CCI-000366
Implement the security configuration settings.

If the Data Owner requires it, the A10 Networks ADC must be configured to perform CCN Mask, SSN Mask, and PCRE Mask Request checks.
1 rule found Severity: Medium

The A10 Networks ADC must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1 rule found Severity: Medium

The A10 Networks ADC must use DoD-approved PKI rather than proprietary or self-signed device certificates.
1 rule found Severity: Medium

The A10 Networks ADC must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
1 rule found Severity: Medium

Kona Site Defender that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

Upon successful login, the Akamai Luna Portal must notify the administrator of the date and time of the last login.
1 rule found Severity: Medium

The Akamai Luna Portal must employ Security Assertion Markup Language (SAML) to automate central management of administrators.
1 rule found Severity: High

The Akamai Luna Portal must employ Single Sign On (SSO) with Security Assertion Markup Language (SAML) integration to verify authentication settings.
1 rule found Severity: High

Apple iOS/iPadOS 15 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 must [selection: remove Enterprise application, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 must be configured to not allow passwords that include more than two repeating or sequential characters.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store].
1 rule found Severity: Medium

Apple iOS/iPadOS 15 must not include applications with the following characteristics: access to Siri when the device is locked.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 allow list must be configured to not include applications with the following characteristics: voice dialing application if available when MD is locked.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 allowlist must be configured to not include applications with the following characteristics: back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); transmit MD diagnostic data to non-DoD servers; allows synchronization of data or applications between devices associated with user; and allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 must require a valid password be successfully entered before the mobile device data is unencrypted.
1 rule found Severity: High

Apple iOS/iPadOS 15 must implement the management setting: not allow automatic completion of Safari browser passcodes.
1 rule found Severity: Low

Apple iOS/iPadOS 15 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device for the first time.
1 rule found Severity: Low

Apple iOS/iPadOS 15 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 15 Mail app.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 must implement the management setting: Treat AirDrop as an unmanaged destination.
1 rule found Severity: Medium

Apple iOS/iPadOS 15 must implement the management setting: not have any Family Members in Family Sharing.
1 rule found Severity: Low

Apple iOS/iPadOS 15 must disable "Allow USB drive access in Files app" if the Authorizing Official (AO) has not approved the use of DoD-approved USB storage drives with iOS/iPadOS devices.
1 rule found Severity: Medium

The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
1 rule found Severity: Low

Apple iOS must implement the management setting: not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements.
1 rule found Severity: Medium

The Arista Multilayer Switch must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1 rule found Severity: Medium

The Arista Multilayer Switch must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1 rule found Severity: Medium

The Arista Multilayer Switch must protect the audit records of nonlocal accesses to privileged accounts and the execution of privileged functions.
1 rule found Severity: Medium

The Arista Multilayer Switch must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
1 rule found Severity: Low

The Arista Multilayer Switch must enforce information flow control using explicit security attributes (for example, IP addresses, port numbers, protocol, Autonomous System, or interface) on information, source, and destination objects.
1 rule found Severity: Medium

The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP.
1 rule found Severity: Medium

The BlackBerry UEM server must [selection: invoke platform-provided functionality, implement functionality] to generate an audit record of the following auditable events: c. [selection: Commands issued to the MDM Agent].
1 rule found Severity: Low

The BlackBerry UEM server must be configured to communicate the following commands to the MDM Agent: read audit logs kept by the MD.
1 rule found Severity: Medium

The BlackBerry UEM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, or auditor.
1 rule found Severity: Medium

The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor.
1 rule found Severity: Medium

If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable the Web Proxy.
1 rule found Severity: Medium

If the BlackBerry Presence service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured with the whitelisting control to limit presence subscriptions to only single domain/tenant.
1 rule found Severity: Low

If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable the proxy server authentication type (if a proxy is used).
1 rule found Severity: Medium

The CA API Gateway must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1 rule found Severity: Medium

The CA API Gateway must transmit organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions.
1 rule found Severity: Medium

The CA API Gateway must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1 rule found Severity: Low

The CA API Gateway must employ automated mechanisms to assist in the tracking of security incidents.
1 rule found Severity: Medium

The CA API Gateway must employ automated mechanisms to detect the addition of unauthorized components or devices.
1 rule found Severity: Medium

The CA API Gateway that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

The CA API Gateway that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

Citrix Delivery Controller must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

Delivery Controller must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

When implemented for protection of the database tier, the DBN-6300 must be logically connected for maximum database traffic visibility.
1 rule found Severity: Medium

When implemented for discovery protection against unidentified or rogue databases, the DBN-6300 must provide a catalog of all visible databases and database services.
1 rule found Severity: Medium

The DBN-6300 must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1 rule found Severity: Medium

The DBN-6300 must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
1 rule found Severity: High

Accounts for device management must be configured on the authentication server and not the network device itself, except for the account of last resort.
1 rule found Severity: Medium

The DBN-6300 must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

Docker Enterprise TLS certificate authority (CA) certificate file ownership must be set to root:root.
1 rule found Severity: High

Docker Enterprise TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive.
1 rule found Severity: Medium

The FortiGate device must synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

The FortiGate device must enforce access restrictions associated with changes to the system components.
1 rule found Severity: Medium

The FortiGate device must be running an operating system release that is currently supported by the vendor.
1 rule found Severity: High

The FortiGate device must conduct backups of system-level information contained in the information system when changes occur.
1 rule found Severity: Medium

The FortiGate device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

FortiGate devices performing maintenance functions must restrict use of these functions to authorized personnel only.
1 rule found Severity: Medium

The FortiGate device must use DoD-approved Certificate Authorities (CAs) for public key certificates.
1 rule found Severity: Medium

The FortiGate firewall must be configured to inspect all inbound and outbound traffic at the application layer.
1 rule found Severity: Medium

The FortiGate firewall must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1 rule found Severity: Medium

CounterACT must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

CounterACT must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1 rule found Severity: Low

CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
2 rules found Severity: Medium

CounterACT must enable Threat Protection notifications to alert security personnel to Cyber events detected by a CounterACT IAW CJCSM 6510.01B.
1 rule found Severity: Medium

CounterACT appliances performing maintenance functions must restrict use of these functions to authorized personnel only.
1 rule found Severity: High

CounterACT must be configured to synchronize internal information system clocks with the organization's primary and secondary NTP servers.
1 rule found Severity: Medium

The network device must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
1 rule found Severity: Low

Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort).
1 rule found Severity: Medium

Google Android 12 must be configured to not allow passwords that include more than two repeating or sequential characters.
2 rules found Severity: Medium

Google Android 12 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store].
2 rules found Severity: Medium

Google Android 12 allowlist must be configured to not include applications with the following characteristics: 1. Back up mobile device (MD) data to non-DoD cloud servers (including user and application access to cloud backup services); 2. Transmit MD diagnostic data to non-DoD servers; 3. Voice assistant application if available when MD is locked; 4. Voice dialing application if available when MD is locked; 5. Allows synchronization of data or applications between devices associated with user; and 6. Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
2 rules found Severity: Medium

Google Android 12 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), Hands-Free Profile (HFP), and Serial Port Profile (SPP).
2 rules found Severity: Low

Google Android 12 work profile must be configured to disable automatic completion of work space Internet browser text input.
2 rules found Severity: Medium

Google Android 12 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.
2 rules found Severity: Medium

The Google Android 12 Work Profile must be configured to prevent users from adding personal email accounts to the work email app.
1 rule found Severity: Medium

Google Android 12 must be provisioned as a fully managed device and configured to create a work profile.
1 rule found Severity: Medium

The HP FlexFabric Switch must implement Rapid STP where VLANs span multiple switches with redundant links.
1 rule found Severity: Medium

The HP FlexFabric Switch must enable Device Link Detection Protocol (DLDP) to protect against one-way connections.
1 rule found Severity: Medium

The HP FlexFabric Switch must have the default VLAN pruned from all trunk ports that do not require it.
1 rule found Severity: Medium

The HP FlexFabric Switch must have all user-facing or untrusted ports configured as access switch ports.
1 rule found Severity: Medium

The HP FlexFabric Switch must have the native VLAN assigned to a VLAN ID other than the default VLAN ID for all 802.1q trunk links.
1 rule found Severity: Medium

Upon successful logon, the HP FlexFabric Switch must notify the administrator of the date and time of the last logon.
1 rule found Severity: Medium

Upon successful logon, the HP FlexFabric Switch must notify the administrator of the number of unsuccessful logon attempts since the last successful logon.
1 rule found Severity: Medium

If the HP FlexFabric Switch uses role-based access control, the HP FlexFabric Switch must enforce organization-defined role-based access control policies over defined subjects and objects.
1 rule found Severity: Medium

The HP FlexFabric Switch must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the date and time of the last logon (access).
1 rule found Severity: Medium

The HP FlexFabric Switch must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1 rule found Severity: Medium

If the HP FlexFabric Switch uses mandatory access control, the HP FlexFabric Switch must enforce organization-defined mandatory access control policies over all subjects and objects.
1 rule found Severity: Medium

The HP FlexFabric Switch must notify the administrator of the number of successful logon attempts occurring during an organization-defined time period.
1 rule found Severity: Medium

The HP FlexFabric Switch must generate audit log events for a locally developed list of auditable events.
1 rule found Severity: Medium

The HP FlexFabric Switch must enforce access restrictions associated with changes to the system components.
1 rule found Severity: Medium

The HP FlexFabric Switch must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
1 rule found Severity: Low

The HP FlexFabric Switch must employ automated mechanisms to assist in the tracking of security incidents.
1 rule found Severity: Medium

The HP FlexFabric Switch must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The HP FlexFabric Switch must have a local account that will only be used as an account of last resort with full access to the network device.
1 rule found Severity: High

The HP FlexFabric switch must be configured to utilize an authentication server for the purpose of authenticating privileged users, managing accounts, and centrally verifying authentication settings and Personal Identity Verification (PIV) credentials.
1 rule found Severity: Medium

The HP FlexFabric switch must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
1 rule found Severity: Medium

The HP FlexFabric switch must be configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.
1 rule found Severity: Medium

DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: High

SNMP must be changed from default settings and must be configured on the storage system to provide alerts of critical events that impact system security.
1 rule found Severity: Medium

The SNMP service on the storage system must require the use of a FIPS 140-2 approved cryptographic hash algorithm as part of its authentication and integrity methods.
1 rule found Severity: Medium

The storage system must only be operated in conjunction with an LDAP server in a trusted environment if an Active Directory server is not available.
1 rule found Severity: High

The storage system must only be operated in conjunction with an Active Directory server in a trusted environment if an LDAP server is not available.
1 rule found Severity: High

If the HYCU Server or Web UI uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
1 rule found Severity: Medium

The HYCU VM console and HYCU Web UI must be configured to use an authentication server for authenticating users prior to granting access to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined requirements.
1 rule found Severity: High

The HYCU server must be configured to conduct backups of system-level information when changes occur and to offload audit records onto a different system or media.
1 rule found Severity: Medium

The HYCU server must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

The HYCU server must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
1 rule found Severity: Medium

The HYCU server must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

Recursion must be disabled on Infoblox DNS servers that are configured as authoritative name servers.
1 rule found Severity: Medium

The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
2 rules found Severity: Medium

The Infoblox DNS server must be configured so that each name server (NS) record in a zone file points to an active name server authoritative for the domain specified in that record.
1 rule found Severity: Medium

For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
2 rules found Severity: Medium

In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
4 rules found Severity: Medium

In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
5 rules found Severity: Medium

Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
6 rules found Severity: Medium

The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
3 rules found Severity: Medium

The private keys corresponding to both the Zone Signing Key (ZSK) and the Key Signing Key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
1 rule found Severity: High

The Infoblox system must use the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
2 rules found Severity: Medium

An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC.
2 rules found Severity: Medium

The Infoblox system must provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
1 rule found Severity: Medium

The Infoblox system must validate the binding of the other DNS servers' identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
1 rule found Severity: Medium

The Infoblox system must send a notification in the event of an error when validating the binding of another DNS server's identity to the DNS information.
1 rule found Severity: Medium

The Infoblox DNS server must provide data origin artifacts for internal name/address resolution queries.
1 rule found Severity: Medium

The Infoblox DNS server must provide data integrity protection artifacts for internal name/address resolution queries.
1 rule found Severity: Medium

The Infoblox DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
1 rule found Severity: Medium

The DataPower Gateway must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1 rule found Severity: Medium

If the DataPower Gateway uses role-based access control, the DataPower Gateway must enforce role-based access control policies over defined subjects and objects.
1 rule found Severity: Medium

The DataPower Gateway must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1 rule found Severity: Medium

The DataPower Gateway must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in accordance with CJCSM 6510.01B.
1 rule found Severity: Medium

The DataPower Gateway must generate audit log events for a locally developed list of auditable events.
1 rule found Severity: Medium

The DataPower Gateway must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

The DataPower Gateway must employ automated mechanisms to assist in the tracking of security incidents.
1 rule found Severity: Medium

The DataPower Gateway must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The MaaS360 MDM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.
1 rule found Severity: Medium

The MaaS360 MDM server must be configured to enable all required audit events (if function is not automatically implemented during MDM/MAS server install): a. Failure to push a new application on a managed mobile device.
1 rule found Severity: Low

The MaaS360 server must be configured to enable all required audit events (if function is not automatically implemented during MDM/MAS server install): b. Failure to update an existing application on a managed mobile device.
1 rule found Severity: Low

The MQ Appliance network device must notify the administrator of changes to access and/or privilege parameters of the administrator account that occurred since the last logon.
1 rule found Severity: Medium

The MQ Appliance network device must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1 rule found Severity: Medium

The MQ Appliance network device must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the result, date and time of the last logon (access).
1 rule found Severity: Medium

The MQ Appliance network device must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1 rule found Severity: Medium

The MQ Appliance network device must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in association with CJCSM 6510.01B.
1 rule found Severity: Medium

Administrative accounts for device management must be configured on the authentication server and not the MQ Appliance network device itself (except for the emergency administration account).
1 rule found Severity: Medium

Access to the MQ Appliance network device must employ automated mechanisms to centrally apply authentication settings.
1 rule found Severity: Medium

The MQ Appliance network device must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

The MQ Appliance network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

SSH CLI access to the MQ Appliance management interface must be restricted to approved management workstations.
1 rule found Severity: Medium

The IBM z/VM system administrator must develop routines and processes for the proper configuration and maintenance of Software.
1 rule found Severity: Medium

The IBM z/VM System administrator must develop routines and processes for notification in the event of audit failure.
1 rule found Severity: Medium

The IBM z/VM system administrator must develop procedures maintaining information system operation in the event of anomalies.
1 rule found Severity: Medium

The IBM z/VM system administrator must develop procedures to manually control temporary, interactive, and emergency accounts.
1 rule found Severity: Medium

IBM z/VM must have access to an audit reduction tool that allows for central data review and analysis.
1 rule found Severity: Medium

The IBM z/VM system administrator must develop and perform a procedure to validate the correct operation of security functions.
1 rule found Severity: Medium

The IBM z/VM DOMAINSEARCH statement in the TCPIP DATA file must be configured with proper domain names for name resolution.
1 rule found Severity: Medium

The Infoblox system must be configured to activate a notification to the system administrator when a component failure is detected.
1 rule found Severity: Medium

The Infoblox system must be configured to provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
1 rule found Severity: Medium

The Infoblox system must be configured to validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
1 rule found Severity: Medium

Recursion must be disabled on Infoblox DNS servers which are configured as authoritative name servers.
1 rule found Severity: Medium

A DNS server implementation must provide data origin artifacts for internal name/address resolution queries.
2 rules found Severity: Medium

A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries.
2 rules found Severity: Medium

The DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
2 rules found Severity: Medium

The Infoblox system must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
1 rule found Severity: Medium

For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
3 rules found Severity: Medium

The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
2 rules found Severity: Medium

The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
3 rules found Severity: Medium

The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
2 rules found Severity: Medium

The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
2 rules found Severity: Medium

The Infoblox system must be configured to display the appropriate security classification information.
1 rule found Severity: Low

The Ivanti MobileIron Core server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

MobileIron Sentry must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

MobileIron Sentry must enforce access restrictions associated with changes to the system components.
1 rule found Severity: Low

MobileIron Sentry must be configured to conduct backups of system level information contained in the information system when changes occur.
1 rule found Severity: Low

MobileIron Sentry must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

MobileIron Sentry must be running an operating system release that is currently supported by MobileIron.
1 rule found Severity: High

The ISEC7 EMM Suite must be configured to leverage the enterprise directory service accounts and groups for ISEC7 EMM Suite server admin identification and authentication.
1 rule found Severity: Medium

The ISEC7 EMM Suite, Tomcat installation, and ISEC7 Suite monitor must be configured to use the Windows Trust Store for the storage of digital certificates and keys.
1 rule found Severity: Medium

The Sentry must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
2 rules found Severity: Medium

The MobileIron Core v10 server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.
1 rule found Severity: Medium

Microsoft Android 11 must be configured to not allow passwords that include more than two repeating or sequential characters.
2 rules found Severity: Medium

Microsoft Android 11 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, EMM server, mobile application store].
2 rules found Severity: Medium

Microsoft Android 11 allow list must be configured to not include applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Microsoft Android 11 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), HandsFree Profile (HFP), and Serial Port Profile (SPP).
2 rules found Severity: Low

Microsoft Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
1 rule found Severity: Medium

Microsoft Android 11 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.
2 rules found Severity: Medium

The Microsoft Android 11 Work Profile must be configured to prevent users from adding personal email accounts to the work email app.
2 rules found Severity: Medium

Microsoft Android 11 Work Profile must be configured to enforce the system application disable list.
2 rules found Severity: Medium

Microsoft Android 11 must be provisioned as a fully managed device and configured to create a work profile.
1 rule found Severity: Medium

Microsoft Android 11 Work Profile must be configured to disable automatic completion of work space internet browser text input.
2 rules found Severity: Medium

Microsoft Android 11 devices must have the latest available Microsoft Android 11 operating system installed.
2 rules found Severity: High

Motorola Solutions Android 11 must be configured to not allow passwords that include more than two repeating or sequential characters.
1 rule found Severity: Medium

Motorola Solutions Android 11 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, EMM server, mobile application store].
1 rule found Severity: Medium

Motorola Solutions Android 11 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
1 rule found Severity: Medium

Motorola Solutions Android 11 allow list must be configured to not include applications with the following characteristics: - Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DoD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Motorola Solutions Android 11 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), HandsFree Profile (HFP), and Serial Port Profile (SPP).
1 rule found Severity: Low

Motorola Solutions Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
1 rule found Severity: Medium

Motorola Solutions Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.
1 rule found Severity: Low

Motorola Solutions Android 11 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.
1 rule found Severity: Medium

Motorola Solutions Android 11 work profile must be configured to enforce the system application disable list.
1 rule found Severity: Medium

Motorola Solutions Android 11 devices must have the latest available Motorola Solutions Android 11 operating system installed.
1 rule found Severity: High

Motorola Solutions Android 11 devices must be configured to disable the use of third-party keyboards.
1 rule found Severity: Low

Microsoft Android 11 allow list must be configured to not include applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Microsoft Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
1 rule found Severity: Medium

Exchange must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.
1 rule found Severity: Medium

Automatically configure user profile based on Active Directory primary SMTP address must be enforced.
1 rule found Severity: Medium

Outlook must be configured not to prompt users to choose security settings if default settings fail.
3 rules found Severity: Medium

Text in Outlook that represents Internet and network paths must not be automatically turned into hyperlinks.
2 rules found Severity: Medium

Text in Outlook that represents internet and network paths must not be automatically turned into hyperlinks.
1 rule found Severity: Medium

The Microsoft SCOM server must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
1 rule found Severity: Medium

The Microsoft SCOM server must be running a Windows operating system that supports modern security features such as virtualization-based security.
1 rule found Severity: High

If a certificate is used for the SCOM web console, this certificate must be generated by a DoD CA or CA approved by the organization.
1 rule found Severity: Low

Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS).
1 rule found Severity: Medium

The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
1 rule found Severity: Medium

The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records.
1 rule found Severity: Medium

The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
1 rule found Severity: Medium

The validity period for the RRSIGs covering a zone's DNSKEY RRset must be no less than two days and no more than one week.
2 rules found Severity: Medium

The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
1 rule found Severity: High

The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator.
1 rule found Severity: Medium

The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
1 rule found Severity: Medium

The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
1 rule found Severity: Medium

The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
1 rule found Severity: Medium

The Windows 2012 DNS Server's IP address must be statically defined and configured locally on the server.
1 rule found Severity: Medium

The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries.
1 rule found Severity: Medium

The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
1 rule found Severity: Medium

The Windows 2012 DNS Server must, when a component failure is detected, activate a notification to the system administrator.
1 rule found Severity: Medium

The Windows 2012 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
1 rule found Severity: Medium

The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
1 rule found Severity: Medium

The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.
1 rule found Severity: Medium

The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM.
1 rule found Severity: Medium

The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.
1 rule found Severity: Medium

Nutanix AOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Medium

Nutanix AOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1 rule found Severity: Low

Nutanix AOS must be configured so that all local interactive user home directories have mode "0750" or less permissive.
1 rule found Severity: Medium

The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
1 rule found Severity: Medium

The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication.
1 rule found Severity: Medium

The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
1 rule found Severity: Medium

The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
1 rule found Severity: Medium

The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication.
1 rule found Severity: Medium

The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication.
1 rule found Severity: Medium

The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
1 rule found Severity: Medium

The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
1 rule found Severity: Medium

The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
1 rule found Severity: Medium

The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.
1 rule found Severity: Medium

The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.
1 rule found Severity: Medium

The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
1 rule found Severity: Medium

The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
1 rule found Severity: Medium

All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.
2 rules found Severity: Medium

A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
1 rule found Severity: Medium

Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
1 rule found Severity: Medium

Oracle WebLogic must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
1 rule found Severity: Medium

Oracle WebLogic must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization-defined time period or until the account is unlocked by an administrator.
1 rule found Severity: Medium

Oracle WebLogic must utilize automated mechanisms to prevent program execution on the information system.
1 rule found Severity: Low

Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data.
1 rule found Severity: Medium

Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must enable the password authentication control policy to ensure password complexity controls and other password policy requirements are enforced.
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally manage authentication settings.
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally apply authentication settings.
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally verify authentication settings.
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must back up the system configuration files when configuration changes are made to the device.
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) performing maintenance functions must restrict use of these functions to authorized personnel only.
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must generate an alert that can be sent to security personnel when threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B occur.
1 rule found Severity: Medium

Southbound API control plane traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
1 rule found Severity: High

Northbound API traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
1 rule found Severity: High

Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
1 rule found Severity: Medium

Southbound API management plane traffic for configuring SDN parameters on physical network elements must be encrypted using a FIPS-validated cryptographic module.
1 rule found Severity: Medium

Physical SDN controllers and servers hosting SDN applications must reside within the management network with multiple paths that are secured by a firewall to inspect all ingress traffic.
1 rule found Severity: Medium

SDN-enabled routers and switches must provide link state information to the SDN controller to create new forwarding decisions for the network elements.
1 rule found Severity: Low

Quality of service (QoS) must be implemented on the underlying IP network to provide preferred treatment for traffic between the SDN controllers and SDN-enabled switches and hypervisors.
1 rule found Severity: Low

SDN controllers must be deployed as clusters and on separate physical hosts to eliminate single point of failure.
1 rule found Severity: Medium

SDN-enabled routers and switches must rate limit the amount of unknown data plane packets that are punted to the SDN controller.
1 rule found Severity: Low

All Virtual Extensible Local Area Network (VXLAN) enabled switches must be configured with the appropriate VXLAN network identifier (VNI) to ensure VMs can send and receive all associated traffic for their Layer 2 domain.
1 rule found Severity: Medium

Virtual Extensible Local Area Network (VXLAN) identifiers must be mapped to the appropriate VLAN identifiers.
1 rule found Severity: Medium

The proper multicast group for each Virtual Extensible Local Area Network (VXLAN) identifier must be mapped to the appropriate virtual tunnel endpoint (VTEP) so the VTEP will join the associated multicast groups.
1 rule found Severity: Medium

A secondary IP address must be specified for the virtual tunnel endpoint (VTEP) loopback interface when Virtual Extensible Local Area Network (VXLAN) enabled switches are deployed as a multi-chassis configuration.
1 rule found Severity: Low

Two or more edge gateways must be deployed connecting the network virtualization platform (NVP) and the physical network.
1 rule found Severity: Low

The virtual edge gateways must be deployed with routing adjacencies established with two or more physical routers.
1 rule found Severity: Low

The SEL-2740S must be configured with backup flows for all host and switch flows to ensure a proper failover scheme is in place for the network.
1 rule found Severity: Medium

The SEL-2740S must be configured to forward only frames from allowed network-connected endpoint devices.
1 rule found Severity: Medium

The SEL-2740S must be configured to maintain internal system clocks with a backup authoritative time server.
1 rule found Severity: Medium

The SEL-2740S must be adopted by OTSDN Controller(s) and obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The SEL-2740S must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
1 rule found Severity: Medium

Samsung Android must be configured to not allow passwords that include more than two repeating or sequential characters.
2 rules found Severity: Medium

Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DoD-approved commercial app repository, management tool server, or mobile application store.
4 rules found Severity: Medium

Samsung Android Work Environment must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: names.
2 rules found Severity: Medium

The Samsung Android Work Environment allowlist must be configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
2 rules found Severity: Medium

Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
2 rules found Severity: Low

Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: all notifications.
2 rules found Severity: Medium

Samsung Android must be configured to disable trust agents. NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
2 rules found Severity: Medium

Samsung Android must be configured to disable Face Recognition. NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
2 rules found Severity: Medium

Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes or groups of application processes from accessing all private data stored by other application processes or groups of application processes. - Disable Move files to personal
2 rules found Severity: Medium

Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes or groups of application processes from accessing all private data stored by other application processes or groups of application processes. - Disable Copy and Paste data
2 rules found Severity: Medium

Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes or groups of application processes from accessing all private data stored by other application processes or groups of application processes. - Disable Sync Calendar to personal
2 rules found Severity: Medium

1 rule found Severity: Medium

The Samsung Android Work Environment must be configured to prevent users from adding personal email accounts to the work email app.
2 rules found Severity: Medium

Samsung Android Personal Environment must be configured to enforce the system application disable list.
2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

Samsung Android must be configured to enforce a USB host mode exception list. NOTE: This configuration allows DeX mode (with input devices), which is DoD-approved for use.
2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

Samsung Android Work Environment must have the DoD root and intermediate PKI certificates installed.
2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Samsung Android Work Environment must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.
2 rules found Severity: Medium

The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.
11 rules found Severity: High

The Samsung SDS EMM must be configured to communicate the following commands to the MDM Agent: read audit logs kept by the MD.
1 rule found Severity: Medium

The Samsung SDS EMM must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.
1 rule found Severity: Medium

The reverse proxy Symantec ProxySG providing intermediary services for FTP must inspect inbound FTP communications traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

Symantec ProxySG providing intermediary services for FTP must inspect outbound FTP communications traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

Symantec ProxySG providing intermediary services for HTTP must inspect inbound HTTP traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

Symantec ProxySG providing intermediary services for HTTP must inspect outbound HTTP traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

2 rules found Severity: Medium

The Tanium Client Deployment Tool (CDT) must not be configured to use the psexec method of deployment.
2 rules found Severity: Medium

2 rules found Severity: Medium

4 rules found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

Symantec ProxySG must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1 rule found Severity: Medium

1 rule found Severity: Medium

Accounts for device management must be configured on the authentication server and not on Symantec ProxySG itself, except for the account of last resort.
1 rule found Severity: Medium

Symantec ProxySG must use Role-Based Access Control (RBAC) to assign privileges to users for access to files and functions.
1 rule found Severity: Medium

1 rule found Severity: Medium

Symantec ProxySG must support organizational requirements to conduct backups of system level information contained in the ProxySG when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

Symantec ProxySG must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

Symantec ProxySG must configure the maintenance and health monitoring to send an alarm when a critical condition occurs for a component.
1 rule found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The NSX-T Manager must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

The NSX-T Manager must generate log records for the info level to capture the DoD-required auditable events.
1 rule found Severity: Medium

The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.
1 rule found Severity: High

1 rule found Severity: Medium

The NSX-T Manager must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

The NSX-T Manager must obtain its public key certificates from an approved DoD certificate authority.
1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The Horizon Connection Server Instant Clone domain account must be configured with limited permissions.
1 rule found Severity: Medium

The Horizon Connection Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The NSX-T Tier-0 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.
1 rule found Severity: Medium

The NSX-T Tier-0 Gateway must be configured to implement message authentication for all control plane protocols.
1 rule found Severity: Medium

The NSX-T Tier-0 Gateway must be configured to use a unique key for each autonomous system (AS) with which it peers.
1 rule found Severity: Medium

The NSX-T Tier-0 Gateway must be configured to use its loopback address as the source address for iBGP peering sessions.
1 rule found Severity: Low

The Workspace ONE UEM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Workspace ONE UEM server install).
1 rule found Severity: Medium

The Workspace ONE UEM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, or auditor.
1 rule found Severity: Medium

Apple iOS/iPadOS 16 must not allow backup to remote systems (managed applications data stored in iCloud).
2 rules found Severity: Medium

2 rules found Severity: Medium

Apple iOS/iPadOS 16 must be configured to not allow passwords that include more than four repeating or sequential characters.
2 rules found Severity: Medium

Apple iOS/iPadOS 16 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
1 rule found Severity: Medium

The Apple iOS/iPadOS 16 allow list must be configured to not include applications with the following characteristics: - backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - transmits MD diagnostic data to non-DOD servers; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

1 rule found Severity: Medium

Apple iOS/iPadOS 16 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.
2 rules found Severity: Medium

Apple iOS/iPadOS 16 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 16 Mail app.
2 rules found Severity: Medium

Apple iOS/iPadOS 16 must implement the management setting: Treat AirDrop as an unmanaged destination.
2 rules found Severity: Medium

2 rules found Severity: Low

2 rules found Severity: Low

2 rules found Severity: Medium

The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the BYOAD access to DOD information and IT resources.
1 rule found Severity: Medium

The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD native security controls are disabled.
1 rule found Severity: Medium

The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if known malicious, blocked, or prohibited applications are installed on the BYOAD (DOD-managed segment only).
1 rule found Severity: Medium

The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD is configured to access nonapproved third-party applications stores (DOD-managed segment only).
1 rule found Severity: Medium

1 rule found Severity: Medium

The iOS/iPadOS 16 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects native security controls are disabled.
1 rule found Severity: Medium

The iOS/iPadOS 16 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects the BYOAD device has known malicious, blocked, or prohibited applications or is configured to access nonapproved managed third-party applications stores.
1 rule found Severity: Medium

The iOS/iPadOS 16 BYOAD must be configured so that managed data and apps are removed if the device is no longer receiving security or software updates.
1 rule found Severity: Medium

The iOS/iPadOS 16 BYOAD must be configured to protect users' privacy, personal information, and applications.
1 rule found Severity: Low

The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to only wipe managed data and apps and not unmanaged data and apps when the user's access is revoked or terminated, the user no longer has the need to access DOD data or IT, or the user reports a registered device as lost, stolen, or showing indicators of compromise.
1 rule found Severity: Low

The EMM system supporting the iOS/iPadOS 16 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an approved Exception to Policy (E2P).
1 rule found Severity: High

The User Agreement must include a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools.
4 rules found Severity: Low

2 rules found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

The macOS system must set permissions on user home directories to prevent users from having access to read or modify another user's files.
2 rules found Severity: Medium

2 rules found Severity: Medium

The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.
2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

The macOS system must be configured with the sudoers file configured to authenticate users on a per-tty basis.
1 rule found Severity: High

1 rule found Severity: Medium

The macOS system logon window must be configured to prompt for username and password, rather than show a list of users.
1 rule found Severity: Low

2 rules found Severity: Low

CylancePROTECT Mobile malware detection must be configured with the following compliance actions for system apps (Android only): -Prompt for compliance: Immediate enforcement action. -Prevent the user from accessing work resources and apps on the device while it is out of compliance. -Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
1 rule found Severity: Medium

CylancePROTECT Mobile malware detection must be configured with the following compliance actions for nonsystem apps (Android only): -Prompt for compliance: Immediate enforcement action. -Prevent the user from accessing work resources and apps on the device while it is out of compliance. -Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured with the following compliance action when a compliance event occurs: -Notify Administrator (send event notification).
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured with the following compliance actions when sideloaded apps are detected: -Prompt for compliance: Immediate enforcement action. -Prevent the user from accessing work resources and apps on the device while it is out of compliance. -Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured with the following safe browsing controls for BlackBerry Dynamics apps: -Block all unsafe URLs -Select one of the following for "scanning option": "Cloud scanning" or "On device scanning". -Disable "Allow users to override blocked resources and enable access to the requested domain".
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured with the following compliance actions when insecure networks are detected for mobile devices: -Block device from network connection and insecure Wi-Fi access points. -Block access to BlackBerry Dynamics apps.
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured with the following compliance actions for integrity violations with BlackBerry Dynamics apps on iOS devices: -Prompt for compliance: Immediate enforcement action -Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured with the following Android security patch compliance and hardware certificate attestation controls: -"Android hardware attestation frequency" = 6 hours -"Device grace period" = 0 hours -"Challenge frequency for noncompliant devices" = 6 hours.
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured with the following compliance actions when an Android device fails security patch compliance and attestation: -Prompt behavior: Immediate enforcement action. -Enforcement action for device: Select either "Untrust", "Delete only work data" or "Delete all data". -Enforcement action for BlackBerry Dynamics apps: Select either "Do not allow BlackBerry Dynamics apps to run" or "Delete BlackBerry Dynamics apps data".
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation failure occurs (Android only): -Prompt for compliance: Immediate enforcement action. -Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run.
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation certificate failure occurs (Android only): -Minimum security level required: "Trusted Environment" or "StrongBox" -Prompt behavior: "Immediate enforcement action". -Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation boot state failure occurs (Android only): -Prompt behavior: "Immediate enforcement action". -Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".
1 rule found Severity: Medium

CylancePROTECT Mobile must be configured to disable anonymous data collection by BlackBerry for both iOS and Android devices.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
2 rules found Severity: Low

2 rules found Severity: Medium

The Ubuntu operating system must be configured so that pwquality is used when passwords are changed or new passwords are established.
1 rule found Severity: Medium

The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
1 rule found Severity: High

1 rule found Severity: High

1 rule found Severity: High

The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can only read and modify their own files.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

All local interactive user home directories must be group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

2 rules found Severity: High

2 rules found Severity: High

MongoDB must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

.NET Framework-reliant components not signed with Authenticode must be disallowed to run (Restricted Sites Zone).
1 rule found Severity: Medium

.NET Framework-reliant components signed with Authenticode must be disallowed to run (Restricted Sites Zone).
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

.NET Framework-reliant components not signed with Authenticode must be disallowed to run (Internet zone).
1 rule found Severity: Medium

.NET Framework-reliant components signed with Authenticode must be disallowed to run (Internet zone).
1 rule found Severity: Medium

When Enhanced Protected Mode is enabled, ActiveX controls must be disallowed to run in Protected Mode.
1 rule found Severity: Medium

The network device must be running an operating system release that is currently supported by the vendor.
4 rules found Severity: High

The network device must be configured to use an authentication server to authenticate users prior to granting administrative access.
4 rules found Severity: High

4 rules found Severity: Medium

The network device must be configured to synchronize internal information system clocks using redundant authoritative time sources.
4 rules found Severity: Medium

2 rules found Severity: Medium

A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.
2 rules found Severity: Low

A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
2 rules found Severity: Medium

The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts.
2 rules found Severity: Medium

1 rule found Severity: Medium

DoD Components providing guest WLAN access (internet access only) must use separate WLAN or logical segmentation of the enterprise WLAN (e.g., separate service set identifier [SSID] and virtual LAN) or DoD network.
1 rule found Severity: Medium

The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
2 rules found Severity: Medium

System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.
2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: High

2 rules found Severity: Medium

2 rules found Severity: Medium

Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
1 rule found Severity: Medium

Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions.
2 rules found Severity: Medium

Sensitive information from production database exports must be modified before being imported into a development database.
1 rule found Severity: Medium

Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace.
2 rules found Severity: Medium

2 rules found Severity: Medium

The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.
2 rules found Severity: Medium

2 rules found Severity: Medium

Application object owner accounts must be disabled when not performing installation or maintenance actions.
1 rule found Severity: Medium

DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
2 rules found Severity: Medium

The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
2 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
2 rules found Severity: High

The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.
2 rules found Severity: Medium

The DBMS must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period.
1 rule found Severity: Medium

2 rules found Severity: Medium

The DBMS must be protected from unauthorized access by developers on shared production/development host systems.
2 rules found Severity: Medium

1 rule found Severity: Medium

The DBMS must specify an account lockout duration that is greater than or equal to the organization-approved minimum.
1 rule found Severity: Medium

The DBMS must have the capability to limit the number of failed login attempts based upon an organization-defined number of consecutive invalid attempts occurring within an organization-defined time period.
1 rule found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
2 rules found Severity: Medium

The DBMS must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
1 rule found Severity: Medium

The DBMS must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions.
1 rule found Severity: Medium

2 rules found Severity: Medium

The DBMS must automatically terminate emergency accounts after an organization-defined time period for each type of account.
2 rules found Severity: Medium

The DBMS must support taking an organization-defined list of least disruptive actions to terminate suspicious events.
1 rule found Severity: Medium

WLAN SSIDs must be changed from the manufacturer's default to a pseudorandom word that does not identify the unit, base, organization, etc.
3 rules found Severity: Low

Wireless access points and bridges must be placed in dedicated subnets outside the enclave's perimeter.
2 rules found Severity: Medium

The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.
1 rule found Severity: High

The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
1 rule found Severity: High

1 rule found Severity: High

The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
1 rule found Severity: High

The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
1 rule found Severity: High

The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1 rule found Severity: Medium

1 rule found Severity: High

The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the root account is the only account having unrestricted access to the system.
1 rule found Severity: High

The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are group-owned by the user's primary group or root.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the executable search paths in all local interactive user initialization files contain only paths that resolve to the user's home directory.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
1 rule found Severity: Low

1 rule found Severity: Low

The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.
1 rule found Severity: Low

The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).
1 rule found Severity: Low

The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).
1 rule found Severity: Low

The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.
1 rule found Severity: Low

The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.
1 rule found Severity: High

The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: High

For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.
1 rule found Severity: Low

The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
1 rule found Severity: Medium

Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
1 rule found Severity: High

The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
1 rule found Severity: Medium

SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.
1 rule found Severity: High

The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.
1 rule found Severity: Medium

1 rule found Severity: High

The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.
1 rule found Severity: High

The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.
1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces.
1 rule found Severity: Medium

Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.
4 rules found Severity: Medium

Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
4 rules found Severity: Low

8 rules found Severity: Medium

1 rule found Severity: Medium

Samsung Android must be configured to not allow installation of applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Samsung Android must be configured to prevent users from adding personal email accounts to the work email app.
3 rules found Severity: Medium

Samsung Android must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.
1 rule found Severity: Medium

1 rule found Severity: Medium

Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

3 rules found Severity: Medium

Samsung Android's Work profile must be configured to prevent users from adding personal email accounts to the work email app.
4 rules found Severity: Medium

Samsung Android's Work profile must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.
1 rule found Severity: Medium

1 rule found Severity: Low

Zebra Android 11 must be configured to not allow passwords that include more than four repeating or sequential characters.
1 rule found Severity: Medium

Zebra Android 11 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, EMM server, mobile application store].
1 rule found Severity: Medium

Zebra Android 11 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
1 rule found Severity: Medium

Zebra Android 11 allow list must be configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Zebra Android 11 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), Hands-Free Profile (HFP), and Serial Port Profile (SPP).
1 rule found Severity: Low

Zebra Android 11 must be configured to not display the following (work profile) notifications when the device is locked: [selection: - email notifications - calendar appointments - contact associated with phone call notification - text message notification - other application-based notifications - all notifications].
1 rule found Severity: Medium

Zebra Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.
1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

Zebra Android 11 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.
1 rule found Severity: Medium

1 rule found Severity: Medium

Zebra Android 11 work profile must be configured to disable automatic completion of work space internet browser text input.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Zebra Android 11 devices must have the latest available Zebra Android 11 operating system installed.
1 rule found Severity: High

1 rule found Severity: Low

1 rule found Severity: Low

The EDB Postgres Advanced Server must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
1 rule found Severity: Medium

The BIG-IP APM module access policy profile must be configured to display an explicit logoff message to users, indicating the reliable termination of authenticated communications sessions when disconnecting from virtual servers.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to enforce organization-defined role-based access control policies over defined subjects and objects.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1 rule found Severity: Medium

The BIG-IP appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to employ automated mechanisms to centrally manage authentication settings.
1 rule found Severity: Medium

The BIG-IP appliance must create backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
1 rule found Severity: Low

The BIG-IP appliance must be configured to create backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to obtain its public key certificates from an appropriate certificate policy through a DoD-approved service provider.
1 rule found Severity: Medium

The F5 BIG-IP must ensure SSH is disabled for root user logon to prevent remote access using the root account.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The BIG-IP appliance must automatically disable accounts after a 35-day period of account inactivity.
1 rule found Severity: Medium

Upon successful logon, the BIG-IP appliance must be configured to notify the administrator of the date and time of the last logon.
1 rule found Severity: Medium

Upon successful logon, the BIG-IP appliance must be configured to notify the administrator of the number of unsuccessful logon attempts since the last successful logon.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
1 rule found Severity: Low

The BIG-IP appliance must be configured to protect audit information from any type of unauthorized read access.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to use NIAP evaluated cryptographic mechanisms to protect the integrity of audit information at rest.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
1 rule found Severity: High

The BIG-IP appliance must be configured to prohibit password reuse for a minimum of five generations.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The BIG-IP appliance must be configured to automatically remove or disable emergency accounts after 72 hours.
1 rule found Severity: Medium

The application must be configured to reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
1 rule found Severity: Medium

The BIG-IP appliance must be configured to activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are created.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are modified.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are disabled.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are removed.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to generate an immediate alert for account-enabling actions.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to transmit access authorization information using approved security safeguards to authorized information systems that enforce access control decisions.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the date and time of the last logon (access).
1 rule found Severity: Low

The BIG-IP appliance must be configured to generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
1 rule found Severity: Low

The BIG-IP appliance must be configured to implement automated security responses if baseline configurations are changed in an unauthorized manner.
1 rule found Severity: Medium

1 rule found Severity: Medium

The BIG-IP appliance must be configured to allow the use of a temporary password for system logons with an immediate change to a permanent password.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to notify the administrator of the number of successful logon attempts occurring during an organization-defined time period.
1 rule found Severity: Low

The BIG-IP appliance must be configured to use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to employ automated mechanisms to centrally apply authentication settings.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to employ automated mechanisms to centrally verify authentication settings.
1 rule found Severity: Medium

The BIG-IP appliance must be configured to employ automated mechanisms to assist in the tracking of security incidents.
1 rule found Severity: Medium

The BIG-IP Core implementation must be configured to inspect for protocol compliance and protocol anomalies in inbound SMTP and Extended SMTP communications traffic to virtual servers.
1 rule found Severity: Medium

The BIG-IP Core implementation must be configured to inspect for protocol compliance and protocol anomalies in inbound FTP and FTPS communications traffic to virtual servers.
1 rule found Severity: Medium

The BIG-IP Core implementation must be configured to inspect for protocol compliance and protocol anomalies in inbound HTTP and HTTPS traffic to virtual servers.
1 rule found Severity: Medium

The BIG-IP Core implementation must automatically terminate a user session for a user connected to virtual servers when organization-defined conditions or trigger events occur that require a session disconnect.
1 rule found Severity: Medium

The BIG-IP Core must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions when providing access to virtual servers.
1 rule found Severity: Medium

The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
1 rule found Severity: Medium

The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the BYOAD access to DOD information and IT resources.
1 rule found Severity: Medium

The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured to detect if the BYOAD native security controls are disabled.
1 rule found Severity: Medium

The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured to detect if known malicious, blocked, or prohibited applications are installed on the BYOAD (DOD-managed segment only).
1 rule found Severity: Medium

The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured to detect if the BYOAD is configured to access nonapproved third-party applications stores (DOD-managed segment only).
1 rule found Severity: Medium

1 rule found Severity: Medium

The iOS/iPadOS 17 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects native security controls are disabled.
1 rule found Severity: Medium

The iOS/iPadOS 17 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects the BYOAD device has known malicious, blocked, or prohibited applications or is configured to access nonapproved managed third-party applications stores.
1 rule found Severity: Medium

The iOS/iPadOS 17 BYOAD must be configured so that managed data and apps are removed if the device is no longer receiving security or software updates.
1 rule found Severity: Medium

The iOS/iPadOS 17 BYOAD must be configured to protect users' privacy, personal information, and applications.
1 rule found Severity: Low

The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured to only wipe managed data and apps and not unmanaged data and apps when the user's access is revoked or terminated, the user no longer has the need to access DOD data or IT, or the user reports a registered device as lost, stolen, or showing indicators of compromise.
1 rule found Severity: Low

The EMM system supporting the iOS/iPadOS 17 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an approved Exception to Policy (E2P).
1 rule found Severity: High

Apple iOS/iPadOS 17 must not allow backup to remote systems (managed applications data stored in iCloud).
2 rules found Severity: Medium

2 rules found Severity: Medium

Apple iOS/iPadOS 17 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
2 rules found Severity: Medium

Apple iOS/iPadOS 17 allow list must be configured to not include applications with the following characteristics: - backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - transmits MD diagnostic data to non-DOD servers; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Apple iOS/iPadOS 17 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
2 rules found Severity: Medium

Apple iOS/iPadOS 17 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.
1 rule found Severity: Medium

2 rules found Severity: Medium

Apple iOS/iPadOS 17 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 17 Mail app.
2 rules found Severity: Medium

Apple iOS/iPadOS 17 must implement the management setting: Treat AirDrop as an unmanaged destination.
2 rules found Severity: Medium

2 rules found Severity: Low

2 rules found Severity: Low

2 rules found Severity: Medium

2 rules found Severity: Medium

Apple iOS/iPadOS 16 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
1 rule found Severity: Low

Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud document and data synchronization).
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Photo Streams).
1 rule found Severity: Medium

Apple iOS/iPadOS 16 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
1 rule found Severity: Medium

Apple iOS/iPadOS 16 must [selection: remove Enterprise application, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM.
1 rule found Severity: Medium

Apple iOS/iPadOS 16 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store].
1 rule found Severity: Medium

Apple iOS/iPadOS 16 must not include applications with the following characteristics: access to Siri when the device is locked.
1 rule found Severity: Medium

Apple iOS/iPadOS 16 allow list must be configured to not include applications with the following characteristics: allow voice dialing when MD is locked.
1 rule found Severity: Medium

Apple iOS/iPadOS 16 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DoD servers; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Apple iOS/iPadOS 16 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
1 rule found Severity: Medium

Apple iOS/iPadOS 16 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.
1 rule found Severity: Medium

1 rule found Severity: Low

Apple iOS/iPadOS 16 must implement the management setting: Not allow automatic completion of Safari browser passcodes.
1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Medium

Apple iOS/iPadOS 16 must implement the management setting: Not have any Family Members in Family Sharing.
1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

Apple iOS/iPadOS 16 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DoD-approved USB storage drives with iOS/iPadOS devices.
1 rule found Severity: Medium

Apple iOS must implement the management setting: Not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Apple iOS/iPadOS 17 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
1 rule found Severity: Low

Apple iOS/iPadOS 17 must be configured to enforce a passcode reuse prohibition of at least two generations.
1 rule found Severity: High

Apple iOS/iPadOS 17 must not include applications with the following characteristics: access to Siri when the device is locked.
1 rule found Severity: Medium

Apple iOS/iPadOS 17 allow list must be configured to not include applications with the following characteristics: - backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - transmits MD diagnostic data to non-DOD servers; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Apple iOS/iPadOS 17 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM.
1 rule found Severity: Medium

1 rule found Severity: Low

Apple iOS/iPadOS 17 must implement the management setting: not allow automatic completion of Safari browser passcodes.
1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Medium

Apple iOS/iPadOS 17 must implement the management setting: not have any Family Members in Family Sharing.
1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

Apple iOS/iPadOS 17 must implement the management setting: approved Apple Watches must be managed by an MDM.
1 rule found Severity: Medium

1 rule found Severity: Medium

The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.
1 rule found Severity: Medium

1 rule found Severity: Medium

Apple iOS must implement the management setting: not allow a user to remove Apple iOS configuration profiles that enforce DOD security requirements.
2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Apple iOS/iPadOS 17 must not allow backup to remote systems (iCloud document and data synchronization).
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Apple iOS/iPadOS 17 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Stream or Shared Photo Stream).
1 rule found Severity: Medium

Apple iOS/iPadOS 17 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DOD-approved USB storage drives with iOS/iPadOS devices.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

The Arista MLS layer 2 switch must implement Rapid STP where VLANs span multiple switches with redundant links.
1 rule found Severity: Medium

The Arista MLS layer 2 switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Arista network device must be running an operating system release that is currently supported by the vendor.
1 rule found Severity: High

The MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
2 rules found Severity: Low

The Arista router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
1 rule found Severity: Low

1 rule found Severity: Medium

The Arista perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
1 rule found Severity: Medium

1 rule found Severity: High

The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation.
1 rule found Severity: Medium

The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface.
1 rule found Severity: Medium

The host running a BIND 9.x implementation must use a dedicated management interface in order to separate management traffic from DNS specific traffic.
1 rule found Severity: Medium

The host running a BIND 9.x implementation must use an interface that is configured to process only DNS traffic.
1 rule found Severity: Medium

A BIND 9.x server implementation must generate a log entry in the event of an error when validating the binding of another DNS server's identity to the BIND 9.x information, when anomalies in the operation of signed zone transfers are discovered, for the success and failure of start and stop of the name server service or daemon, and for the success and failure of all name server events.
1 rule found Severity: Low

1 rule found Severity: Medium

The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated.
1 rule found Severity: Low

The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers.
1 rule found Severity: Low

On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
1 rule found Severity: Low

1 rule found Severity: Medium

On the BIND 9.x server the private keys corresponding to both the ZSK and the KSK must not be kept on the BIND 9.x DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
1 rule found Severity: Medium

The two files generated by the BIND 9.x server dnssec-keygen program must be owned by the root account, or deleted, after they have been copied to the key file in the name server.
1 rule found Severity: Medium

The two files generated by the BIND 9.x server dnssec-keygen program must be group owned by the server administrator account, or deleted, after they have been copied to the key file in the name server.
1 rule found Severity: Medium

Permissions assigned to the dnssec-keygen keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.
1 rule found Severity: Medium

1 rule found Severity: Medium

The core BIND 9.x server files must be group owned by a group designated for DNS administration only.
1 rule found Severity: Medium

The permissions assigned to the core BIND 9.x server files must be set to utilize the least privilege possible.
1 rule found Severity: Medium

On a BIND 9.x server for zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
1 rule found Severity: Medium

On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
1 rule found Severity: Medium

On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
1 rule found Severity: Medium

1 rule found Severity: High

On the BIND 9.x server the IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
1 rule found Severity: Medium

A BIND 9.x implementation operating in a split DNS configuration must be approved by the organization's Authorizing Official.
1 rule found Severity: High

On the BIND 9.x server the private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must be owned by root.
1 rule found Severity: Medium

On the BIND 9.x server the private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must be group owned by root.
1 rule found Severity: Medium

A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies.
1 rule found Severity: Medium

A BIND 9.x server validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
1 rule found Severity: Medium

Every NS record in a zone file on a BIND 9.x server must point to an active name server and that name server must be authoritative for the domain specified in that record.
1 rule found Severity: Medium

On a BIND 9.x server all authoritative name servers for a zone must be located on different network segments.
1 rule found Severity: Medium

On a BIND 9.x server all authoritative name servers for a zone must have the same version of zone information.
1 rule found Severity: Medium

On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone.
1 rule found Severity: Low

On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed.
1 rule found Severity: Low

On the BIND 9.x server a zone file must not include resource records that resolve to a fully qualified domain name residing in another zone.
1 rule found Severity: Medium

On the BIND 9.x server CNAME records must not point to a zone with lesser security for more than six months.
1 rule found Severity: Low

The BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. Government.
1 rule found Severity: Medium

The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files.
1 rule found Severity: Medium

1 rule found Severity: High

The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
1 rule found Severity: High

The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
1 rule found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

The Cisco ASA must be configured to inspect all inbound and outbound traffic at the application layer.
1 rule found Severity: Medium

The Cisco ASA must be configured to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers.
1 rule found Severity: Medium

The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1 rule found Severity: Medium

The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations.
1 rule found Severity: High

3 rules found Severity: Low

3 rules found Severity: Low

1 rule found Severity: Medium

The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
3 rules found Severity: Medium

The Cisco switch must be configured to support organizational requirements to conduct backups of the configuration when changes occur.
3 rules found Severity: Medium

3 rules found Severity: High

3 rules found Severity: Medium

The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

3 rules found Severity: High

The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
2 rules found Severity: Low

3 rules found Severity: Medium

The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.
2 rules found Severity: High

The Cisco PE router must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.
2 rules found Severity: Low

The Cisco BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.
1 rule found Severity: Medium

3 rules found Severity: Medium

The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
3 rules found Severity: Low

The Cisco BGP switch must be configured to use a unique key for each autonomous system (AS) that it peers with.
2 rules found Severity: Medium

The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions.
1 rule found Severity: Low

The Cisco MPLS switch must be configured to use its loopback address as the source address for LDP peering sessions.
1 rule found Severity: Low

The Cisco MPLS switch must be configured to synchronize Interior Gateway Protocol (IGP) and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
2 rules found Severity: Low

2 rules found Severity: Medium

The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.
1 rule found Severity: High

The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).
1 rule found Severity: High

The Cisco PE switch must be configured to have each VRF with the appropriate Route Distinguisher (RD).
1 rule found Severity: Medium

The Cisco PE switch providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.
1 rule found Severity: High

The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.
1 rule found Severity: High

The Cisco PE switch must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.
1 rule found Severity: Low

The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to use a loopback address as the source address when originating MSDP traffic.
1 rule found Severity: Low

2 rules found Severity: Medium

The Cisco switch must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
3 rules found Severity: Low

3 rules found Severity: Medium

The Cisco perimeter switch must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
3 rules found Severity: Medium

3 rules found Severity: Medium

The Cisco perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
3 rules found Severity: Medium

The Cisco ISE must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

The Cisco ISE must enforce access restrictions associated with changes to the firmware, OS, and hardware components.
1 rule found Severity: Medium

The Cisco ISE must perform continuous detection and tracking of endpoint devices attached to the network. This is required for compliance with C2C Step 1.
1 rule found Severity: Medium

The Cisco ISE must enforce posture status assessment for posture required clients defined in the NAC System Security Plan (SSP). This is required for compliance with C2C Step 3.
1 rule found Severity: High

The Cisco ISE must have a posture policy for posture required clients defined in the NAC System Security Plan (SSP). This is required for compliance with C2C Step 2.
1 rule found Severity: High

The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.
1 rule found Severity: Medium

The Cisco ISE must be running an operating system release that is currently supported by the vendor.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Cisco ISE must conduct configuration and operational backups when changes are made or must schedule backups weekly, at a minimum.
1 rule found Severity: Low

1 rule found Severity: Medium

The DNS server implementation must, when a component failure is detected, activate a notification to the system administrator.
1 rule found Severity: Medium

The DNS server implementation must strongly bind the identity of the DNS server with the DNS information.
1 rule found Severity: Medium

The DNS server implementation must provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
1 rule found Severity: Medium

The DNS server implementation must validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
1 rule found Severity: Medium

In the event of an error when validating the binding of another DNS server's identity to the DNS information, the DNS server implementation must log the event and send notification to the DNS administrator.
1 rule found Severity: Medium

1 rule found Severity: Medium

The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.
1 rule found Severity: Medium

The DNS implementation must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
1 rule found Severity: Medium

The two files generated by the dnssec-keygen program must be made accessible only to the server administrator account, or deleted, after they have been copied to the key file in the name server.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must have appropriate directory/file-level access control list-based or cryptography-based protections.
1 rule found Severity: Medium

A zone file must not include resource records that resolve to a fully qualified domain name residing in another zone.
1 rule found Severity: Medium

The DNS server implementation must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must be configured to apply 802.1Q VLAN tags to signaling and media traffic.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access).
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must provide an explicit indication of current participants in all Videoconference (VC)-based and IP-based online meetings and conferences.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must be configured with a firmware release supported by the vendor.
1 rule found Severity: High

The Enterprise Voice, Video, and Messaging Endpoint must be configured to dynamically implement configuration file changes.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable any auto answer features.
1 rule found Severity: Medium

The F5 BIG-IP appliance that provides intermediary services for SMTP must inspect inbound and outbound SMTP and Extended SMTP communications traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

The F5 BIG-IP appliance that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

The F5 BIG-IP appliance that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

The F5 BIG-IP must be configured to identify and authenticate all endpoint devices or peers before establishing a connection.
1 rule found Severity: Medium

The F5 BIG-IP appliance providing remote access intermediary services must disable split-tunneling for remote clients' VPNs.
1 rule found Severity: Medium

The F5 BIG-IP appliance providing remote access intermediary services must be configured to route sessions to an IDPS for inspection.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
1 rule found Severity: Medium

1 rule found Severity: Medium

The digital signature algorithm used for DNSSEC-enabled zones must be set to use RSA/SHA256 or RSA/SHA512.
1 rule found Severity: High

The F5 BIG-IP DNS server implementation must validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) systems.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint user access.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint device access.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager must be configured to provide an indication of current participants in all calls, meetings, and conferences.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) system components.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager must be configured to limit and reserve bandwidth based on priority of the traffic type.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager must be configured to use the organization authoritative time source (NTP) to maintain system time.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The F5 BIG-IP appliance must be configured to use TCP when sending log records to the central audit server.
1 rule found Severity: Medium

The F5 BIG-IP appliance must be configured to restrict itself from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1 rule found Severity: Medium

The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1 rule found Severity: High

The F5 BIG-IP appliance must be configured to inspect all inbound and outbound traffic at the application layer.
1 rule found Severity: Medium

The F5 BIG-IP appliance must be configured to assign appropriate user roles or access levels to authenticated users.
1 rule found Severity: High

The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.
1 rule found Severity: Medium

The F5 BIG-IP appliance must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

The F5 BIG-IP appliance must be configured to use at least two authentication servers to authenticate administrative users.
1 rule found Severity: High

The F5 BIG-IP appliance must be running an operating system release that is currently supported by the vendor.
1 rule found Severity: High

The F5 BIG-IP appliance must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The F5 BIG-IP appliance must conduct backups of the configuration at a weekly or organization-defined frequency and store them on a separate device.
1 rule found Severity: Medium

The F5 BIG-IP appliance IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
1 rule found Severity: High

The Enterprise Voice, Video, and Messaging Session Manager must be configured to apply 802.1Q VLAN tags to signaling and media traffic.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager must be configured to use a voice or video VLAN, separate from all other VLANs.
1 rule found Severity: Medium

The EMM system supporting the Google Android 13 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
1 rule found Severity: Medium

The EMM system supporting the Google Android 13 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the Google Android 13 BYOAD access to DOD information and IT resources.
1 rule found Severity: Medium

The EMM system supporting the Google Android 13 BYOAD must be configured to detect if the Google Android 13 BYOAD native security controls are disabled.
1 rule found Severity: Medium

The EMM system supporting the Google Android 13 BYOAD must be configured to detect if known malicious, blocked, or prohibited applications are installed on the Google Android 13 BYOAD (DOD-managed segment only).
1 rule found Severity: Medium

The EMM detection/monitoring system must use continuous monitoring of enrolled Google Android 13 BYOAD.
1 rule found Severity: Medium

The Google Android 13 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects native security controls are disabled.
1 rule found Severity: Medium

The Google Android 13 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects that the Google Android 13 BYOAD device has known malicious, blocked, or prohibited applications, or is configured to access nonapproved third-party application stores in the work profile.
1 rule found Severity: Medium

The Google Android 13 BYOAD must be configured so that the work profile is removed if the device is no longer receiving security or software updates.
1 rule found Severity: Medium

The EMM system supporting the Google Android 13 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an Approved Exception to Policy (E2P).
1 rule found Severity: High

Google Android 14 must be configured to enforce an application installation policy by specifying one or more authorized application repositories.
1 rule found Severity: Medium

Google Android 14 allowlist must be configured to not include applications with the following characteristics (work profile only): 1. Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); 2. Transmit MD diagnostic data to non-DOD servers; 3. Voice assistant application if available when MD is locked; 4. Voice dialing application if available when MD is locked; 5. Allows synchronization of data or applications between devices associated with user; 6. Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers; and 7. Apps that back up their own data to a remote system.
1 rule found Severity: Medium

Google Android 14 must have the DOD root and intermediate PKI certificates installed (work profile only).
1 rule found Severity: Medium

The Google Android 14 work profile must be configured to prevent users from adding personal email accounts to the work email app.
2 rules found Severity: Medium

The Google Android 14 work profile must be configured to enforce the system application disable list (work profile only).
1 rule found Severity: Medium

Google Android 14 must be provisioned as a BYOAD device (Android work profile for employee-owned devices [BYOD]).
1 rule found Severity: Medium

The Google Android 14 work profile must be configured to disable automatic completion of workspace internet browser text input.
2 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

Android 14 devices must be configured to disable the use of third-party keyboards (work profile only).
1 rule found Severity: Medium

Google Android 14 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).
1 rule found Severity: Medium

Google Android 13 must be configured to enforce an application installation policy by specifying one or more authorized application repositories.
1 rule found Severity: Medium

Google Android 13 allowlist must be configured to not include applications with the following characteristics (work profile only): 1. Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); 2. Transmit MD diagnostic data to non-DOD servers; 3. Voice assistant application if available when MD is locked; 4. Voice dialing application if available when MD is locked; 5. Allows synchronization of data or applications between devices associated with user; and 6. Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Google Android 13 must have the DOD root and intermediate PKI certificates installed (work profile only).
1 rule found Severity: Medium

The Google Android 13 work profile must be configured to prevent users from adding personal email accounts to the work email app.
2 rules found Severity: Medium

The Google Android 13 work profile must be configured to enforce the system application disable list (work profile only).
1 rule found Severity: Medium

Google Android 13 must be provisioned as a BYOAD device (Android work profile for employee-owned devices [BYOD]).
1 rule found Severity: Medium

The Google Android 13 work profile must be configured to disable automatic completion of workspace internet browser text input.
1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: High

Android 13 devices must be configured to disable the use of third-party keyboards (work profile only).
1 rule found Severity: Low

Google Android 13 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).
1 rule found Severity: Medium

The EMM system supporting the Google Android 14 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
1 rule found Severity: Medium

The EMM system supporting the Google Android 14 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the Google Android 14 BYOAD access to DOD information and IT resources.
1 rule found Severity: Medium

The EMM system supporting the Google Android 14 BYOAD must be configured to detect if the Google Android 14 BYOAD native security controls are disabled.
1 rule found Severity: Medium

The EMM system supporting the Google Android 14 BYOAD must be configured to detect if known malicious, blocked, or prohibited applications are installed on the Google Android 14 BYOAD (DOD-managed segment only).
1 rule found Severity: Medium

The EMM detection/monitoring system must use continuous monitoring of enrolled Google Android 14 BYOAD.
1 rule found Severity: Medium

The Google Android 14 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects that native security controls are disabled.
1 rule found Severity: Medium

The Google Android 14 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects the Google Android 14 BYOAD device has known malicious, blocked, or prohibited applications, or configured to access nonapproved third-party applications stores in the work profile.
1 rule found Severity: Medium

The Google Android 14 BYOAD must be configured so that the work profile is removed if the device is no longer receiving security or software updates.
1 rule found Severity: Medium

The EMM system supporting the Google Android 14 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an Approved Exception to Policy (E2P).
1 rule found Severity: Medium

The User Agreement must include a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools.
1 rule found Severity: Medium

SSMC must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Medium

The HPE Nimble must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
1 rule found Severity: High

The HPE Nimble must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The HPE Nimble must be running an operating system release that is currently supported by the vendor.
1 rule found Severity: High

The HPE Nimble must be configured to synchronize internal information system clocks using an authoritative time source.
1 rule found Severity: Medium

The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.
1 rule found Severity: High

AIX administrative accounts must not run a web browser, except as needed for local service administration.
1 rule found Severity: Medium

AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
1 rule found Severity: Medium

The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID.
1 rule found Severity: Medium

The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups.
1 rule found Severity: Medium

The password hashes stored on an AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
1 rule found Severity: Medium

If SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf config file.
1 rule found Severity: Medium

AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option.
1 rule found Severity: Medium

AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
1 rule found Severity: Medium

AIX must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
1 rule found Severity: Medium

The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software.
1 rule found Severity: High

Connection to the Internet for IBM remote support must be in compliance with the Remote Access STIGs.
1 rule found Severity: High

Connection to the Internet for IBM remote support must be in compliance with mitigations specified in the Ports and Protocols and Services Management (PPSM) requirements.
1 rule found Severity: High

All AIX interactive users' home directories must be group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

All files and directories contained in users' home directories on AIX must be group-owned by a group in which the home directory owner is a member.
1 rule found Severity: Medium

All AIX shells referenced in the passwd file must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
1 rule found Severity: Medium

The AIX SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
1 rule found Severity: Medium

If the AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses.
1 rule found Severity: Medium

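The two SSH rules above are easiest to audit from the parsed configuration rather than by eye, because OpenSSH keeps the first value it sees for a keyword and a later Match block can silently change both settings. The following is an added example, not part of the STIG listing and not IBM or OpenSSH code: it evaluates a constructed sshd_config against the FIPS MAC list and an assumed set of approved listen addresses (10.20.30.40 is a placeholder). Accepting the -etm variants of the HMAC-SHA2 MACs is an assumption about site policy.

```python
"""Offline check of an sshd_config for FIPS-approved MACs and approved listen addresses."""
import re

# MACs named in the rule; assumption: the -etm variants of the same HMAC-SHA2
# algorithms are also acceptable to the site.
APPROVED_MACS = {"hmac-sha2-256", "hmac-sha2-512",
                 "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"}
WILDCARDS = {"0.0.0.0", "::"}
APPROVED_LISTEN = {"10.20.30.40"}  # assumption: the site's approved management address
KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")

# Constructed sample, not from a real host.
SAMPLE_CONFIG = """\
# sshd_config
Port 22
Protocol 2
MACs hmac-sha2-256,hmac-sha1
ListenAddress 10.20.30.40
ListenAddress 0.0.0.0
MACs hmac-sha2-512
Match User backup
    MACs hmac-md5
"""


def listen_host(value):
    """Strip an optional port from a ListenAddress argument."""
    host = value.split()[0]            # drop any trailing 'rdomain ...'
    if host.startswith("["):           # [ipv6]:port
        return host[1:host.index("]")]
    if host.count(":") == 1:           # ipv4:port or hostname:port
        return host.split(":")[0]
    return host


def parse_sshd_config(text):
    """Effective global settings. OpenSSH keeps the first value of each keyword,
    so later duplicates are ignored; ListenAddress accumulates. Parsing stops at
    the first Match block, whose overrides are reported for manual review."""
    settings, listen, saw_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            saw_match = True
            break
        if key == "listenaddress":
            listen.append(listen_host(value))
        else:
            settings.setdefault(key, value)
    return settings, listen, saw_match


def audit_sshd(text, approved_listen=APPROVED_LISTEN):
    """Return (code, detail) findings for the MACs and ListenAddress rules."""
    settings, listen, saw_match = parse_sshd_config(text)
    findings = []
    macs = settings.get("macs", "")
    if not macs:
        findings.append(("macs-unrestricted", "no MACs line; the OpenSSH default set includes non-FIPS MACs"))
    else:
        if macs[0] in "+-^":          # a modifier keeps the default set in play
            findings.append(("macs-default-retained", macs))
        for mac in macs.lstrip("+-^").split(","):
            if mac and mac not in APPROVED_MACS:
                findings.append(("unapproved-mac", mac))
    if not listen:
        findings.append(("listen-all", "no ListenAddress; sshd binds every address"))
    for host in listen:
        if host in WILDCARDS or host not in approved_listen:
            findings.append(("unapproved-listen", host))
    if saw_match:
        findings.append(("match-block", "Match block present; review its overrides by hand"))
    return findings


def run_sample():
    return audit_sshd(SAMPLE_CONFIG)
```

On the sample the second MACs line is ignored, hmac-sha1 is reported, the 0.0.0.0 wildcard is flagged, and the Match block is surfaced for manual review; a config with a single `MACs hmac-sha2-256,hmac-sha2-512` line and only approved ListenAddress entries produces no findings.
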
The AIX syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
1 rule found Severity: Medium

AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt.
1 rule found Severity: Medium

All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
1 rule found Severity: Medium

AIX public directories must be the only world-writable directories and world-writable files must be located only in public directories.
1 rule found Severity: Medium

The AIX system's access control program must be configured to grant or deny system access to specific hosts.
1 rule found Severity: Medium

The lists of preloaded libraries in the AIX global initialization files must contain only absolute paths.
1 rule found Severity: Medium

AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1 rule found Severity: Medium

All AIX interactive users must be assigned a home directory in the passwd file and the directory must exist.
1 rule found Severity: Medium

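Several of the AIX rules above (system accounts in cron.allow/cron.deny, reserved GIDs as primary groups, stray `+` entries, password hash algorithm, GIDs referenced in passwd but undefined in group, shells missing from /etc/shells, interactive users without a home directory) are all consistency checks over the same handful of files. The following is an added example, not part of the STIG listing and not IBM code: one offline audit over constructed copies of those files. The system account list, the reserved GID range (0-99, with staff exempted as the AIX default user group) and the sample data are assumptions to adjust per site.

```python
"""Offline audit of AIX account files against several of the rules above.

Inputs here are constructed samples; on a host they would be read from /etc/passwd,
/etc/group, /etc/shells, /var/adm/cron/cron.allow, /var/adm/cron/cron.deny and
/etc/security/passwd.
"""

# Assumption: default AIX system accounts; extend with site-specific ones.
SYSTEM_ACCOUNTS = {"root", "daemon", "bin", "sys", "adm", "uucp", "guest", "nobody",
                   "lpd", "lp", "invscout", "snapp", "ipsec", "nuucp", "pconsole",
                   "esaadmin", "sshd"}
# Assumption: GIDs 0-99 are the reserved system range; staff (1) is the AIX
# default primary group for ordinary users, so it is exempted here.
RESERVED_GIDS = set(range(0, 100)) - {1}
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
FIPS_HASH_PREFIXES = ("{ssha256}", "{ssha512}")  # AIX LPA algorithms built on SHA-2

# Constructed sample data (not taken from any real system).
PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
nobody:!:4294967294:4294967294::/:
alice:!:201:0::/home/alice:/usr/bin/ksh
bob:!:202:250::/home/bob:/usr/bin/bash
carol:!:203:300::/home/carol:/usr/bin/ksh
+::::::
"""
GROUP = """\
system:!:0:root
staff:!:1:
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
nobody:!:4294967294:nobody
users:!:250:bob
"""
SHELLS = "/bin/sh\n/bin/bsh\n/bin/csh\n/bin/ksh\n/usr/bin/sh\n/usr/bin/bsh\n/usr/bin/csh\n/usr/bin/ksh\n"
CRON_ALLOW = "root\nadm\nalice\n"
SEC_PASSWD = """\
root:
        password = {ssha512}06$saltsaltsaltsalt$hashhashhashhash
        lastupdate = 1700000000
alice:
        password = {ssha256}06$saltsaltsaltsalt$hashhashhashhash
bob:
        password = abJnggxhB/yWI
"""


def parse_colon_file(text):
    """Split a colon-separated file into rows, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def parse_security_passwd(text):
    """Map user -> password field from the stanza format of /etc/security/passwd."""
    hashes, user = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and not raw[0].isspace():
            user = line[:-1]
        elif user and line.startswith("password"):
            hashes[user] = line.split("=", 1)[1].strip()
    return hashes


def audit(passwd, group, shells, cron_allow, cron_deny, sec_passwd):
    """Return (code, detail) findings. cron_allow=None means the file does not exist."""
    findings = []
    gr_rows = parse_colon_file(group)
    defined_gids = {row[2] for row in gr_rows if len(row) >= 3 and not row[0].startswith("+")}
    valid_shells = {s.strip() for s in shells.splitlines() if s.strip()}
    allow = None if cron_allow is None else {l.strip() for l in cron_allow.splitlines() if l.strip()}
    deny = {l.strip() for l in (cron_deny or "").splitlines() if l.strip()}

    for row in parse_colon_file(passwd):
        name = row[0]
        if name.startswith("+"):
            findings.append(("plus-entry", "/etc/passwd: '+' entry; confirm NIS+/LDAP netgroups are defined"))
            continue
        if len(row) < 7:
            findings.append(("malformed", name))
            continue
        gid, home, shell = row[3], row[5], row[6]
        if gid not in defined_gids:
            findings.append(("undefined-gid", f"{name}: primary GID {gid} not defined in /etc/group"))
        if name not in SYSTEM_ACCOUNTS and gid.isdigit() and int(gid) in RESERVED_GIDS:
            findings.append(("reserved-gid", f"{name}: primary GID {gid} is reserved for system accounts"))
        if shell and shell not in valid_shells and shell not in NOLOGIN_SHELLS:
            findings.append(("unlisted-shell", f"{name}: {shell} not listed in /etc/shells"))
        interactive = bool(shell) and shell not in NOLOGIN_SHELLS
        if interactive and not home:  # on a host, also require os.path.isdir(home)
            findings.append(("no-home", f"{name}: no home directory assigned"))
        if name in SYSTEM_ACCOUNTS and name != "root":
            if allow is not None and name in allow:
                findings.append(("cron-allow", f"{name}: system account listed in cron.allow"))
            elif allow is None and name not in deny:
                findings.append(("cron-deny", f"{name}: system account missing from cron.deny"))
    if any(row[0].startswith("+") for row in gr_rows):
        findings.append(("plus-entry", "/etc/group: '+' entry; confirm NIS+/LDAP netgroups are defined"))
    for user, field in parse_security_passwd(sec_passwd).items():
        if field not in ("!", "*") and not field.startswith(FIPS_HASH_PREFIXES):
            findings.append(("weak-hash", f"{user}: hash is not ssha256/ssha512 (set pwd_algorithm in login.cfg)"))
    return findings


def run_sample():
    """Audit the constructed sample with cron.allow present."""
    return audit(PASSWD, GROUP, SHELLS, CRON_ALLOW, None, SEC_PASSWD)
```

The sample deliberately trips one finding per rule: adm is a system account listed in cron.allow, alice's primary group is GID 0, bob's shell is not in /etc/shells and his hash is legacy crypt, carol's GID 300 has no group entry, and the trailing `+` line has no netgroup backing. When cron.allow is absent, the same audit switches to requiring every non-root system account in cron.deny.
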
The AIX operating system must be configured to use Multi Factor Authentication for remote connections.
1 rule found Severity: Medium

AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
1 rule found Severity: Medium

The ISEC7 SPHERE must be configured to leverage the enterprise directory service accounts and groups for ISEC7 SPHERE server admin identification and authentication.
1 rule found Severity: Medium

The ISEC7 SPHERE, Tomcat installation, and ISEC7 Suite monitor must be configured to use the Windows Trust Store for the storage of digital certificates and keys.
1 rule found Severity: Medium

The ICS must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

The ICS must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The ICS must be configured to support organizational requirements to conduct weekly backups of information system documentation, including security-related documentation.
1 rule found Severity: Medium

The ICS must be configured to run an operating system release that is currently supported by Ivanti.
1 rule found Severity: High

The ICS must be configured to conduct backups of system level information contained in the information system when changes occur.
1 rule found Severity: Medium

The ICS, when utilizing PKI-based authentication, must be configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

The Ivanti EPMM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The Jamf Pro EMM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Jamf Pro EMM server install).
1 rule found Severity: Medium

The Jamf Pro EMM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.
1 rule found Severity: Medium

Sentry must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

Sentry must be configured to conduct backups of system level information contained in the information system when changes occur.
1 rule found Severity: Low

Sentry must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The Juniper EX switch must be configured to enable Storm Control on all host-facing access interfaces.
1 rule found Severity: Low

If STP is used, the Juniper EX switch must be configured to implement Rapid STP, or Multiple STP, where VLANs span multiple switches with redundant links.
1 rule found Severity: Medium

The Juniper EX switch must be configured to verify two-way connectivity on all interswitch trunked interfaces.
1 rule found Severity: Medium

The Juniper EX switch must be configured to prune the default VLAN from all trunked interfaces that do not require it.
1 rule found Severity: Medium

The Juniper EX switch must be configured to set all user-facing or untrusted ports as access interfaces.
1 rule found Severity: Medium

The Juniper EX switch must not have a native VLAN ID assigned, or have a unique native VLAN ID, for all 802.1q trunk links.
1 rule found Severity: Medium

The Juniper EX switch must not have any access interfaces assigned to a VLAN configured as native for any trunked interface.
1 rule found Severity: Low

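Four of the Juniper EX layer-2 rules above (storm control on access interfaces, default VLAN pruned from trunks, no default VLAN as native, and no native VLAN shared with an access port) can be checked mechanically from `show configuration | display set` output. The following is an added example, not part of the STIG listing and not Juniper code: it parses a constructed configuration written in ELS-style set syntax (an assumption; pre-ELS switches use `port-mode` rather than `interface-mode`) and reports the violations. The STP and two-way connectivity rules need protocol state rather than configuration and are not covered here.

```python
"""Audit Junos EX 'display set' output for the VLAN and storm-control rules above."""
import re
from collections import defaultdict

VLAN_RE = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")
IFACE_RE = re.compile(r"^set interfaces (\S+) (.*)$")

# Constructed sample (assumption: ELS-style syntax), not from a real switch.
SAMPLE_CONFIG = """\
set vlans default vlan-id 1
set vlans v10 vlan-id 10
set vlans v20 vlan-id 20
set vlans native999 vlan-id 999
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/0 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v20
set interfaces ge-0/0/46 native-vlan-id 999
set interfaces ge-0/0/46 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members v20
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members native999
set interfaces ge-0/0/47 native-vlan-id 20
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members default
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members v20
"""


def parse_display_set(text):
    """Return ({vlan name: id}, {interface: config}) from 'display set' lines."""
    vlan_ids = {}
    ifaces = defaultdict(lambda: {"mode": None, "members": set(), "native": None, "storm": False})
    for raw in text.splitlines():
        line = raw.strip()
        m = VLAN_RE.match(line)
        if m:
            vlan_ids[m.group(1)] = int(m.group(2))
            continue
        m = IFACE_RE.match(line)
        if not m:
            continue
        name, rest = m.groups()
        cfg, tokens = ifaces[name], m.group(2).split()
        if tokens[0] == "native-vlan-id":
            cfg["native"] = int(tokens[1])
        if "interface-mode" in tokens:
            cfg["mode"] = tokens[tokens.index("interface-mode") + 1]
        if "members" in tokens:   # tolerate bracketed lists as well as one-per-line
            cfg["members"].update(t for t in tokens[tokens.index("members") + 1:] if t not in ("[", "]"))
        if "storm-control" in tokens:
            cfg["storm"] = True
    return vlan_ids, dict(ifaces)


def audit_switch(text, default_vlan_id=1):
    """Return (code, interface) findings, sorted by interface name."""
    vlan_ids, ifaces = parse_display_set(text)
    access_vlan_ids = set()
    for cfg in ifaces.values():
        if cfg["mode"] == "access":
            access_vlan_ids.update(vlan_ids.get(v, -1) for v in cfg["members"])
    findings = []
    for name in sorted(ifaces):
        cfg = ifaces[name]
        if cfg["mode"] == "access" and not cfg["storm"]:
            findings.append(("no-storm-control", name))
        if cfg["mode"] == "trunk":
            if any(vlan_ids.get(v) == default_vlan_id for v in cfg["members"]):
                findings.append(("default-vlan-on-trunk", name))
            if cfg["native"] == default_vlan_id:
                findings.append(("native-is-default-vlan", name))
            if cfg["native"] is not None and cfg["native"] in access_vlan_ids:
                findings.append(("native-vlan-is-access-vlan", name))
    return findings


def run_sample():
    return audit_switch(SAMPLE_CONFIG)
```

In the sample ge-0/0/1 lacks storm control, and trunk ge-0/0/47 both carries the default VLAN and uses VLAN 20 as its native VLAN while ge-0/0/1 is an access port in VLAN 20; ge-0/0/46, with a dedicated unused native VLAN, is clean.
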
The Juniper EX switch must be configured to enforce organization-defined role-based access control policies over defined subjects and objects.
1 rule found Severity: Medium

The Juniper EX switch must be configured to generate log records for a locally developed list of auditable events.
1 rule found Severity: Medium

The Juniper EX switch must be configured to enforce access restrictions associated with changes to the system components.
1 rule found Severity: Medium

The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
1 rule found Severity: High

The Juniper EX switch must be configured to conduct backups of system level information contained in the information system when changes occur.
1 rule found Severity: Medium

The Juniper EX switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The Juniper EX switch must be configured with an operating system release that is currently supported by the vendor.
1 rule found Severity: High

The Juniper router must be configured to implement message authentication for all control plane protocols.
2 rules found Severity: Medium

The Juniper BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.
2 rules found Severity: Medium

The Juniper router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
2 rules found Severity: Medium

The Juniper BGP router must be configured to use its loopback address as the source address for iBGP peering sessions.
1 rule found Severity: Low

The Juniper MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.
1 rule found Severity: Low

The Juniper MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
2 rules found Severity: Low

The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.
1 rule found Severity: High

The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).
1 rule found Severity: High

The Juniper PE router must be configured to have each VRF with the appropriate Route Distinguisher (RD).
1 rule found Severity: Medium

The Juniper PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.
1 rule found Severity: High

The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.
1 rule found Severity: High

The Juniper PE router must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.
1 rule found Severity: Low

The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to use its loopback address as the source address when originating MSDP traffic.
1 rule found Severity: Low

The Juniper router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
1 rule found Severity: Low

The Juniper perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
2 rules found Severity: Medium

The Juniper router must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The layer 2 switch must implement Rapid STP where VLANs span multiple switches with redundant links.
1 rule found Severity: Medium

The layer 2 switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
1 rule found Severity: Medium

The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive.
1 rule found Severity: Medium

The layer 2 switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
1 rule found Severity: Medium

The layer 2 switch must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

MarkLogic Server must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
1 rule found Severity: Medium

MongoDB must be configured in accordance with the security configuration settings based on DOD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
1 rule found Severity: Medium

All accounts installed with the IIS 10.0 web server software and tools must have passwords assigned and default passwords changed.
1 rule found Severity: High

The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set.
1 rule found Severity: Medium

The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
1 rule found Severity: Medium

Windows 11 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: Continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
1 rule found Severity: Medium

Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts.
1 rule found Severity: Medium

Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
1 rule found Severity: High

The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
2 rules found Severity: Low

Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
1 rule found Severity: Medium

Connections to non-domain networks when connected to a domain authenticated network must be blocked.
2 rules found Severity: Medium

Windows 11 must be configured to enable "Remote host allows delegation of non-exportable credentials".
1 rule found Severity: Medium

Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
1 rule found Severity: Medium

Automatically signing in the last interactive user after a system-initiated restart must be disabled.
3 rules found Severity: Medium

The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
2 rules found Severity: Medium

The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
2 rules found Severity: High

The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
2 rules found Severity: Medium

The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
2 rules found Severity: Medium

Windows 11 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance.
1 rule found Severity: Medium

Site IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW).
1 rule found Severity: Medium

Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts.
1 rule found Severity: Medium

All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources.
1 rule found Severity: Medium

The Windows PAW must be configured with a vendor-supported version of Windows 11 and applicable security patches that are DOD approved.
1 rule found Severity: Medium

The Windows PAW must be configured so that all non-administrative-related applications and functions are blocked or removed from the PAW platform, including but not limited to email, Internet browsing, and line-of-business applications.
1 rule found Severity: Medium

Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard Code Integrity Policy).
1 rule found Severity: Medium

Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard User Mode Code Integrity).
1 rule found Severity: Medium

Windows PAWs must be restricted to only allow groups used to manage high-value IT resources and members of the local Administrators group to log on locally.
1 rule found Severity: Medium

The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts.
1 rule found Severity: Medium

PAWs used to manage Active Directory must only allow groups specifically designated to manage Active Directory, such as Enterprise and Domain Admins and members of the local Administrators group, to log on locally.
1 rule found Severity: Medium

The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW.
1 rule found Severity: High

If several Windows PAWs are set up in virtual machines (VMs) on a host server, the host server must only contain PAW VMs.
1 rule found Severity: Medium

The Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.
1 rule found Severity: Medium

The Windows PAW must be configured so that all outbound connections to the Internet from a PAW are blocked.
1 rule found Severity: Medium

The local Administrators group on the Windows PAW must only include groups with accounts specifically designated to administer the PAW.
1 rule found Severity: Medium

Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members.
1 rule found Severity: Medium

If several PAWs are set up in virtual machines (VMs) on a host server, domain administrative accounts used to manage high-value IT resources must not have access to the VM host operating system (OS) (only domain administrative accounts designated to manage PAWs should be able to access the VM host OS).
1 rule found Severity: Medium

Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
1 rule found Severity: High

Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
2 rules found Severity: High

Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
1 rule found Severity: Medium

Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
1 rule found Severity: Medium

Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
1 rule found Severity: Medium

Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
1 rule found Severity: Low

Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
1 rule found Severity: Low

Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
1 rule found Severity: Low

Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
1 rule found Severity: Low

Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
2 rules found Severity: Medium

Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
1 rule found Severity: Medium

Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
1 rule found Severity: Medium

Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
1 rule found Severity: High

Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
1 rule found Severity: Medium

Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
1 rule found Severity: Medium

The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
1 rule found Severity: High

Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
1 rule found Severity: Medium

Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
1 rule found Severity: Medium

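The Windows 11 and Windows Server 2016 rules above that concern the LAN Manager authentication level, NTLM SSP session security, anonymous users and the Everyone group, hardened UNC paths for SYSVOL and NETLOGON, automatic sign-in after restart, ICMP redirects, IPv4/IPv6 source routing, virtualization-based security, Early Launch Antimalware and delegation of non-exportable credentials all reduce to registry values under HKLM. The following is an added example, not part of the STIG listing and not Microsoft code: it evaluates a registry snapshot (a dict of key path to value names, here constructed; on a host it would be built from `reg.exe export` or PowerShell `Get-ItemProperty`) against those expected values. Treating an absent DriverLoadPolicy as compliant follows the rule's note that the setting defaults to 3; everything else absent is reported as unconfigured.

```python
"""Evaluate exported Windows registry values against the NTLM, anonymous-access,
hardened UNC path, sign-in, IP stack, VBS, ELAM and credential-delegation rules above.

State shape: {key_path: {value_name: value}} with REG_DWORDs already converted to int.
"""

LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
MSV = LSA + r"\MSV1_0"
TCPIP = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
TCPIP6 = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
DEVICE_GUARD = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"
HARDENED_PATHS = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"
EARLY_LAUNCH = r"HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch"
WINLOGON_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
CRED_DELEGATION = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"

# Require NTLMv2 session security (0x00080000) and 128-bit encryption (0x20000000).
NTLM_SESSION_SEC = 0x20080000


def hardened_path_ok(value):
    """A hardened UNC path must require both mutual authentication and integrity."""
    if not isinstance(value, str):
        return False
    opts = {}
    for part in value.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            opts[k.strip().lower()] = v.strip()
    return opts.get("requiremutualauthentication") == "1" and opts.get("requireintegrity") == "1"


# (rule, key, value name, predicate); the predicate receives None when the value is absent.
CHECKS = [
    ("LAN Manager authentication level: NTLMv2 only, refuse LM and NTLM", LSA, "LmCompatibilityLevel", lambda v: v == 5),
    ("NTLM SSP client session security: NTLMv2 and 128-bit", MSV, "NTLMMinClientSec", lambda v: v == NTLM_SESSION_SEC),
    ("NTLM SSP server session security: NTLMv2 and 128-bit", MSV, "NTLMMinServerSec", lambda v: v == NTLM_SESSION_SEC),
    ("Anonymous users do not get Everyone permissions", LSA, "EveryoneIncludesAnonymous", lambda v: v == 0),
    ("Hardened UNC path for SYSVOL", HARDENED_PATHS, r"\\*\SYSVOL", hardened_path_ok),
    ("Hardened UNC path for NETLOGON", HARDENED_PATHS, r"\\*\NETLOGON", hardened_path_ok),
    ("No automatic sign-in of the last user after restart", WINLOGON_POLICY, "DisableAutomaticRestartSignOn", lambda v: v == 1),
    ("ICMP redirects must not override OSPF routes", TCPIP, "EnableICMPRedirect", lambda v: v == 0),
    ("IPv4 source routing at highest protection", TCPIP, "DisableIPSourceRouting", lambda v: v == 2),
    ("IPv6 source routing at highest protection", TCPIP6, "DisableIPSourceRouting", lambda v: v == 2),
    ("Virtualization-based security enabled", DEVICE_GUARD, "EnableVirtualizationBasedSecurity", lambda v: v == 1),
    ("VBS platform level: Secure Boot (1) or Secure Boot with DMA Protection (3)", DEVICE_GUARD, "RequirePlatformSecurityFeatures", lambda v: v in (1, 3)),
    # 7 (All) is the finding; 8, 1 and 3 block bad drivers, and an absent value defaults to 3.
    ("ELAM boot-start driver policy prevents bad drivers", EARLY_LAUNCH, "DriverLoadPolicy", lambda v: v is None or v in (1, 3, 8)),
    ("Remote host allows delegation of non-exportable credentials", CRED_DELEGATION, "AllowProtectedCreds", lambda v: v == 1),
]

# Constructed snapshot of a partially hardened host (not a real export).
SAMPLE_STATE = {
    LSA: {"LmCompatibilityLevel": 3, "EveryoneIncludesAnonymous": 0},
    MSV: {"NTLMMinClientSec": 0x20080000, "NTLMMinServerSec": 0x20000000},
    HARDENED_PATHS: {r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
                     r"\\*\NETLOGON": "RequireMutualAuthentication=1"},
    WINLOGON_POLICY: {"DisableAutomaticRestartSignOn": 1},
    TCPIP: {"EnableICMPRedirect": 0, "DisableIPSourceRouting": 2},
    TCPIP6: {},
    DEVICE_GUARD: {"EnableVirtualizationBasedSecurity": 1, "RequirePlatformSecurityFeatures": 3},
    EARLY_LAUNCH: {},
    CRED_DELEGATION: {"AllowProtectedCreds": 1},
}


def evaluate(state):
    """Return (rule, value name, actual value) for every check that fails."""
    findings = []
    for rule, key, name, ok in CHECKS:
        actual = state.get(key, {}).get(name)
        if not ok(actual):
            findings.append((rule, name, actual))
    return findings


def run_sample():
    return evaluate(SAMPLE_STATE)
```

The sample host still sends NTLMv2 while accepting LM and NTLM (level 3), requires only 128-bit encryption but not NTLMv2 session security on the server side, hardens NETLOGON without the integrity requirement, and has no IPv6 source-routing policy at all; the missing DriverLoadPolicy is correctly not reported.
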
The Windows DNS Server must be configured to record who added/modified/deleted DNS zone information.
1 rule found Severity: Medium

The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity.
1 rule found Severity: Medium

The Windows DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
1 rule found Severity: Medium

Forwarders on an authoritative Windows DNS Server, if enabled for external resolution, must forward only to an internal, non-Active Directory (AD)-integrated DNS server or to the DOD Enterprise Recursive Services (ERS).
1 rule found Severity: Medium

The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
1 rule found Severity: High

The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
1 rule found Severity: High

In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
1 rule found Severity: Medium

The Windows DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows DNS Server service account and/or the DNS database administrator.
1 rule found Severity: Medium

The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
1 rule found Severity: Medium

The Windows DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
1 rule found Severity: Medium

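The two zone-content rules above (NS records pointing at active authoritative servers, and no resource records resolving to an FQDN in another zone) can be pre-screened from the zone file itself before any live queries. The following is an added example, not part of the STIG listing and not Microsoft code: it parses a constructed zone written in the RFC 1035 text format that Windows DNS uses for file-backed zones (an assumption; AD-integrated zones would first be exported with dnscmd /ZoneExport), flags name-valued RDATA (CNAME, NS, MX, PTR, SRV) that leaves the zone, and flags in-zone NS targets with no address record. Whether an in-zone name server is actually active, and whether an out-of-zone target is an approved exception, still needs the live check the rule describes.

```python
"""Pre-screen a zone file for out-of-zone targets and NS records without addresses."""

NAME_RDATA_INDEX = {"CNAME": 0, "NS": 0, "PTR": 0, "MX": 1, "SRV": 3}
ADDRESS_TYPES = {"A", "AAAA"}
CLASSES = {"IN", "CH", "HS"}

# Constructed zone, not a real one. The SOA is kept on one line because this
# parser does not join parenthesised multi-line records.
SAMPLE_ZONE = """\
$ORIGIN example.mil.
$TTL 3600
@       IN SOA ns1.example.mil. hostmaster.example.mil. ( 2024010101 7200 900 1209600 3600 )
@       IN NS  ns1
@       IN NS  ns2.example.mil.
@       IN NS  ns9.partner.mil.
ns1     IN A   10.1.0.53
www     IN A   10.1.0.80
mail    IN MX  10 mail.example.mil.
mail    IN A   10.1.0.25
portal  IN CNAME www
legacy  IN CNAME old-portal.contractor.com.   ; points outside the zone
"""


def qualify(name, origin):
    """Turn a relative owner or target name into an absolute one."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def in_zone(fqdn, origin):
    return fqdn == origin or fqdn.endswith("." + origin)


def parse_zone(text, origin=None):
    """Return (origin, [(owner, type, rdata tokens)]) from RFC 1035 zone text."""
    records, last_name = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0].startswith("$"):                  # $TTL, $INCLUDE: not needed here
            continue
        if raw[0].isspace():                           # blank owner repeats the previous one
            name = last_name
        else:
            name = tokens.pop(0)
        last_name = name
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                              # optional TTL and class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        records.append((qualify(name, origin), rtype, rdata))
    return origin, records


def audit_zone(text):
    """Return (code, detail) findings for the two zone-content rules."""
    origin, records = parse_zone(text)
    addressed = {owner for owner, rtype, _ in records if rtype in ADDRESS_TYPES}
    findings = []
    for owner, rtype, rdata in records:
        idx = NAME_RDATA_INDEX.get(rtype)
        if idx is None or len(rdata) <= idx:
            continue
        target = qualify(rdata[idx], origin)
        if not in_zone(target, origin):
            findings.append(("out-of-zone-target", f"{owner} {rtype} {target}"))
        elif rtype == "NS" and target not in addressed:
            findings.append(("ns-without-address", target))
    return findings


def run_sample():
    return audit_zone(SAMPLE_ZONE)
```

On the sample, ns2.example.mil. is delegated to but has no A or AAAA record, the third NS and the legacy CNAME point into other zones, and the MX and the portal alias stay in-zone and pass.
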
The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
1 rule found Severity: Medium

The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
1 rule found Severity: Medium

The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed.
1 rule found Severity: Medium

The Windows DNS Server's IP address must be statically defined and configured locally on the server.
1 rule found Severity: Medium

The Windows DNS Server must return data information in response to internal name/address resolution queries.
1 rule found Severity: Medium

The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality.
1 rule found Severity: Medium

The Windows DNS Server must, when a component failure is detected, activate a notification to the system administrator.
1 rule found Severity: Medium

The private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
1 rule found Severity: Medium

If the network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.
1 rule found Severity: Medium

Network devices performing maintenance functions must restrict use of these functions to authorized personnel only.
1 rule found Severity: Medium

If the network device uses mandatory access control, the network device must enforce organization-defined mandatory access control policies over all subjects and objects.
1 rule found Severity: Medium

The network device must enforce access restrictions associated with changes to the system components.
1 rule found Severity: Medium

The network device must be configured to conduct backups of system level information contained in the information system when changes occur.
1 rule found Severity: Medium

The network device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

The network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The network device must be running an operating system release that is currently supported by the vendor.
1 rule found Severity: High

The network device must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

Sensor traffic in transit must be protected at all times via an Out-of-Band (OOB) network or an encrypted tunnel between site locations.
1 rule found Severity: Medium

Intrusion Detection and Prevention System (IDPS) traffic between the sensor and the security management or sensor data collection servers must traverse a dedicated Virtual Local Area Network (VLAN) logically separating IDPS traffic from all other enclave traffic.
1 rule found Severity: Medium

Products collecting baselines for anomaly-based detection must have their baselines rebuilt based on changes to mission requirements such as Information Operations Conditions (INFOCON) levels and when the traffic patterns are expected to change significantly.
1 rule found Severity: Low

If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory on which the signature packs are placed.
1 rule found Severity: Medium

If an automated scheduler is used to provide updates to the sensors, an account on the file server must be defined that will provide access to the signatures only to the sensors.
1 rule found Severity: Medium

The Intrusion Detection and Prevention System (IDPS) configuration must be backed up before applying software or signature updates, or when making changes to the configuration.
1 rule found Severity: Low

The Intrusion Detection and Prevention System (IDPS) file checksums provided by the vendor must be compared and verified with checksums computed from CD or downloaded files.
1 rule found Severity: Low

The organization must establish weekly data backup procedures for the network Intrusion Detection and Prevention System (IDPS) data.
1 rule found Severity: Medium

The Intrusion Detection and Prevention System (IDPS) software and signatures must be updated when updates are provided by the vendor.
1 rule found Severity: Low

The organization must ensure all switches and associated cross-connect hardware are kept in a secure Intermediate Distribution Frame (IDF) or an enclosed cabinet that is kept locked.
1 rule found Severity: Medium

All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).
1 rule found Severity: Medium

Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave.
1 rule found Severity: Medium

An Out-of-Band (OOB) management network must be deployed or 24x7 personnel must have console access for device management.
1 rule found Severity: Medium

All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA).
1 rule found Severity: Medium

Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility.
1 rule found Severity: High

Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclave's accreditation package, and an Authority to Connect (ATC) or Interim ATC amending the connection approval must be received prior to implementation.
1 rule found Severity: Medium

VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information.
1 rule found Severity: Medium

Rapid Spanning Tree Protocol (STP) must be implemented at the access and distribution layers where Virtual Local Area Networks (VLANs) span multiple switches.
1 rule found Severity: Low

First-hop redundancy services must be configured to delay any preempt to provide enough time for the Interior Gateway Protocol (IGP) to stabilize.
1 rule found Severity: Low

The Oracle Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.
1 rule found Severity: Medium

The Oracle Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
1 rule found Severity: High

The Oracle Linux operating system must not allow a non-certificate trusted host SSH logon to the system.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
1 rule found Severity: High

The Oracle Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the root account is the only account having unrestricted access to the system.
1 rule found Severity: High

The Oracle Linux operating system must be configured so that all files and directories have a valid owner.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all files and directories have a valid group owner.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are group-owned by the user's primary group or root.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all local interactive user initialization files' executable search paths contain only paths that resolve to the user's home directory.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that local initialization files do not execute world-writable programs.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.
1 rule found Severity: Medium

The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
1 rule found Severity: Medium

The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
1 rule found Severity: Medium

The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
1 rule found Severity: Medium

The Oracle Linux operating system must set the umask value to 077 for all local interactive user accounts.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
1 rule found Severity: Low

The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).
1 rule found Severity: Low

The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.
1 rule found Severity: Low

The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
1 rule found Severity: Medium

The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so the SSH private host key files have mode 0640 or less permissive.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
1 rule found Severity: Medium

For Oracle Linux operating systems using DNS resolution, at least two name servers must be configured.
1 rule found Severity: Low

The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
1 rule found Severity: Medium

The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
1 rule found Severity: Medium

The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.
1 rule found Severity: Medium

The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
1 rule found Severity: Medium

The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
1 rule found Severity: Medium

The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
1 rule found Severity: Medium

The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
1 rule found Severity: Medium

The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
1 rule found Severity: Medium

The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
1 rule found Severity: High

The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
1 rule found Severity: High

The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.
1 rule found Severity: Medium

The Oracle Linux operating system must not have a graphical display manager installed unless approved.
1 rule found Severity: Medium

The Oracle Linux operating system must not be performing packet forwarding unless the system is a router.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
1 rule found Severity: Medium

The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.
1 rule found Severity: Medium

The Oracle Linux operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
1 rule found Severity: High

The Oracle Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.
1 rule found Severity: Medium

The Oracle Linux operating system must disable the graphical user interface automounter unless required.
1 rule found Severity: Medium

The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
1 rule found Severity: Medium

The Oracle Linux operating system must specify the default "include" directory for the /etc/sudoers file.
1 rule found Severity: Medium

The Oracle Linux operating system must disable the login screen user list for graphical user interfaces.
1 rule found Severity: Medium

The MySQL Database Server 8.0 must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
1 rule found Severity: Medium

The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
1 rule found Severity: High

The Riverbed NetProfiler must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.
1 rule found Severity: High

The Riverbed NetProfiler must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The Riverbed NetProfiler must be configured to run an operating system release that is currently supported by the vendor.
1 rule found Severity: High

The Riverbed NetProfiler must be configured to conduct backups of system-level information and system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1 rule found Severity: Low

Redis Enterprise DBMS must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
1 rule found Severity: Medium

Rancher MCM must allocate audit record storage and generate audit records associated with events, users, and groups.
1 rule found Severity: Medium

All accounts installed with the Automation Controller NGINX web server's software and tools must have passwords assigned and default passwords changed.
1 rule found Severity: Medium

The BGP router must be configured to use its loopback address as the source address for iBGP peering sessions.
1 rule found Severity: Low

The MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.
1 rule found Severity: Low

The PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.
1 rule found Severity: High

The PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).
1 rule found Severity: High

The PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.
1 rule found Severity: High

The PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.
1 rule found Severity: High

The PE router must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.
1 rule found Severity: Low

The Multicast Source Discovery Protocol (MSDP) router must be configured to use its loopback address as the source address when originating MSDP traffic.
1 rule found Severity: Low

The router must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
1 rule found Severity: Low

The perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
1 rule found Severity: Medium

The SDN Controller must be configured to notify the forwarding device to either drop the packet or make an entry in the flow table for a received packet that does not match any flow table entries.
1 rule found Severity: Medium

The SDN controller must be configured to enable multi-tenant virtual networks to be fully isolated from one another.
1 rule found Severity: Medium

The SDN controller must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

A separate file system must be used for SLEM 5 user home directories (such as /home or an equivalent).
1 rule found Severity: Medium

SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
1 rule found Severity: Medium

SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
1 rule found Severity: Medium

SLEM 5 file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
1 rule found Severity: Medium

SLEM 5 file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
1 rule found Severity: Medium

All SLEM 5 local interactive user home directories must be group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

All SLEM 5 world-writable directories must be group-owned by root, sys, bin, or an application group.
1 rule found Severity: Medium

SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
1 rule found Severity: Medium

SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
1 rule found Severity: Medium

SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
1 rule found Severity: Medium

SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
1 rule found Severity: Medium

SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
1 rule found Severity: Medium

SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
1 rule found Severity: Medium

SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
1 rule found Severity: Medium

SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
1 rule found Severity: Medium

SLEM 5 SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

SLEM 5 default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
1 rule found Severity: Medium

SLEM 5 shadow password suite must be configured to enforce a delay of at least five seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Medium

All SLEM 5 local interactive user initialization files' executable search paths must contain only paths that resolve to the users' home directory.
1 rule found Severity: Medium

SLEM 5 must enforce a delay of at least five seconds between logon prompts following a failed logon attempt via pluggable authentication modules (PAM).
1 rule found Severity: Medium

SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
1 rule found Severity: Medium

Splunk Enterprise must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
1 rule found Severity: Medium

Splunk Enterprise must be configured to retain the identity of the original source host or device where the event occurred as part of the log record.
1 rule found Severity: Medium

Splunk Enterprise must be configured with a report to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
1 rule found Severity: Medium

Analysis, viewing, and indexing functions, services, and applications used as part of Splunk Enterprise must be configured to comply with DoD-trusted path and access requirements.
1 rule found Severity: Medium

The EMM system supporting the Samsung Android 14 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
1 rule found Severity: Medium

The EMM system supporting the Samsung Android 14 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the Samsung Android 14 BYOAD access to DOD information and IT resources.
1 rule found Severity: Medium

The EMM system supporting the Samsung Android 14 BYOAD must be configured to detect if the Samsung Android 14 BYOAD native security controls are disabled.
1 rule found Severity: Medium

The EMM system supporting the Samsung Android 14 BYOAD must be configured to detect if known malicious applications, blocked, or prohibited applications are installed on the Samsung Android 14 BYOAD (DOD-managed segment only).
1 rule found Severity: Medium

The EMM detection/monitoring system must use continuous monitoring of enrolled Samsung Android 14 BYOAD.
1 rule found Severity: Medium

The Samsung Android 14 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects native security controls are disabled.
1 rule found Severity: Medium

The Samsung Android 14 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects the Samsung Android 14 BYOAD device has known malicious, blocked, or prohibited applications, or configured to access nonapproved third-party applications stores in the work profile.
1 rule found Severity: Medium

The Samsung Android 14 BYOAD must be configured so that the work profile is removed if the device is no longer receiving security or software updates.
1 rule found Severity: Medium

The EMM system supporting the Samsung Android 14 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an Approved Exception to Policy (E2P).
1 rule found Severity: High

Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allow synchronization of data or applications between devices associated with the user;
- Allow unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers; and
- Apps that back up their own data to a remote system.
1 rule found Severity: Medium

Samsung Android's Work profile must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.
3 rules found Severity: Medium

Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DOD-approved commercial app repository, management tool server, or mobile application store.
7 rules found Severity: Medium

The Samsung Android device must be configured to enable Certificate Revocation List (CRL) status checking.
5 rules found Severity: Medium

The Samsung Android device work profile must be configured to enforce the system application disable list.
5 rules found Severity: Medium

The Samsung Android device work profile must be configured to disable automatic completion of workspace internet browser text input.
2 rules found Severity: Medium

Tanium endpoint files must be excluded from host-based intrusion prevention system (HIPS) intervention.
1 rule found Severity: Medium

The TippingPoint SMS must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
1 rule found Severity: High

The TippingPoint SMS must be configured to conduct backups of system level information contained in the information system when changes occur.
1 rule found Severity: Medium

The TippingPoint SMS must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

The TippingPoint SMS must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The TippingPoint SMS must be running an operating system release that is currently supported by the vendor.
1 rule found Severity: Medium

The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
1 rule found Severity: High

The process by which the Solidcore client Command Line Interface (CLI) Access Password is made available to administrators when needed must be documented in the organization's written policy.
1 rule found Severity: Medium

1 rule found Severity: Medium

For TOSS systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

The TOSS SSH daemon must not allow compression or must only allow compression after successful authentication.
1 rule found Severity: Medium

The TOSS SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

1 rule found Severity: Medium

All TOSS local interactive user home directories must be group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

1 rule found Severity: Medium

The x86 Ctrl-Alt-Delete key sequence in TOSS must be disabled if a graphical user interface is installed.
1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

TOSS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

TOSS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Medium

A File Transfer Protocol (FTP) server package must not be installed unless mission essential on TOSS.
1 rule found Severity: High

If the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

TOSS must have the packages required to use the hardware random number generator entropy gatherer service.
1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

TOSS must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
1 rule found Severity: Medium

TOSS must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
1 rule found Severity: Medium

1 rule found Severity: Medium

TOSS must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

TOSS must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

The web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
1 rule found Severity: High

Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
1 rule found Severity: Medium

Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
1 rule found Severity: Medium

All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
1 rule found Severity: Medium

User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
1 rule found Severity: Medium

Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
1 rule found Severity: High

A controlled interface must be used for interconnections among DoD information systems and between DoD and non-DoD systems or networks.
1 rule found Severity: High

Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
1 rule found Severity: Medium

User accounts with delegated authority must be removed from Windows built-in administrative groups, or the delegated authority must be removed from those accounts.
1 rule found Severity: Low

Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
1 rule found Severity: Medium

Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
1 rule found Severity: Medium

1 rule found Severity: Medium

Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high.
1 rule found Severity: Low

Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high.
1 rule found Severity: Medium

The impact of CPCON changes on the cross-directory authentication configuration must be considered and procedures documented.
1 rule found Severity: Low

Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS).
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

Windows Server hosting Active Directory Certificate Services (AD CS) must enforce Certificate Authority (CA) certificate management approval for certificate requests.
1 rule found Severity: High

Windows Server running Active Directory Certificate Services (AD CS) must be managed by a PAW tier 0.
1 rule found Severity: High

11 rules found Severity: High

Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems
7 rules found Severity: Medium

1 rule found Severity: Medium

NixOS must enforce a delay of at least four seconds between login prompts following a failed login attempt.
1 rule found Severity: Medium

1 rule found Severity: High

NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1 rule found Severity: Medium

The account used to run the Apache web server must not have a valid login shell and password defined.
1 rule found Severity: High

The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
4 rules found Severity: Low

1 rule found Severity: Medium

All accounts installed with the Apache web server software and tools must have passwords assigned and default passwords changed.
1 rule found Severity: High

The Apache web server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
1 rule found Severity: Medium

AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic.
1 rule found Severity: Low

AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.
1 rule found Severity: Medium

AAA Services used to authenticate privileged users for device management must be configured to connect to the management network.
1 rule found Severity: Medium

AAA Services must be configured to use a unique shared secret for communication (i.e., RADIUS, TACACS+) with clients requesting authentication services.
1 rule found Severity: Medium

1 rule found Severity: Medium

AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access.
1 rule found Severity: Medium

AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

Apple iOS/iPadOS 18 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

Apple iOS/iPadOS 18 must implement the management setting: approved Apple Watches must be managed by an MDM.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Apple iOS/iPadOS 18 must disable ChatGPT and other external AI app connections in Apple Intelligence.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
2 rules found Severity: Medium

The ALG that is part of a CDS must allow privileged administrators to enable/disable all security policy filters used to enforce information flow control.
1 rule found Severity: Medium

The ALG that is part of a CDS must allow privileged administrators to configure and make changes to all security policy filters that are used to enforce information flow control.
1 rule found Severity: Medium

The ALG that is part of a CDS must enforce dynamic traffic flow control based on organization-defined policies.
1 rule found Severity: Medium

The ALG that is part of a CDS must enforce organization-defined one-way information flows using hardware mechanisms.
1 rule found Severity: Medium

The ALG that is part of a CDS must enforce information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.
1 rule found Severity: Medium

The ALG that is part of a CDS must enforce information flow control based on organization-defined metadata.
1 rule found Severity: Medium

The ALG that is part of a CDS must block the transfer of data with malformed security attribute metadata structures.
1 rule found Severity: Medium

The ALG that is part of a CDS must decompose information into organization-defined, policy-relevant subcomponents for submission to policy enforcement mechanisms before transferring information between different security domains.
1 rule found Severity: Medium

The ALG that is part of a CDS, when transferring information between different security domains, must implement organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.
1 rule found Severity: Medium

The ALG that is part of a CDS, when transferring information between different security domains, must examine the information for the presence of organization-defined unsanctioned information.
1 rule found Severity: Medium

1 rule found Severity: Medium

The application server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The ALG that is part of a CDS must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.
1 rule found Severity: Medium

The ALG that is part of a CDS must use source and destination security attributes associated with organization-defined information, source, and/or destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.
1 rule found Severity: Medium

The ALG that is part of a CDS, when transferring information between different security domains, must use organization-defined data type identifiers to validate data essential for information flow decisions.
1 rule found Severity: Medium

The ALG that is part of a CDS must uniquely identify and authenticate source by organization, system, application, and/or individual for information transfer.
1 rule found Severity: Medium

The ALG that is part of a CDS must uniquely identify and authenticate destination by organization, system, application, and/or individual for information transfer.
1 rule found Severity: Medium

The ALG that is part of a CDS, when transferring information between different security domains, must apply the same security policy filtering to metadata as it applies to data payloads.
1 rule found Severity: Medium

The ALG that is part of a CDS must enforce the use of human reviews for organization-defined information flows under organization-defined conditions.
1 rule found Severity: Medium

The ALG must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices.
1 rule found Severity: Medium

The ALG that provides intermediary services for SMTP must inspect inbound and outbound SMTP and Extended SMTP communications traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

The ALG that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

The ALG that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

The application must have a process, feature or function that prevents removal or disabling of emergency accounts.
1 rule found Severity: Low

The application must allow the use of a temporary password for system logons with an immediate change to a permanent password.
1 rule found Severity: Medium

1 rule found Severity: Low

Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
1 rule found Severity: High

1 rule found Severity: Medium

Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
1 rule found Severity: High

Ubuntu 22.04 LTS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Low

Ubuntu 22.04 LTS default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files.
1 rule found Severity: Medium

1 rule found Severity: Medium

Ubuntu 22.04 LTS must be configured so that pwquality is used when passwords are changed or new passwords are established.
1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: High

Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Central Log Server must be configured to retain the identity of the original source host or device where the event occurred as part of the log record.
1 rule found Severity: Medium

The Central Log Server that aggregates log records from hosts and devices must be configured to use TCP for transmission.
1 rule found Severity: Medium

The Central Log Server must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
1 rule found Severity: Medium

The Central Log Server must be configured to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds).
1 rule found Severity: Medium

For devices and hosts within the scope of coverage, the Central Log Server must be configured to automatically aggregate events that indicate account actions.
1 rule found Severity: Medium

The Central Log Server must be configured with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts.
1 rule found Severity: Medium

Analysis, viewing, and indexing functions, services, and applications used as part of the Central Log Server must be configured to comply with DoD-trusted path and access requirements.
1 rule found Severity: Medium

The Central Log Server must be configured so that changes made to the level and type of log records stored in the centralized repository take effect immediately without the need to reboot or restart the application.
1 rule found Severity: Low

The Cisco switch must implement Rapid Spanning Tree Protocol (STP) where VLANs span multiple switches with redundant links.
1 rule found Severity: Medium

The Cisco MPLS router must be configured to synchronize Interior Gateway Protocol (IGP) and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
1 rule found Severity: Low

The Cisco switch must be configured to implement message authentication for all control plane protocols.
1 rule found Severity: Medium

The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
1 rule found Severity: Medium

AlmaLinux OS 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
1 rule found Severity: Medium

AlmaLinux OS 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
1 rule found Severity: Medium

AlmaLinux OS 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

All AlmaLinux OS 9 local interactive user home directories defined in the /etc/passwd file must exist.
1 rule found Severity: Medium

All AlmaLinux OS 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

AlmaLinux OS 9 must prevent code from being executed on file systems that contain user home directories.
1 rule found Severity: Medium

1 rule found Severity: Medium

All AlmaLinux OS 9 local interactive users must have a home directory assigned in the /etc/passwd file.
1 rule found Severity: Medium

Executable search paths within the initialization files of all local interactive AlmaLinux OS 9 users must only contain paths that resolve to the system default or the user's home directory.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

AlmaLinux OS 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
1 rule found Severity: Medium

AlmaLinux OS 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
1 rule found Severity: Medium

AlmaLinux OS 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
1 rule found Severity: Medium

AlmaLinux OS 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The Cisco multicast Designated switch (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
1 rule found Severity: Medium

The Mission owner must obtain Authorizing Official (AO) authorization for each cloud service offering (CSO) implemented in support of production or development environments prior to operational use.
1 rule found Severity: Medium

The Mission Owner must select and configure an Impact Level 2 FedRAMP authorized cloud service offering (CSO) when hosting unclassified, publicly releasable DOD information.
1 rule found Severity: Medium

The Mission Owner must select and configure an Impact Level 4/5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Controlled Unclassified Information (CUI).
1 rule found Severity: High

The Mission Owner must select and configure an Impact Level 5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Unclassified National Security Information (U-NSI).
1 rule found Severity: High

The Mission Owners must select and configure a cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog at Level 6 when hosting classified DOD information.
1 rule found Severity: High

The Mission Owner must add all applicable compensating controls and requirements in the Service Level Agreement (SLA)/contract with the cloud service provider (CSP) or third-party provider.
1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
1 rule found Severity: Medium

AlmaLinux OS 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response error logs.
1 rule found Severity: Medium

AlmaLinux OS 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
1 rule found Severity: Medium

AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.
1 rule found Severity: Medium

AlmaLinux OS 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 must prevent code from being executed on file systems that are used with removable media.
1 rule found Severity: Medium

AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
1 rule found Severity: Medium

AlmaLinux OS 9 must prevent special devices on file systems that are imported via Network File System (NFS).
1 rule found Severity: Medium

AlmaLinux OS 9 must prevent code execution on file systems that are imported via Network File System (NFS).
1 rule found Severity: Medium

AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 must be configured so that the cryptographic hashes of system files match vendor values.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

AlmaLinux OS 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
1 rule found Severity: Medium

AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
1 rule found Severity: Medium

The container platform must provide the configuration for organization-identified individuals or roles to change the auditing to be performed on all components, based on all selectable event criteria within organization-defined time thresholds.
1 rule found Severity: Medium

Container platform components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

1 rule found Severity: Medium

The container platform must continuously scan components, containers, and images for vulnerabilities.
1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Low

The Dell OS10 Switch must implement Rapid Spanning Tree Protocol (STP) where VLANs span multiple switches with redundant links.
1 rule found Severity: Medium

The Dell OS10 Switch must enable Far-End Failure Detection (FEFD) to protect against one-way connections.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The Dell OS10 Switch must have all user-facing or untrusted ports configured as access switch ports.
1 rule found Severity: Medium

1 rule found Severity: Low

The Dell OS10 Switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
1 rule found Severity: Medium

The DBMS must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
1 rule found Severity: Medium

1 rule found Severity: Medium

The firewall must be configured to inspect all inbound and outbound traffic at the application layer.
1 rule found Severity: Medium

The firewall must be configured to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers.
1 rule found Severity: Medium

The Dell OS10 Switch must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
1 rule found Severity: High

1 rule found Severity: Medium

The Dell OS10 Switch must enforce access restrictions associated with changes to the system components.
1 rule found Severity: Medium

The Dell OS10 Switch must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The Dell OS10 Switch must be running an operating system release that is currently supported by Dell.
1 rule found Severity: High

The Dell OS10 BGP router must be configured to use its loopback address as the source address for iBGP peering sessions.
1 rule found Severity: Low

The Dell OS10 Router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
1 rule found Severity: Low

1 rule found Severity: Medium

The Dell OS10 Router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
1 rule found Severity: Medium

Forescout must perform continuous detection and tracking of endpoint devices attached to the network. This is required for compliance with C2C Step 1.
1 rule found Severity: Medium

Google Android 13 must be configured to not allow passwords that include more than four repeating or sequential characters.
2 rules found Severity: Medium

Google Android 13 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
2 rules found Severity: Medium

Google Android 13 allowlist must be configured to not include applications with the following characteristics: 1. Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); 2. Transmit MD diagnostic data to non-DOD servers; 3. Voice assistant application if available when MD is locked; 4. Voice dialing application if available when MD is locked; 5. Allows synchronization of data or applications between devices associated with user; and 6. Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
2 rules found Severity: Medium

Google Android 13 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), Hands-Free Profile (HFP), and Serial Port Profile (SPP).
2 rules found Severity: Low

The firewall must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1 rule found Severity: Medium

Forescout must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

Forescout must enforce access restrictions associated with changes to the firmware, OS, USB port, and console port.
1 rule found Severity: Medium

Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
1 rule found Severity: Medium

1 rule found Severity: Medium

If the network device uses role-based access control, Forescout must enforce organization-defined, role-based access control policies over defined subjects and objects.
1 rule found Severity: Medium

1 rule found Severity: Medium

Forescout must be configured to conduct backups of system-level information contained in the information system when changes occur.
1 rule found Severity: Medium

Forescout must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

Forescout must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

The Google Android 13 work profile must be configured to enforce the system application disable list.
2 rules found Severity: Medium

Google Android 13 must be provisioned as a fully managed device and configured to create a work profile.
1 rule found Severity: Medium

The Google Android 13 work profile must be configured to disable automatic completion of work space internet browser text input.
1 rule found Severity: Medium

2 rules found Severity: Medium

4 rules found Severity: Low

4 rules found Severity: Low

The Google Android 13 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.
2 rules found Severity: Medium

Google Android 14 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
2 rules found Severity: Medium

Google Android 14 allowlist must be configured to not include applications with the following characteristics: - Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers.
2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

The Google Android 14 work profile must be configured to enforce the system application disable list.
2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: High

2 rules found Severity: Low

2 rules found Severity: Low

The Google Android 14 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.
2 rules found Severity: Medium

Google Android 15 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
2 rules found Severity: Medium

Google Android 15 must be configured to enforce a password for Wi-Fi and Bluetooth hotspot, if approved for use by the approving authority (AO). If not approved for use, Wi-Fi and Bluetooth hotspot must be disabled.
1 rule found Severity: Medium

2 rules found Severity: Medium

The Google Android 15 work profile must be configured to enforce the system application disable list.
2 rules found Severity: Medium

The Google Android 15 work profile must be configured to disable automatic completion of workspace internet browser text input.
2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: High

2 rules found Severity: Low

1 rule found Severity: Low

Google Android 15 must be configured to enforce a password for Wi-Fi and Bluetooth hotspot, if approved for use by the authorizing official (AO). If not approved for use, Wi-Fi and Bluetooth hotspot must be disabled.
1 rule found Severity: Medium

The Google Android 15 work profile must be configured to prevent users from adding personal email accounts to the work email app.
1 rule found Severity: Medium

Google Android 15 must be provisioned as a fully managed device and configured to create a work profile.
1 rule found Severity: Medium

Google Android 14 must be provisioned as a fully managed device and configured to create a work profile.
1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

AOS must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1 rule found Severity: Medium

1 rule found Severity: Medium

AOS must be configured to conduct backups of system-level information contained in the information system when changes occur.
1 rule found Severity: Medium

AOS must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

AOS must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

If the HYCU virtual appliance uses role-based access control, it must enforce organization-defined role-based access control policies over defined subjects and objects.
1 rule found Severity: Medium

The HYCU virtual appliance must generate log records for a locally developed list of auditable events.
1 rule found Severity: Medium

The HYCU virtual appliance must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1 rule found Severity: Medium

The HYCU virtual appliance must off-load audit records onto a different system or media than the system being audited.
1 rule found Severity: Medium

The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.
1 rule found Severity: Medium

1 rule found Severity: Medium

The operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Medium

The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1 rule found Severity: Medium

1 rule found Severity: High

The operating system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

The HYCU virtual appliance must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

AOS, when used as an IPsec VPN Gateway, must use Internet Key Exchange (IKE) for IPsec VPN security associations (SAs).
1 rule found Severity: High

1 rule found Severity: Medium

AOS wireless local area network (WLAN) service set identifiers (SSIDs) must be changed from the manufacturer's default to a pseudorandom word that does not identify the unit, base, organization, etc.
1 rule found Severity: Low

1 rule found Severity: Medium

The IDPS must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

IBM z/OS procedures must restrict ACF2 LOGONIDs with the READALL attribute to auditors and/or authorized users.
1 rule found Severity: Medium

IBM z/OS must have the RULEVLD and RSRCVLD attributes specified for LOGONIDs with the SECURITY attribute.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

IBM z/OS batch jobs with restricted ACF2 LOGONIDs must have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

ACF2 LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record must be listed as trusted and must be specifically approved.
1 rule found Severity: Medium

1 rule found Severity: Medium

ACF2 LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of their users must have the JOBFROM attribute as required.
1 rule found Severity: Medium

1 rule found Severity: Medium

ACF2 BACKUP GSO record must be defined with a TIME value specified greater than 00 unless the database is shared and backed up on another system.
1 rule found Severity: Medium

ACF2 APPLDEF GSO record, if used, must have supporting documentation indicating the reason it was used.
1 rule found Severity: Low

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
1 rule found Severity: Medium

IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements.
3 rules found Severity: Medium

3 rules found Severity: Medium

IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with security requirements.
1 rule found Severity: Medium

The IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
1 rule found Severity: Medium

2 rules found Severity: Medium

IBM z/OS default profiles must be defined in the corresponding FACILITY Class Profile for classified systems.
1 rule found Severity: Medium

1 rule found Severity: Medium

The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
2 rules found Severity: Medium

The Juniper router must be configured to generate log records for a locally developed list of auditable events.
1 rule found Severity: Medium

The Juniper router must be configured to support organizational requirements to conduct backups of the configuration when changes occur.
1 rule found Severity: Medium

The Juniper router must be configured with a master password that is used to generate encrypted keys for shared secrets.
1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The IBM z/OS Policy Agent must be configured with a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
1 rule found Severity: Medium

IBM z/OS must configure system wait times to protect resource availability based on site priorities.
1 rule found Severity: Medium

1 rule found Severity: Medium

IBM z/OS Default profiles must not be defined in TSS OMVS UNIX security parameters for classified systems.
1 rule found Severity: Medium

1 rule found Severity: Medium

If the loopback interface is used, the Juniper SRX Services Gateway must protect the loopback interface with firewall filters for known attacks that may exploit this interface.
1 rule found Severity: Medium

1 rule found Severity: Low

The Juniper SRX Services Gateway must be configured to synchronize internal information system clocks with the primary and secondary NTP servers for the network.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Juniper Networks SRX Series Gateway IDPS must either forward the traffic from inbound connections to be more deeply inspected for malicious code and Layer 7 threats, or the Antivirus and Unified Threat Management (UTM) license must be installed, active, and policies and rules configured.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must be configured to use Junos 12.1 X46 or later to meet the minimum required version for DoD.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
1 rule found Severity: Medium

For local accounts, the Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when local accounts are created.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must generate an immediate alert message to the management console for account enabling actions.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must allow only the information system security manager (ISSM) (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs.
1 rule found Severity: Low

For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs.
1 rule found Severity: Low

In the event that communications with the events server are lost, the Juniper SRX Services Gateway must continue to queue log records locally.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must be configured to use an authentication server to centrally apply authentication and logon settings for remote and nonlocal access for device management.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
1 rule found Severity: High

1 rule found Severity: Low

The Juniper SRX Services Gateway must detect the addition of components and issue a priority 1 alert to the ISSM and SA, at a minimum.
1 rule found Severity: Low

The Juniper SRX Services Gateway must generate an alarm or send an alert message to the management console when a component failure is detected.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must reveal log messages or management console alerts only to the ISSO, ISSM, and SA roles.
1 rule found Severity: Medium

The Mainframe Product must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
1 rule found Severity: High

If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection.
1 rule found Severity: Medium

The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.
1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

.Net applications that invoke NetFx40_LegacySecurityPolicy must apply previous versions of .NET STIG guidance.
1 rule found Severity: Low

Exchange must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.
1 rule found Severity: Medium

1 rule found Severity: Medium

SharePoint must identify data type, specification, and usage when transferring information between different security domains so policy restrictions may be applied.
1 rule found Severity: Medium

SharePoint must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds.
1 rule found Severity: Medium

The application must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The SharePoint farm service account (database access account) must be configured with minimum privileges in Active Directory (AD).
1 rule found Severity: Medium

The SharePoint farm service account (database access account) must be configured with minimum privileges on the SQL server.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

A secondary SharePoint site collection administrator must be defined when creating a new site collection.
1 rule found Severity: Low

SharePoint-specific malware (i.e. anti-virus) protection software must be integrated and configured.
1 rule found Severity: Medium

1 rule found Severity: Medium

The SharePoint farm service account (database access account) must be configured with the minimum privileges for the local server.
1 rule found Severity: Medium

1 rule found Severity: Medium

Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
1 rule found Severity: Medium

Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
1 rule found Severity: Medium

Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: Continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
1 rule found Severity: Medium

1 rule found Severity: Medium

Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden.
1 rule found Severity: Low

1 rule found Severity: Medium

Windows 10 must be configured to enable "Remote host allows delegation of non-exportable credentials".
1 rule found Severity: Medium

Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
1 rule found Severity: Medium

1 rule found Severity: Medium

If Enhanced diagnostic data is enabled, it must be limited to the minimum required to support Windows Analytics.
1 rule found Severity: Medium

Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
1 rule found Severity: Medium

Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Windows 10 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance.
1 rule found Severity: Medium

Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
1 rule found Severity: Medium

Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
1 rule found Severity: High

Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
1 rule found Severity: Medium

Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
1 rule found Severity: Medium

Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
1 rule found Severity: Medium

Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
1 rule found Severity: High

Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
1 rule found Severity: High

Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
1 rule found Severity: Medium

Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
1 rule found Severity: Medium

Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
1 rule found Severity: Low

Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
1 rule found Severity: Low

Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
1 rule found Severity: Low

Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
1 rule found Severity: Low

1 rule found Severity: Medium

Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
1 rule found Severity: Medium

Windows Server 2019 must be configured to enable "Remote host allows delegation of non-exportable credentials".
1 rule found Severity: Medium

Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
1 rule found Severity: Medium

Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
1 rule found Severity: Medium

Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
1 rule found Severity: High

Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
1 rule found Severity: Medium

Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
1 rule found Severity: Medium

1 rule found Severity: High

Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
1 rule found Severity: High

Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
1 rule found Severity: Medium

Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
1 rule found Severity: Medium

Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
1 rule found Severity: High

Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
1 rule found Severity: Medium

Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
1 rule found Severity: High

1 rule found Severity: Medium

Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
1 rule found Severity: Medium

Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.
1 rule found Severity: Medium

1 rule found Severity: Medium

Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
1 rule found Severity: Medium

Sensitive information from production database exports must be modified before import to a development database.
1 rule found Severity: Medium

The DBMS data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files.
1 rule found Severity: Medium

Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
1 rule found Severity: Low

Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
1 rule found Severity: Low

Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
1 rule found Severity: Low

1 rule found Severity: Medium

Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
1 rule found Severity: Medium

Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials.
1 rule found Severity: Medium

Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
1 rule found Severity: Medium

Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery).
1 rule found Severity: Medium

Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in).
1 rule found Severity: Medium

Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data".
1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart.
1 rule found Severity: Medium

Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access.
1 rule found Severity: High

Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords.
1 rule found Severity: Medium

Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers.
1 rule found Severity: Medium

1 rule found Severity: High

Windows Server 2022 must prevent local accounts with blank passwords from being used from the network.
1 rule found Severity: High

Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less.
1 rule found Severity: Medium

Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
1 rule found Severity: High

When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
1 rule found Severity: High

The DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
1 rule found Severity: Medium

The DBMS must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
1 rule found Severity: Medium

Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
1 rule found Severity: High

Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
1 rule found Severity: Medium

Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
1 rule found Severity: High

1 rule found Severity: Medium

Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
1 rule found Severity: Medium

Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

OL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
1 rule found Severity: Medium

OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
1 rule found Severity: Medium

OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
1 rule found Severity: Medium

1 rule found Severity: Medium

OL 8 file systems must not interpret character or block special devices from untrusted file systems.
1 rule found Severity: Medium

OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
1 rule found Severity: Medium

1 rule found Severity: Medium

For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
1 rule found Severity: Medium

Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

All OL 8 local interactive user home directories must be group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

OL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

A separate OL 8 filesystem must be used for user home directories (such as "/home" or an equivalent).
1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

The configuration integrity of the container platform must be ensured and vulnerabilities policies must be configured.
1 rule found Severity: High

The Palo Alto Networks security platform must inspect inbound and outbound SMTP and Extended SMTP communications traffic (if authorized) for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

The Palo Alto Networks security platform must inspect inbound and outbound FTP and FTPS communications traffic (if authorized) for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

The Palo Alto Networks security platform must inspect inbound and outbound HTTP traffic (if authorized) for protocol compliance and protocol anomalies.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

OL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Medium

OL 8 default permissions must be defined in such a way that all authenticated users can read and modify only their own files.
1 rule found Severity: Medium

1 rule found Severity: Medium

Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

OL 8 must not have the asynchronous transfer mode (ATM) kernel module installed if not required for operational support.
1 rule found Severity: Medium

OL 8 must not have the Controller Area Network (CAN) kernel module installed if not required for operational support.
1 rule found Severity: Medium

OL 8 must not have the stream control transmission protocol (SCTP) kernel module installed if not required for operational support.
1 rule found Severity: Medium

The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed.
1 rule found Severity: High

The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for OL 8 operational support.
1 rule found Severity: High

1 rule found Severity: High

OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Palo Alto Networks security platform must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
1 rule found Severity: Medium

Administrators in the role of Security Administrator, Cryptographic Administrator, or Audit Administrator must not also have the role of Audit Administrator.
1 rule found Severity: Medium

The Palo Alto Networks security platform must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
1 rule found Severity: Medium

The Palo Alto Networks security platform must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
1 rule found Severity: Low

The Palo Alto Networks security platform must compare internal information system clocks at least every 24 hours with an authoritative time server.
1 rule found Severity: Low

The Palo Alto Networks security platform must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
1 rule found Severity: Low

The Palo Alto Networks security platform must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1 rule found Severity: Medium

The Palo Alto Networks security platform must accept and verify Personal Identity Verification (PIV) credentials.
1 rule found Severity: Medium

The Palo Alto Networks security platform must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Palo Alto Networks security platform must use DoD-approved PKI rather than proprietary or self-signed device certificates.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

The Palo Alto Networks security platform must generate an audit log record when the Data Plane CPU utilization is 100%.
1 rule found Severity: Medium

1 rule found Severity: Medium

OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Medium

OL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

1 rule found Severity: Medium

If the Trivial File Transfer Protocol (TFTP) server is required, the OL 8 TFTP daemon must be configured to operate in secure mode.
1 rule found Severity: Medium

A File Transfer Protocol (FTP) server package must not be installed unless mission essential on OL 8.
1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

OL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
1 rule found Severity: Medium

OL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
1 rule found Severity: Medium

OL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
1 rule found Severity: Medium

RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
1 rule found Severity: Medium

RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
1 rule found Severity: Medium

RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
1 rule found Severity: Medium

RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
1 rule found Severity: Medium

1 rule found Severity: Medium

For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
1 rule found Severity: Medium

Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the user's home directory.
1 rule found Severity: Medium

1 rule found Severity: Medium

All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).
1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
1 rule found Severity: Medium

RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
1 rule found Severity: Medium

RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Medium

RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
1 rule found Severity: Medium

RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
1 rule found Severity: Medium

RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response error logs.
1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
1 rule found Severity: Medium

1 rule found Severity: Medium

The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
1 rule found Severity: High

1 rule found Severity: High

The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
1 rule found Severity: High

1 rule found Severity: High

RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Medium

RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

1 rule found Severity: Medium

If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
1 rule found Severity: Medium

A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
1 rule found Severity: Low

The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
1 rule found Severity: Medium

RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
1 rule found Severity: Medium

RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
1 rule found Severity: Medium

RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
1 rule found Severity: Medium

RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
1 rule found Severity: Medium

RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the user's home directory.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Medium

RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Low

RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
1 rule found Severity: Medium

The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt.
1 rule found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
3 rules found Severity: Medium

The SUSE operating system must not allow unattended or automatic logon via the graphical user interface.
1 rule found Severity: High

The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
2 rules found Severity: Low

2 rules found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: High

The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
2 rules found Severity: High

The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
2 rules found Severity: Medium

The SUSE operating system root account must be the only account having unrestricted access to the system.
1 rule found Severity: High

All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
2 rules found Severity: Medium

All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
2 rules found Severity: Medium

All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
2 rules found Severity: Medium

All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
2 rules found Severity: Medium

All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

2 rules found Severity: Medium

All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the user's home directory.
2 rules found Severity: Medium

2 rules found Severity: Medium

SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
2 rules found Severity: Medium

SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
2 rules found Severity: Medium

SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
2 rules found Severity: Medium

SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
2 rules found Severity: Medium

All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
2 rules found Severity: Medium

2 rules found Severity: Medium

A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
2 rules found Severity: Low

2 rules found Severity: Low

The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
2 rules found Severity: Medium

RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.
1 rule found Severity: Medium

SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
1 rule found Severity: Medium

1 rule found Severity: Medium

The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
1 rule found Severity: Medium

The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
2 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
2 rules found Severity: Medium

The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
1 rule found Severity: Medium

The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
2 rules found Severity: Medium

The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
2 rules found Severity: Medium

The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
2 rules found Severity: Medium

The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
2 rules found Severity: Medium

The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
1 rule found Severity: Medium

The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
2 rules found Severity: Medium

The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
2 rules found Severity: Medium

The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
2 rules found Severity: Medium

The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
2 rules found Severity: Medium

The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
2 rules found Severity: Medium

The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
2 rules found Severity: Medium

The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
2 rules found Severity: Medium

The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
1 rule found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
2 rules found Severity: Medium

The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
2 rules found Severity: Medium

The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
2 rules found Severity: Medium

The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
2 rules found Severity: Medium

The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
2 rules found Severity: Medium

The SUSE operating system root account must be the only account with unrestricted access to the system.
1 rule found Severity: High

The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
1 rule found Severity: Medium

The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.
2 rules found Severity: Medium

TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.
2 rules found Severity: Medium

The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
2 rules found Severity: Medium

The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
2 rules found Severity: Medium

The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.
2 rules found Severity: Medium

All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
1 rule found Severity: Medium

The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
2 rules found Severity: Medium

The operator must document all file system objects that have non-standard access control list settings.
2 rules found Severity: Medium

A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.
2 rules found Severity: Medium

The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
2 rules found Severity: Medium

The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
2 rules found Severity: Medium

The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.
2 rules found Severity: Medium

The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.
2 rules found Severity: Medium

The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
2 rules found Severity: Medium

All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.
2 rules found Severity: Low

The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.
2 rules found Severity: Low

The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
2 rules found Severity: Medium

The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI).
1 rule found Severity: High

Samsung Android's Work environment must be configured to prevent users from adding personal email accounts to the work email app.
2 rules found Severity: Medium

Samsung Android must be configured to not allow installation of applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
2 rules found Severity: Medium

Samsung Android must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.
2 rules found Severity: Medium

The Samsung Android device must be provisioned as a fully managed device and configured to create a work profile.
2 rules found Severity: Medium

System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others. (Intel)
1 rule found Severity: Low

The system must require authentication before allowing modification of the boot devices or menus. Secure the GRUB Menu (Intel).
1 rule found Severity: Low

The UEM Agent must perform the following functions: -enroll in management -configure whether users can unenroll from management -configure periodicity of reachability events.
1 rule found Severity: Medium

The UEM Agent must be configured to perform one of the following actions upon an attempt to unenroll the mobile device from management: -prevent the unenrollment from occurring -wipe the device to factory default settings -wipe the work profile with all associated applications and data.
1 rule found Severity: Medium

Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
2 rules found Severity: Medium

The Samsung Android device work profile must be configured to disable automatic completion of work space internet browser text input.
1 rule found Severity: Medium

The UEM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The UEM server must be configured to allow authorized administrators to read all audit data from audit records on the server.
1 rule found Severity: Medium

The NSX Manager must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1 rule found Severity: Medium

The VMM must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.
1 rule found Severity: Medium

The NSX Tier-0 Gateway Firewall must be configured to send traffic log entries to a central log server.
1 rule found Severity: Medium

The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files.
1 rule found Severity: Medium

The ESXi host Secure Shell (SSH) daemon must not allow compression or must only allow compression after successful authentication.
1 rule found Severity: Medium

The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.
1 rule found Severity: Medium

The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
3 rules found Severity: Medium

All port groups on standard switches must be configured to reject guest Media Access Control (MAC) address changes.
1 rule found Severity: High

All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN).
1 rule found Severity: Medium

All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required.
1 rule found Severity: Medium

All port groups on standard switches must not be configured to virtual local area network (VLAN) values reserved by upstream physical switches.
1 rule found Severity: Medium

The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.
1 rule found Severity: Medium

The VMM must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1 rule found Severity: Medium

The NSX Tier-0 Gateway router must be configured to implement message authentication for all control plane protocols.
1 rule found Severity: High

The NSX Tier-0 Gateway router must be configured to use its loopback address as the source address for Internal Border Gateway Protocol (IBGP) peering sessions.
1 rule found Severity: Low

The NSX Tier-0 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
1 rule found Severity: Low

The NSX Tier-0 Gateway router must be configured to use encryption for border gateway protocol (BGP) routing protocol authentication.
1 rule found Severity: High

The NSX Tier-1 Gateway firewall must be configured to send traffic log entries to a central audit server.
1 rule found Severity: Medium

The NSX Tier-1 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
1 rule found Severity: Low

The NSX Distributed Firewall must configure SpoofGuard to restrict it from accepting outbound packets that contain an illegitimate address in the source address.
1 rule found Severity: Medium

The NSX Distributed Firewall must configure an IP Discovery profile to disable trust on every use method.
1 rule found Severity: High

The ESXi host must configure virtual switch security policies to reject Media Access Control (MAC) address changes.
2 rules found Severity: High

The ESXi host when using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
2 rules found Severity: Medium

The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
3 rules found Severity: Medium

The Photon operating system must create a home directory for all new local interactive user accounts.
3 rules found Severity: Medium

The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
1 rule found Severity: Medium

The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.
1 rule found Severity: Medium

The Photon operating system must configure sshd to disallow compression of the encrypted session stream.
1 rule found Severity: Medium

The Photon operating system must configure sshd to display the last login immediately after authentication.
1 rule found Severity: Medium

The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.
1 rule found Severity: Medium

The Photon operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
1 rule found Severity: Medium

The Photon operating system must be configured so the "/etc/skel" default scripts are protected from unauthorized modification.
1 rule found Severity: Medium

The Photon operating system must be configured so the "/root" path is protected from unauthorized access.
1 rule found Severity: Medium

The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.
1 rule found Severity: Medium

The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.
1 rule found Severity: Medium

The Photon operating system must be configured so that all files have a valid owner and group owner.
1 rule found Severity: Medium

The Photon operating system must be configured so the "/etc/cron.allow" file is protected from unauthorized modification.
1 rule found Severity: Medium

The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.
1 rule found Severity: Medium

The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.
1 rule found Severity: Medium

The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
3 rules found Severity: Medium

The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
3 rules found Severity: Medium

The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject".
3 rules found Severity: Medium

The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
3 rules found Severity: Medium

The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
3 rules found Severity: Medium

The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.
3 rules found Severity: Medium

The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.
2 rules found Severity: Low

The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.
3 rules found Severity: Medium

The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.
3 rules found Severity: Medium

The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.
3 rules found Severity: Medium

The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
3 rules found Severity: Medium

The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source.
3 rules found Severity: Medium

The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group.
3 rules found Severity: Medium

The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
3 rules found Severity: Medium
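The Photon ICMP rules here and the SUSE rules earlier on this page on IPv4/IPv6 source-routed packets, ICMP redirects and secure redirects, broadcast echo replies, packet forwarding and promiscuous interfaces all resolve to kernel network settings. The script below is an added example, not code from the STIGs or from SUSE or VMware; it audits saved sysctl output against the baseline those rule titles describe. The sysctl key names, and the use of the PROMISC flag in "ip -o link" output, are assumptions about what the rules check rather than text quoted from them, and the sample input is constructed.

```shell
# Added example, not code from the STIGs or from SUSE/VMware: audit the kernel
# settings behind the SUSE and Photon rules on source-routed packets, ICMP
# redirects, broadcast echo replies, packet forwarding and promiscuous mode.
# The sysctl key names below are an assumption about what those rules check.

# Baseline as "key expected" pairs (0 = off, 1 = on).
NET_BASELINE='
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv6.conf.all.accept_source_route 0
net.ipv6.conf.default.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.ip_forward 0
net.ipv6.conf.all.forwarding 0
net.ipv6.conf.default.forwarding 0
'

# lookup_sysctl FILE KEY: effective value of KEY in a "key = value" file
# (saved "sysctl -a" output or a sysctl.d fragment). The last assignment
# wins, as when sysctl loads the file; "net/ipv4/..." keys are normalised.
lookup_sysctl() {
    awk -v k="$2" '
        /^[[:space:]]*[#;]/ { next }
        {
            line = $0; sub(/[#;].*/, "", line)
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            gsub(/\//, ".", key)
            if (key == k) found = val
        }
        END { if (found != "") print found }' "$1"
}

# audit_net_sysctl FILE: one PASS/FAIL line per baseline key; returns the
# number of failures (0 = compliant). A key missing from FILE fails rather
# than being credited with the kernel default.
audit_net_sysctl() {
    _fails=0
    while read -r _key _want; do
        [ -n "$_key" ] || continue
        _have=$(lookup_sysctl "$1" "$_key")
        if [ "$_have" = "$_want" ]; then
            printf 'PASS %s = %s\n' "$_key" "$_have"
        else
            printf 'FAIL %s expected %s, found %s\n' "$_key" "$_want" "${_have:-unset}"
            _fails=$((_fails + 1))
        fi
    done <<EOF
$NET_BASELINE
EOF
    return "$_fails"
}

# promisc_interfaces FILE: interfaces flagged PROMISC in saved
# "ip -o link show" output; exit status 1 if any are listed.
promisc_interfaces() {
    awk -F': ' '$3 ~ /^<([^>]*,)?PROMISC[,>]/ { print $2; n++ } END { exit (n > 0) }' "$1"
}

# write_sample_sysctl FILE: constructed "sysctl -a" excerpt (not captured from
# a real host) with three deviations: ip_forward on, IPv4 send_redirects
# switched back on by a later line, and IPv6 default forwarding absent.
write_sample_sysctl() {
    cat > "$1" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.send_redirects = 1
EOF
}

# Live use: sysctl -a > /tmp/sysctl.txt; audit_net_sysctl /tmp/sysctl.txt
_f=$(mktemp); write_sample_sysctl "$_f"
audit_net_sysctl "$_f" || echo "non-compliant keys: $?"
rm -f "$_f"
```

Run it against "sysctl -a" output from the host; a sysctl.d fragment works too, but only shows what that one file sets. An absent key is reported as a failure on purpose: the rules want the value set explicitly, and the kernel defaults for accept_redirects and secure_redirects are permissive, so crediting a silent default would hide the gap. Per-interface entries (net.ipv4.conf.eth0.*) are not in the baseline because the rules target "all" and "default", which cover existing and newly created interfaces respectively. For the promiscuous-mode rule, save "ip -o link show" to a file and pass it to promisc_interfaces.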

The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.
3 rules found Severity: Medium

The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.
1 rule found Severity: Medium

The Photon operating system must protect all boot configuration files from unauthorized modification.
1 rule found Severity: Medium

The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt in login.defs.
2 rules found Severity: Medium

The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.
1 rule found Severity: Medium

The vCenter Server must use a limited privilege account when adding a Lightweight Directory Access Protocol (LDAP) identity source.
1 rule found Severity: Medium

Informational messages from the virtual machine to the VMX file must be limited on the virtual machine (VM).
1 rule found Severity: Low

Unauthorized removal, connection, and modification of devices must be prevented on the virtual machine (VM).
1 rule found Severity: Medium

Access to virtual machines (VMs) through the "dvfilter" network Application Programming Interface (API) must be controlled.
1 rule found Severity: Low

The virtual machine (VM) guest operating system must be locked when the last console connection is closed.
1 rule found Severity: Medium

The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
1 rule found Severity: High

The Photon operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
2 rules found Severity: Medium

The Photon operating system must configure Secure Shell (SSH) to disallow authentication with an empty password.
2 rules found Severity: High

The Photon operating system must configure Secure Shell (SSH) to disable user environment processing.
2 rules found Severity: High

The Photon operating system must configure Secure Shell (SSH) to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
2 rules found Severity: Medium

The Photon operating system must configure Secure Shell (SSH) to perform strict mode checking of home directory configuration files.
2 rules found Severity: Medium

The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream.
2 rules found Severity: Medium

The Photon operating system must configure Secure Shell (SSH) to display the last login immediately after authentication.
2 rules found Severity: Medium

The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists.
2 rules found Severity: Medium

The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files.
2 rules found Severity: Medium

The Photon operating system must configure Secure Shell (SSH) to limit the number of allowed login attempts per connection.
2 rules found Severity: Medium
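The Photon Secure Shell rules above (GSSAPI authentication, strict modes, compression, last-login display, empty passwords, user environment processing, rhosts and known_hosts handling, login attempts per connection), their sshd counterparts earlier on this page, and the SUSE rule that keeps remote hosts off the proxy display are each a single sshd_config directive. The script below is an added example, not code from the STIGs or from VMware or SUSE; it reads the effective value of each directive the way sshd does and reports deviations. The OpenSSH keyword names are the documented ones, but the MaxAuthTries ceiling is an assumed site value rather than a number quoted from any STIG, and the sample configuration is constructed.

```shell
# Added example, not code from the STIGs or from VMware/SUSE: check the sshd
# directives behind the Photon "must configure sshd/Secure Shell to ..." rules
# and the SUSE proxy-display rule against an sshd_config or "sshd -T" output.
# Keywords are the OpenSSH names; the MaxAuthTries ceiling is an assumed site
# value, not a figure taken from a STIG.

SSH_MAX_AUTH_TRIES=${SSH_MAX_AUTH_TRIES:-6}   # assumed ceiling, set per policy

# "keyword expected" pairs; values are compared case-insensitively.
SSHD_BASELINE='
GSSAPIAuthentication no
StrictModes yes
Compression no
PrintLastLog yes
PermitEmptyPasswords no
PermitUserEnvironment no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
X11UseLocalhost yes
'

# sshd_effective FILE KEYWORD: the value sshd would use for KEYWORD. sshd
# honours the FIRST global occurrence, keywords are case-insensitive, and
# "Keyword value" and "Keyword=value" are both legal. Parsing stops at the
# first Match block (those directives are conditional); Include is not
# followed, so feed "sshd -T" output to see the fully resolved configuration.
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            line = $0; sub(/[[:space:]]*=[[:space:]]*/, " ", line)
            n = split(line, f); kw = tolower(f[1])
            if (kw == "match") exit
            if (kw == k && n > 1) { print f[2]; exit }
        }' "$1"
}

# audit_sshd FILE: PASS/FAIL per directive; returns the number of failures
# (0 = compliant). An unset directive fails instead of relying on the
# compiled-in default, which differs between OpenSSH releases.
audit_sshd() {
    _fails=0
    while read -r _kw _want; do
        [ -n "$_kw" ] || continue
        _have=$(sshd_effective "$1" "$_kw" | tr '[:upper:]' '[:lower:]')
        if [ "$_have" = "$_want" ]; then
            printf 'PASS %s %s\n' "$_kw" "$_have"
        else
            printf 'FAIL %s expected %s, found %s\n' "$_kw" "$_want" "${_have:-unset}"
            _fails=$((_fails + 1))
        fi
    done <<EOF
$SSHD_BASELINE
EOF
    # MaxAuthTries is a numeric limit rather than a yes/no switch.
    _tries=$(sshd_effective "$1" MaxAuthTries)
    if [ -n "$_tries" ] && [ "$_tries" -le "$SSH_MAX_AUTH_TRIES" ] 2>/dev/null; then
        printf 'PASS MaxAuthTries %s\n' "$_tries"
    else
        printf 'FAIL MaxAuthTries expected <= %s, found %s\n' "$SSH_MAX_AUTH_TRIES" "${_tries:-unset}"
        _fails=$((_fails + 1))
    fi
    return "$_fails"
}

# write_sample_sshd FILE: constructed sshd_config (not from a real host) with
# three deviations: GSSAPI on, Compression unset, IgnoreUserKnownHosts only
# inside a Match block. The second StrictModes line is ignored by sshd.
write_sample_sshd() {
    cat > "$1" <<'EOF'
# constructed sample
Port 22
GSSAPIAuthentication yes
StrictModes yes
StrictModes no
PrintLastLog yes
PermitEmptyPasswords=no
PermitUserEnvironment no
IgnoreRhosts yes
X11UseLocalhost yes
MaxAuthTries 4
Match User backup
    IgnoreUserKnownHosts yes
EOF
}

# Live use: sshd -T > /tmp/sshd-effective.txt; audit_sshd /tmp/sshd-effective.txt
_f=$(mktemp); write_sample_sshd "$_f"
audit_sshd "$_f" || echo "non-compliant directives: $?"
rm -f "$_f"
```

The parser applies the two sshd_config rules that matter for an audit: the first global occurrence of a keyword is the effective one, so a hardened line appended at the end of the file changes nothing if an earlier line already sets that keyword, and directives after a Match block are conditional, so a setting that only appears there does not harden the global policy. "sshd -T" prints the fully resolved configuration (Include files and compiled-in defaults included) in the same keyword-value form, so its output can be passed to audit_sshd unchanged.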

The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
2 rules found Severity: Medium

The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.
2 rules found Severity: Medium

The Photon operating system must generate audit records for all access and modifications to the opasswd file.
2 rules found Severity: Medium

Zebra Android 13 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
2 rules found Severity: Medium

The Zebra Android 13 work profile must be configured to prevent users from adding personal email accounts to the work email app.
2 rules found Severity: Medium

The Zebra Android 13 work profile must be configured to enforce the system application disable list.
1 rule found Severity: Medium

Zebra Android 13 must be provisioned as a fully managed device and configured to create a work profile.
1 rule found Severity: Medium

The Zebra Android 13 work profile must be configured to disable automatic completion of workspace internet browser text input.
1 rule found Severity: Medium

Virtual machines (VMs) must disable access through the "dvfilter" network Application Programming Interface (API).
2 rules found Severity: Low

The vCenter VAMI service must be configured to hide the server type and version in client responses.
2 rules found Severity: Medium

All hardware components of the FEPs are not placed in secure locations where they cannot be stolen, damaged, or disturbed.
3 rules found Severity: Medium

A documented procedure is not available instructing how to load and dump the FEP NCP (Network Control Program).
3 rules found Severity: Medium

An active log is not available to keep track of all hardware upgrades and software changes made to the FEP (Front End Processor).
3 rules found Severity: Medium

Apple iOS/iPadOS 15 must provide the capability for the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
1 rule found Severity: Low

The Arista Multilayer Switch must have a local infrequently used account to be used as an account of last resort with full access to the network device.
1 rule found Severity: High

The MobileIron Core v10 server must be able to limit user enrollment of devices that do not have required OS type and version.
1 rule found Severity: Medium

The Samsung SDS EMM must implement functionality to generate an audit record of the following auditable events: c. [selection: Commands issued to the MDM Agent].
1 rule found Severity: Low

NSX-T Manager must restrict the use of configuration, administration, and the execution of privileged commands to authorized personnel based on organization-defined roles.
1 rule found Severity: High

Apple iOS/iPadOS 16 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device.
1 rule found Severity: Medium

The Enterprise System Connection (ESCON) Director (ESCD) Application Console must be located in a secure location.
1 rule found Severity: High

When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.
1 rule found Severity: Medium

The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
1 rule found Severity: Medium

The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
1 rule found Severity: Medium

Apple iOS/iPadOS 17 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device.
1 rule found Severity: Low
