity: Medium

Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
1 rule found Severity: Medium

Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
1 rule found Severity: Medium

Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
1 rule found Severity: Medium

Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
1 rule found Severity: Medium

Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
1 rule found Severity: Medium

Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
1 rule found Severity: Medium

Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group.
1 rule found Severity: Medium
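
The Windows Server 2019 and 2022 user-rights rules above reduce to two kinds of requirement: "must only be assigned to" (nothing outside the listed groups may hold the right) and "must be configured to prevent access from" (the listed groups must be in the deny right, with the domain controller variant of "Deny log on as a service" required to be blank). The following is an added example, not DISA or Microsoft code, that checks an exported security template from secedit /export /cfg against those expectations for a domain controller or a member server. The well-known SIDs are fixed across Windows installations; the domain SID, the single-domain forest (so Domain Admins and Enterprise Admins share a domain SID) and the template text are constructed assumptions. Either S-1-5-113 (Local account) or S-1-5-114 (Local account and member of Administrators group) is accepted for the "local accounts" item.

```python
"""Added example (not DISA or Microsoft code): check the user-rights
assignments named in the Windows Server 2019/2022 rules above against an
exported security template (secedit /export /cfg rights.inf). The
template text below is constructed; the domain SID is an assumption."""

# Well-known SIDs, identical on every Windows installation.
ADMINISTRATORS = "S-1-5-32-544"
GUESTS = "S-1-5-32-546"
AUTHENTICATED_USERS = "S-1-5-11"
ENTERPRISE_DCS = "S-1-5-9"
LOCAL_ACCOUNT = "S-1-5-113"
LOCAL_ADMIN_ACCOUNT = "S-1-5-114"   # "Local account and member of Administrators group"

# Constructed domain SID for a single-domain forest (Domain Admins = RID 512,
# Enterprise Admins = RID 519 in the forest root domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def expected_rights(role: str, domain_sid: str, forest_root_sid: str) -> dict:
    """Expected assignments derived from the rule titles above.
    'only'   : assigned SIDs must be a subset of the listed ones
    'include': each item, a tuple of acceptable alternatives, must be present
    'exactly': assigned SIDs must equal the listed ones (blank == exactly set())
    """
    da, ea = f"{domain_sid}-512", f"{forest_root_sid}-519"
    common = {"SeInteractiveLogonRight": ("only", {ADMINISTRATORS})}   # Allow log on locally
    if role == "dc":
        return {**common,
            "SeNetworkLogonRight": ("only", {ADMINISTRATORS, AUTHENTICATED_USERS, ENTERPRISE_DCS}),
            "SeRemoteInteractiveLogonRight": ("only", {ADMINISTRATORS}),
            "SeDenyNetworkLogonRight": ("include", [(GUESTS,)]),      # unauthenticated access
            "SeDenyBatchLogonRight": ("include", [(GUESTS,)]),
            "SeDenyServiceLogonRight": ("exactly", set()),            # must be blank on DCs
            "SeDenyInteractiveLogonRight": ("include", [(GUESTS,)]),
        }
    if role == "member":
        return {**common,
            "SeNetworkLogonRight": ("only", {ADMINISTRATORS, AUTHENTICATED_USERS}),
            "SeDenyNetworkLogonRight": ("include", [(ea,), (da,), (LOCAL_ACCOUNT, LOCAL_ADMIN_ACCOUNT), (GUESTS,)]),
            "SeDenyBatchLogonRight": ("include", [(ea,), (da,), (GUESTS,)]),
            "SeDenyServiceLogonRight": ("exactly", {ea, da}),         # "no other groups or accounts"
            "SeDenyInteractiveLogonRight": ("include", [(ea,), (da,), (GUESTS,)]),
        }
    raise ValueError(f"unknown role {role!r}")


def parse_privilege_rights(inf_text: str) -> dict:
    """Parse the [Privilege Rights] section of a secedit export. Values are
    comma separated; SIDs carry a leading '*', resolvable names do not."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            rights[key.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights


def audit(inf_text: str, role: str, domain_sid: str = DOMAIN_SID, forest_root_sid: str = DOMAIN_SID) -> list:
    rights = parse_privilege_rights(inf_text)
    findings = []
    for priv, (mode, items) in expected_rights(role, domain_sid, forest_root_sid).items():
        assigned = rights.get(priv, set())    # a missing key means nobody holds the right
        if mode == "only" and not assigned <= items:
            findings.append(f"{priv}: unexpected {sorted(assigned - items)}")
        elif mode == "exactly" and assigned != items:
            findings.append(f"{priv}: must be exactly {sorted(items)}, has {sorted(assigned)}")
        elif mode == "include":
            missing = [alts[0] for alts in items if not assigned.intersection(alts)]
            if missing:
                findings.append(f"{priv}: missing {missing}")
    return findings


# Constructed export from a member server: Users (S-1-5-32-545) wrongly has
# network logon, and Domain Admins is missing from "Deny log on locally".
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = *{DOMAIN_SID}-519,*{DOMAIN_SID}-512,*S-1-5-114,*S-1-5-32-546
SeDenyBatchLogonRight = *{DOMAIN_SID}-519,*{DOMAIN_SID}-512,*S-1-5-32-546
SeDenyServiceLogonRight = *{DOMAIN_SID}-519,*{DOMAIN_SID}-512
SeDenyInteractiveLogonRight = *{DOMAIN_SID}-519,*S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF, "member"):
        print(finding)
```

Run it against a real export with audit(open("rights.inf", encoding="utf-16").read(), "member", "<your domain SID>", "<forest root SID>"); secedit writes UTF-16. Names that secedit could not resolve to SIDs appear as plain text and will be reported as unexpected, which is the right outcome for an orphaned or renamed account.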

Access to Prisma Cloud Compute must be managed based on user need and least privilege, using external identity providers for authentication and grouping to role-based assignments when possible.
1 rule found Severity: Medium

Access to Prisma Cloud Compute's Credential Store must be assigned to, and used only by, the appropriate role holders.
1 rule found Severity: Medium

OL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

OL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
1 rule found Severity: Medium

OL 8 operating systems booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
1 rule found Severity: Medium

OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

RHEL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

RHEL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user and maintenance modes.
1 rule found Severity: Medium

RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.
1 rule found Severity: Medium

SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: Medium

SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: Medium

SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.
1 rule found Severity: High

The VMM must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

The Photon operating system must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High

The vCenter ESX Agent Manager service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
2 rules found Severity: Medium

The vCenter Lookup service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
2 rules found Severity: Medium

The vCenter Perfcharts service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
2 rules found Severity: Medium

The Photon operating system must require authentication upon booting into single-user and maintenance modes.
2 rules found Severity: Medium

A password control is not in place to restrict access to the service subsystem via the operator consoles (local and/or remote) and a key-lock switch is not used to protect the modem supporting the remote console of the service subsystem.
3 rules found Severity: Medium

3 rules found Severity: Medium

3 rules found Severity: Medium

3 rules found Severity: Medium

3 rules found Severity: Medium

3 rules found Severity: Medium

IBM System Display and Search Facility (SDSF) HASPINDX data set identified in the INDEX parameter must be properly protected.
3 rules found Severity: Medium

HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.
3 rules found Severity: Medium

The CBIND Resource(s) for the WebSphere Application Server is(are) not protected in accordance with security requirements.
2 rules found Severity: Medium

WebSphere MQ: all update and alter access to MQSeries/WebSphere MQ product and system data sets must be properly restricted.
3 rules found Severity: Medium

WebSphere MQ queue resource defined to the MQQUEUE or MXQUEUE resource class must be protected in accordance with security requirements.
1 rule found Severity: Medium

WebSphere MQ alternate user resources defined to the appropriate resource class must be protected in accordance with security requirements.
1 rule found Severity: Medium

WebSphere MQ context resources defined to the appropriate resource class must be protected in accordance with security requirements.
1 rule found Severity: Medium

WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.
3 rules found Severity: Medium

WebSphere MQ RESLEVEL resources in the appropriate ADMIN resource class must be protected in accordance with security requirements.
3 rules found Severity: Medium

The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.
1 rule found Severity: Medium

WebSphere MQ connection class resource definitions must be protected in accordance with security requirements.
1 rule found Severity: Medium

WebSphere MQ MQQUEUE (Queue) resource profiles defined to the appropriate class must be protected in accordance with security requirements.
1 rule found Severity: Medium

WebSphere MQ Process resource profiles defined in the appropriate Class must be protected in accordance with security requirements.
1 rule found Severity: Medium

WebSphere MQ Namelist resource profiles defined in the appropriate class must be protected in accordance with security requirements.
1 rule found Severity: Medium

WebSphere MQ Alternate User resources defined to appropriate ADMIN resource class must be protected in accordance with security requirements.
1 rule found Severity: Medium

WebSphere MQ context resources defined to the appropriate ADMIN resource class must be protected in accordance with security requirements.
2 rules found Severity: Medium

WebSphere MQ queue resource defined to the appropriate resource class must be protected in accordance with security requirements.
1 rule found Severity: Medium

WebSphere MQ alternate user resources defined to appropriate ADMIN resource class must be protected in accordance with security requirements.
1 rule found Severity: Medium

The CA API Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
1 rule found Severity: Medium

The DataPower Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
1 rule found Severity: Medium

NSX-T Manager must restrict the use of configuration, administration, and the execution of privileged commands to authorized personnel based on organization-defined roles.
1 rule found Severity: High

Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
1 rule found Severity: High
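
The OL 8, RHEL 8, SUSE, Photon and Ubuntu boot-loader rules above (both the BIOS and UEFI variants) come down to two facts about the rendered GRUB 2 configuration: a superuser is defined and protected by a grub.pbkdf2.sha512 hash, and that superuser does not carry a generic name such as root. The following is an added example, not Red Hat, Oracle, SUSE, Canonical or VMware code, that performs both checks on configuration text. It handles the RHEL/OL layout, where 01_users sets superusers="root" and sources the hash from user.cfg as GRUB2_PASSWORD (/boot/grub2/ on BIOS systems, /boot/efi/EFI/redhat/ on UEFI systems), and the 40_custom style used on SUSE and Ubuntu, where password_pbkdf2 is written directly. The configuration fragments and FAKE_HASH are constructed; a real hash comes from grub2-mkpasswd-pbkdf2.

```python
"""Added example (not Red Hat, Oracle, SUSE, Canonical or VMware code):
statically check the rendered GRUB 2 configuration for the two boot-loader
controls in the OL 8, RHEL 8, SUSE, Photon and Ubuntu rules above: a
superuser must be defined with a PBKDF2 password, and its name must not be
a generic one such as root. The configuration text below is constructed and
FAKE_HASH is not a real hash."""
import re

COMMON_NAMES = {"root", "admin", "administrator"}
PBKDF2_RE = re.compile(r"^grub\.pbkdf2\.sha512\.\d+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$")
SUPERUSERS_RE = re.compile(r"""^set\s+superusers\s*=\s*["']?([^"']*)["']?$""")
USERCFG_RE = re.compile(r"""^GRUB2_PASSWORD=["']?(\S+?)["']?$""")


def parse_user_cfg(user_cfg):
    """RHEL/OL store the hash as GRUB2_PASSWORD=... in user.cfg (/boot/grub2 on
    BIOS systems, /boot/efi/EFI/redhat on UEFI); return the value or None."""
    for raw in (user_cfg or "").splitlines():
        m = USERCFG_RE.match(raw.strip())
        if m:
            return m.group(1)
    return None


def audit_grub(grub_cfg: str, user_cfg: str = None) -> list:
    """Return findings for a rendered grub.cfg; an empty list means a uniquely
    named superuser exists and is protected by a grub.pbkdf2.sha512 hash."""
    grub2_password = parse_user_cfg(user_cfg)
    superusers, hashes, plaintext = set(), {}, set()
    for raw in grub_cfg.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if grub2_password:
            line = line.replace("${GRUB2_PASSWORD}", grub2_password)
        m = SUPERUSERS_RE.match(line)
        if m:
            superusers.update(m.group(1).split())    # "set superusers" may list several names
            continue
        parts = line.split()
        if len(parts) == 3 and parts[0] == "password_pbkdf2":
            hashes[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[0] == "password":   # cleartext password command
            plaintext.add(parts[1])

    findings = []
    if not superusers:
        findings.append("no superusers set: boot entries can be edited without authentication")
    for user in sorted(superusers):
        if user.lower() in COMMON_NAMES:
            findings.append(f"superuser '{user}' is a generic name; use a unique account name")
        if user in plaintext:
            findings.append(f"superuser '{user}' uses a cleartext 'password' entry")
        elif user not in hashes:
            findings.append(f"superuser '{user}' has no password_pbkdf2 entry")
        elif hashes[user].startswith("${"):
            findings.append(f"superuser '{user}' password comes from user.cfg but GRUB2_PASSWORD is not set")
        elif not PBKDF2_RE.match(hashes[user]):
            findings.append(f"superuser '{user}' hash is not in grub.pbkdf2.sha512 format")
    return findings


# Constructed stand-in; a real hash comes from grub2-mkpasswd-pbkdf2.
FAKE_HASH = "grub.pbkdf2.sha512.10000." + "ab" * 32 + "." + "cd" * 32

# RHEL/OL 8 style 01_users block as rendered into grub.cfg: password protected,
# but the superuser keeps the default name "root".
RHEL_GRUB_CFG = """
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
"""
RHEL_USER_CFG = f"GRUB2_PASSWORD={FAKE_HASH}\n"

# 40_custom style block (SUSE/Ubuntu) after the superuser was given a unique name.
CUSTOM_GRUB_CFG = f"""
set superusers="bootadmin"
export superusers
password_pbkdf2 bootadmin {FAKE_HASH}
"""

if __name__ == "__main__":
    print("rhel default name :", audit_grub(RHEL_GRUB_CFG, RHEL_USER_CFG))
    print("rhel no user.cfg  :", audit_grub(RHEL_GRUB_CFG))
    print("unique superuser  :", audit_grub(CUSTOM_GRUB_CFG))
```

On a live system pass the rendered grub.cfg, not the /etc/grub.d templates: the rules are assessed against what the boot loader actually reads, and an edit to 01_users or 40_custom that was never followed by grub2-mkconfig leaves the old settings in place.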

The Enterprise Voice, Video, and Messaging Endpoint must not be configured with any vendor default accounts, PINs, or passwords to access configuration settings.
1 rule found Severity: Medium

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
1 rule found Severity: High
