Capacity
CCI-000366
Implement the security configuration settings.
19
Rule
Severity: High
Verify File Hashes with RPM
29
Rule
Severity: Medium
Install the Host Intrusion Prevention System (HIPS) Module
10
Rule
Severity: Medium
Configure AIDE to Use FIPS 140-2 for Validating Hashes
13
Rule
Severity: Low
Configure AIDE to Verify Access Control Lists (ACLs)
13
Rule
Severity: Low
Configure AIDE to Verify Extended Attributes
27
Rule
Severity: Low
Ensure /home Located On Separate Partition
27
Rule
Severity: Low
Ensure /tmp Located On Separate Partition
27
Rule
Severity: Low
Ensure /var Located On Separate Partition
27
Rule
Severity: Low
Ensure /var/log Located On Separate Partition
27
Rule
Severity: Low
Ensure /var/log/audit Located On Separate Partition
15
Rule
Severity: High
The Installed Operating System Is Vendor Supported
9
Rule
Severity: High
Install Virus Scanning Software
5
Rule
Severity: Medium
Enable nails Service
8
Rule
Severity: High
Install McAfee Virus Scanning Software
21
Rule
Severity: Medium
Ensure Software Patches Installed
5
Rule
Severity: Medium
Virus Scanning Software Definitions Are Updated
12
Rule
Severity: Medium
Install McAfee Endpoint Security for Linux (ENSL)
10
Rule
Severity: Medium
Ensure McAfee Endpoint Security for Linux (ENSL) is running
7
Rule
Severity: Medium
Install the Asset Configuration Compliance Module (ACCM)
7
Rule
Severity: Medium
Install the Policy Auditor (PA) Module
19
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
11
Rule
Severity: High
Disable the GNOME3 Login Restart and Shutdown Buttons
11
Rule
Severity: High
Disable GDM Automatic Login
8
Rule
Severity: High
Disable GDM Guest Login
11
Rule
Severity: Medium
Disable GNOME3 Automounting
12
Rule
Severity: Medium
Disable GNOME3 Automount Opening
12
Rule
Severity: Low
Disable GNOME3 Automount running
12
Rule
Severity: Medium
Require Encryption for Remote Access in GNOME3
29
Rule
Severity: High
Prevent Login to Accounts With Empty Password
29
Rule
Severity: High
Ensure There Are No Accounts With Blank or Null Passwords
13
Rule
Severity: High
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
30
Rule
Severity: High
Verify Only Root Has UID 0
21
Rule
Severity: Medium
Ensure that System Accounts Do Not Run a Shell Upon Login
13
Rule
Severity: Medium
The operating system must restrict privilege elevation to authorized personnel
12
Rule
Severity: Medium
Ensure sudo only includes the default configuration directory
13
Rule
Severity: Medium
Ensure invoking users password for privilege escalation when using sudo
12
Rule
Severity: Low
Install rng-tools Package
30
Rule
Severity: Medium
Ensure the Logon Failure Delay is Set Correctly in login.defs
19
Rule
Severity: Medium
All Interactive User Home Directories Must Be Group-Owned By The Primary Group
16
Rule
Severity: Medium
All Interactive User Home Directories Must Be Owned By The Primary User
11
Rule
Severity: Medium
Uninstall gssproxy Package
11
Rule
Severity: Medium
Uninstall iprutils Package
11
Rule
Severity: Medium
Uninstall tuned Package
27
Rule
Severity: Medium
Ensure that Root's Path Does Not Include World or Group-Writable Directories
27
Rule
Severity: Unknown
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
20
Rule
Severity: Medium
Ensure the Default Bash Umask is Set Correctly
27
Rule
Severity: Medium
Ensure the Default Umask is Set Correctly in login.defs
27
Rule
Severity: Medium
Ensure the Default Umask is Set Correctly in /etc/profile
30
Rule
Severity: Medium
Enable auditd Service
8
Rule
Severity: Medium
Install pam_pwquality Package
11
Rule
Severity: Medium
Ensure PAM password complexity module is enabled in password-auth
11
Rule
Severity: Medium
Ensure PAM password complexity module is enabled in system-auth
15
Rule
Severity: Medium
Disable debug-shell SystemD Service
15
Rule
Severity: High
Disable Ctrl-Alt-Del Burst Action
17
Rule
Severity: High
Disable Ctrl-Alt-Del Reboot Activation
13
Rule
Severity: Medium
Only Authorized Local User Accounts Exist on Operating System
23
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - rename
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - renameat
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - rmdir
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - unlink
29
Rule
Severity: Medium
Ensure auditd Collects File Deletion Events by User - unlinkat
14
Rule
Severity: Medium
Ensure Home Directories are Created for New Users
12
Rule
Severity: Medium
User Initialization Files Must Be Group-Owned By The Primary Group
15
Rule
Severity: Medium
User Initialization Files Must Not Run World-Writable Programs
12
Rule
Severity: Medium
User Initialization Files Must Be Owned By the Primary User
13
Rule
Severity: Medium
Ensure that Users Path Contains Only Local Directories
13
Rule
Severity: Medium
All Interactive Users Must Have A Home Directory Defined
17
Rule
Severity: Medium
All Interactive Users Home Directories Must Exist
10
Rule
Severity: Medium
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
10
Rule
Severity: Medium
All User Files and Directories In The Home Directory Must Have a Valid Owner
10
Rule
Severity: Medium
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
13
Rule
Severity: Medium
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
16
Rule
Severity: Medium
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
13
Rule
Severity: Medium
Ensure the Default C Shell Umask is Set Correctly
14
Rule
Severity: Medium
Ensure the Default Umask is Set Correctly For Interactive Users
29
Rule
Severity: Medium
Include Local Events in Audit Logs
29
Rule
Severity: Low
Resolve information before writing to audit logs
27
Rule
Severity: Medium
Ensure rsyslog is Installed
28
Rule
Severity: Medium
Enable rsyslog Service
29
Rule
Severity: Medium
Ensure logrotate is Installed
29
Rule
Severity: Medium
Ensure Logrotate Runs Periodically
27
Rule
Severity: Medium
Ensure Logs Sent To Remote Host
21
Rule
Severity: Medium
Verify firewalld Enabled
18
Rule
Severity: Medium
Configure Accepting Router Advertisements on All IPv6 Interfaces
20
Rule
Severity: Medium
Disable Accepting ICMP Redirects for All IPv6 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
19
Rule
Severity: Medium
Disable Kernel Parameter for IPv6 Forwarding
19
Rule
Severity: Medium
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
19
Rule
Severity: Medium
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
20
Rule
Severity: Medium
Disable Accepting ICMP Redirects for All IPv4 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
22
Rule
Severity: Medium
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
21
Rule
Severity: Medium
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
20
Rule
Severity: Medium
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
22
Rule
Severity: Medium
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
22
Rule
Severity: Medium
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
22
Rule
Severity: Medium
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
22
Rule
Severity: Medium
Disable SCTP Support
22
Rule
Severity: Medium
Ensure All Files Are Owned by a Group
23
Rule
Severity: Medium
Disable the Automounter
29
Rule
Severity: Medium
Disable core dump backtraces
29
Rule
Severity: Medium
Disable storing core dump
21
Rule
Severity: Medium
Disable Core Dumps for All Users
30
Rule
Severity: Medium
Restrict Exposed Kernel Pointer Addresses Access
30
Rule
Severity: Medium
Enable Randomized Layout of Virtual Address Space
20
Rule
Severity: Medium
Disable Avahi Server Software
22
Rule
Severity: Medium
Verify Group Who Owns /etc/cron.allow file
22
Rule
Severity: Medium
Verify User Who Owns /etc/cron.allow file
13
Rule
Severity: Medium
Disable DHCP Service
22
Rule
Severity: Low
Uninstall bind Package
13
Rule
Severity: Medium
Disable named Service
29
Rule
Severity: Medium
fapolicyd Must be Configured to Limit Access to Users Home Folders
29
Rule
Severity: Medium
Configure System to Forward All Mail For The Root Account
29
Rule
Severity: Medium
Verify Permissions on SSH Server Private *_key Key Files
29
Rule
Severity: Medium
Verify Permissions on SSH Server Public *.pub Key Files
30
Rule
Severity: Medium
Disable Host-Based Authentication
29
Rule
Severity: High
Allow Only SSH Protocol 2
29
Rule
Severity: Medium
Disable Compression Or Set Compression to delayed
30
Rule
Severity: High
Disable SSH Access via Empty Passwords
29
Rule
Severity: Medium
Disable GSSAPI Authentication
29
Rule
Severity: Medium
Disable Kerberos Authentication
30
Rule
Severity: Medium
Disable SSH Support for .rhosts Files
12
Rule
Severity: Medium
Ensure rsyslog-gnutls is installed
29
Rule
Severity: Medium
Disable SSH Support for Rhosts RSA Authentication
30
Rule
Severity: Medium
Disable SSH Root Login
30
Rule
Severity: Medium
Disable SSH Support for User Known Hosts
30
Rule
Severity: Medium
Disable X11 Forwarding
30
Rule
Severity: Medium
Do Not Allow SSH Environment Options
29
Rule
Severity: Medium
Enable Use of Strict Mode Checking
13
Rule
Severity: Medium
Ensure cron Is Logging To Rsyslog
29
Rule
Severity: High
Enable Encrypted X11 Forwarding
29
Rule
Severity: Medium
Enable Use of Privilege Separation
11
Rule
Severity: Medium
Enable logrotate Timer
16
Rule
Severity: Medium
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
11
Rule
Severity: Medium
Configure Multiple DNS Servers in /etc/resolv.conf
5
Rule
Severity: Medium
Disable Client Dynamic DNS Updates
14
Rule
Severity: Medium
Ensure System is Not Acting as a Network Sniffer
14
Rule
Severity: Medium
Set Default firewalld Zone for Incoming Packets
8
Rule
Severity: Unknown
Manually Assign IPv6 Router Address
9
Rule
Severity: Unknown
Use Privacy Extensions for Address
8
Rule
Severity: Unknown
Manually Assign Global IPv6 Address
9
Rule
Severity: Medium
Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces
11
Rule
Severity: Medium
Disable ATM Support
11
Rule
Severity: Medium
Disable CAN Support
14
Rule
Severity: Medium
Ensure All World-Writable Directories Are Owned by root User
9
Rule
Severity: Medium
Ensure All World-Writable Directories Are Owned by a System Account
11
Rule
Severity: Medium
Ensure All World-Writable Directories Are Group Owned by a System Account
18
Rule
Severity: Medium
Ensure All Files Are Owned by a User
19
Rule
Severity: Medium
Disable Modprobe Loading of USB Storage Driver
14
Rule
Severity: Medium
Add nosuid Option to /boot
14
Rule
Severity: Medium
Add noexec Option to /home
16
Rule
Severity: Medium
Add nosuid Option to /home
14
Rule
Severity: Medium
Add nodev Option to Non-Root Local Partitions
17
Rule
Severity: Medium
Add nodev Option to Removable Media Partitions
17
Rule
Severity: Medium
Add noexec Option to Removable Media Partitions
16
Rule
Severity: Medium
Add nosuid Option to Removable Media Partitions
14
Rule
Severity: Medium
Restrict usage of ptrace to descendant processes
11
Rule
Severity: Medium
Ensure No Device Files are Unlabeled by SELinux
9
Rule
Severity: Medium
Uninstall avahi-autoipd Server Package
11
Rule
Severity: Medium
Uninstall avahi Server Package
15
Rule
Severity: Medium
Disable KDump Kernel Crash Analyzer (kdump)
5
Rule
Severity: Unknown
Disable DHCP Client in ifcfg
15
Rule
Severity: Medium
Uninstall DHCP Server Package
16
Rule
Severity: High
Uninstall vsftpd Package
14
Rule
Severity: Low
Uninstall openldap-servers Package
10
Rule
Severity: Medium
Prevent Unrestricted Mail Relaying
10
Rule
Severity: Medium
Mount Remote Filesystems with Kerberos Security
11
Rule
Severity: Medium
Mount Remote Filesystems with nodev
13
Rule
Severity: Medium
Mount Remote Filesystems with noexec
13
Rule
Severity: Medium
Mount Remote Filesystems with nosuid
12
Rule
Severity: Medium
Use Kerberos Security on All Exports
4
Rule
Severity: Medium
Install tcp_wrappers Package
13
Rule
Severity: High
Remove Host-Based Authentication Files
13
Rule
Severity: High
Remove User Host-Based Authentication Files
15
Rule
Severity: High
Uninstall tftp-server Package
11
Rule
Severity: Medium
Ensure tftp Daemon Uses Secure Mode
10
Rule
Severity: Low
Uninstall quagga Package
9
Rule
Severity: Medium
Disable Quagga Service
11
Rule
Severity: High
Ensure Default SNMP Password Is Not Used
18
Rule
Severity: Medium
Use Only FIPS 140-2 Validated Ciphers
13
Rule
Severity: Medium
Prevent remote hosts from connecting to the proxy display
18
Rule
Severity: Medium
Remove the X Windows Package Group
13
Rule
Severity: Medium
Disable graphical user interface
14
Rule
Severity: Medium
Disable X Windows Startup By Setting Default Target
12
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
7
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Enforce for root User
5
Rule
Severity: Medium
Add nosuid Option to /boot/efi
8
Rule
Severity: Medium
Disable storing core dumps
10
Rule
Severity: Medium
Disable Access to Network bpf() Syscall From Unprivileged Processes
8
Rule
Severity: Medium
Harden the operation of the BPF just-in-time compiler
8
Rule
Severity: Medium
Disable the use of user namespaces
8
Rule
Severity: Medium
Disable acquiring, saving, and processing core dumps
8
Rule
Severity: Low
Enable the Hardware RNG Entropy Gatherer Service
6
Rule
Severity: Low
SSH server uses strong entropy to seed
2
Rule
Severity: Medium
Grant Or Deny System Access To Specific Hosts And Services
1
Rule
Severity: Medium
System Must Avoid Meltdown and Spectre Exploit Vulnerabilities in Modern Processors
2
Rule
Severity: High
Disable GDM Unattended or Automatic Login
2
Rule
Severity: Medium
The PAM configuration should not be changed automatically
4
Rule
Severity: Medium
Enforce Delay After Failed Logon Attempts
2
Rule
Severity: Medium
Set Password Retry Limit
2
Rule
Severity: Medium
Remove Default Configuration to Disable Syscall Auditing
1
Rule
Severity: Medium
Ensure PAM Enforces Password Requirements - Enforcing
2
Rule
Severity: Medium
Disable Kernel Parameter for IPv6 Forwarding by default
2
Rule
Severity: Medium
Uninstall DHCP Client Package
1
Rule
Severity: Medium
The A10 Networks ADC, when used for load balancing web servers, must deploy the WAF in active mode.
1
Rule
Severity: Medium
If the Data Owner requires it, the A10 Networks ADC must be configured to perform CCN Mask, SSN Mask, and PCRE Mask Request checks.
1
Rule
Severity: Medium
The A10 Networks ADC must protect against TCP SYN floods by using TCP SYN Cookies.
1
Rule
Severity: High
The A10 Networks ADC must be a FIPS-compliant version.
1
Rule
Severity: Medium
The A10 Networks ADC must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1
Rule
Severity: Medium
The A10 Networks ADC must use DoD-approved PKI rather than proprietary or self-signed device certificates.
1
Rule
Severity: Medium
The A10 Networks ADC must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
1
Rule
Severity: Medium
The A10 Networks ADC must employ centrally managed authentication server(s).
1
Rule
Severity: Low
AAA Services must be configured to use at least two NTP servers to synchronize time.
1
Rule
Severity: Medium
AAA Services must be configured to authenticate all NTP messages received from NTP servers and peers.
2
Rule
Severity: Low
AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic.
2
Rule
Severity: Medium
AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.
2
Rule
Severity: Medium
AAA Services must not be configured with shared accounts.
2
Rule
Severity: Medium
AAA Services used to authenticate privileged users for device management must be configured to connect to the management network.
2
Rule
Severity: Medium
AAA Services must be configured to use a unique shared secret for communication (i.e. RADIUS, TACACS+) with clients requesting authentication services.
2
Rule
Severity: Medium
AAA Services must be configured to use IP segments separate from production VLAN IP segments.
2
Rule
Severity: Medium
AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access.
2
Rule
Severity: Medium
AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: High
Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
2
Rule
Severity: High
Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
2
Rule
Severity: Medium
Administrators must have separate accounts specifically for managing domain member servers.
2
Rule
Severity: Medium
Administrators must have separate accounts specifically for managing domain workstations.
2
Rule
Severity: High
Delegation of privileged accounts must be prohibited.
2
Rule
Severity: Medium
Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
2
Rule
Severity: Medium
Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
2
Rule
Severity: Medium
Domain controllers must be blocked from Internet access.
2
Rule
Severity: Medium
User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
2
Rule
Severity: Medium
Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
2
Rule
Severity: Medium
The Directory Service Restore Mode (DSRM) password must be changed at least annually.
2
Rule
Severity: Medium
The domain functional level must be at a Windows Server version still supported by Microsoft.
2
Rule
Severity: Medium
Access to need-to-know information must be restricted to an authorized community of interest.
2
Rule
Severity: High
Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
2
Rule
Severity: High
A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.
2
Rule
Severity: Medium
Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
2
Rule
Severity: Low
User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts.
2
Rule
Severity: Medium
Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
2
Rule
Severity: Medium
Usage of administrative accounts must be monitored for suspicious and anomalous activity.
2
Rule
Severity: Medium
Systems must be monitored for attempts to use local accounts to log on remotely from other systems.
2
Rule
Severity: Medium
Systems must be monitored for remote desktop logons.
2
Rule
Severity: Medium
Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
2
Rule
Severity: Low
Each cross-directory authentication configuration must be documented.
2
Rule
Severity: Medium
Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
2
Rule
Severity: Medium
Inter-site replication must be enabled and configured to occur at least daily.
2
Rule
Severity: Low
Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high.
2
Rule
Severity: Medium
Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high.
1
Rule
Severity: Low
The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented.
2
Rule
Severity: Low
Changes to the AD schema must be subject to a documented configuration management process.
2
Rule
Severity: Medium
Anonymous Access to AD forest data above the rootDSE level must be disabled.
1
Rule
Severity: Medium
Membership to the Schema Admins group must be limited.
1
Rule
Severity: Medium
Kona Site Defender that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
1
Rule
Severity: Medium
Upon successful login, the Akamai Luna Portal must notify the administrator of the date and time of the last login.
1
Rule
Severity: Medium
The Akamai Luna Portal must notify the administrator of the number of successful login attempts.
1
Rule
Severity: High
The Akamai Luna Portal must employ Security Assertion Markup Language (SAML) to automate central management of administrators.
1
Rule
Severity: High
The Akamai Luna Portal must employ Single Sign On (SSO) with Security Assertion Markup Language (SAML) integration to verify authentication settings.
2
Rule
Severity: Medium
System logging must be enabled.
8
Rule
Severity: Low
The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: High
All accounts installed with the Apache web server software and tools must have passwords assigned and default passwords changed.
4
Rule
Severity: High
The Apache web server software must be a vendor-supported version.
2
Rule
Severity: Medium
The Apache web server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must [selection: remove Enterprise application, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must be configured to not allow passwords that include more than two repeating or sequential characters.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store].
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must not include applications with the following characteristics: access to Siri when the device is locked.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 allow list must be configured to not include applications with the following characteristics: voice dialing application if available when MD is locked.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 allowlist must be configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);- transmit MD diagnostic data to non-DoD servers; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must be configured to disable multiuser modes.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.
1
Rule
Severity: High
Apple iOS/iPadOS 15 must require a valid password be successfully entered before the mobile device data is unencrypted.
1
Rule
Severity: Low
Apple iOS/iPadOS 15 must implement the management setting: limit Ad Tracking.
1
Rule
Severity: Low
Apple iOS/iPadOS 15 must implement the management setting: not allow automatic completion of Safari browser passcodes.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.
1
Rule
Severity: Low
Apple iOS/iPadOS 15 must implement the management setting: not allow use of Handoff.
1
Rule
Severity: Low
Apple iOS/iPadOS 15 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device for the first time.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must implement the management setting: Disable Allow MailDrop.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must implement the management setting: Disable Allow Shared Albums.
7
Rule
Severity: High
iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must implement the management setting: use SSL for Exchange ActiveSync.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 15 Mail app.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must implement the management setting: Treat AirDrop as an unmanaged destination.
1
Rule
Severity: Low
Apple iOS/iPadOS 15 must implement the management setting: not have any Family Members in Family Sharing.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must implement the management setting: not share location data through iCloud.
1
Rule
Severity: Low
Apple iOS/iPadOS 15 must implement the management setting: force Apple Watch wrist detection.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 users must complete required training.
2
Rule
Severity: Medium
A managed photo app must be used to take and store work-related photos.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must implement the management setting: enable USB Restricted Mode.
1
Rule
Severity: Low
Apple iOS/iPadOS 15 must not allow managed apps to write contacts to unmanaged contacts accounts.
1
Rule
Severity: Low
Apple iOS/iPadOS 15 must not allow unmanaged apps to read contacts from managed contacts accounts.
1
Rule
Severity: Low
Apple iOS/iPadOS 15 must implement the management setting: disable AirDrop.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must implement the management setting: disable paired Apple Watch.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must disable Password AutoFill in browsers and applications.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must disable allow setting up new nearby devices.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must disable password proximity requests.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must disable password sharing.
1
Rule
Severity: Low
Apple iOS/iPadOS 15 must disable Find My Friends in the Find My app.
1
Rule
Severity: Medium
The Apple iOS/iPadOS 15 must be supervised by the MDM.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must disable "Allow USB drive access in Files app" if the Authorizing Official (AO) has not approved the use of DoD-approved USB storage drives with iOS/iPadOS devices.
1
Rule
Severity: Low
The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
1
Rule
Severity: Medium
Apple iOS must implement the management setting: not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must disable "Allow network drive access in Files access".
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must disable connections to Siri servers for the purpose of dictation.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must disable connections to Siri servers for the purpose of translation.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must disable copy/paste of data from managed to unmanaged applications.
2
Rule
Severity: Medium
The ALG must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices.
2
Rule
Severity: Medium
The ALG that provides intermediary services for SMTP must inspect inbound and outbound SMTP and Extended SMTP communications traffic for protocol compliance and protocol anomalies.
2
Rule
Severity: Medium
The ALG that intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
2
Rule
Severity: Medium
The ALG that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
2
Rule
Severity: Medium
The ALG that is part of a CDS must use source and destination security attributes associated with organization-defined information, source, and/or destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.
2
Rule
Severity: Medium
The ALG that is part of a CDS must allow privileged administrators to enable/disable all security policy filters used to enforce information flow control.
2
Rule
Severity: Medium
The ALG that is part of a CDS must allow privileged administrators to configure and make changes to all security policy filters that are used to enforce information flow control.
2
Rule
Severity: Medium
The ALG that is part of a CDS, when transferring information between different security domains, must use organization-defined data type identifiers to validate data essential for information flow decisions.
2
Rule
Severity: Medium
The ALG that is part of a CDS must decompose information into organization-defined, policy-relevant subcomponents for submission to policy enforcement mechanisms before transferring information between different security domains.
2
Rule
Severity: Medium
The ALG that is part of a CDS, when transferring information between different security domains, must implement organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.
2
Rule
Severity: Medium
The ALG that is part of a CDS, when transferring information between different security domains, must examine the information for the presence of organization-defined unsanctioned information.
2
Rule
Severity: Medium
The ALG that is part of a CDS must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.
2
Rule
Severity: Medium
The ALG that is part of a CDS must uniquely identify and authenticate source by organization, system, application, and/or individual for information transfer.
2
Rule
Severity: Medium
The ALG that is part of a CDS must uniquely identify and authenticate destination by organization, system, application, and/or individual for information transfer.
1
Rule
Severity: Medium
The ALG that is part of a CDS must bind security attributes to information using organization-defined binding techniques to facilitate information flow policy enforcement.
2
Rule
Severity: Medium
The ALG that is part of a CDS, when transferring information between different security domains, must apply the same security policy filtering to metadata as it applies to data payloads.
2
Rule
Severity: Medium
The ALG that is part of a CDS must enforce dynamic traffic flow control based on organization-defined policies.
2
Rule
Severity: Medium
The ALG that is part of a CDS must enforce information flow control based on organization-defined metadata.
2
Rule
Severity: Medium
The ALG that is part of a CDS must block the transfer of data with malformed security attribute metadata structures.
2
Rule
Severity: Medium
The ALG that is part of a CDS must enforce organization-defined one-way information flows using hardware mechanisms.
2
Rule
Severity: Medium
The ALG that is part of a CDS must enforce information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.
2
Rule
Severity: Medium
The ALG that is part of a CDS must enforce the use of human reviews for organization-defined information flows under organization-defined conditions.
1
Rule
Severity: Medium
The Arista Multilayer Switch must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1
Rule
Severity: Medium
The Arista Multilayer Switch must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1
Rule
Severity: Medium
The Arista Multilayer Switch must protect the audit records of nonlocal accesses to privileged accounts and the execution of privileged functions.
1
Rule
Severity: High
The Arista Multilayer Switch must employ AAA service to centrally manage authentication settings.
1
Rule
Severity: Low
The Arista Multilayer Switch must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
1
Rule
Severity: Low
The Arista Multilayer Switch must be updated to one of the minimum approved versions of EOS.
1
Rule
Severity: Medium
The Arista Multilayer Switch must enforce information flow control using explicit security attributes (for example, IP addresses, port numbers, protocol, Autonomous System, or interface) on information, source, and destination objects.
1
Rule
Severity: Medium
The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP.
2
Rule
Severity: Medium
The application server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Low
The Arista MLS layer 2 switch must have IGMP or MLD Snooping configured on all VLANs.
2
Rule
Severity: Medium
The Arista MLS layer 2 Arista MLS switch must implement Rapid STP where VLANs span multiple switches with redundant links.
2
Rule
Severity: Medium
The Arista MLS layer 2 switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
2
Rule
Severity: Medium
The Arista MLS layer 2 switch must have all trunk links enabled statically.
1
Rule
Severity: Medium
The Arista MLS layer 2 switch must have all disabled switch ports assigned to an unused VLAN.
1
Rule
Severity: Medium
The Arista MLS layer 2 switch must not have the default VLAN assigned to any host-facing switch ports.
1
Rule
Severity: Medium
The Arista MLS layer 2 switch must have the default VLAN pruned from all trunk ports that do not require it.
1
Rule
Severity: Medium
The Arista MLS layer 2 switch must not use the default VLAN for management traffic.
1
Rule
Severity: Medium
The Arista MLS layer 2 switch must have all user-facing or untrusted ports configured as access switch ports.
1
Rule
Severity: Medium
The Arista MLS layer 2 switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
1
Rule
Severity: Low
The Arista MLS layer 2 switch must not have any switch ports assigned to the native VLAN.
2
Rule
Severity: High
The Arista network device must be running an operating system release that is currently supported by the vendor.
2
Rule
Severity: Low
The application must have a process, feature or function that prevents removal or disabling of emergency accounts.
1
Rule
Severity: Low
The Arista BGP router must be configured to use its loopback address as the source address for iBGP peering sessions.
3
Rule
Severity: Low
The MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.
4
Rule
Severity: Low
The MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
2
Rule
Severity: Medium
The MPLS router must be configured to have TTL propagation disabled.
3
Rule
Severity: High
The PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.
3
Rule
Severity: High
The PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).
3
Rule
Severity: Medium
The PE router must be configured to have each VRF with the appropriate Route Distinguisher (RD).
3
Rule
Severity: High
The PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.
1
Rule
Severity: Low
The Arista Multicast Source Discovery Protocol (MSDP) router must be configured to use its loopback address as the source address when originating MSDP traffic.
2
Rule
Severity: Low
The Arista router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
2
Rule
Severity: Medium
The Arista router must not be configured to use IPv6 Site Local Unicast addresses.
2
Rule
Severity: Medium
The Arista perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
2
Rule
Severity: Medium
An application vulnerability assessment must be conducted.
2
Rule
Severity: Medium
The application must not be vulnerable to race conditions.
2
Rule
Severity: Medium
Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.
1
Rule
Severity: Low
The BlackBerry UEM server must [selection: invoke platform-provided functionality, implement functionality] to generate an audit record of the following auditable events: c. [selection: Commands issued to the MDM Agent].
1
Rule
Severity: Medium
The BlackBerry UEM server must be configured to communicate the following commands to the MDM Agent: read audit logs kept by the MD.
1
Rule
Severity: Medium
The BlackBerry UEM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, or auditor.
1
Rule
Severity: High
The BlackBerry UEM server must be maintained at a supported version.
1
Rule
Severity: Medium
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor.
1
Rule
Severity: Medium
If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable the Web Proxy.
1
Rule
Severity: Low
If the BlackBerry Presence service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured with the whitelisting control to limit presence subscriptions to only single domain/tenant.
1
Rule
Severity: Medium
If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable the proxy server authentication type (if a proxy is used).
2
Rule
Severity: High
A BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC.
2
Rule
Severity: Medium
The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation.
2
Rule
Severity: Medium
The BIND 9.x server software must run with restricted privileges.
2
Rule
Severity: Medium
The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface.
2
Rule
Severity: Medium
The host running a BIND 9.x implementation must use a dedicated management interface in order to separate management traffic from DNS specific traffic.
2
Rule
Severity: Medium
The host running a BIND 9.x implementation must use an interface that is configured to process only DNS traffic.
2
Rule
Severity: Low
In the event of an error when validating the binding of other DNS servers identity to the BIND 9.x information, when anomalies in the operation of the signed zone transfers are discovered, for the success and failure of start and stop of the name server service or daemon, and for the success and failure of all name server events, a BIND 9.x server implementation must generate a log entry.
2
Rule
Severity: Medium
A BIND 9.x server implementation must prohibit recursion on authoritative name servers.
2
Rule
Severity: Low
The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated.
2
Rule
Severity: Low
The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers.
2
Rule
Severity: Low
On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
2
Rule
Severity: Medium
The BIND 9.X implementation must not utilize a TSIG or DNSSEC key for more than one year.
2
Rule
Severity: Medium
On the BIND 9.x server the private keys corresponding to both the ZSK and the KSK must not be kept on the BIND 9.x DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
2
Rule
Severity: Medium
The two files generated by the BIND 9.x server dnssec-keygen program must be owned by the root account, or deleted, after they have been copied to the key file in the name server.
2
Rule
Severity: Medium
The two files generated by the BIND 9.x server dnssec-keygen program must be group owned by the server administrator account, or deleted, after they have been copied to the key file in the name server.
2
Rule
Severity: Medium
Permissions assigned to the dnssec-keygen keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.
2
Rule
Severity: Medium
The core BIND 9.x server files must be owned by the root or BIND 9.x process account.
2
Rule
Severity: Medium
The core BIND 9.x server files must be group owned by a group designated for DNS administration only.
2
Rule
Severity: Medium
The permissions assigned to the core BIND 9.x server files must be set to utilize the least privilege possible.
2
Rule
Severity: Medium
On a BIND 9.x server for zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
2
Rule
Severity: Medium
On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
2
Rule
Severity: Medium
On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
2
Rule
Severity: High
A BIND 9.x server implementation must implement internal/external role separation.
2
Rule
Severity: Medium
On the BIND 9.x server the IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
2
Rule
Severity: High
A BIND 9.x implementation operating in a split DNS configuration must be approved by the organizations Authorizing Official.
2
Rule
Severity: Medium
On the BIND 9.x server the private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must be owned by root.
2
Rule
Severity: Medium
On the BIND 9.x server the private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must be group owned by root.
2
Rule
Severity: Medium
A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies.
2
Rule
Severity: Medium
A BIND 9.x server validity period for the RRSIGs covering a zones DNSKEY RRSet must be no less than two days and no more than one week.
2
Rule
Severity: Medium
A BIND 9.x server NSEC3 must be used for all internal DNS zones.
2
Rule
Severity: Medium
Every NS record in a zone file on a BIND 9.x server must point to an active name server and that name server must be authoritative for the domain specified in that record.
2
Rule
Severity: Medium
On a BIND 9.x server all authoritative name servers for a zone must be located on different network segments.
2
Rule
Severity: Medium
On a BIND 9.x server all authoritative name servers for a zone must have the same version of zone information.
2
Rule
Severity: Low
On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone.
2
Rule
Severity: Low
On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed.
2
Rule
Severity: Medium
On the BIND 9.x server a zone file must not include resource records that resolve to a fully qualified domain name residing in another zone.
2
Rule
Severity: Low
On the BIND 9.x server CNAME records must not point to a zone with lesser security for more than six months.
2
Rule
Severity: Medium
The BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. Government.
1
Rule
Severity: Medium
The CA API Gateway must employ RADIUS + LDAPS or LDAPS to centrally manage authentication settings.
1
Rule
Severity: Medium
The CA API Gateway must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1
Rule
Severity: Medium
The CA API Gateway must transmit organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions.
1
Rule
Severity: Low
The CA API Gateway must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1
Rule
Severity: Medium
The CA API Gateway must generate audit log events for a locally developed list of auditable events.
1
Rule
Severity: Medium
The CA API Gateway must employ automated mechanisms to assist in the tracking of security incidents.
1
Rule
Severity: Medium
The CA API Gateway must employ automated mechanisms to detect the addition of unauthorized components or devices.
1
Rule
Severity: Medium
The CA API Gateway that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
1
Rule
Severity: Medium
The CA API Gateway that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
2
Rule
Severity: Medium
The Central Log Server must be configured to retain the identity of the original source host or device where the event occurred as part of the log record.
2
Rule
Severity: Medium
The Central Log Server that aggregates log records from hosts and devices must be configured to use TCP for transmission.
2
Rule
Severity: Medium
The Central Log Server must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
2
Rule
Severity: Medium
The Central Log Server must be configured to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds).
2
Rule
Severity: Medium
For devices and hosts within the scope of coverage, the Central Log Server must be configured to automatically aggregate events that indicate account actions.
2
Rule
Severity: Medium
The Central Log Server must be configured with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts.
2
Rule
Severity: Medium
Analysis, viewing, and indexing functions, services, and applications used as part of the Central Log Server must be configured to comply with DoD-trusted path and access requirements.
2
Rule
Severity: Low
The Central Log Server must be configured so changes made to the level and type of log records stored in the centralized repository must take effect immediately without the need to reboot or restart the application.
1
Rule
Severity: Medium
Citrix Delivery Controller must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
Delivery Controller must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
When implemented for protection of the database tier, the DBN-6300 must be logically connected for maximum database traffic visibility.
1
Rule
Severity: Medium
When implemented for discovery protection against unidentified or rogue databases, the DBN-6300 must provide a catalog of all visible databases and database services.
1
Rule
Severity: Medium
The DBN-6300 must be compliant with at least one IETF Internet standard authentication protocol.
1
Rule
Severity: Medium
The DBN-6300 must generate audit log events for a locally developed list of auditable events.
1
Rule
Severity: Medium
The DBN-6300 must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1
Rule
Severity: High
The DBN-6300 must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
1
Rule
Severity: Medium
Accounts for device management must be configured on the authentication server and not the network device itself, except for the account of last resort.
1
Rule
Severity: Medium
The DBN-6300 must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: Medium
Docker Swarm must have the minimum number of manager nodes.
1
Rule
Severity: Medium
Docker Enterprise Swarm manager auto-lock key must be rotated periodically.
1
Rule
Severity: Medium
Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP).
1
Rule
Severity: High
Docker Enterprise docker.service file ownership must be set to root:root.
1
Rule
Severity: Medium
Docker Enterprise docker.service file permissions must be set to 644 or more restrictive.
1
Rule
Severity: High
Docker Enterprise docker.socket file ownership must be set to root:root.
1
Rule
Severity: Medium
Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive.
1
Rule
Severity: High
Docker Enterprise /etc/docker directory ownership must be set to root:root.
1
Rule
Severity: Medium
Docker Enterprise /etc/docker directory permissions must be set to 755 or more restrictive.
1
Rule
Severity: High
Docker Enterprise registry certificate file ownership must be set to root:root.
1
Rule
Severity: Medium
Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive.
1
Rule
Severity: High
Docker Enterprise TLS certificate authority (CA) certificate file ownership must be set to root:root.
1
Rule
Severity: Medium
Docker Enterprise TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive.
1
Rule
Severity: High
Docker Enterprise server certificate file ownership must be set to root:root.
1
Rule
Severity: Medium
Docker Enterprise server certificate file permissions must be set to 444 or more restrictive.
1
Rule
Severity: Medium
Docker Enterprise server certificate key file ownership must be set to root:root.
1
Rule
Severity: High
Docker Enterprise server certificate key file permissions must be set to 400.
1
Rule
Severity: High
Docker Enterprise socket file ownership must be set to root:docker.
1
Rule
Severity: High
Docker Enterprise socket file permissions must be set to 660 or more restrictive.
1
Rule
Severity: High
Docker Enterprise daemon.json file ownership must be set to root:root.
1
Rule
Severity: High
Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive.
1
Rule
Severity: High
Docker Enterprise /etc/default/docker file ownership must be set to root:root.
1
Rule
Severity: High
Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive.
2
Rule
Severity: Medium
The DNS server implementation must, when a component failure is detected, activate a notification to the system administrator.
2
Rule
Severity: Medium
The DNS server implementation must strongly bind the identity of the DNS server with the DNS information.
2
Rule
Severity: Medium
The DNS server implementation must provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
2
Rule
Severity: Medium
The DNS server implementation must validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
2
Rule
Severity: Medium
In the event of an error when validating the binding of another DNS servers identity to the DNS information, the DNS server implementation must log the event and send notification to the DNS administrator.
2
Rule
Severity: Medium
The DNS implementation must prohibit recursion on authoritative name servers.
3
Rule
Severity: Medium
A DNS server implementation must provide data origin artifacts for internal name/address resolution queries.
3
Rule
Severity: Medium
A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries.
3
Rule
Severity: Medium
The DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
2
Rule
Severity: Medium
The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.
3
Rule
Severity: Medium
The validity period for the RRSIGs covering a zones DNSKEY RRSet must be no less than two days and no more than one week.
6
Rule
Severity: Medium
NSEC3 must be used for all internal DNS zones.
2
Rule
Severity: Medium
The DNS implementation must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
2
Rule
Severity: Medium
The two files generated by the dnssec-keygen program must be made accessible only to the server administrator account, or deleted, after they have been copied to the key file in the name server.
7
Rule
Severity: Medium
All authoritative name servers for a zone must be located on different network segments.
6
Rule
Severity: Medium
All authoritative name servers for a zone must have the same version of zone information.
4
Rule
Severity: Medium
An authoritative name server must be configured to enable DNSSEC Resource Records.
3
Rule
Severity: Medium
Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
4
Rule
Severity: Medium
For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
5
Rule
Severity: Medium
In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
7
Rule
Severity: Medium
In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
8
Rule
Severity: Medium
Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
2
Rule
Severity: Medium
The DNS implementation must be conformant to the IETF DNS specification.
3
Rule
Severity: Medium
The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
4
Rule
Severity: Medium
The DNS implementation must implement internal/external role separation.
2
Rule
Severity: Medium
The DNS must utilize valid root name servers in the local root zone file.
3
Rule
Severity: Medium
The DNS name server software must be at the latest version.
4
Rule
Severity: Medium
The DNS Name Server software must run with restricted privileges.
4
Rule
Severity: Medium
The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
4
Rule
Severity: Medium
The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
3
Rule
Severity: Medium
The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
2
Rule
Severity: Medium
The private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must have appropriate directory/file-level access control list-based or cryptography-based protections.
3
Rule
Severity: Medium
The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
2
Rule
Severity: Medium
A zone file must not include resource records that resolve to a fully qualified domain name residing in another zone.
4
Rule
Severity: Medium
CNAME records must not point to a zone with lesser security for more than six months.
2
Rule
Severity: Medium
The DNS server implementation must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
4
Rule
Severity: Medium
All authoritative name servers for a zone must be geographically disbursed.
2
Rule
Severity: Medium
The firewall must be configured to use TCP when sending log records to the central audit server.
2
Rule
Severity: Medium
The firewall must be configured to inspect all inbound and outbound traffic at the application layer.
2
Rule
Severity: Medium
The firewall must be configured to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers.
2
Rule
Severity: Medium
The firewall must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1
Rule
Severity: Medium
The FortiGate device must synchronize internal information system clocks using redundant authoritative time sources.
1
Rule
Severity: Medium
The FortiGate device must enforce access restrictions associated with changes to the system components.
1
Rule
Severity: Medium
The FortiGate device must use LDAP for authentication.
1
Rule
Severity: High
The FortiGate device must be running an operating system release that is currently supported by the vendor.
1
Rule
Severity: Medium
The FortiGate device must generate log records for a locally developed list of auditable events.
1
Rule
Severity: Medium
The FortiGate device must conduct backups of system-level information contained in the information system when changes occur.
1
Rule
Severity: Medium
The FortiGate device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1
Rule
Severity: Medium
FortiGate devices performing maintenance functions must restrict use of these functions to authorized personnel only.
1
Rule
Severity: Medium
The FortiGate device must use DoD-approved Certificate Authorities (CAs) for public key certificates.
1
Rule
Severity: Medium
The FortiGate firewall must be configured to inspect all inbound and outbound traffic at the application layer.
1
Rule
Severity: Medium
The FortiGate firewall must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1
Rule
Severity: Medium
CounterACT must enforce access restrictions associated with changes to the system components.
1
Rule
Severity: Low
CounterACT must generate audit log events for a locally developed list of auditable events.
1
Rule
Severity: Medium
CounterACT must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
1
Rule
Severity: Low
CounterACT must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
2
Rule
Severity: Medium
CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: Medium
CounterACT must enable Threat Protection notifications to alert security personnel to Cyber events detected by a CounterACT IAW CJCSM 6510.01B.
1
Rule
Severity: High
CounterACT appliances performing maintenance functions must restrict use of these functions to authorized personal only.
1
Rule
Severity: Medium
CounterACT must employ automated mechanisms to centrally apply authentication settings.
1
Rule
Severity: Medium
CounterACT must be configured to synchronize internal information system clocks with the organizations primary and secondary NTP servers.
1
Rule
Severity: Low
The network device must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
1
Rule
Severity: Medium
Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort).
2
Rule
Severity: Medium
Forescout must be configured to synchronize internal information system clocks using redundant authoritative time sources.
2
Rule
Severity: Medium
Forescout must enforce access restrictions associated with changes to the firmware, OS, USB port, and console port.
2
Rule
Severity: Medium
Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
2
Rule
Severity: Medium
Forescout must be running an operating system release that is currently supported by the vendor.
2
Rule
Severity: Medium
If the network device uses role-based access control, Forescout must enforce organization-defined, role-based access control policies over defined subjects and objects.
2
Rule
Severity: Medium
Forescout must generate log records for a locally developed list of auditable events.
2
Rule
Severity: Medium
Forescout must be configured to conduct backups of system-level information contained in the information system when changes occur.
2
Rule
Severity: Medium
Forescout must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
2
Rule
Severity: Medium
Forescout must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
2
Rule
Severity: Medium
Google Android 12 must be configured to not allow passwords that include more than two repeating or sequential characters.
2
Rule
Severity: Medium
Google Android 12 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store].
2
Rule
Severity: Medium
Google Android 12 allowlist must be configured to not include applications with the following characteristics: 1. Back up mobile device (MD) data to non-DoD cloud servers (including user and application access to cloud backup services);2. Transmit MD diagnostic data to non-DoD servers;3. Voice assistant application if available when MD is locked;4. Voice dialing application if available when MD is locked;5. Allows synchronization of data or applications between devices associated with user; and6. Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
2
Rule
Severity: Medium
Forescout must perform continuous detection and tracking of endpoint devices attached to the network. This is required for compliance with C2C Step 1.
4
Rule
Severity: Medium
Google Android 13 must be configured to not allow passwords that include more than four repeating or sequential characters.
4
Rule
Severity: Medium
Google Android 13 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
4
Rule
Severity: Medium
Google Android 13 allowlist must be configured to not include applications with the following characteristics:
1. Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services);
2. Transmit MD diagnostic data to non-DOD servers;
3. Voice assistant application if available when MD is locked;
4. Voice dialing application if available when MD is locked;
5. Allows synchronization of data or applications between devices associated with user; and
6. Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
4
Rule
Severity: Medium
Google Android 13 must be configured to disable multiuser modes.
4
Rule
Severity: Low
Google Android 13 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), Hands-Free Profile (HFP), and Serial Port Profile (SPP).
6
Rule
Severity: Medium
Google Android 13 users must complete required training.
4
Rule
Severity: Medium
Google Android 13 must be configured to enforce that Wi-Fi Sharing is disabled.
4
Rule
Severity: Medium
Google Android 13 must have the DOD root and intermediate PKI certificates installed.
4
Rule
Severity: Medium
The Google Android 13 work profile must be configured to enforce the system application disable list.
4
Rule
Severity: Medium
Google Android 13 must be configured to disallow configuration of date and time.
6
Rule
Severity: High
Android 13 devices must have the latest available Google Android 13 operating system installed.
4
Rule
Severity: Low
Android 13 devices must be configured to disable the use of third-party keyboards.
4
Rule
Severity: Low
Android 13 devices must be configured to enable Common Criteria Mode (CC Mode).
4
Rule
Severity: Medium
The Google Android 13 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.
2
Rule
Severity: Medium
Google Android 12 must be configured to disable multiuser modes.
2
Rule
Severity: Low
Google Android 12 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), Hands-Free Profile (HFP), and Serial Port Profile (SPP).
2
Rule
Severity: Medium
Google Android 12 users must complete required training.
2
Rule
Severity: Medium
Google Android 12 must be configured to enforce that Wi-Fi Sharing is disabled.
2
Rule
Severity: Medium
Google Android 12 must have the DoD root and intermediate PKI certificates installed.
2
Rule
Severity: Medium
Google Android 12 work profile must be configured to enforce the system application disable list.
2
Rule
Severity: Medium
Google Android 12 work profile must be configured to disable automatic completion of work space Internet browser text input.
2
Rule
Severity: Medium
Google Android 12 must be configured to disallow configuration of date and time.
2
Rule
Severity: High
Android 12 devices must have the latest available Google Android 12 operating system installed.
2
Rule
Severity: Low
Android 12 devices must be configured to disable the use of third-party keyboards.
2
Rule
Severity: Low
Android 12 devices must be configured to enable Common Criteria Mode (CC Mode).
2
Rule
Severity: Medium
Google Android 12 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.
1
Rule
Severity: Medium
The Google Android 12 Work Profile must be configured to prevent users from adding personal email accounts to the work email app.
1
Rule
Severity: Medium
Google Android 12 must be provisioned as a fully managed device and configured to create a work profile.
1
Rule
Severity: Medium
Google Android 12 Work Profile must be configured to disable the autofill services.
4
Rule
Severity: Medium
The Google Android 13 work profile must be configured to prevent users from adding personal email accounts to the work email app.
2
Rule
Severity: Medium
Google Android 13 must be provisioned as a fully managed device and configured to create a work profile.
2
Rule
Severity: Medium
The Google Android 13 work profile must be configured to disable automatic completion of work space internet browser text input.
4
Rule
Severity: Medium
The Google Android 13 work profile must be configured to disable the autofill services.
1
Rule
Severity: Medium
The HP FlexFabric Switch must implement Rapid STP where VLANs span multiple switches with redundant links.
1
Rule
Severity: Medium
The HP FlexFabric Switch must enable Device Link Detection Protocol (DLDP) to protect against one-way connections.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have all trunk links enabled statically.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have all disabled switch ports assigned an unused VLAN.
1
Rule
Severity: Medium
The HP FlexFabric Switch must not have the default VLAN assigned to any host-facing switch ports.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have the default VLAN pruned from all trunk ports that do not require it.
1
Rule
Severity: Medium
The HP FlexFabric Switch must not use the default VLAN for management traffic.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have all user-facing or untrusted ports configured as access switch ports.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have the native VLAN assigned to a VLAN ID other than the default VLAN ID for all 802.1q trunk links.
1
Rule
Severity: Medium
The HP FlexFabric Switch must not have any access switch ports assigned to the native VLAN.
1
Rule
Severity: Medium
Upon successful logon, the HP FlexFabric Switch must notify the administrator of the date and time of the last logon.
1
Rule
Severity: Medium
Upon successful logon, the HP FlexFabric Switch must notify the administrator of the number of unsuccessful logon attempts since the last successful logon.
1
Rule
Severity: Medium
If the HP FlexFabric Switch uses role-based access control, the HP FlexFabric Switch must enforce organization-defined role-based access control policies over defined subjects and objects.
1
Rule
Severity: Medium
The HP FlexFabric Switch must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the date and time of the last logon (access).
1
Rule
Severity: Medium
The HP FlexFabric Switch must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1
Rule
Severity: Medium
If the HP FlexFabric Switch uses mandatory access control, the HP FlexFabric Switch must enforce organization-defined mandatory access control policies over all subjects and objects.
1
Rule
Severity: Medium
The HP FlexFabric Switch must notify the administrator of the number of successful logon attempts occurring during an organization-defined time period.
1
Rule
Severity: Medium
The HP FlexFabric Switch must generate audit log events for a locally developed list of auditable events.
1
Rule
Severity: Medium
The HP FlexFabric Switch must enforce access restrictions associated with changes to the system components.
1
Rule
Severity: Low
The HP FlexFabric Switch must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
1
Rule
Severity: Medium
The HP FlexFabric Switch must employ automated mechanisms to assist in the tracking of security incidents.
1
Rule
Severity: Medium
The HP FlexFabric Switch must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: Medium
The HP FlexFabric Switch must enable neighbor authentication for all control plane protocols.
1
Rule
Severity: High
The HP FlexFabric Switch must have a local account that will only be used as an account of last resort with full access to the network device.
1
Rule
Severity: Medium
The HP FlexFabric switch must be configured to utilize an authentication server for the purpose of authenticating privilege users, managing accounts, and to centrally verify authentication settings and Personal Identity Verification (PIV) credentials.
1
Rule
Severity: Medium
The HP FlexFabric switch must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
1
Rule
Severity: Medium
The HP FlexFabric switch must be configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.
1
Rule
Severity: Medium
The CIM service must be disabled, unless needed.
1
Rule
Severity: High
DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: Medium
SNMP must be changed from default settings and must be configured on the storage system to provide alerts of critical events that impact system security.
1
Rule
Severity: Medium
The SNMP service on the storage system must use only SNMPv3 or its successors.
1
Rule
Severity: Medium
The SNMP service on the storage system must require the use of a FIPS 140-2 approved cryptographic hash algorithm as part of its authentication and integrity methods.
1
Rule
Severity: High
The storage system must only be operated in conjunction with an LDAP server in a trusted environment if an Active Directory server is not available.
1
Rule
Severity: High
The storage system must only be operated in conjunction with an Active Directory server in a trusted environment if an LDAP server is not available.
1
Rule
Severity: Medium
If the HYCU Server or Web UI uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
1
Rule
Severity: Medium
The HYCU VM/server must be configured to disable SSH.
1
Rule
Severity: High
The HYCU VM console and HYCU Web UI must be configured to use an authentication server for authenticating users prior to granting access to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined requirements.
1
Rule
Severity: Medium
The HYCU server must generate audit records for privileged activities or other system-level access.
1
Rule
Severity: Medium
The HYCU server must be configured to conduct backups of system-level information when changes occur and to offload audit records onto a different system or media.
1
Rule
Severity: Medium
The HYCU server must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1
Rule
Severity: High
The HYCU appliance must be running a release that is currently supported by the vendor.
1
Rule
Severity: Medium
The HYCU server must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
1
Rule
Severity: Medium
The HYCU server must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: Medium
Recursion must be disabled on Infoblox DNS servers that are configured as authoritative name servers.
3
Rule
Severity: Medium
The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
1
Rule
Severity: Medium
NSEC3 must be used for all DNSSEC signed zones.
1
Rule
Severity: Medium
The Infoblox DNS server must be configured so that each name server (NS) record in a zone file points to an active name server authoritative for the domain specified in that record.
1
Rule
Severity: Medium
An authoritative name server must be configured to enable DNSSEC resource records.
1
Rule
Severity: High
The digital signature algorithm used for DNSSEC-enabled zones must be FIPS compatible.
3
Rule
Severity: Medium
For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
1
Rule
Severity: Medium
The Infoblox system must use a security policy that limits the propagation of access rights.
1
Rule
Severity: Medium
The Infoblox DNS server must use current and valid root name servers.
2
Rule
Severity: Medium
The Infoblox NIOS version must be at the appropriate version.
1
Rule
Severity: Medium
The Infoblox system must be configured to respond to DNS traffic only.
1
Rule
Severity: Medium
The Infoblox DNS server must send outgoing DNS messages from a random port.
1
Rule
Severity: High
The private keys corresponding to both the Zone Signing Key (ZSK) and the Key Signing Key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
1
Rule
Severity: Medium
The Infoblox system must use the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: High
A secure out-of-band (OOB) network must be used for management of Infoblox Grid Members.
1
Rule
Severity: High
Infoblox systems must enforce current DoD password restrictions.
2
Rule
Severity: Medium
Infoblox Grid configuration must be backed up on a regular basis.
1
Rule
Severity: Medium
The Infoblox system must display the approved DoD notice and consent banner.
1
Rule
Severity: Medium
The Infoblox system must display the appropriate security classification information.
2
Rule
Severity: Medium
The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
The Infoblox system must present only approved TLS and SSL cipher suites.
2
Rule
Severity: Medium
An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC.
1
Rule
Severity: Medium
The Infoblox system must provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
1
Rule
Severity: Medium
The Infoblox system must validate the binding of the other DNS servers' identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
1
Rule
Severity: Medium
The Infoblox system must send a notification in the event of an error when validating the binding of another DNS server’s identity to the DNS information.
1
Rule
Severity: Medium
The Infoblox DNS server must provide data origin artifacts for internal name/address resolution queries.
1
Rule
Severity: Medium
The Infoblox DNS server must provide data integrity protection artifacts for internal name/address resolution queries.
1
Rule
Severity: Medium
The Infoblox system must notify the system administrator when a component failure is detected.
1
Rule
Severity: Medium
The Infoblox DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
1
Rule
Severity: Medium
The DataPower Gateway must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1
Rule
Severity: Medium
The DataPower Gateway must be compliant with at least one IETF standard authentication protocol.
1
Rule
Severity: Medium
If the DataPower Gateway uses role-based access control, the DataPower Gateway must enforce role-based access control policies over defined subjects and objects.
1
Rule
Severity: Medium
The DataPower Gateway must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1
Rule
Severity: Medium
The DataPower Gateway must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in accordance with CJCSM 6510.01B.
1
Rule
Severity: Medium
The DataPower Gateway must generate audit log events for a locally developed list of auditable events.
1
Rule
Severity: Medium
The DataPower Gateway must employ automated mechanisms to centrally manage authentication settings.
1
Rule
Severity: Medium
The DataPower Gateway must employ automated mechanisms to centrally apply authentication settings.
1
Rule
Severity: Medium
The DataPower Gateway must employ automated mechanisms to centrally verify authentication settings.
1
Rule
Severity: Medium
The DataPower Gateway must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
1
Rule
Severity: Medium
The DataPower Gateway must employ automated mechanisms to assist in the tracking of security incidents.
1
Rule
Severity: Medium
The DataPower Gateway must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: Low
Initial Program Load (IPL) Procedures must exists for each partition defined to the system.
1
Rule
Severity: Low
Power On Reset (POR) Procedures must be documented for each system.
1
Rule
Severity: Low
System shutdown procedures documentation must exist for each partition defined to the system.
1
Rule
Severity: Medium
Backup of critical data for the HMC and its components must be documented and tracked
1
Rule
Severity: Medium
The MaaS360 MDM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.
1
Rule
Severity: Low
The MaaS360 MDM server must be configured to enable all required audit events (if function is not automatically implemented during MDM/MAS server install): a. Failure to push a new application on a managed mobile device.
1
Rule
Severity: Low
The MaaS360 server must be configured to enable all required audit events (if function is not automatically implemented during MDM/MAS server install): b. Failure to update an existing application on a managed mobile device.
1
Rule
Severity: Medium
The MQ Appliance network device must notify the administrator of changes to access and/or privilege parameters of the administrator account that occurred since the last logon.
1
Rule
Severity: Medium
The MQ Appliance network device must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1
Rule
Severity: Medium
The MQ Appliance network device must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the result, date and time of the last logon (access).
1
Rule
Severity: Medium
The MQ Appliance network device must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1
Rule
Severity: Medium
The MQ Appliance network device must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in association with CJCSM 6510.01B.
1
Rule
Severity: Medium
Administrative accounts for device management must be configured on the authentication server and not the MQ Appliance network device itself (except for the emergency administration account).
1
Rule
Severity: Medium
Access to the MQ Appliance network device must employ automated mechanisms to centrally apply authentication settings.
1
Rule
Severity: Medium
The MQ Appliance network device must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
1
Rule
Severity: Medium
The MQ Appliance network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: Medium
SSH CLI access to the MQ Appliance management interface must be restricted to approved management workstations.
1
Rule
Severity: Medium
IBM zVM CA VM:Secure product PASSWORD user exit must be in use.
1
Rule
Severity: Medium
CA VM:Secure product Config Delay LOG option must be set to 0.
1
Rule
Severity: Medium
CA VM:Secure product NORULE record in the SECURITY CONFIG file must be configured to REJECT.
1
Rule
Severity: Medium
CA VM:Secure product SECURITY CONFIG file must be restricted to appropriate personnel.
1
Rule
Severity: Medium
CA VM:Secure product VMXRPI configuration file must be restricted to authorized personnel.
1
Rule
Severity: Medium
CA VM:Secure product DASD CONFIG file must be restricted to appropriate personnel.
1
Rule
Severity: Medium
CA VM:Secure product AUTHORIZ CONFIG file must be restricted to appropriate personnel.
1
Rule
Severity: Medium
CA VM:Secure product CONFIG file must be restricted to appropriate personnel.
1
Rule
Severity: Medium
CA VM:Secure Product SFS configuration file must be restricted to appropriate personnel.
1
Rule
Severity: Medium
CA VM:Secure product Rules Facility must be restricted to appropriate personnel.
1
Rule
Severity: Medium
IBM z/VM must employ a Session manager.
1
Rule
Severity: Medium
The IBM z/VM System administrator must develop a notification routine for account management.
1
Rule
Severity: Medium
The IBM z/VM system administrator must develop routines and processes for the proper configuration and maintenance of Software.
1
Rule
Severity: Medium
IBM z/VM must be protected by an external firewall that has a deny-all, allow-by-exception policy.
1
Rule
Severity: Medium
The IBM z/VM System administrator must develop routines and processes for notification in the event of audit failure.
1
Rule
Severity: Medium
The IBM z/VM system administrator must develop procedures maintaining information system operation in the event of anomalies.
1
Rule
Severity: Medium
IBM z/VM system administrator must develop procedures to manually control temporary, interactive, and emergency accounts.
1
Rule
Severity: Medium
IBM z/VM must have access to an audit reduction tool that allows for central data review and analysis.
1
Rule
Severity: Medium
The IBM z/VM system administrator must develop and perform a procedure to validate the correct operation of security functions.
1
Rule
Severity: Medium
IBM z/VM must employ Clock synchronization software.
1
Rule
Severity: Medium
The IBM z/VM systems requiring data at rest must employ IBMs DS8000 for full disk encryption.
1
Rule
Severity: Medium
The IBM z/VM TCP/IP NSLOOKUP statement for UFT servers must be properly configured.
1
Rule
Severity: Medium
The IBM z/VM TCP/IP DOMAINLOOKUP statement must be properly configured.
1
Rule
Severity: Medium
The IBM z/VM TCP/IP NSINTERADDR statement must be present in the TCPIP DATA configuration.
1
Rule
Severity: Medium
The IBM z/VM CHECKSUM statement must be included in the TCP/IP configuration file.
1
Rule
Severity: Medium
The IBM z/VM DOMAINSEARCH statement in the TCPIP DATA file must be configured with proper domain names for name resolution.
2
Rule
Severity: Medium
The IDPS must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices.
1
Rule
Severity: Medium
The Infoblox system must be configured to activate a notification to the system administrator when a component failure is detected.
1
Rule
Severity: Medium
The Infoblox system must be configured to provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
1
Rule
Severity: Medium
The Infoblox system must be configured to validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
1
Rule
Severity: Medium
Recursion must be disabled on Infoblox DNS servers which are configured as authoritative name servers.
1
Rule
Severity: Medium
The Zone Signing Key (ZSK) rollover interval must be configured to less than two months.
1
Rule
Severity: Medium
The Infoblox system must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
1
Rule
Severity: High
Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
1
Rule
Severity: Medium
The Infoblox system must utilize valid root name servers in the local root zone file.
1
Rule
Severity: Low
The Infoblox system must be configured to display the appropriate security classification information.
1
Rule
Severity: Low
The Infoblox system must be configured with the approved DoD notice and consent banner.
1
Rule
Severity: High
Infoblox systems must be configured with current DoD password restrictions.
1
Rule
Severity: Medium
A secure Out Of Band (OOB) network must be utilized for management of Infoblox Grid Members.
1
Rule
Severity: Medium
The Ivanti MobileIron Core server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
MobileIron Sentry must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1
Rule
Severity: Low
MobileIron Sentry must enforce access restrictions associated with changes to the system components.
1
Rule
Severity: Low
MobileIron Sentry must be configured to conduct backups of system level information contained in the information system when changes occur.
1
Rule
Severity: Medium
MobileIron Sentry must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: High
MobileIron Sentry must be running an operating system release that is currently supported by MobileIron.
2
Rule
Severity: Medium
The ISEC7 EMM Suite must be configured to leverage the enterprise directory service accounts and groups for ISEC7 EMM Suite server admin identification and authentication.
2
Rule
Severity: Medium
The ISEC7 EMM Suite must configure the timeout for the console to be 15 minutes or less.
2
Rule
Severity: Medium
The ISEC7 EMM Suite, Tomcat installation, and ISEC7 Suite monitor must be configured to use the Windows Trust Store for the storage of digital certificates and keys.
3
Rule
Severity: Medium
The LockOutRealm must be configured with a login lockout time of 15 minutes.
2
Rule
Severity: Medium
The Sentry must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
1
Rule
Severity: Medium
When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.
2
Rule
Severity: Medium
The Jamf Pro EMM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Jamf Pro EMM server install).
2
Rule
Severity: Medium
The Jamf Pro EMM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.
2
Rule
Severity: High
Jamf Pro EMM must be maintained at a supported version.
2
Rule
Severity: Medium
Separate MySQL user accounts with limited privileges must be created within Jamf Pro EMM.
2
Rule
Severity: Medium
MySQL database backups must be scheduled in Jamf Pro EMM.
1
Rule
Severity: Medium
The Jamf Pro EMM server must configure the MDM Agent/platform to enable the DOD required device enrollment restrictions allowed for enrollment [specific device model].
2
Rule
Severity: Medium
The JBoss server must be configured to bind the management interfaces to only management networks.
1
Rule
Severity: Medium
The Juniper router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.
2
Rule
Severity: Medium
The Juniper router must be configured to generate log records for a locally developed list of auditable events.
2
Rule
Severity: Medium
The Juniper router must be configured to support organizational requirements to conduct backups of the configuration when changes occur.
1
Rule
Severity: Medium
The Juniper router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
2
Rule
Severity: Medium
The Juniper router must be configured with a master password that is used to generate encrypted keys for shared secrets.
2
Rule
Severity: High
The Juniper router must be running a Junos release that is currently supported by Juniper Networks.
4
Rule
Severity: Medium
The Juniper router must be configured to implement message authentication for all control plane protocols.
4
Rule
Severity: Medium
The Juniper router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
4
Rule
Severity: Medium
The Juniper BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.
3
Rule
Severity: Low
The Juniper BGP router must be configured to use its loopback address as the source address for iBGP peering sessions.
3
Rule
Severity: Low
The Juniper MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.
4
Rule
Severity: Low
The Juniper MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
4
Rule
Severity: Medium
The Juniper MPLS router must be configured to have TTL Propagation disabled.
3
Rule
Severity: High
The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.
3
Rule
Severity: High
The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).
3
Rule
Severity: Medium
The Juniper PE router must be configured to have each VRF with the appropriate Route Distinguisher (RD).
3
Rule
Severity: High
The Juniper PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.
1
Rule
Severity: High
The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the routing instance with the globally unique VPLS ID assigned for each customer VLAN.
3
Rule
Severity: Low
The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to use its loopback address as the source address when originating MSDP traffic.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
4
Rule
Severity: Medium
The Juniper router must not be configured to use IPv6 Site Local Unicast addresses.
2
Rule
Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must have only active Juniper Networks licenses.
2
Rule
Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must either forward the traffic from inbound connections to be more deeply inspected for malicious code and Layer 7 threats, or the Antivirus and Unified Threat Management (UTM) license must be installed, active, and policies and rules configured.
2
Rule
Severity: Medium
If the loopback interface is used, the Juniper SRX Services Gateway must protect the loopback interface with firewall filters for known attacks that may exploit this interface.
2
Rule
Severity: Low
The Juniper SRX Services Gateway must have the number of rollbacks set to 5 or more.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must be configured to synchronize internal information system clocks with the primary and secondary NTP servers for the network.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.
1
Rule
Severity: Medium
The Juniper SRX Services Gateway must use DoD-approved PKI rather than proprietary or self-signed device certificates.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must be configured to use Junos 12.1 X46 or later to meet the minimum required version for DoD.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
2
Rule
Severity: Medium
For local accounts, the Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when local accounts are created.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must generate an immediate alert message to the management console for account enabling actions.
1
Rule
Severity: Low
The Juniper SRX Services Gateway must allow only the ISSM (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs.
2
Rule
Severity: Low
For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs.
2
Rule
Severity: Medium
In the event that communications with the events server is lost, the Juniper SRX Services Gateway must continue to queue log records locally.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must be configured to use an authentication server to centrally apply authentication and logon settings for remote and nonlocal access for device management.
2
Rule
Severity: High
The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
2
Rule
Severity: Low
The Juniper SRX Services Gateway must specify the order in which authentication servers are used.
2
Rule
Severity: Low
The Juniper SRX Services Gateway must detect the addition of components and issue a priority 1 alert to the ISSM and SA, at a minimum.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must generate an alarm or send an alert message to the management console when a component failure is detected.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must reveal log messages or management console alerts only to the ISSO, ISSM, and SA roles).
2
Rule
Severity: Low
The layer 2 switch must have Storm Control configured on all host-facing switch ports.
2
Rule
Severity: High
The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
2
Rule
Severity: Medium
If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection.
2
Rule
Severity: High
The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS).
2
Rule
Severity: Medium
The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.
2
Rule
Severity: Low
The layer 2 switch must have IGMP or MLD Snooping configured on all VLANs
2
Rule
Severity: Medium
The layer 2 switch must implement Rapid STP where VLANs span multiple switches with redundant links.
2
Rule
Severity: Medium
The layer 2 switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
2
Rule
Severity: Medium
The layer 2 switch must have all trunk links enabled statically.
2
Rule
Severity: Medium
The layer 2 switch must have all disabled switch ports assigned to an unused VLAN.
2
Rule
Severity: Medium
The layer 2 switch must not have the default VLAN assigned to any host-facing switch ports.
2
Rule
Severity: Medium
The layer 2 switch must have the default VLAN pruned from all trunk ports that do not require it.
2
Rule
Severity: Medium
The layer 2 switch must not use the default VLAN for management traffic.
2
Rule
Severity: Medium
The layer 2 switch must have all user-facing or untrusted ports configured as access switch ports.
2
Rule
Severity: Medium
The layer 2 switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
2
Rule
Severity: Low
The layer 2 switch must not have any switch ports assigned to the native VLAN.
2
Rule
Severity: Medium
The layer 2 switch must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
The Mainframe Product must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
The MobileIron Core v10 server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.
1
Rule
Severity: Medium
Prompts to convert older databases must be enforced.
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to not allow passwords that include more than two repeating or sequential characters.
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, EMM server, mobile application store].
1
Rule
Severity: Medium
Microsoft Android 11 allow list must be configured to not include applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);- Transmit MD diagnostic data to non-DOD servers;- Voice assistant application if available when MD is locked;- Voice dialing application if available when MD is locked;- Allows synchronization of data or applications between devices associated with user; and- Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
2
Rule
Severity: Low
Microsoft Android 11 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), HandsFree Profile (HFP), and Serial Port Profile (SPP).
1
Rule
Severity: Medium
Microsoft Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to disable multi-user modes.
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to enable audit logging.
2
Rule
Severity: Medium
Microsoft Android 11 users must complete required training.
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to enforce that Wi-Fi Sharing is disabled.
2
Rule
Severity: Medium
Microsoft Android 11 must have the DOD root and intermediate PKI certificates installed.
2
Rule
Severity: Medium
Microsoft Android 11 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.
2
Rule
Severity: Medium
The Microsoft Android 11 Work Profile must be configured to prevent users from adding personal email accounts to the work email app.
2
Rule
Severity: Medium
Microsoft Android 11 Work Profile must be configured to enforce the system application disable list.
1
Rule
Severity: Medium
Microsoft Android 11 must be provisioned as a fully managed device and configured to create a work profile.
2
Rule
Severity: Medium
Microsoft Android 11 Work Profile must be configured to disable automatic completion of work space internet browser text input.
2
Rule
Severity: Medium
Microsoft Android 11 Work Profile must be configured to disable the autofill services.
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to disallow configuration of date and time.
2
Rule
Severity: High
Microsoft Android 11 devices must have the latest available Microsoft Android 11 operating system installed.
2
Rule
Severity: Low
Microsoft Android 11 devices must be configured to disable the use of third-party keyboards.
2
Rule
Severity: Low
Microsoft Android 11 devices must be configured to enable Common Criteria Mode (CC Mode).
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to not allow passwords that include more than two repeating or sequential characters.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, EMM server, mobile application store].
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
1
Rule
Severity: Medium
Motorola Solutions Android 11 allow list must be configured to not include applications with the following characteristics:
- Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DoD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1
Rule
Severity: Low
Motorola Solutions Android 11 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), HandsFree Profile (HFP), and Serial Port Profile (SPP).
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to disable trust agents.
Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
1
Rule
Severity: Low
Motorola Solutions Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to enable audit logging.
1
Rule
Severity: Medium
Motorola Solutions Android 11 users must complete required training.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to enforce that Wi-Fi Sharing is disabled.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must have the DoD root and intermediate PKI certificates installed.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.
1
Rule
Severity: Medium
Motorola Solutions Android 11 work profile must be configured to enforce the system application disable list.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to disallow configuration of date and time.
1
Rule
Severity: High
Motorola Solutions Android 11 devices must have the latest available Motorola Solutions Android 11 operating system installed.
1
Rule
Severity: Low
Motorola Solutions Android 11 devices must be configured to disable the use of third-party keyboards.
1
Rule
Severity: Low
Prompts to convert older databases must be enforced.
1
Rule
Severity: Medium
Microsoft Android 11 allow list must be configured to not include applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
1
Rule
Severity: Medium
Microsoft Android 11 must be configured to disable trust agents.
Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
2
Rule
Severity: Medium
Automatic republish to web pages must be disallowed.
1
Rule
Severity: Medium
AutoRepublish Warning Alert must be provided.
1
Rule
Severity: Medium
Corrupt workbook options must be disallowed.
1
Rule
Severity: Medium
The AutoRepublish warning alert must be provided.
1
Rule
Severity: Medium
Exchange must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Low
Exchange Public Folder Stores must mount at startup.
2
Rule
Severity: Medium
Offline Mode capability to cache queries for offline mode must be configured.
2
Rule
Severity: Medium
The InfoPath APTCA Assembly Allowable List must be enforced.
2
Rule
Severity: Medium
The Help Improve Proofing Tools feature for Office must be configured.
2
Rule
Severity: Medium
A mix of policy and user locations for Office Products must be disallowed.
2
Rule
Severity: Medium
Smart Documents use of Manifests in Office must be disallowed.
2
Rule
Severity: Medium
Legacy format signatures must be enabled.
2
Rule
Severity: Medium
External Signature Services Menu for Office must be suppressed.
2
Rule
Severity: Medium
Inclusion of document properties for PDF and XPS output must be disallowed.
1
Rule
Severity: Medium
Blogging entries created from inside Office products must be configured for SharePoint only.
1
Rule
Severity: Medium
The Enable Updates and Disable Updates options in the UI must be hidden from users.
1
Rule
Severity: Medium
When using the Office Feedback tool, the ability to include a screenshot must be disabled.
1
Rule
Severity: Medium
The ability to run unsecure Office apps must be disabled.
1
Rule
Severity: Medium
The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.
2
Rule
Severity: Medium
Permit download of content from safe zones must be configured.
2
Rule
Severity: Medium
Access restriction settings for published calendars must be configured.
1
Rule
Severity: Medium
Recipients of sent email must be unable to be added to the safe senders list.
1
Rule
Severity: Medium
IE Trusted Zones assumed trusted must be blocked.
1
Rule
Severity: Medium
Trusted add-ins behavior for email must be configured.
2
Rule
Severity: Medium
Disabling download full text of articles as HTML must be configured.
1
Rule
Severity: Medium
Hyperlinks in suspected phishing email messages must be disallowed.
2
Rule
Severity: Medium
Junk Mail UI must be configured.
2
Rule
Severity: Medium
Internet with Safe Zones for Picture Download must be disabled.
2
Rule
Severity: Medium
Intranet with Safe Zones for automatic picture downloads must be configured.
1
Rule
Severity: Medium
External content and pictures in HTML email must be displayed.
2
Rule
Severity: Medium
Attachments using generated name for secure temporary folders must be configured.
3
Rule
Severity: Medium
Automatic download content for email in Safe Senders list must be disallowed.
2
Rule
Severity: Medium
Outlook must be enforced as the default email, calendar, and contacts program.
2
Rule
Severity: Medium
Outlook Security Mode must be configured to use Group Policy settings.
2
Rule
Severity: Medium
Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
3
Rule
Severity: Medium
Publishing calendars to Office Online must be prevented.
3
Rule
Severity: Medium
Read EMail as plain text must be enforced.
3
Rule
Severity: Medium
Read signed email as plain text must be enforced.
3
Rule
Severity: Medium
Level of calendar details that a user can publish must be restricted.
2
Rule
Severity: Medium
Upload method for publishing calendars to Office Online must be restricted.
2
Rule
Severity: Medium
Automatic sending s/Mime receipt requests must be disallowed.
2
Rule
Severity: Medium
The Help Improve Proofing Tools feature for Office must be configured.
2
Rule
Severity: Medium
A mix of policy and user locations for Office Products must be disallowed.
2
Rule
Severity: Medium
Smart Documents use of Manifests in Office must be disallowed.
2
Rule
Severity: Medium
Inclusion of document properties for PDF and XPS output must be disallowed.
2
Rule
Severity: Medium
When using the Office Feedback tool, the ability to include a screenshot must be disabled.
2
Rule
Severity: Medium
The ability to run unsecure Office web add-ins and Catalogs must be disabled.
2
Rule
Severity: Medium
The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.
2
Rule
Severity: Medium
The ability to send personal information to Office must be disabled.
1
Rule
Severity: Medium
Blogging entries created from inside Office products must be configured for Sharepoint only.
1
Rule
Severity: Medium
Upload of document templates to Office Online must be prevented.
1
Rule
Severity: Medium
Key Usage Filtering must be allowed.
1
Rule
Severity: Medium
OneDrive must only allow synchronizing of accounts for DoD organization instances.
1
Rule
Severity: Medium
Recipients of sent email must be unable to be added to the safe sender's list.
1
Rule
Severity: Medium
IE Trusted Zones assumed 'trusted' must be blocked.
1
Rule
Severity: Medium
Trusted add-ins behavior for eMail must be configured.
1
Rule
Severity: Medium
Hyperlinks in suspected phishing e-mail messages must be disallowed.
1
Rule
Severity: Medium
External content and pictures in HTML eMail must be displayed.
1
Rule
Severity: Medium
Automatically configure user profile based on Active Directory primary SMTP address must be enforced.
1
Rule
Severity: Medium
All signed messages as clear signed messages must be configured.
1
Rule
Severity: Medium
Trust EMail from senders in receiver's contact list must be enforced.
2
Rule
Severity: Medium
Outlook Rich Text options must be set for converting to plain text format.
2
Rule
Severity: Medium
Default message format must be set to use Plain Text.
3
Rule
Severity: Medium
Outlook must be configured not to prompt users to choose security settings if default settings fail.
2
Rule
Severity: Medium
Replies or forwards to signed/encrypted messages must be signed/encrypted.
3
Rule
Severity: Medium
Check e-mail addresses against addresses of certificates being used must be disallowed.
2
Rule
Severity: Medium
Text in Outlook that represents Internet and network paths must not be automatically turned into hyperlinks.
1
Rule
Severity: Medium
Send all signed messages as clear signed messages must be configured.
1
Rule
Severity: Medium
Trust EMail from senders in receivers contact list must be enforced.
1
Rule
Severity: Medium
Replies or forwards to signed/encrypted messages must be signed/encrypted.
1
Rule
Severity: Medium
Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
1
Rule
Severity: Medium
Access restriction settings for published calendars must be configured.
1
Rule
Severity: Medium
Outlook Security Mode must be configured to use Group Policy settings.
1
Rule
Severity: Medium
Trusted add-ins behavior for email must be configured.
1
Rule
Severity: Medium
Send all signed messages as clear signed messages must be configured.
1
Rule
Severity: Medium
Automatic sending s/Mime receipt requests must be disallowed.
1
Rule
Severity: Medium
External content and pictures in HTML email must be displayed.
1
Rule
Severity: Medium
Permit download of content from safe zones must be configured.
1
Rule
Severity: Medium
IE Trusted Zones assumed trusted must be blocked.
1
Rule
Severity: Medium
Internet with Safe Zones for Picture Download must be disabled.
1
Rule
Severity: Medium
Intranet with Safe Zones for automatic picture downloads must be configured.
1
Rule
Severity: Medium
Hyperlinks in suspected phishing email messages must be disallowed.
1
Rule
Severity: Medium
Disabling download full text of articles as HTML must be configured.
1
Rule
Severity: Medium
The default message format must be set to use Plain Text.
1
Rule
Severity: Medium
Outlook Rich Text options must be set for converting to plain text format.
1
Rule
Severity: Medium
Text in Outlook that represents internet and network paths must not be automatically turned into hyperlinks.
2
Rule
Severity: Medium
Hidden markup options must be visible.
1
Rule
Severity: Medium
The configuration for Slide Update with counterparts must be disallowed.
1
Rule
Severity: Medium
The configuration for Slide Update with counterparts must be disallowed.
1
Rule
Severity: Medium
The Microsoft SCOM server must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
1
Rule
Severity: High
The Microsoft SCOM server must be running Windows operating system that supports modern security features such as virtualization based security.
1
Rule
Severity: Low
SCOM unsealed management packs must be backed up regularly.
1
Rule
Severity: Low
If a certificate is used for the SCOM web console, this certificate must be generated by a DoD CA or CA approved by the organization.
1
Rule
Severity: Medium
SharePoint must maintain and support the use of security attributes with stored information.
1
Rule
Severity: Medium
SharePoint must identify data type, specification, and usage when transferring information between different security domains so policy restrictions may be applied.
1
Rule
Severity: Medium
SharePoint must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds.
1
Rule
Severity: Medium
The SharePoint farm service account (database access account) must be configured with minimum privileges in Active Directory (AD).
1
Rule
Severity: Medium
The SharePoint farm service account (database access account) must be configured with minimum privileges on the SQL server.
1
Rule
Severity: Medium
The SharePoint setup account must be configured with the minimum privileges in Active Directory.
1
Rule
Severity: Medium
The SharePoint setup account must be configured with the minimum privileges on the SQL server.
1
Rule
Severity: Medium
The SharePoint setup account must be configured with the minimum privileges for the local server.
1
Rule
Severity: Low
A secondary SharePoint site collection administrator must be defined when creating a new site collection.
1
Rule
Severity: Medium
SharePoint-specific malware (i.e. anti-virus) protection software must be integrated and configured.
1
Rule
Severity: Medium
SharePoint server access to the Online Web Part Gallery must be configured for limited access.
1
Rule
Severity: Medium
The SharePoint farm service account (database access account) must be configured with the minimum privileges for the local server.
1
Rule
Severity: Low
The SQL Server Browser service must be disabled if its use is not necessary..
1
Rule
Severity: Medium
Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS).
1
Rule
Severity: Medium
The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
1
Rule
Severity: Medium
The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
1
Rule
Severity: High
The Windows 2012 DNS Servers zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
1
Rule
Severity: High
The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records.
1
Rule
Severity: Medium
The Windows 2012 DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must implement internal/external role separation.
1
Rule
Severity: Medium
The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
1
Rule
Severity: Medium
The Windows 2012 DNS Servers zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
1
Rule
Severity: Medium
The Windows 2012 DNS Servers zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
1
Rule
Severity: Medium
Non-routable IPv6 link-local scope addresses must not be configured in any zone.
1
Rule
Severity: Medium
AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.
1
Rule
Severity: Medium
The Windows 2012 DNS Servers IP address must be statically defined and configured locally on the server.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must, when a component failure is detected, activate a notification to the system administrator.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must, in the event of an error validating another DNS servers identity, send notification to the DNS administrator.
1
Rule
Severity: Medium
The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM.
1
Rule
Severity: Medium
The validity period for the RRSIGs covering the DS RR for a zones delegated children must be no less than two days and no more than one week.
3
Rule
Severity: Medium
The Windows DNS name servers for a zone must be geographically dispersed.
2
Rule
Severity: Medium
A warning before printing that the document contains tracking changes must be provided.
1
Rule
Severity: Medium
Word must be configured to warn when opening a document with custom XML markup.
2
Rule
Severity: Medium
If the network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.
5
Rule
Severity: Medium
The network device must be configured to synchronize internal information system clocks using redundant authoritative time sources.
2
Rule
Severity: Medium
Network devices performing maintenance functions must restrict use of these functions to authorized personnel only.
2
Rule
Severity: Medium
If the network device uses mandatory access control, the network device must enforce organization-defined mandatory access control policies over all subjects and objects.
2
Rule
Severity: Medium
The network device must generate log records for a locally developed list of auditable events
2
Rule
Severity: Medium
The network device must enforce access restrictions associated with changes to the system components.
2
Rule
Severity: Medium
The network device must be configured to conduct backups of system level information contained in the information system when changes occur.
2
Rule
Severity: Medium
The network device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
2
Rule
Severity: Medium
The network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
2
Rule
Severity: High
The network device must be running an operating system release that is currently supported by the vendor.
2
Rule
Severity: Medium
The network device must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
Nutanix AOS must prevent the use of dictionary words for passwords.
1
Rule
Severity: Medium
Nutanix AOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1
Rule
Severity: Medium
Nutanix AOS must be configured to run SCMA daily.
1
Rule
Severity: Low
Nutanix AOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1
Rule
Severity: Medium
Nutanix AOS must not allow an unattended or automatic logon to the system.
1
Rule
Severity: Medium
Nutanix AOS must be configured so that all local interactive user home directories have mode "0750" or less permissive.
1
Rule
Severity: Medium
Nutanix AOS must enable an application firewall, if available.
1
Rule
Severity: Medium
The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
1
Rule
Severity: Medium
OHS must have Entity tags (ETags) disabled.
1
Rule
Severity: Medium
The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication.
1
Rule
Severity: Medium
The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
1
Rule
Severity: Medium
The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
1
Rule
Severity: Medium
The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication.
1
Rule
Severity: Medium
The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication.
1
Rule
Severity: Medium
The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
1
Rule
Severity: Medium
The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
1
Rule
Severity: Medium
The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
1
Rule
Severity: Medium
The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.
1
Rule
Severity: Medium
The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.
1
Rule
Severity: Medium
The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
1
Rule
Severity: Medium
The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
1
Rule
Severity: Medium
OHS must limit access to the Dynamic Monitoring Service (DMS).
1
Rule
Severity: Medium
OHS must have the AllowOverride directive set properly.
1
Rule
Severity: Medium
OHS must be set to evaluate deny directives first when considering whether to serve a file.
1
Rule
Severity: Medium
OHS must deny all access by default when considering whether to serve a file.
1
Rule
Severity: Medium
The OHS instance installation must not contain an .htaccess file.
1
Rule
Severity: Medium
The OHS instance configuration must not reference directories that contain an .htaccess file.
1
Rule
Severity: Low
OHS must have the HostnameLookups directive enabled.
1
Rule
Severity: Medium
OHS must have the ServerAdmin directive set properly.
1
Rule
Severity: Medium
OHS must restrict access methods.
1
Rule
Severity: Medium
The OHS htdocs directory must not contain any default files.
1
Rule
Severity: Medium
OHS must have the SSLSessionCacheTimeout directive set properly.
1
Rule
Severity: Low
OHS must have the RewriteEngine directive enabled.
1
Rule
Severity: Low
OHS must have the RewriteOptions directive set properly.
1
Rule
Severity: Low
OHS must have the RewriteLogLevel directive set to the proper log level.
1
Rule
Severity: Low
OHS must have the RewriteLog directive set properly.
3
Rule
Severity: Medium
All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.
1
Rule
Severity: Medium
A production OHS Installation must prohibit the installation of a compiler.
1
Rule
Severity: Medium
A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
1
Rule
Severity: Medium
A private OHS installation must be located on a separate controlled access subnet.
1
Rule
Severity: High
The version of the OHS installation must be vendor-supported.
1
Rule
Severity: Medium
OHS must be certified with accompanying Fusion Middleware products.
1
Rule
Severity: Medium
OHS tools must be restricted to the web manager and the web managers designees.
1
Rule
Severity: Low
All utility programs, not necessary for operations, must be removed or disabled.
1
Rule
Severity: Medium
The OHS htpasswd files (if present) must reflect proper ownership and permissions.
1
Rule
Severity: Medium
A public OHS installation must limit email to outbound only.
1
Rule
Severity: Low
OHS content and configuration files must be part of a routine backup program.
1
Rule
Severity: Medium
OHS must be segregated from other services.
1
Rule
Severity: Medium
OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
1
Rule
Severity: Medium
A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
1
Rule
Severity: Medium
OHS must have the ScoreBoardFile directive disabled.
1
Rule
Severity: Medium
The OHS document root directory must not be on a network share.
1
Rule
Severity: Medium
The OHS server root directory must not be on a network share.
1
Rule
Severity: High
Symbolic links must not be used in the web content directory tree.
1
Rule
Severity: High
OHS administration must be performed over a secure path or at the local console.
1
Rule
Severity: Medium
OHS must not contain any robots.txt files.
1
Rule
Severity: Medium
OHS must prohibit anonymous FTP user access to interactive scripts.
1
Rule
Severity: Medium
The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
1
Rule
Severity: Medium
The OHS DocumentRoot directory must be on a separate partition from OS root partition.
1
Rule
Severity: Medium
Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
1
Rule
Severity: Medium
A public OHS server must use TLS if authentication is required to host web sites.
1
Rule
Severity: Low
OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
1
Rule
Severity: High
OHS must not have the directive PlsqlDatabasePassword set in clear text.
1
Rule
Severity: Medium
Oracle WebLogic must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
1
Rule
Severity: Medium
Oracle WebLogic must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization-defined time period or until the account is unlocked by an administrator.
1
Rule
Severity: Low
Oracle WebLogic must utilize automated mechanisms to prevent program execution on the information system.
1
Rule
Severity: Medium
Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data.
2
Rule
Severity: Medium
Prisma Cloud Compute must be configured to send events to the hosts' syslog.
2
Rule
Severity: High
The configuration integrity of the container platform must be ensured and vulnerabilities policies must be configured.
1
Rule
Severity: Medium
Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).
1
Rule
Severity: Medium
Oracle WebLogic must be managed through a centralized enterprise tool.
1
Rule
Severity: Medium
Oracle WebLogic must be integrated with a tool to implement multi-factor user authentication.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
2
Rule
Severity: Medium
The Riverbed NetProfiler must be configured to synchronize internal information system clocks using redundant authoritative time sources.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.
2
Rule
Severity: Medium
The Riverbed NetProfiler must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to run an operating system release that is currently supported by the vendor.
2
Rule
Severity: Low
The Riverbed NetProfiler must be configured to conduct backups of system-level information and system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
2
Rule
Severity: Medium
Rancher MCM must allocate audit record storage and generate audit records associated with events, users, and groups.
1
Rule
Severity: Medium
The multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
2
Rule
Severity: Low
The BGP router must be configured to use its loopback address as the source address for iBGP peering sessions.
2
Rule
Severity: Medium
The MPLS router must be configured to have TTL Propagation disabled.
2
Rule
Severity: High
The PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.
2
Rule
Severity: Low
The PE router must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.
2
Rule
Severity: Low
The Multicast Source Discovery Protocol (MSDP) router must be configured to use its loopback address as the source address when originating MSDP traffic.
2
Rule
Severity: Medium
The router must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
The router must be configured to implement message authentication for all control plane protocols.
1
Rule
Severity: Medium
The BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.
1
Rule
Severity: Medium
The router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
2
Rule
Severity: Low
The router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
2
Rule
Severity: Medium
The router must not be configured to use IPv6 Site Local Unicast addresses.
2
Rule
Severity: Medium
The perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must enable the password authentication control policy to ensure password complexity controls and other password policy requirements are enforced.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally manage authentication settings.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally apply authentication settings.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally verify authentication settings.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must back up the system configuration files when configuration changes are made to the device.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) performing maintenance functions must restrict use of these functions to authorized personnel only.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must generate an alert that can be sent to security personnel when threats identified by authoritative sources (e.g., CTOs) and IAW with CJCSM 6510.01B occur.
2
Rule
Severity: Medium
The SDN controller must be configured to be deployed as a cluster and on separate physical hosts.
2
Rule
Severity: Medium
The SDN Controller must be configured to notify the forwarding device to either drop the packet or make an entry in the flow table for a received packet that does not match any flow table entries.
2
Rule
Severity: Medium
SDN controller must be configured to forward traffic based on security requirements.
2
Rule
Severity: Medium
The SDN controller must be configured to enable multi-tenant virtual networks to be fully isolated from one another.
2
Rule
Severity: Medium
The SDN controller must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: High
Southbound API control plane traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
1
Rule
Severity: High
Northbound API traffic must traverse an out-of-band path or be encrypted using a FIPS-validated cryptographic module.
1
Rule
Severity: Medium
Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must traverse an out-of-band path or be encrypted using a using a FIPS-validated cryptographic module.
1
Rule
Severity: Medium
Southbound API management plane traffic for configuring SDN parameters on physical network elements must be encrypted using a FIPS-validated cryptographic module.
1
Rule
Severity: Medium
Physical SDN controllers and servers hosting SDN applications must reside within the management network with multiple paths that are secured by a firewall to inspect all ingress traffic.
1
Rule
Severity: Low
SDN-enabled routers and switches must provide link state information to the SDN controller to create new forwarding decisions for the network elements.
1
Rule
Severity: Low
Quality of service (QoS) must be implemented on the underlying IP network to provide preferred treatment for traffic between the SDN controllers and SDN-enabled switches and hypervisors.
1
Rule
Severity: Medium
SDN controllers must be deployed as clusters and on separate physical hosts to eliminate single point of failure.
1
Rule
Severity: Low
Physical devices hosting an SDN controller must be connected to two switches for high-availability.
1
Rule
Severity: Low
SDN-enabled routers and switches must rate limit the amount of unknown data plane packets that are punted to the SDN controller.
1
Rule
Severity: Medium
All Virtual Extensible Local Area Network (VXLAN) enabled switches must be configured with the appropriate VXLAN network identifier (VNI) to ensure VMs can send and receive all associated traffic for their Layer 2 domain.
1
Rule
Severity: Medium
Virtual Extensible Local Area Network (VXLAN) identifiers must be mapped to the appropriate VLAN identifiers.
1
Rule
Severity: Medium
The proper multicast group for each Virtual Extensible Local Area Network (VXLAN) identifier must be mapped to the appropriate virtual tunnel endpoint (VTEP) so the VTEP will join the associated multicast groups.
1
Rule
Severity: Low
The virtual tunnel endpoint (VTEP) must be dual-homed to two physical network nodes.
1
Rule
Severity: Low
A secondary IP address must be specified for the virtual tunnel endpoint (VTEP) loopback interface when Virtual Extensible Local Area Network (VXLAN) enabled switches are deployed as a multi-chassis configuration.
1
Rule
Severity: Low
Two or more edge gateways must be deployed connecting the network virtualization platform (NVP) and the physical network.
1
Rule
Severity: Low
Virtual edge gateways must be deployed across multiple hypervisor hosts.
1
Rule
Severity: Low
The virtual edge gateways must be deployed with routing adjacencies established with two or more physical routers.
1
Rule
Severity: Medium
The SEL-2740S must be configured to mitigate the risk of ARP cache poisoning attacks.
1
Rule
Severity: Medium
The SEL-2740S must be configured to capture all packets without flow rule match criteria.
1
Rule
Severity: Medium
The SEL-2740S must be configured with backup flows for all host and switch flows to ensure proper failover scheme is in place for the network.
1
Rule
Severity: Medium
The SEL-2740S must be configured to forward only frames from allowed network-connected endpoint devices.
1
Rule
Severity: Medium
The SEL-2740S must be configured to maintain internal system clocks with a backup authoritative time server.
1
Rule
Severity: Medium
The SEL-2740S must be adopted by OTSDN Controller(s) and obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: Medium
The SEL-2740S must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
1
Rule
Severity: Medium
The SEL-2740S must employ automated mechanisms to assist in the tracking of security incidents.
2
Rule
Severity: Medium
Samsung Android must be configured to not allow passwords that include more than two repeating or sequential characters.
4
Rule
Severity: Medium
Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DoD-approved commercial app repository, management tool server, or mobile application store.
2
Rule
Severity: Medium
Samsung Android Work Environment must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: names.
2
Rule
Severity: Medium
The Samsung Android Work Environment allowlist must be configured to not include applications with the following characteristics:
- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);
- transmit MD diagnostic data to non-DoD servers;
- voice assistant application if available when MD is locked;
- voice dialing application if available when MD is locked;
- allows synchronization of data or applications between devices associated with user; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
2
Rule
Severity: Low
Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
2
Rule
Severity: Medium
Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: all notifications.
2
Rule
Severity: Medium
Samsung Android must be configured to disable trust agents.
NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
2
Rule
Severity: Medium
Samsung Android must be configured to disable Face Recognition.
NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
2
Rule
Severity: Medium
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes.
- Disable Move files to personal
2
Rule
Severity: Medium
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes.
- Disable Copy and Paste data
2
Rule
Severity: Medium
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes.
- Disable Sync Calendar to personal
1
Rule
Severity: Medium
Samsung Android must be configured to disable multi-user modes (tablets only).
2
Rule
Severity: Medium
The Samsung Android Work Environment must be configured to prevent users from adding personal email accounts to the work email app.
2
Rule
Severity: Medium
Samsung Android Personal Environment must be configured to enforce the system application disable list.
2
Rule
Severity: Medium
Samsung Android Work Environment must be configured to enforce the system application disable list.
6
Rule
Severity: Medium
Samsung Android must be configured to enable audit logging.
2
Rule
Severity: Medium
Samsung Android must be enrolled as a COPE/COBO device.
13
Rule
Severity: Medium
Samsung Android device users must complete required training.
2
Rule
Severity: Low
Samsung Android must be configured to enable Knox CC Mode.
2
Rule
Severity: Medium
Samsung Android must be configured to disallow configuration of Date Time.
2
Rule
Severity: Medium
Samsung Android must be configured to enforce a USB host mode exception list.
NOTE: This configuration allows DeX mode (with input devices), which is DoD-approved for use.
2
Rule
Severity: Medium
Samsung Android Work Environment must be configured to enforce that Share Via List is disabled.
2
Rule
Severity: Medium
Samsung Android must be configured to disallow outgoing beam.
2
Rule
Severity: Medium
Samsung Android Work Environment must be configured to enforce that Wi-Fi Sharing is disabled.
2
Rule
Severity: Medium
Samsung Android Work Environment must be configured to enable Certificate Revocation checking.
2
Rule
Severity: Medium
Samsung Android Work Environment must have the DoD root and intermediate PKI certificates installed.
4
Rule
Severity: Medium
Splunk Enterprise must use TCP for data transmission.
2
Rule
Severity: Medium
Splunk Enterprise must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
2
Rule
Severity: Low
Splunk Enterprise forwarders must be configured with Indexer Acknowledgement enabled.
1
Rule
Severity: Medium
Samsung Android Work Environment must be configured to enable audit logging.
1
Rule
Severity: Medium
Samsung Android Work Environment must be configured to disable the autofill services.
2
Rule
Severity: Medium
Samsung Android Work Environment must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.
13
Rule
Severity: High
The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.
1
Rule
Severity: Medium
The Samsung SDS EMM must be configured to communicate the following commands to the MDM Agent: read audit logs kept by the MD.
1
Rule
Severity: Medium
The Samsung SDS EMM must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.
1
Rule
Severity: High
The Samsung SDS EMM server must be maintained at a supported version.
1
Rule
Severity: Medium
The reverse proxy Symantec ProxySG providing intermediary services for FTP must inspect inbound FTP communications traffic for protocol compliance and protocol anomalies.
1
Rule
Severity: Medium
Symantec ProxySG providing intermediary services for FTP must inspect outbound FTP communications traffic for protocol compliance and protocol anomalies.
1
Rule
Severity: Medium
Symantec ProxySG providing intermediary services for HTTP must inspect inbound HTTP traffic for protocol compliance and protocol anomalies.
1
Rule
Severity: Medium
Symantec ProxySG providing intermediary services for HTTP must inspect outbound HTTP traffic for protocol compliance and protocol anomalies.
4
Rule
Severity: Medium
Samsung Android must be enrolled as a COBO device.
6
Rule
Severity: Medium
Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.
6
Rule
Severity: Low
Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
10
Rule
Severity: Medium
Samsung Android must be configured to disallow configuration of the device's date and time.
4
Rule
Severity: Medium
Samsung Android must have the DOD root and intermediate PKI certificates installed.
4
Rule
Severity: Medium
Samsung Android must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
5
Rule
Severity: Medium
Samsung Android must be configured to prevent users from adding personal email accounts to the work email app.
4
Rule
Severity: Medium
Samsung Android must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.
9
Rule
Severity: Medium
Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DOD-approved commercial app repository, management tool server, or mobile application store.
4
Rule
Severity: Low
Samsung Android must be configured to enable Common Criteria (CC) mode.
4
Rule
Severity: Medium
Samsung Android must be enrolled as a COPE device.
5
Rule
Severity: Medium
Samsung Android's Work profile must have the DOD root and intermediate PKI certificates installed.
4
Rule
Severity: Medium
Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
5
Rule
Severity: Medium
Samsung Android's Work profile must be configured to enable audit logging.
6
Rule
Severity: Medium
Samsung Android's Work profile must be configured to prevent users from adding personal email accounts to the work email app.
5
Rule
Severity: Medium
Samsung Android's Work profile must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.
4
Rule
Severity: Low
Samsung Android's Work profile must be configured to enable Common Criteria (CC) mode.
2
Rule
Severity: Medium
Tanium endpoint files must be excluded from on-access antivirus actions.
2
Rule
Severity: Medium
The Tanium Client Deployment Tool (CDT) must not be configured to use the psexec method of deployment.
2
Rule
Severity: Medium
Tanium endpoint files must be protected from file encryption actions.
4
Rule
Severity: Medium
Tanium endpoint files must be excluded from host-based intrusion prevention intervention.
2
Rule
Severity: Medium
Tanium Server files must be excluded from on-access antivirus actions.
2
Rule
Severity: Medium
Tanium Server files must be protected from file encryption actions.
4
Rule
Severity: Medium
Tanium Server files must be excluded from host-based intrusion prevention intervention.
1
Rule
Severity: Medium
Symantec ProxySG must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1
Rule
Severity: Medium
Symantec ProxySG must employ automated mechanisms to centrally verify authentication settings.
1
Rule
Severity: Medium
Accounts for device management must be configured on the authentication server and not on Symantec ProxySG itself, except for the account of last resort.
1
Rule
Severity: Medium
Symantec ProxySG must use Role-Based Access Control (RBAC) to assign privileges to users for access to files and functions.
1
Rule
Severity: Medium
Symantec ProxySG must employ automated mechanisms to centrally apply authentication settings.
1
Rule
Severity: Medium
Symantec ProxySG must support organizational requirements to conduct backups of system level information contained in the ProxySG when changes occur or weekly, whichever is sooner.
1
Rule
Severity: Medium
Symantec ProxySG must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: Medium
Symantec ProxySG must configure the maintenance and health monitoring to send an alarm when a critical condition occurs for a component.
2
Rule
Severity: Medium
Tanium Client processes must be excluded from On-Access scan.
2
Rule
Severity: Medium
Tanium Server processes must be excluded from On-Access scan.
2
Rule
Severity: Medium
Tanium Client directory and subsequent files must be excluded from On-Access scan.
2
Rule
Severity: Medium
Tanium endpoint files must be excluded from host-based intrusion prevention system (HIPS) intervention.
2
Rule
Severity: Medium
Tanium Client processes must be excluded from on-access scan.
2
Rule
Severity: Medium
Tanium Client directory and subsequent files must be excluded from on-access scan.
2
Rule
Severity: Medium
Tanium Server directory and subsequent files must be excluded from On-Access scan.
2
Rule
Severity: Medium
The TippingPoint SMS must be configured to synchronize internal information system clocks using redundant authoritative time sources.
2
Rule
Severity: High
The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
2
Rule
Severity: Medium
The TippingPoint SMS must be configured to conduct backups of system level information contained in the information system when changes occur.
2
Rule
Severity: Medium
The TippingPoint SMS must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
2
Rule
Severity: Medium
The TippingPoint SMS must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
2
Rule
Severity: Medium
Tanium Server directory and subsequent files must be excluded from on-access scan.
2
Rule
Severity: Medium
Tanium Server processes must be excluded from on-access scan.
2
Rule
Severity: Medium
The UEM Agent must record the reference identifier of the UEM Server during the enrollment process.
2
Rule
Severity: Medium
The UEM Agent must perform the following functions:
-enroll in management
-configure whether users can unenroll from management
-configure periodicity of reachability events.
2
Rule
Severity: Medium
The UEM Agent must be configured to perform one of the following actions upon an attempt to unenroll the mobile device from management:
-prevent the unenrollment from occurring
-wipe the device to factory default settings
-wipe the work profile with all associated applications and data.
2
Rule
Severity: Medium
The TippingPoint SMS must be running an operating system release that is currently supported by the vendor.
1
Rule
Severity: High
The TippingPoint SMS must automatically generate audit records for account changes and actions with containing information needed for analysis of the event that occurred on the SMS and TPS.
1
Rule
Severity: Medium
The Horizon Agent must only run allowed scripts on user connect.
1
Rule
Severity: Medium
The Horizon Agent must only run allowed scripts on user disconnect.
1
Rule
Severity: Medium
The Horizon Agent must only run allowed scripts on user reconnect.
1
Rule
Severity: Medium
The Horizon Agent must check the entire chain when validating certificates.
1
Rule
Severity: Medium
The Horizon Agent must set an idle timeout.
1
Rule
Severity: Medium
The Horizon Agent must block server to client clipboard actions for Blast.
1
Rule
Severity: Medium
The Horizon Agent must block server to client clipboard actions for PCoIP.
1
Rule
Severity: Medium
The Horizon Agent must not allow file transfers through HTML Access.
1
Rule
Severity: Medium
The Horizon Agent must not allow drag and drop for Blast.
1
Rule
Severity: Medium
The Horizon Agent must not allow drag and drop for PCoIP.
1
Rule
Severity: Medium
The Horizon Agent must audit clipboard actions for Blast.
1
Rule
Severity: Medium
The Horizon Agent must audit clipboard actions for PCoIP.
1
Rule
Severity: Medium
The Horizon Agent desktops must not allow client drive redirection.
1
Rule
Severity: Medium
The Horizon Agent must block USB mass storage.
1
Rule
Severity: Medium
The Horizon Client must not connect to servers without fully verifying the server certificate.
1
Rule
Severity: Medium
The Horizon Client must not show the Log in as current user option.
2
Rule
Severity: Medium
The UEM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
The UEM server must be configured to allow authorized administrators to read all audit data from audit records on the server.
1
Rule
Severity: Medium
The NSX-T Manager must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1
Rule
Severity: Medium
The NSX-T Manager must generate log records for the info level to capture the DoD-required auditable events.
1
Rule
Severity: High
The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.
1
Rule
Severity: Medium
The NSX-T Manager must be configured to conduct backups on an organizationally defined schedule.
1
Rule
Severity: Medium
The NSX-T Manager must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1
Rule
Severity: Medium
The NSX-T Manager must obtain its public key certificates from an approved DoD certificate authority.
1
Rule
Severity: High
The NSX-T Manager must be running a release that is currently supported by the vendor.
1
Rule
Severity: Medium
The Horizon Client must not ignore certificate revocation problems.
1
Rule
Severity: Medium
The Horizon Client must require TLS connections.
1
Rule
Severity: Medium
The Horizon Client must use approved ciphers.
1
Rule
Severity: Medium
The Horizon Client must not allow command line credentials.
1
Rule
Severity: Medium
The Horizon Connection Server must reauthenticate users after a network interruption.
1
Rule
Severity: Medium
The Horizon Connection Server must disconnect users after a maximum of ten hours.
1
Rule
Severity: Medium
The Horizon Connection Server must disconnect applications after two hours of idle time.
1
Rule
Severity: Medium
The Horizon Connection Server must discard SSO credentials after 15 minutes.
1
Rule
Severity: Medium
The Horizon Connection Server must not accept pass-through client credentials.
1
Rule
Severity: Medium
The Horizon Connection Server must require DoD PKI for client logins.
1
Rule
Severity: Medium
The Horizon Connection Server must backup its configuration daily.
1
Rule
Severity: Medium
The Horizon Connection Server Instant Clone domain account must be configured with limited permissions.
1
Rule
Severity: Medium
The Horizon Connection Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
The Horizon Connection Server must have X-Frame-Options enabled.
1
Rule
Severity: Medium
The Horizon Connection Server must have Origin Checking enabled.
1
Rule
Severity: Medium
The Horizon Connection Server must enable the Content Security Policy.
1
Rule
Severity: Medium
The Horizon Connection Server must enable the proper Content Security Policy directives.
1
Rule
Severity: Medium
The PCoIP Secure Gateway must be configured with a DoD-issued TLS certificate.
1
Rule
Severity: Medium
The Horizon Connection Server must not allow unauthenticated access.
1
Rule
Severity: Medium
The Horizon Connection Server must require CAC reauthentication after user idle timeouts.
1
Rule
Severity: Medium
The Horizon Connection Server must be configured to restrict USB passthrough access.
1
Rule
Severity: Medium
The Horizon Connection Server must prevent MIME type sniffing.
1
Rule
Severity: Medium
The NSX-T Controller cluster must be on separate physical hosts.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway must be configured to implement message authentication for all control plane protocols.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway must be configured to use a unique key for each autonomous system (AS) with which it peers.
1
Rule
Severity: Low
The NSX-T Tier-0 Gateway must be configured to use its loopback address as the source address for iBGP peering sessions.
1
Rule
Severity: Medium
The Workspace ONE UEM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Workspace ONE UEM server install).
1
Rule
Severity: Medium
The Workspace ONE UEM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, or auditor.
1
Rule
Severity: High
The Workspace ONE UEM server must be maintained at a supported version.
2
Rule
Severity: High
The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
1
Rule
Severity: High
The VPN Gateway must not accept certificates that have been revoked when using PKI for authentication.
2
Rule
Severity: Medium
The Apache web server must have system logging enabled.
2
Rule
Severity: High
The account used to run the Apache web server must not have a valid login shell and password defined.
2
Rule
Severity: Medium
The Apache web server htpasswd files (if present) must reflect proper ownership and permissions.
2
Rule
Severity: Low
STRICT_SERVLET_COMPLIANCE must be set to true.
2
Rule
Severity: Low
RECYCLE_FACADES must be set to true.
2
Rule
Severity: Medium
ALLOW_BACKSLASH must be set to false.
2
Rule
Severity: Medium
ENFORCE_ENCODING_IN_GET_WRITER must be set to true.
2
Rule
Severity: Medium
Tomcat users in a management role must be approved by the ISSO.
2
Rule
Severity: Low
Hosted applications must be documented in the system security plan.
2
Rule
Severity: Low
Connectors must be approved by the ISSO.
2
Rule
Severity: Low
Connector address attribute must be set.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (managed applications data stored in iCloud).
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (enterprise books).
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must be configured to not allow passwords that include more than four repeating or sequential characters.
1
Rule
Severity: Medium
Apple iOS/iPadOS 16 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
1
Rule
Severity: Medium
The Apple iOS/iPadOS 16 allow list must be configured to not include applications with the following characteristics:
- backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- transmits MD diagnostic data to non-DOD servers;
- allows synchronization of data or applications between devices associated with user; and
- allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
1
Rule
Severity: Medium
Apple iOS/iPadOS 16 must be configured to wipe enterprise data and apps upon unenrollment from MDM.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 16 Mail app.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Treat AirDrop as an unmanaged destination.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 users must complete required training.
3
Rule
Severity: Low
Apple iOS/iPadOS 16 must not allow managed apps to write contacts to unmanaged contacts accounts.
3
Rule
Severity: Low
Apple iOS/iPadOS 16 must not allow unmanaged apps to read contacts from managed contacts accounts.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable copy/paste of data from managed to unmanaged applications.
1
Rule
Severity: Medium
The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the BYOAD access to DOD information and IT resources.
1
Rule
Severity: Medium
The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD native security controls are disabled.
1
Rule
Severity: Medium
The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if known malicious, blocked, or prohibited applications are installed on the BYOAD (DOD-managed segment only).
1
Rule
Severity: Medium
The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD is configured to access nonapproved third-party applications stores (DOD-managed segment only).
1
Rule
Severity: Medium
The EMM detection/monitoring system must use continuous monitoring of enrolled iOS/iPadOS 16 BYOAD.
1
Rule
Severity: Medium
The iOS/iPadOS 16 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects native security controls are disabled.
1
Rule
Severity: Medium
The iOS/iPadOS 16 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects the BYOAD device has known malicious, blocked, or prohibited applications or is configured to access nonapproved managed third-party applications stores.
1
Rule
Severity: Medium
The iOS/iPadOS 16 BYOAD must be configured so that managed data and apps are removed if the device is no longer receiving security or software updates.
1
Rule
Severity: Low
The iOS/iPadOS 16 BYOAD must be configured to protect users' privacy, personal information, and applications.
1
Rule
Severity: Low
The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to only wipe managed data and apps and not unmanaged data and apps when the user's access is revoked or terminated, the user no longer has the need to access DOD data or IT, or the user reports a registered device as lost, stolen, or showing indicators of compromise.
1
Rule
Severity: High
The EMM system supporting the iOS/iPadOS 16 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an approved Exception to Policy (E2P).
5
Rule
Severity: Low
The User Agreement must include a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools.
5
Rule
Severity: High
The mobile device used for BYOAD must be NIAP validated.
1
Rule
Severity: Medium
Apple iOS/iPadOS 17 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
1
Rule
Severity: Medium
Apple iOS/iPadOS 17 must [selection: remove Enterprise application, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must not include applications with the following characteristics: access to Siri when the device is locked.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 allow list must be configured to not include applications with the following characteristics: - backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services);- transmits MD diagnostic data to non-DOD servers;- allows synchronization of data or applications between devices associated with user; and- allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
2
Rule
Severity: Medium
Apple iPadOS 17 must be configured to disable multiuser modes.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: limit Ad Tracking.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: not allow automatic completion of Safari browser passcodes.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must implement the management setting: Encrypt backups/Encrypt local backup.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: not allow use of Handoff.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: not allow use of iPhone widgets on Mac.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must implement the management setting: Disable Allow MailDrop.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 17 Mail app.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must implement the management setting: Treat AirDrop as an unmanaged destination.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: not have any Family Members in Family Sharing.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 users must complete required training.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must implement the management setting: enable USB Restricted Mode.
3
Rule
Severity: Low
Apple iOS/iPadOS 17 must not allow managed apps to write contacts to unmanaged contacts accounts.
3
Rule
Severity: Low
Apple iOS/iPadOS 17 must not allow unmanaged apps to read contacts from managed contacts accounts.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: disable AirDrop.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must implement the management setting: disable paired Apple Watch.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must implement the management setting: approved Apple Watches must be managed by an MDM.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must disable "Password AutoFill" in browsers and applications.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must disable allow setting up new nearby devices.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must disable password proximity requests.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must disable password sharing.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must disable "Find My Friends" in the "Find My" app.
2
Rule
Severity: Medium
The Apple iOS/iPadOS 17 must be supervised by the MDM.
3
Rule
Severity: Medium
Apple iOS must implement the management setting: not allow a user to remove Apple iOS configuration profiles that enforce DOD security requirements.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must disable "Allow network drive access in Files access".
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must disable connections to Siri servers for the purpose of dictation.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must disable connections to Siri servers for the purpose of translation.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must disable copy/paste of data from managed to unmanaged applications.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must have DOD root and intermediate PKI certificates installed.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must not allow backup to remote systems (iCloud document and data synchronization).
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must not allow backup to remote systems (iCloud Keychain).
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must not allow backup to remote systems (Cloud Photo Library).
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud document and data synchronization).
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Keychain).
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (My Photo Stream).
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Photo Streams).
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must [selection: remove Enterprise application, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store].
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not include applications with the following characteristics: access to Siri when the device is locked.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 allow list must be configured to not include applications with the following characteristics: allow voice dialing when MD is locked.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DoD servers; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must be configured to disable multiuser modes.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: limit Ad Tracking.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: Not allow automatic completion of Safari browser passcodes.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: not allow use of Handoff.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Disable Allow MailDrop.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: Not have any Family Members in Family Sharing.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Enable USB Restricted Mode.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: Disable AirDrop.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Disable paired Apple Watch.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable Password AutoFill in browsers and applications.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable allow setting up new nearby devices.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable password proximity requests.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable password sharing.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must disable Find My Friends in the Find My app.
2
Rule
Severity: Medium
The Apple iOS/iPadOS 16 must be supervised by the MDM.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DoD-approved USB storage drives with iOS/iPadOS devices.
2
Rule
Severity: Medium
Apple iOS must implement the management setting: Not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable "Allow network drive access in Files access".
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable connections to Siri servers for the purpose of dictation.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable connections to Siri servers for the purpose of translation.
4
Rule
Severity: High
The macOS system must be integrated into a directory services infrastructure.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Stream or Shared Photo Stream).
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must not allow backup to remote systems (managed applications data stored in iCloud).
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must not allow backup to remote systems (enterprise books).
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DOD-approved USB storage drives with iOS/iPadOS devices.
3
Rule
Severity: Medium
The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.
3
Rule
Severity: Medium
The macOS system must be configured to disable password forwarding for FileVault.
4
Rule
Severity: Medium
The macOS system must disable the Screen Sharing feature.
1
Rule
Severity: Medium
The macOS system must allow only applications that have a valid digital signature to run.
4
Rule
Severity: Medium
The macOS system must not allow an unattended or automatic logon to the system.
4
Rule
Severity: Medium
The macOS system must set permissions on user home directories to prevent users from having access to read or modify another user's files.
4
Rule
Severity: High
The macOS system must use an approved antivirus program.
4
Rule
Severity: Medium
The macOS system must be configured to prevent displaying password hints.
4
Rule
Severity: Medium
The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.
4
Rule
Severity: Medium
The macOS system must be configured so that the login command requires smart card authentication.
4
Rule
Severity: Medium
The macOS system must be configured so that the su command requires smart card authentication.
4
Rule
Severity: Medium
The macOS system must be configured so that the sudo command requires smart card authentication.
1
Rule
Severity: High
The macOS system must be configured with the sudoers file configured to authenticate users on a per -tty basis.
4
Rule
Severity: Medium
The macOS Application Firewall must be enabled.
1
Rule
Severity: Medium
The macOS system must restrict the ability to utilize external writeable media devices.
1
Rule
Severity: Low
The macOS system logon window must be configured to prompt for username and password, rather than show a list of users.
4
Rule
Severity: Low
The macOS system must restrict the ability of individuals to write to external optical media.
1
Rule
Severity: Medium
The macOS system must be integrated into a directory services infrastructure.
3
Rule
Severity: Medium
The macOS system must only allow applications with a valid digital signature to run.
3
Rule
Severity: Medium
The macOS system must restrict the ability of individuals to use USB storage devices.
3
Rule
Severity: Medium
The macOS system logon window must be configured to prompt for username and password.
1
Rule
Severity: Medium
CylancePROTECT Mobile malware detection must be configured with the following compliance actions for system apps (Android only):
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
1
Rule
Severity: Medium
CylancePROTECT Mobile malware detection must be configured with the following compliance actions for nonsystem apps (Android only):
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured with the following compliance action when a compliance event occurs:
-Notify Administrator (send event notification).
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured with the following compliance actions when sideloaded apps are detected:
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured with the following safe browsing controls for BlackBerry Dynamics apps:
-Block all unsafe URLs
-Select one of the following for "scanning option": "Cloud scanning" or "On device scanning".
-Disable "Allow users to override blocked resources and enable access to the requested domain".
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured with the following compliance actions when insecure networks are detected for mobile devices:
-Block device from network connection and insecure Wi-Fi access points.
-Block access to BlackBerry Dynamics apps.
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured with the following compliance actions for integrity violations with BlackBerry Dynamics apps on iOS devices:
-Prompt for compliance: Immediate enforcement action
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured with the following Android security patch compliance and hardware certificate attestation controls:
-"Android hardware attestation frequency" = 6 hours
-"Device grace period" = 0 hours
-"Challenge frequency for noncompliant devices" = 6 hours.
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured with the following compliance actions when an Android device fails security patch compliance and attestation:
-Prompt behavior: Immediate enforcement action.
-Enforcement action for device: Select either "Untrust", "Delete only work data" or "Delete all data".
-Enforcement action for BlackBerry Dynamics apps: Select either "Do not allow BlackBerry Dynamics apps to run" or "Delete BlackBerry Dynamics apps data".
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation failure occurs (Android only):
-Prompt for compliance: Immediate enforcement action.
-Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run.
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation certificate failure occurs (Android only):
-Minimum security level required: "Trusted Environment" or "StrongBox"
-Prompt behavior: "Immediate enforcement action".
-Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation boot state failure occurs (Android only):
-Prompt behavior: "Immediate enforcement action".
-Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured to disable anonymous data collection by BlackBerry for both iOS and Android devices.
1
Rule
Severity: Medium
CylancePROTECT Mobile must be configured to enable SMS text message scanning (iOS only).
3
Rule
Severity: Low
The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
2
Rule
Severity: Medium
The macOS system must disable unattended or automatic log on to the system.
2
Rule
Severity: Medium
The macOS system must secure user's home folders.
3
Rule
Severity: Medium
The macOS system must enable firmware password.
2
Rule
Severity: Medium
The macOS system must enable the application firewall.
2
Rule
Severity: Medium
The macOS system must enforce enrollment in mobile device management.
2
Rule
Severity: Medium
The macOS system must enable recovery lock.
3
Rule
Severity: Medium
The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
3
Rule
Severity: Medium
The Ubuntu operating system must prevent the use of dictionary words for passwords.
1
Rule
Severity: Medium
The Ubuntu Operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.
1
Rule
Severity: High
The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
1
Rule
Severity: High
The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence.
1
Rule
Severity: High
The Ubuntu operating system must not allow unattended or automatic login via ssh.
1
Rule
Severity: Medium
The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can only read and modify their own files.
1
Rule
Severity: Medium
The Ubuntu operating system must enable and run the uncomplicated firewall(ufw).
1
Rule
Severity: Medium
The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
3
Rule
Severity: Medium
The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
1
Rule
Severity: Medium
All local interactive user home directories defined in the /etc/passwd file must exist.
1
Rule
Severity: Medium
All local interactive user home directories must have mode 0750 or less permissive.
1
Rule
Severity: Medium
All local interactive user home directories must be group-owned by the home directory owners primary group.
3
Rule
Severity: High
The Ubuntu operating system must not have accounts configured with blank or null passwords.
3
Rule
Severity: High
The Ubuntu operating system must not allow accounts configured with blank or null passwords.
2
Rule
Severity: Medium
The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files.
2
Rule
Severity: High
The Ubuntu operating system must not allow unattended or automatic login via SSH.
2
Rule
Severity: High
The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
2
Rule
Severity: Medium
The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.
2
Rule
Severity: Medium
The Ubuntu operating system must have an application firewall enabled.
2
Rule
Severity: High
The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
2
Rule
Severity: High
The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence.
2
Rule
Severity: Medium
The Cisco ASA must be configured to use TCP when sending log records to the central audit server.
2
Rule
Severity: Medium
The Cisco ASA must be configured to inspect all inbound and outbound traffic at the application layer.
2
Rule
Severity: Medium
The Cisco ASA must be configured to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers.
2
Rule
Severity: Medium
The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1
Rule
Severity: High
The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication.
2
Rule
Severity: High
The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations.
3
Rule
Severity: Low
The Cisco BGP router must be configured to use its loopback address as the source address for iBGP peering sessions.
3
Rule
Severity: Low
The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.
4
Rule
Severity: Low
The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
6
Rule
Severity: Medium
The Cisco MPLS router must be configured to have TTL Propagation disabled.
3
Rule
Severity: High
The Cisco PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.
3
Rule
Severity: High
The Cisco PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).
3
Rule
Severity: Medium
The Cisco PE router must be configured to have each VRF with the appropriate Route Distinguisher (RD).
2
Rule
Severity: High
The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.
6
Rule
Severity: Medium
The Cisco router must be configured to back up the configuration when changes occur.
4
Rule
Severity: Medium
The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
6
Rule
Severity: High
The Cisco router must be running an IOS release that is currently supported by Cisco Systems.
3
Rule
Severity: Low
The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to use a loopback address as the source address when originating MSDP traffic.
6
Rule
Severity: Medium
The Cisco router must be configured to have Cisco Express Forwarding enabled.
6
Rule
Severity: Low
The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
6
Rule
Severity: Medium
The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
6
Rule
Severity: Low
The Cisco switch must have Storm Control configured on all host-facing switchports.
6
Rule
Severity: Low
The Cisco switch must have IGMP or MLD Snooping configured on all VLANs.
2
Rule
Severity: Medium
The Cisco switch must implement Rapid Spanning Tree Protocol (STP) where VLANs span multiple switches with redundant links.
6
Rule
Severity: Medium
The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
4
Rule
Severity: Medium
The Cisco switch must have all trunk links enabled statically.
3
Rule
Severity: Medium
The Cisco switch must have all disabled switch ports assigned to an unused VLAN.
3
Rule
Severity: Medium
The Cisco switch must not have the default VLAN assigned to any host-facing switch ports.
3
Rule
Severity: Medium
The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it.
3
Rule
Severity: Medium
The Cisco switch must not use the default VLAN for management traffic.
3
Rule
Severity: Medium
The Cisco switch must have all user-facing or untrusted ports configured as access switch ports.
3
Rule
Severity: Medium
The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
3
Rule
Severity: Low
The Cisco switch must not have any switchports assigned to the native VLAN.
4
Rule
Severity: Medium
The Cisco switch must be configured to have Cisco Express Forwarding enabled.
6
Rule
Severity: Low
The Cisco switch must be configured to advertise a hop limit of at least 32 in Switch Advertisement messages for IPv6 stateless auto-configuration deployments.
6
Rule
Severity: Medium
The Cisco switch must not be configured to use IPv6 Site Local Unicast addresses.
6
Rule
Severity: Medium
The Cisco perimeter switch must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
2
Rule
Severity: Medium
The Cisco switch must implement Rapid STP where VLANs span multiple switches with redundant links.
6
Rule
Severity: Medium
The Cisco switch must be configured to support organizational requirements to conduct backups of the configuration when changes occur.
3
Rule
Severity: Medium
The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
6
Rule
Severity: High
The Cisco switch must be running an IOS release that is currently supported by Cisco Systems.
2
Rule
Severity: Low
The Cisco MPLS router must be configured to synchronize Interior Gateway Protocol (IGP) and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
1
Rule
Severity: Medium
The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.
2
Rule
Severity: Medium
The Cisco ISE must be configured to synchronize internal information system clocks using redundant authoritative time sources.
2
Rule
Severity: Medium
The Cisco ISE must enforce access restrictions associated with changes to the firmware, OS, and hardware components.
2
Rule
Severity: Medium
The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.
2
Rule
Severity: Medium
The Cisco ISE must be running an operating system release that is currently supported by the vendor.
2
Rule
Severity: Medium
The Cisco ISE must generate log records for a locally developed list of auditable events.
1
Rule
Severity: Medium
The Cisco ISE must be configured to conduct backups of system level information contained in the information system when changes occur.
1
Rule
Severity: Low
The Cisco ISE must conduct backups of information system documentation, including security-related configuration files when changes occur or weekly, whichever is sooner.
2
Rule
Severity: Medium
The Cisco ISE must use DoD-approved PKI rather than proprietary or self-signed device certificates.
4
Rule
Severity: High
The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.
4
Rule
Severity: Low
The Cisco PE router must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.
4
Rule
Severity: Medium
The Cisco BGP switch must be configured to use a unique key for each autonomous system (AS) that it peers with.
3
Rule
Severity: Low
The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions.
3
Rule
Severity: Low
The Cisco MPLS switch must be configured to use its loopback address as the source address for LDP peering sessions.
4
Rule
Severity: Low
The Cisco MPLS switch must be configured to synchronize Interior Gateway Protocol (IGP) and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
4
Rule
Severity: Medium
The Cisco MPLS switch must be configured to have TTL Propagation disabled.
3
Rule
Severity: High
The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.
3
Rule
Severity: High
The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).
3
Rule
Severity: Medium
The Cisco PE switch must be configured to have each VRF with the appropriate Route Distinguisher (RD).
3
Rule
Severity: High
The Cisco PE switch providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.
3
Rule
Severity: High
The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.
2
Rule
Severity: Low
The Cisco PE switch must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.
3
Rule
Severity: Low
The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to use a loopback address as the source address when originating MSDP traffic.
1
Rule
Severity: High
The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate pseudowire ID for each attachment circuit.
2
Rule
Severity: Medium
The Cisco BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.
2
Rule
Severity: Medium
The Cisco ISE must perform continuous detection and tracking of endpoint devices attached to the network. This is required for compliance with C2C Step 1.
2
Rule
Severity: High
The Cisco ISE must enforce posture status assessment for posture required clients defined in the NAC System Security Plan (SSP). This is required for compliance with C2C Step 3.
2
Rule
Severity: High
The Cisco ISE must have a posture policy for posture required clients defined in the NAC System Security Plan (SSP). This is required for compliance with C2C Step 2.
1
Rule
Severity: Medium
The Cisco switch must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.
2
Rule
Severity: Medium
The Cisco switch must be configured to implement message authentication for all control plane protocols.
2
Rule
Severity: Medium
The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
2
Rule
Severity: Medium
The Cisco multicast Designated switch (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
2
Rule
Severity: Medium
The container platform must provide the configuration for organization-identified individuals or roles to change the auditing to be performed on all components, based on all selectable event criteria within organization-defined time thresholds.
2
Rule
Severity: Medium
Container platform components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
The container platform must be able to store and instantiate industry standard container images.
2
Rule
Severity: Medium
The container platform must continuously scan components, containers, and images for vulnerabilities.
2
Rule
Severity: Medium
The DBMS must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
2
Rule
Severity: Medium
Google Android 13 must be configured to enforce an application installation policy by specifying one or more authorized application repositories.
2
Rule
Severity: Medium
Google Android 13 allowlist must be configured to not include applications with the following characteristics (work profile only):
1. Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services);
2. Transmit MD diagnostic data to non-DOD servers;
3. Voice assistant application if available when MD is locked;
4. Voice dialing application if available when MD is locked;
5. Allows synchronization of data or applications between devices associated with user; and
6. Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
2
Rule
Severity: Medium
Google Android 13 must have the DOD root and intermediate PKI certificates installed (work profile only).
2
Rule
Severity: Medium
The Google Android 13 work profile must be configured to enforce the system application disable list (work profile only).
2
Rule
Severity: Medium
Google Android 13 must be provisioned as a BYOAD device (Android work profile for employee-owned devices [BYOD]).
2
Rule
Severity: Medium
The Google Android 13 work profile must be configured to disable automatic completion of workspace internet browser text input.
2
Rule
Severity: Medium
The EMM system supporting the Google Android 13 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
2
Rule
Severity: Medium
The EMM system supporting the Google Android 13 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the Google Android 13 BYOAD access to DOD information and IT resources.
2
Rule
Severity: Medium
The EMM system supporting the Google Android 13 BYOAD must be configured to detect if the Google Android 13 BYOAD native security controls are disabled.
2
Rule
Severity: Medium
The EMM system supporting the Google Android 13 BYOAD must be configured to detect if known malicious applications, blocked, or prohibited applications are installed on the Google Android 13 BYOAD (DOD-managed segment only).
2
Rule
Severity: Medium
The EMM detection/monitoring system must use continuous monitoring of enrolled Google Android 13 BYOAD.
2
Rule
Severity: Medium
The Google Android 13 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects native security controls are disabled.
2
Rule
Severity: Medium
The Google Android 13 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects the Google Android 13 BYOAD device has known malicious, blocked, or prohibited applications, or configured to access nonapproved third-party applications stores in the work profile.
2
Rule
Severity: Medium
The Google Android 13 BYOAD must be configured so that the work profile is removed if the device is no longer receiving security or software updates.
2
Rule
Severity: High
The EMM system supporting the Google Android 13 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an Approved Exception to Policy (E2P).
2
Rule
Severity: Medium
Network prediction must be disabled.
2
Rule
Severity: High
The HPE Nimble must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
2
Rule
Severity: Medium
The HPE Nimble must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
2
Rule
Severity: High
The HPE Nimble must be running an operating system release that is currently supported by the vendor.
2
Rule
Severity: Medium
The HPE Nimble must be configured to synchronize internal information system clocks using an authoritative time source.
2
Rule
Severity: Low
Android 13 devices must be configured to disable the use of third-party keyboards (work profile only).
2
Rule
Severity: Medium
The Google Android 13 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).
4
Rule
Severity: Medium
Google Android 14 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
4
Rule
Severity: Medium
Google Android 14 allowlist must be configured to not include applications with the following characteristics:
- Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers.
4
Rule
Severity: Medium
Google Android 14 must be configured to disable multiuser modes.
5
Rule
Severity: Medium
Google Android 14 users must complete required training.
4
Rule
Severity: Medium
Google Android 14 must be configured to enforce that Wi-Fi Sharing is disabled.
4
Rule
Severity: Medium
Google Android 14 must have the DOD root and intermediate PKI certificates installed.
4
Rule
Severity: Medium
The Google Android 14 work profile must be configured to enforce the system application disable list.
4
Rule
Severity: Medium
Google Android 14 must be configured to disallow configuration of date and time.
4
Rule
Severity: High
Android 14 devices must have the latest available Google Android 14 operating system installed.
4
Rule
Severity: Low
Android 14 devices must be configured to disable the use of third-party keyboards.
4
Rule
Severity: Low
Android 14 devices must be configured to enable Common Criteria Mode (CC Mode).
4
Rule
Severity: Medium
The Google Android 14 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.
3
Rule
Severity: Medium
The Google Android 14 work profile must be configured to prevent users from adding personal email accounts to the work email app.
2
Rule
Severity: Medium
Google Android 14 must be provisioned as a fully managed device and configured to create a work profile.
3
Rule
Severity: Medium
The Google Android 14 work profile must be configured to disable automatic completion of workspace internet browser text input.
3
Rule
Severity: Medium
The Google Android 14 work profile must be configured to disable the autofill services.
2
Rule
Severity: Medium
The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.
2
Rule
Severity: Medium
The operating system must prevent the use of dictionary words for passwords.
2
Rule
Severity: Medium
The operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
2
Rule
Severity: Medium
The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
2
Rule
Severity: High
The operating system must not allow an unattended or automatic logon to the system.
2
Rule
Severity: Medium
The operating system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
2
Rule
Severity: Medium
The operating system must enable an application firewall, if available.
2
Rule
Severity: Medium
SSMC must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
2
Rule
Severity: High
The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.
2
Rule
Severity: Medium
AIX system must prevent the root account from directly logging in except from the system console.
2
Rule
Severity: Medium
All AIX public directories must be owned by root or an application account.
2
Rule
Severity: Medium
AIX administrative accounts must not run a web browser, except as needed for local service administration.
2
Rule
Severity: Medium
AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
2
Rule
Severity: Medium
The AIX root account must not have world-writable directories in its executable search path.
2
Rule
Severity: Medium
The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID.
2
Rule
Severity: Medium
UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems.
2
Rule
Severity: Medium
The AIX root accounts list of preloaded libraries must be empty.
2
Rule
Severity: High
AIX must not have accounts configured with blank or null passwords.
2
Rule
Severity: Medium
The AIX root accounts home directory (other than /) must have mode 0700.
2
Rule
Severity: Medium
The AIX root accounts home directory must not have an extended ACL.
2
Rule
Severity: Medium
The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups.
2
Rule
Severity: Medium
All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions.
2
Rule
Severity: Medium
AIX nosuid option must be enabled on all NFS client mounts.
2
Rule
Severity: Medium
AIX must prevent the use of dictionary words for passwords.
2
Rule
Severity: Medium
The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
2
Rule
Severity: Medium
If SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf config file.
2
Rule
Severity: Medium
AIX must require passwords to contain no more than three consecutive repeating characters.
2
Rule
Severity: Medium
AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option.
2
Rule
Severity: Medium
AIX audit logs must be rotated daily.
2
Rule
Severity: Medium
AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
2
Rule
Severity: Medium
IP forwarding for IPv4 must not be enabled on AIX unless the system is a router.
2
Rule
Severity: Medium
AIX must be configured with a default gateway for IPv6 if the system uses IPv6 unless the system is a router.
2
Rule
Severity: Medium
AIX must not have IP forwarding for IPv6 enabled unless the system is an IPv6 router.
2
Rule
Severity: Medium
The inetd.conf file on AIX must be owned by root.
2
Rule
Severity: Medium
AIX cron and crontab directories must be owned by root or bin.
2
Rule
Severity: Medium
AIX audio devices must be group-owned by root, sys, bin, or system.
2
Rule
Severity: Medium
AIX time synchronization configuration file must be owned by root.
2
Rule
Severity: Medium
AIX time synchronization configuration file must be group-owned by bin, or system.
2
Rule
Severity: Medium
The AIX /etc/group file must be owned by root.
2
Rule
Severity: Medium
The AIX /etc/group file must be group-owned by security.
2
Rule
Severity: Medium
All AIX interactive users home directories must be owned by their respective users.
2
Rule
Severity: Medium
All AIX interactive users home directories must be group-owned by the home directory owner primary group.
2
Rule
Severity: Medium
All files and directories contained in users home directories on AIX must be group-owned by a group in which the home directory owner is a member.
2
Rule
Severity: Medium
Samba packages must be removed from AIX.
2
Rule
Severity: Medium
AIX time synchronization configuration file must have mode 0640 or less permissive.
2
Rule
Severity: Medium
The AIX /etc/group file must have mode 0644 or less permissive.
2
Rule
Severity: Medium
AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required.
2
Rule
Severity: Medium
On AIX, the SSH server must not permit root logins using remote access programs.
2
Rule
Severity: Medium
All AIX shells referenced in passwd file must be listed in /etc/shells file, except any shells specified for the purpose of preventing logins.
2
Rule
Severity: Medium
AIX SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
2
Rule
Severity: Medium
The AIX SSH daemon must be configured for IP filtering.
2
Rule
Severity: Medium
The AIX SSH daemon must not allow compression.
2
Rule
Severity: Medium
AIX must turn on SSH daemon privilege separation.
2
Rule
Severity: Medium
AIX must turn on SSH daemon reverse name checking.
2
Rule
Severity: Medium
AIX SSH daemon must perform strict mode checking of home directory configuration files.
2
Rule
Severity: Medium
AIX must turn off X11 forwarding for the SSH daemon.
2
Rule
Severity: Medium
AIX must turn off TCP forwarding for the SSH daemon.
2
Rule
Severity: Medium
The AIX SSH daemon must be configured to disable empty passwords.
2
Rule
Severity: Medium
The AIX SSH daemon must be configured to disable user .rhosts files.
2
Rule
Severity: Medium
The AIX SSH daemon must be configured to not use host-based authentication.
2
Rule
Severity: Medium
The AIX SSH daemon must not allow RhostsRSAAuthentication.
2
Rule
Severity: Medium
If AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses.
2
Rule
Severity: Medium
AIX system must require authentication upon booting into single-user and maintenance modes.
2
Rule
Severity: Medium
AIX must implement a remote syslog server that is documented using site-defined procedures.
2
Rule
Severity: Medium
The AIX syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
2
Rule
Severity: Medium
AIX passwd.nntp file must have mode 0600 or less permissive.
2
Rule
Severity: Medium
The AIX /etc/group file must not have an extended ACL.
2
Rule
Severity: Medium
The AIX ldd command must be disabled.
2
Rule
Severity: Medium
AIX NFS server must be configured to restrict file system access to local hosts.
2
Rule
Severity: Medium
All AIX users home directories must have mode 0750 or less permissive.
2
Rule
Severity: Medium
The AIX user home directories must not have extended ACLs.
2
Rule
Severity: Medium
AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt.
2
Rule
Severity: Medium
AIX system must restrict the ability to switch to the root user to members of a defined group.
2
Rule
Severity: Medium
All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
2
Rule
Severity: Medium
All AIX files and directories must have a valid owner.
2
Rule
Severity: Medium
The sticky bit must be set on all public directories on AIX systems.
2
Rule
Severity: Medium
The AIX global initialization files must contain the mesg -n or mesg n commands.
2
Rule
Severity: Medium
The AIX hosts.lpd file must not contain a + character.
2
Rule
Severity: Medium
AIX sendmail logging must not be set to less than nine in the sendmail.cf file.
2
Rule
Severity: Medium
AIX run control scripts executable search paths must contain only absolute paths.
2
Rule
Severity: Medium
The AIX DHCP client must be disabled.
2
Rule
Severity: Medium
AIX process core dumps must be disabled.
2
Rule
Severity: Medium
AIX kernel core dumps must be disabled unless needed.
2
Rule
Severity: Medium
AIX must set Stack Execution Disable (SED) system wide mode to all.
2
Rule
Severity: Medium
The /etc/shells file must exist on AIX systems.
2
Rule
Severity: Medium
AIX public directories must be the only world-writable directories and world-writable files must be located only in public directories.
2
Rule
Severity: Medium
AIX must be configured to only boot from the system boot device.
2
Rule
Severity: Medium
AIX must not use removable media as the boot loader.
2
Rule
Severity: Low
If the AIX host is running an SMTP service, the SMTP greeting must not provide version information.
2
Rule
Severity: Low
AIX must contain no .forward files.
2
Rule
Severity: Medium
The sendmail server must have the debug feature disabled on AIX systems.
2
Rule
Severity: Medium
SMTP service must not have the EXPN or VRFY features active on AIX systems.
2
Rule
Severity: Medium
All global initialization file executable search paths must contain only absolute paths.
2
Rule
Severity: Medium
The SMTP service HELP command must not be enabled on AIX.
2
Rule
Severity: Medium
NIS maps must be protected through hard-to-guess domain names on AIX.
2
Rule
Severity: Medium
The AIX systems access control program must be configured to grant or deny system access to specific hosts.
2
Rule
Severity: Medium
All AIX files and directories must have a valid group owner.
2
Rule
Severity: Medium
AIX control scripts library search paths must contain only absolute paths.
2
Rule
Severity: Medium
The control script lists of preloaded libraries must contain only absolute paths on AIX systems.
2
Rule
Severity: Medium
The global initialization file lists of preloaded libraries must contain only absolute paths on AIX.
2
Rule
Severity: Medium
The local initialization file library search paths must contain only absolute paths on AIX.
2
Rule
Severity: Medium
The local initialization file lists of preloaded libraries must contain only absolute paths on AIX.
2
Rule
Severity: Medium
AIX package management tool must be used daily to verify system software.
2
Rule
Severity: Medium
The AIX DHCP client must not send dynamic DNS updates.
2
Rule
Severity: Medium
AIX must not run any routing protocol daemons unless the system is a router.
2
Rule
Severity: Medium
AIX must not process ICMP timestamp requests.
2
Rule
Severity: Medium
AIX must not respond to ICMPv6 echo requests sent to a broadcast address.
2
Rule
Severity: Medium
AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
2
Rule
Severity: Medium
There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the AIX system.
2
Rule
Severity: Medium
The .rhosts file must not be supported in AIX PAM.
2
Rule
Severity: Medium
The AIX root user home directory must not be the root directory (/).
2
Rule
Severity: Medium
The EXITS GSO record value must specify the module names of site written ACF2 exit routines.
2
Rule
Severity: Medium
The CA-ACF2 LOGONID with the REFRESH attribute must have procedures for utilization.
2
Rule
Severity: Medium
IBM z/OS TSO GSO record values must be set to the values specified.
2
Rule
Severity: Medium
IBM z/OS procedures must restrict ACF2 LOGONIDs with the READALL attribute to auditors and/or authorized users.
2
Rule
Severity: Medium
IBM z/OS must have the RULEVLD and RSRCVLD attributes specified for LOGONIDs with the SECURITY attribute.
2
Rule
Severity: Medium
IBM z/OS LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped.
2
Rule
Severity: Medium
IBM z/OS LOGONID with the ACCTPRIV attribute must be restricted to the ISSO.
2
Rule
Severity: Medium
IBM z/OS batch jobs with restricted ACF2 LOGONIDs must have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs.
2
Rule
Severity: Medium
CA-ACF2 RULEOPTS GSO record values must be set to the values specified.
2
Rule
Severity: Medium
The CA-ACF2 GSO OPTS record value must be properly specified.
2
Rule
Severity: Medium
CA-ACF2 must prevent the use of dictionary words for passwords.
2
Rule
Severity: Medium
CA-ACF2 database must be on a separate physical volume from its backup and recovery data sets.
2
Rule
Severity: Medium
CA-ACF2 database must be backed up on a scheduled basis.
2
Rule
Severity: Medium
ACF2 REFRESH attribute must be restricted to security administrators' LOGON ID only.
2
Rule
Severity: Medium
ACF2 maintenance LOGONIDs must have corresponding GSO MAINT records.
2
Rule
Severity: Medium
ACF2 LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record must be listed as trusted and must be specifically approved.
2
Rule
Severity: Medium
ACF2 LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped.
2
Rule
Severity: Medium
ACF2 LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of its users must have the JOBFROM attribute as required.
2
Rule
Severity: Medium
ACF2 emergency LOGONIDS with the REFRESH attribute must have the SUSPEND attribute specified.
2
Rule
Severity: Medium
ACF2 BACKUP GSO record must be defined with a TIME value specifies greater than 00 unless the database is shared and backed up on another system.
2
Rule
Severity: Low
ACF2 APPLDEF GSO record if used must have supporting documentation indicating the reason it was used.
2
Rule
Severity: Medium
All AIX interactive users must be assigned a home directory in the passwd file and the directory must exist.
2
Rule
Severity: Medium
The AIX operating system must be configured to authenticate using Multi Factor Authentication.
2
Rule
Severity: Medium
The AIX operating system must be configured to use Multi Factor Authentication for remote connections.
2
Rule
Severity: Medium
AIX must have the have the PowerSC Multi Factor Authentication Product configured.
2
Rule
Severity: Medium
The AIX operating system must be configured to use a valid server_ca.pem file.
2
Rule
Severity: Medium
AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
2
Rule
Severity: Medium
The AIX /etc/hosts file must be owned by root.
2
Rule
Severity: Medium
The AIX /etc/hosts file must be group-owned by system.
2
Rule
Severity: Medium
The AIX /etc/hosts file must have a mode of 0640 or less permissive.
2
Rule
Severity: Medium
AIX cron and crontab directories must have a mode of 0640 or less permissive.
2
Rule
Severity: Medium
The AIX /etc/syslog.conf file must be owned by root.
2
Rule
Severity: Medium
The AIX /etc/syslog.conf file must be group-owned by system.
2
Rule
Severity: Medium
The AIX /etc/syslog.conf file must have a mode of 0640 or less permissive.
2
Rule
Severity: Medium
The inetd.conf file on AIX must be group owned by the "system" group.
2
Rule
Severity: Medium
The AIX /etc/inetd.conf file must have a mode of 0640 or less permissive.
2
Rule
Severity: Medium
The AIX /var/spool/cron/atjobs directory must be owned by root or bin.
2
Rule
Severity: Medium
The AIX /var/spool/cron/atjobs directory must be group-owned by cron.
2
Rule
Severity: Medium
The AIX /var/spool/cron/atjobs directory must have a mode of 0640 or less permissive.
2
Rule
Severity: Medium
The AIX cron and crontab directories must be group-owned by cron.
1
Rule
Severity: Medium
The CA-TSS NEWPW control options must be properly set.
4
Rule
Severity: Medium
IBM z/OS FTP Control cards must be properly stored in a secure PDS file.
6
Rule
Severity: Medium
IBM z/OS PASSWORD data set and OS passwords must not be used.
2
Rule
Severity: Medium
IBM z/OS must configure system waittimes to protect resource availability based on site priorities.
2
Rule
Severity: Medium
IBM z/OS Emergency LOGONIDs must be properly defined.
2
Rule
Severity: Medium
IBM z/OS DFSMS control data sets must reside on separate storage volumes.
2
Rule
Severity: Medium
IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
6
Rule
Severity: Medium
IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings.
6
Rule
Severity: Medium
IBM z/OS Configuration files for the TCP/IP stack must be properly specified.
2
Rule
Severity: Medium
IBM z/OS VTAM session setup controls for the TN3270 Telnet Server must be properly specified.
6
Rule
Severity: Medium
IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified.
4
Rule
Severity: Medium
IBM z/OS UNIX HFS MapName files security parameters must be properly specified.
6
Rule
Severity: Medium
IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
2
Rule
Severity: Medium
IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
6
Rule
Severity: Medium
IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements.
6
Rule
Severity: Medium
IBM Integrated Crypto Service Facility (ICSF) Configuration parameters must be correctly specified.
2
Rule
Severity: High
IBM RACF must define WARN = NO on all profiles.
2
Rule
Severity: High
The IBM RACF PROTECTALL SETROPTS value specified must be properly set.
2
Rule
Severity: Medium
The IBM RACF GRPLIST SETROPTS value must be set to ACTIVE.
2
Rule
Severity: Medium
The IBM RACF RETPD SETROPTS value specified must be properly set.
2
Rule
Severity: Medium
IBM z/OS Started tasks must be properly defined to CA-TSS.
2
Rule
Severity: Medium
The CA-TSS CANCEL Control Option must not be specified.
2
Rule
Severity: Medium
The CA-TSS HPBPW Control Option must be set to three days maximum.
2
Rule
Severity: Medium
The CA-TSS INSTDATA Control Option must be set to 0.
2
Rule
Severity: Medium
The CA-TSS OPTIONS Control Option must include option 4 at a minimum.
2
Rule
Severity: Medium
CA-TSS TEMPDS Control Option must be set to YES.
2
Rule
Severity: Medium
The number of CA-TSS control ACIDs must be justified and properly assigned.
2
Rule
Severity: Medium
The number of CA-TSS ACIDs with MISC9 authority must be justified.
2
Rule
Severity: Medium
The CA-TSS LUUPDONCE Control Option value specified must be set to NO.
2
Rule
Severity: Medium
The CA-TSS Automatic Data Set Protection (ADSP) Control Option must be set to NO.
2
Rule
Severity: Medium
CA-TSS RECOVER Control Option must be set to ON.
2
Rule
Severity: Medium
The IBM RACF TAPEDSN SETROPTS value specified must be properly set.
2
Rule
Severity: Medium
The IBM RACF WHEN(PROGRAM) SETROPTS value specified must be active.
2
Rule
Severity: Medium
IBM RACF use of the AUDITOR privilege must be justified.
2
Rule
Severity: Medium
The IBM RACF database must be on a separate physical volume from its backup and recovery datasets.
2
Rule
Severity: Medium
The IBM RACF database must be backed up on a scheduled basis.
2
Rule
Severity: Medium
IBM z/OS Batch job user IDs must be properly defined.
2
Rule
Severity: Medium
IBM RACF use of the RACF SPECIAL Attribute must be justified.
2
Rule
Severity: Medium
IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.
1
Rule
Severity: Medium
IBM RACF exit ICHPWX01 must be installed and properly configured.
2
Rule
Severity: Medium
IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with security requirements.
2
Rule
Severity: Medium
The IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
2
Rule
Severity: Medium
The CA-TSS database must be on a separate physical volume from its backup and recovery data sets.
2
Rule
Severity: Medium
The CA-TSS database must be backed up on a scheduled basis.
2
Rule
Severity: Medium
The IBM z/OS Policy Agent must be configured to deny-all, allow-by-exception firewall policy for allowing connections to other systems.
2
Rule
Severity: Medium
IBM z/OS must configure system wait times to protect resource availability based on site priorities.
2
Rule
Severity: Medium
IBM z/OS DFSMS control data sets must be properly protected.
4
Rule
Severity: Medium
IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified.
2
Rule
Severity: Medium
IBM z/OS UNIX HFS MapName file security parameters must be properly specified.
2
Rule
Severity: Medium
IBM z/OS default profiles must be defined in the corresponding FACILITY Class Profile for classified systems.
2
Rule
Severity: Medium
IBM z/OS UNIX Telnet server Startup parameters must be properly specified.
4
Rule
Severity: Medium
The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
2
Rule
Severity: Medium
IBM z/OS Default profiles must not be defined in TSS OMVS UNIX security parameters for classified systems.
2
Rule
Severity: Medium
The IBM z/OS UNIX Telnet server Startup parameters must be properly specified.
2
Rule
Severity: Medium
The ICS, when utilizing PKI-based authentication, must be configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: Low
The Juniper EX switch must be configured to enable Storm Control on all host-facing access interfaces.
2
Rule
Severity: Low
The Juniper EX switch must be configured to enable IGMP or MLD Snooping on all VLANs.
2
Rule
Severity: Medium
If STP is used, the Juniper EX switch must be configured to implement Rapid STP, or Multiple STP, where VLANs span multiple switches with redundant links.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to verify two-way connectivity on all interswitch trunked interfaces.
1
Rule
Severity: Medium
The Juniper EX switch must be configured to assign all disabled access interfaces to an unused VLAN.
1
Rule
Severity: Medium
The Juniper EX switch must not be configured with VLANs used for L2 control traffic assigned to any host-facing access interface.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to prune the default VLAN from all trunked interfaces that do not require it.
1
Rule
Severity: Medium
The Juniper EX switch must not use the default VLAN for management traffic.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to set all user-facing or untrusted ports as access interfaces.
2
Rule
Severity: Medium
The Juniper EX switch must not have a native VLAN ID assigned, or have a unique native VLAN ID, for all 802.1q trunk links.
2
Rule
Severity: Low
The Juniper EX switch must not have any access interfaces assigned to a VLAN configured as native for any trunked interface.
2
Rule
Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
2
Rule
Severity: Medium
The ICS must be configured to synchronize internal information system clocks using redundant authoritative time sources.
2
Rule
Severity: Medium
The ICS must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
2
Rule
Severity: Medium
The ICS must be configured to support organizational requirements to conduct weekly backups of information system documentation, including security-related documentation.
2
Rule
Severity: High
The ICS must be configured to run an operating system release that is currently supported by Ivanti.
2
Rule
Severity: Medium
The ICS must be configured to conduct backups of system level information contained in the information system when changes occur.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to enforce organization-defined role-based access control policies over defined subjects and objects.
1
Rule
Severity: Medium
The Juniper EX switch must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1
Rule
Severity: Medium
The Juniper EX switch must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to generate log records for a locally developed list of auditable events.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to enforce access restrictions associated with changes to the system components.
2
Rule
Severity: High
The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to conduct backups of system level information contained in the information system when changes occur.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
2
Rule
Severity: High
The Juniper EX switch must be configured with an operating system release that is currently supported by the vendor.
2
Rule
Severity: High
User-managed resources must be created in dedicated namespaces.
2
Rule
Severity: Medium
The Kubernetes manifest files must have least privileges.
2
Rule
Severity: High
The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.
2
Rule
Severity: Low
The Juniper PE router must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.
2
Rule
Severity: Low
The Juniper router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
2
Rule
Severity: Medium
The Juniper router must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
The Kubernetes component manifests must be owned by root.
2
Rule
Severity: Medium
The Kubernetes component etcd must be owned by etcd.
2
Rule
Severity: Medium
The Kubernetes conf files must be owned by root.
2
Rule
Severity: Medium
The Kubernetes Kube Proxy kubeconfig must have file permissions set to 644 or more restrictive.
2
Rule
Severity: Medium
The Kubernetes Kube Proxy kubeconfig must be owned by root.
2
Rule
Severity: Medium
The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive.
2
Rule
Severity: Medium
The Kubernetes Kubelet certificate authority must be owned by root.
2
Rule
Severity: Medium
The Kubernetes component PKI must be owned by root.
2
Rule
Severity: Medium
The Kubernetes kubelet KubeConfig must have file permissions set to 644 or more restrictive.
2
Rule
Severity: Medium
The Kubernetes kubelet KubeConfig file must be owned by root.
2
Rule
Severity: Medium
The Kubernetes kubeadm.conf must be owned by root.
2
Rule
Severity: Medium
The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive.
2
Rule
Severity: Medium
The Kubernetes kubelet config must have file permissions set to 644 or more restrictive.
2
Rule
Severity: Medium
The Kubernetes kubelet config must be owned by root.
2
Rule
Severity: Medium
The Kubernetes etcd must have file permissions set to 644 or more restrictive.
2
Rule
Severity: Medium
The Kubernetes admin kubeconfig must have file permissions set to 644 or more restrictive.
2
Rule
Severity: Medium
Kubernetes API Server audit logs must be enabled.
2
Rule
Severity: Medium
The Kubernetes API Server must be set to audit log max size.
2
Rule
Severity: Medium
The Kubernetes API Server must be set to audit log maximum backup.
2
Rule
Severity: Medium
The Kubernetes API Server audit log retention must be set.
2
Rule
Severity: Medium
The Kubernetes API Server audit log path must be set.
2
Rule
Severity: Medium
The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive.
2
Rule
Severity: Medium
The Kubernetes PKI keys must have file permissions set to 600 or more restrictive.
2
Rule
Severity: Medium
MarkLogic Server must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
2
Rule
Severity: Medium
MongoDB must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
2
Rule
Severity: Medium
.Net Framework versions installed on the system must be supported.
2
Rule
Severity: Low
.Net applications that invoke NetFx40_LegacySecurityPolicy must apply previous versions of .NET STIG guidance.
2
Rule
Severity: Low
.NET default proxy settings must be reviewed and approved.
2
Rule
Severity: Medium
MariaDB must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
1
Rule
Severity: Medium
The application must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
ActiveX controls and plug-ins must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
The Allow META REFRESH property must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
Internet Explorer must be configured to disallow users to change policies.
1
Rule
Severity: Medium
Internet Explorer must be configured to use machine settings.
1
Rule
Severity: Medium
Security checking features must be enforced.
1
Rule
Severity: Medium
All network paths (UNCs) for Intranet sites must be disallowed.
1
Rule
Severity: Medium
XAML files must be disallowed (Internet zone).
1
Rule
Severity: Medium
XAML files must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
.NET Framework-reliant components not signed with Authenticode must be disallowed to run (Restricted Sites Zone).
1
Rule
Severity: Medium
.NET Framework-reliant components signed with Authenticode must be disallowed to run (Restricted Sites Zone).
1
Rule
Severity: Medium
Security Warning for unsafe files must be set to prompt (Internet zone).
2
Rule
Severity: Medium
Exchange must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
The IIS 10.0 website must have a unique application pool.
2
Rule
Severity: Medium
The maximum number of requests an application pool can process for each IIS 10.0 website must be explicitly set.
2
Rule
Severity: Medium
The application pool for each IIS 10.0 website must have a recycle time explicitly set.
2
Rule
Severity: Medium
The application pools rapid fail protection for each IIS 10.0 website must be enabled.
2
Rule
Severity: Medium
The application pools rapid fail protection settings for each IIS 10.0 website must be managed.
2
Rule
Severity: Medium
The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
3
Rule
Severity: Medium
Custom user interface (UI) code must be blocked from loading in all Office applications.
3
Rule
Severity: Medium
Office applications must not load XML expansion packs with Smart Documents.
3
Rule
Severity: Medium
The Local Machine Zone Lockdown Security must be enabled in all Office programs.
3
Rule
Severity: Medium
AutoRepublish in Excel must be disabled.
3
Rule
Severity: Medium
AutoRepublish warning alert in Excel must be enabled.
3
Rule
Severity: Medium
File extensions must be enabled to match file types in Excel.
1
Rule
Severity: Medium
Security Warning for unsafe files must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
.NET Framework-reliant components not signed with Authenticode must be disallowed to run (Internet zone).
1
Rule
Severity: Medium
.NET Framework-reliant components signed with Authenticode must be disallowed to run (Internet zone).
1
Rule
Severity: Medium
When Enhanced Protected Mode is enabled, ActiveX controls must be disallowed to run in Protected Mode.
2
Rule
Severity: High
All accounts installed with the IIS 10.0 web server software and tools must have passwords assigned and default passwords changed.
2
Rule
Severity: Medium
Unspecified file extensions on a production IIS 10.0 web server must be removed.
2
Rule
Severity: Medium
The IIS 10.0 web server must have a global authorization rule configured to restrict access.
2
Rule
Severity: Low
The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).
1
Rule
Severity: Medium
Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
2
Rule
Severity: Medium
Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
2
Rule
Severity: Medium
Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
2
Rule
Severity: Low
Secure Boot must be enabled on Windows 10 systems.
2
Rule
Severity: High
Windows 10 systems must be maintained at a supported servicing level.
2
Rule
Severity: High
The Windows 10 system must use an anti-virus program.
4
Rule
Severity: Medium
Alternate operating systems must not be permitted on the same system.
4
Rule
Severity: Medium
Only accounts responsible for the backup operations must be members of the Backup Operators group.
3
Rule
Severity: Medium
Files dragged from an Outlook e-mail to the file system must be created in ANSI format.
3
Rule
Severity: Medium
The junk email protection level must be set to No Automatic Filtering.
3
Rule
Severity: Medium
Internet must not be included in Safe Zone for picture download in Outlook.
3
Rule
Severity: Medium
The Publish to Global Address List (GAL) button must be disabled in Outlook.
3
Rule
Severity: Medium
The Outlook Security Mode must be enabled to always use the Outlook Security Group Policy.
3
Rule
Severity: Medium
Outlook must be configured to not allow hyperlinks in suspected phishing messages.
2
Rule
Severity: Medium
SQL Server must configure Customer Feedback and Error Reporting.
2
Rule
Severity: Medium
SQL Server must configure SQL Server Usage and Error Reporting Auditing.
2
Rule
Severity: Medium
SQL Server Mirroring endpoint must utilize AES encryption.
2
Rule
Severity: Medium
SQL Server Service Broker endpoint must utilize AES encryption.
2
Rule
Severity: Low
The SQL Server Browser service must be disabled unless specifically required and approved.
2
Rule
Severity: Low
If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden.
2
Rule
Severity: Low
Administrators of high-value IT resources must complete required training.
2
Rule
Severity: Medium
Site IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW).
2
Rule
Severity: Medium
Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts.
2
Rule
Severity: Medium
A Windows PAW must only be used to manage high-value IT resources assigned to the same tier.
2
Rule
Severity: Medium
All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources.
2
Rule
Severity: Medium
The Windows PAW must be configured with a vendor-supported version of Windows 11 and applicable security patches that are DOD approved.
2
Rule
Severity: Medium
A Windows update service must be available to provide software updates for the PAW platform.
2
Rule
Severity: Medium
The Windows PAW must be configured so that all non-administrative-related applications and functions are blocked or removed from the PAW platform, including but not limited to email, Internet browsing, and line-of-business applications.
2
Rule
Severity: Medium
Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard Code Integrity Policy).
2
Rule
Severity: Medium
Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard User Mode Code Integrity).
2
Rule
Severity: Medium
Windows PAWs must be restricted to only allow groups used to manage high-value IT resources and members of the local Administrators group to log on locally.
2
Rule
Severity: Medium
The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts.
2
Rule
Severity: Medium
PAWs used to manage Active Directory must only allow groups specifically designated to manage Active Directory, such as Enterprise and Domain Admins and members of the local Administrators group, to log on locally.
2
Rule
Severity: High
The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW.
2
Rule
Severity: Medium
If several Windows PAWs are set up in virtual machines (VMs) on a host server, the host server must only contain PAW VMs.
2
Rule
Severity: Medium
The Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.
2
Rule
Severity: Medium
The Windows PAW must be configured so that all outbound connections to the Internet from a PAW are blocked.
2
Rule
Severity: Medium
The local Administrators group on the Windows PAW must only include groups with accounts specifically designated to administer the PAW.
2
Rule
Severity: Medium
Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members.
2
Rule
Severity: Medium
Restricted remote administration must be enabled for high-value systems.
2
Rule
Severity: Medium
If several PAWs are set up in virtual machines (VMs) on a host server, domain administrative accounts used to manage high-value IT resources must not have access to the VM host operating system (OS) (only domain administrative accounts designated to manage PAWs should be able to access the VM host OS).
4
Rule
Severity: High
The network device must be running an operating system release that is currently supported by the vendor.
4
Rule
Severity: High
The network device must be configured to use an authentication server to authenticate users prior to granting administrative access.
4
Rule
Severity: Medium
The network device must be configured with both an ingress and egress ACL.
2
Rule
Severity: Medium
Access to default accounts used to support replication must be restricted to authorized DBAs.
3
Rule
Severity: Medium
Oracle instance names must not contain Oracle version numbers.
3
Rule
Severity: Medium
Fixed user and public database links must be authorized for use.
3
Rule
Severity: Low
A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.
3
Rule
Severity: Medium
A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
3
Rule
Severity: Medium
The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts.
1
Rule
Severity: Medium
Execute permission must be revoked from PUBLIC for restricted Oracle packages.
3
Rule
Severity: High
The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
3
Rule
Severity: High
The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
4
Rule
Severity: Low
Standard local user accounts must not exist on a system in a domain.
2
Rule
Severity: Medium
Software certificate installation files must be removed from Windows 10.
6
Rule
Severity: Medium
A host-based firewall must be installed and enabled on the system.
2
Rule
Severity: Medium
Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.
2
Rule
Severity: Medium
Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.
4
Rule
Severity: Medium
The system must notify the user when a Bluetooth device attempts to connect.
4
Rule
Severity: High
Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
4
Rule
Severity: Medium
IPv6 source routing must be configured to highest protection.
4
Rule
Severity: Medium
The system must be configured to prevent IP source routing.
4
Rule
Severity: Low
The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
6
Rule
Severity: Medium
Insecure logons to an SMB server must be disabled.
2
Rule
Severity: Medium
Simultaneous connections to the internet or a Windows domain must be limited.
4
Rule
Severity: Medium
Connections to non-domain networks when connected to a domain authenticated network must be blocked.
4
Rule
Severity: Medium
Wi-Fi Sense must be disabled.
2
Rule
Severity: Medium
Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.
1
Rule
Severity: Low
Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
2
Rule
Severity: High
Credential Guard must be running on Windows 10 domain-joined systems.
4
Rule
Severity: Medium
Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
6
Rule
Severity: Medium
Group Policy objects must be reprocessed even if they have not changed.
4
Rule
Severity: Medium
Systems must at least attempt device authentication using certificates.
4
Rule
Severity: Low
The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
2
Rule
Severity: Medium
Enhanced anti-spoofing for facial recognition must be enabled on Window 10.
2
Rule
Severity: Medium
If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics.
2
Rule
Severity: Medium
Windows Telemetry must not be configured to Full.
4
Rule
Severity: Low
Windows Update must not obtain updates from other PCs on the internet.
6
Rule
Severity: Medium
File Explorer shell protocol must run in protected mode.
2
Rule
Severity: Medium
Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
2
Rule
Severity: Medium
Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
2
Rule
Severity: Medium
Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.
2
Rule
Severity: Medium
The password manager function in the Edge browser must be disabled.
2
Rule
Severity: Medium
The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.
4
Rule
Severity: Medium
The use of a hardware security device with Windows Hello for Business must be enabled.
2
Rule
Severity: Medium
Windows 10 must be configured to require a minimum pin length of six characters or greater.
6
Rule
Severity: Medium
Attachments must be prevented from being downloaded from RSS feeds.
6
Rule
Severity: Medium
Users must be notified if a web-based program attempts to install software.
6
Rule
Severity: Medium
Automatically signing in the last interactive user after a system-initiated restart must be disabled.
1
Rule
Severity: Medium
The Windows Explorer Preview pane must be disabled for Windows 10.
4
Rule
Severity: Medium
Local accounts with blank passwords must be restricted to prevent access from the network.
4
Rule
Severity: Medium
The built-in administrator account must be renamed.
4
Rule
Severity: Medium
The built-in guest account must be renamed.
4
Rule
Severity: Low
The computer account password must not be prevented from being reset.
4
Rule
Severity: Low
The maximum age for machine account passwords must be configured to 30 days or less.
4
Rule
Severity: Low
Caching of logon credentials must be limited.
6
Rule
Severity: Medium
The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
6
Rule
Severity: High
Anonymous SID/Name translation must not be allowed.
4
Rule
Severity: High
Anonymous enumeration of SAM accounts must not be allowed.
4
Rule
Severity: Medium
The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
6
Rule
Severity: Medium
NTLM must be prevented from falling back to a Null session.
6
Rule
Severity: Medium
PKU2U authentication using online identities must be prevented.
4
Rule
Severity: High
The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
4
Rule
Severity: Medium
The system must be configured to the required LDAP client signing level.
4
Rule
Severity: Medium
The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
4
Rule
Severity: Medium
The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
4
Rule
Severity: Low
The default permissions of global system objects must be increased.
6
Rule
Severity: Medium
Zone information must be preserved when saving attachments.
4
Rule
Severity: Medium
Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
2
Rule
Severity: Low
Virtualization-based protection of code integrity must be enabled.
2
Rule
Severity: Medium
Internet Explorer must be disabled for Windows 10.
2
Rule
Severity: Medium
Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.
2
Rule
Severity: High
Windows 11 systems must be maintained at a supported servicing level.
2
Rule
Severity: High
The Windows 11 system must use an antivirus program.
2
Rule
Severity: Medium
Software certificate installation files must be removed from Windows 11.
2
Rule
Severity: Medium
Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts.
2
Rule
Severity: Medium
Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11.
2
Rule
Severity: High
Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
2
Rule
Severity: Medium
Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
2
Rule
Severity: Medium
Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials.
2
Rule
Severity: Medium
Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
2
Rule
Severity: High
Credential Guard must be running on Windows 11 domain-joined systems.
2
Rule
Severity: Medium
Virtualization-based protection of code integrity must be enabled.
2
Rule
Severity: Medium
Enhanced anti-spoofing for facial recognition must be enabled on Windows 11.
2
Rule
Severity: Medium
Enhanced diagnostic data must be limited to the minimum required to support Windows Analytics.
2
Rule
Severity: Medium
Windows 11 must be configured to require a minimum pin length of six characters or greater.
2
Rule
Severity: Medium
Internet Explorer must be disabled for Windows 11.
2
Rule
Severity: High
Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
2
Rule
Severity: Medium
Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
2
Rule
Severity: Medium
Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
2
Rule
Severity: Medium
Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
2
Rule
Severity: High
Systems must be maintained at a supported servicing level.
2
Rule
Severity: High
The Windows Server 2016 system must use an anti-virus program.
2
Rule
Severity: Medium
Servers must have a host-based intrusion detection or prevention system.
2
Rule
Severity: Medium
Software certificate installation files must be removed from Windows Server 2016.
2
Rule
Severity: Medium
FTP servers must be configured to prevent anonymous logons.
2
Rule
Severity: Medium
FTP servers must be configured to prevent access to the system drive.
2
Rule
Severity: Medium
Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.
2
Rule
Severity: Low
Secure Boot must be enabled on Windows Server 2016 systems.
2
Rule
Severity: Low
Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
2
Rule
Severity: Low
Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
2
Rule
Severity: Low
Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
2
Rule
Severity: Low
Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
2
Rule
Severity: Medium
Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
2
Rule
Severity: Medium
Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
2
Rule
Severity: Medium
Users must be prompted to authenticate when the system wakes from sleep (on battery).
2
Rule
Severity: Medium
Users must be prompted to authenticate when the system wakes from sleep (plugged in).
2
Rule
Severity: Medium
Windows Telemetry must be configured to Security or Basic.
2
Rule
Severity: Low
Turning off File Explorer heap termination on corruption must be disabled.
2
Rule
Severity: High
Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
2
Rule
Severity: Medium
Domain controllers must be configured to allow reset of machine account passwords.
6
Rule
Severity: Medium
The password for the krbtgt account on a domain must be reset at least every 180 days.
2
Rule
Severity: Medium
Caching of logon credentials must be limited.
2
Rule
Severity: High
Windows Server 2016 must be running Credential Guard on domain-joined member servers.
2
Rule
Severity: High
Local accounts with blank passwords must be restricted to prevent access from the network.
2
Rule
Severity: Medium
Windows Server 2016 built-in administrator account must be renamed.
2
Rule
Severity: Medium
Windows Server 2016 built-in guest account must be renamed.
2
Rule
Severity: Medium
The maximum age for machine account passwords must be configured to 30 days or less.
2
Rule
Severity: High
Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
2
Rule
Severity: Medium
Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
2
Rule
Severity: Medium
Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
2
Rule
Severity: High
The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
2
Rule
Severity: Medium
Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
2
Rule
Severity: Medium
Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
2
Rule
Severity: Medium
Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
2
Rule
Severity: Low
The default permissions of global system objects must be strengthened.
2
Rule
Severity: Medium
The Windows Explorer Preview pane must be disabled for Windows Server 2016.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to audit logoff successes.
2
Rule
Severity: High
Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
2
Rule
Severity: High
Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
2
Rule
Severity: Medium
Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
2
Rule
Severity: Medium
Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
2
Rule
Severity: Medium
Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
2
Rule
Severity: High
Windows Server 2019 must be maintained at a supported servicing level.
2
Rule
Severity: High
Windows Server 2019 must use an anti-virus program.
2
Rule
Severity: Medium
Windows Server 2019 must have a host-based intrusion detection or prevention system.
2
Rule
Severity: Medium
Windows Server 2019 must have software certificate installation files removed.
2
Rule
Severity: Medium
Windows Server 2019 FTP servers must be configured to prevent anonymous logons.
2
Rule
Severity: Medium
Windows Server 2019 FTP servers must be configured to prevent access to the system drive.
2
Rule
Severity: Medium
Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.
2
Rule
Severity: Low
Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
2
Rule
Severity: Low
Windows Server 2019 must have Secure Boot enabled.
2
Rule
Severity: Low
Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
2
Rule
Severity: Low
Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
2
Rule
Severity: Low
Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
2
Rule
Severity: Medium
Windows Server 2019 insecure logons to an SMB server must be disabled.
2
Rule
Severity: Medium
Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
2
Rule
Severity: Medium
Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
2
Rule
Severity: Medium
Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
2
Rule
Severity: Medium
Windows Server 2019 group policy objects must be reprocessed even if they have not changed.
2
Rule
Severity: Medium
Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
2
Rule
Severity: Medium
Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
2
Rule
Severity: Medium
Windows Server 2019 Telemetry must be configured to Security or Basic.
2
Rule
Severity: Low
Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.
2
Rule
Severity: Low
Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.
2
Rule
Severity: Medium
Windows Server 2019 File Explorer shell protocol must run in protected mode.
2
Rule
Severity: Medium
Windows Server 2019 must prevent attachments from being downloaded from RSS feeds.
2
Rule
Severity: Medium
Windows Server 2019 users must be notified if a web-based program attempts to install software.
2
Rule
Severity: High
Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
2
Rule
Severity: Medium
Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
2
Rule
Severity: Medium
Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
2
Rule
Severity: High
Windows Server 2019 must be running Credential Guard on domain-joined member servers.
2
Rule
Severity: High
Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
2
Rule
Severity: Medium
Windows Server 2019 built-in administrator account must be renamed.
2
Rule
Severity: Medium
Windows Server 2019 built-in guest account must be renamed.
2
Rule
Severity: Medium
Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
2
Rule
Severity: Medium
Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
2
Rule
Severity: High
Windows Server 2019 must not allow anonymous SID/Name translation.
2
Rule
Severity: High
Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
2
Rule
Severity: Medium
Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
2
Rule
Severity: Medium
Windows Server 2019 must prevent NTLM from falling back to a Null session.
2
Rule
Severity: Medium
Windows Server 2019 must prevent PKU2U authentication using online identities.
2
Rule
Severity: High
Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
2
Rule
Severity: Medium
Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
2
Rule
Severity: Medium
Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
2
Rule
Severity: Low
Windows Server 2019 default permissions of global system objects must be strengthened.
2
Rule
Severity: Medium
Windows Server 2019 must preserve zone information when saving attachments.
2
Rule
Severity: Medium
Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.
2
Rule
Severity: Medium
Windows Server 2019 must have a host-based firewall installed and enabled.
1
Rule
Severity: Medium
The Windows Explorer Preview pane must be disabled for Windows Server 2019.
2
Rule
Severity: High
Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
2
Rule
Severity: Medium
Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
2
Rule
Severity: Medium
Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
2
Rule
Severity: Medium
Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
2
Rule
Severity: Medium
Windows Server 2022 must be maintained at a supported servicing level.
2
Rule
Severity: Medium
Windows Server 2022 must use an antivirus program.
2
Rule
Severity: Medium
Windows Server 2022 must have a host-based intrusion detection or prevention system.
2
Rule
Severity: Medium
Windows Server 2022 must have software certificate installation files removed.
2
Rule
Severity: Medium
Windows Server 2022 must have a host-based firewall installed and enabled.
2
Rule
Severity: Medium
Windows Server 2022 FTP servers must be configured to prevent anonymous logons.
2
Rule
Severity: Medium
Windows Server 2022 FTP servers must be configured to prevent access to the system drive.
2
Rule
Severity: Medium
Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights.
2
Rule
Severity: Medium
Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
2
Rule
Severity: Medium
Windows Server 2022 must have Secure Boot enabled.
2
Rule
Severity: Low
Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
2
Rule
Severity: Low
Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
2
Rule
Severity: Low
Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
2
Rule
Severity: Medium
Windows Server 2022 insecure logons to an SMB server must be disabled.
2
Rule
Severity: Medium
Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
2
Rule
Severity: Medium
Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials.
2
Rule
Severity: Medium
Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
2
Rule
Severity: Medium
Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
2
Rule
Severity: Medium
Windows Server 2022 group policy objects must be reprocessed even if they have not changed.
2
Rule
Severity: Medium
Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery).
2
Rule
Severity: Medium
Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in).
2
Rule
Severity: Medium
Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data".
2
Rule
Severity: Low
Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet.
2
Rule
Severity: Low
Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled.
2
Rule
Severity: Medium
Windows Server 2022 File Explorer shell protocol must run in protected mode.
2
Rule
Severity: Medium
Windows Server 2022 must prevent attachments from being downloaded from RSS feeds.
2
Rule
Severity: Medium
Windows Server 2022 users must be notified if a web-based program attempts to install software.
2
Rule
Severity: Medium
Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart.
2
Rule
Severity: High
Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access.
2
Rule
Severity: Medium
Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords.
2
Rule
Severity: Medium
Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers.
2
Rule
Severity: High
Windows Server 2022 must be running Credential Guard on domain-joined member servers.
2
Rule
Severity: High
Windows Server 2022 must prevent local accounts with blank passwords from being used from the network.
2
Rule
Severity: Medium
Windows Server 2022 built-in administrator account must be renamed.
2
Rule
Severity: Medium
Windows Server 2022 built-in guest account must be renamed.
2
Rule
Severity: Medium
Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less.
2
Rule
Severity: Medium
Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
2
Rule
Severity: High
Windows Server 2022 must not allow anonymous SID/Name translation.
2
Rule
Severity: High
Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
2
Rule
Severity: Medium
Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
2
Rule
Severity: Medium
Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
2
Rule
Severity: Medium
Windows Server 2022 must prevent NTLM from falling back to a Null session.
2
Rule
Severity: Medium
Windows Server 2022 must prevent PKU2U authentication using online identities.
2
Rule
Severity: High
Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
2
Rule
Severity: Medium
Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing.
2
Rule
Severity: Medium
Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
2
Rule
Severity: Medium
Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
2
Rule
Severity: Low
Windows Server 2022 default permissions of global system objects must be strengthened.
2
Rule
Severity: Medium
Windows Server 2022 must preserve zone information when saving attachments.
2
Rule
Severity: Medium
Sensor traffic in transit must be protected at all times via an Out-of-Band (OOB) network or an encrypted tunnel between site locations.
2
Rule
Severity: Medium
Intrusion Detection and Prevention System (IDPS) traffic between the sensor and the security management or sensor data collection servers must traverse a dedicated Virtual Local Area Network (VLAN) logically separating IDPS traffic from all other enclave traffic.
2
Rule
Severity: Low
Products collecting baselines for anomaly-based detection must have their baselines rebuilt based on changes to mission requirements such as Information Operations Conditions (INFOCON) levels and when the traffic patterns are expected to change significantly.
2
Rule
Severity: Medium
If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory on which the signature packs are placed.
2
Rule
Severity: Medium
If an automated scheduler is used to provide updates to the sensors, an account on the file server must be defined that will provide access to the signatures only to the sensors.
2
Rule
Severity: Low
The Intrusion Detection and Prevention System (IDPS) configuration must be backed up before applying software or signature updates, or when making changes to the configuration.
2
Rule
Severity: Low
The Intrusion Detection and Prevention System (IDPS) file checksums provided by the vendor must be compared and verified with checksums computed from CD or downloaded files.
2
Rule
Severity: Medium
The organization must establish weekly data backup procedures for the network Intrusion Detection and Prevention System (IDPS) data.
2
Rule
Severity: Low
The Intrusion Detection and Prevention System (IDPS) software and signatures must be updated when updates are provided by the vendor.
2
Rule
Severity: Medium
The organization must ensure all switches and associated cross-connect hardware are kept in a secure Intermediate Distribution Frame (IDF) or an enclosed cabinet that is kept locked.
2
Rule
Severity: Medium
All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).
2
Rule
Severity: Medium
Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave.
2
Rule
Severity: Medium
All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension.
2
Rule
Severity: Low
Two Network Time Protocol (NTP) servers must be deployed in the management network.
2
Rule
Severity: Medium
A policy must be implemented to keep Bogon/Martian rulesets up to date.
2
Rule
Severity: Medium
A dedicated management network must be implemented.
2
Rule
Severity: Medium
An Out-of-Band (OOB) management network must be deployed or 24x7 personnel must have console access for device management.
2
Rule
Severity: Medium
All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA).
2
Rule
Severity: Medium
Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments.
2
Rule
Severity: High
Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility.
2
Rule
Severity: Medium
Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclaves accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation.
2
Rule
Severity: Medium
VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information.
2
Rule
Severity: Low
Rapid Spanning Tree Protocol (STP) must be implemented at the access and distribution layers where Virtual Local Area Networks (VLANs) span multiple switches.
2
Rule
Severity: Low
First-hop redundancy services must be configured to delay any preempt to provide enough time for the Internet Gateway Protocol (IGP) to stabilize.
1
Rule
Severity: Medium
DoD Components providing guest WLAN access (internet access only) must use separate WLAN or logical segmentation of the enterprise WLAN (e.g., separate service set identifier [SSID] and virtual LAN) or DoD network.
2
Rule
Severity: High
OL 8 must be a vendor-supported release.
2
Rule
Severity: Medium
OL 8 vendor-packaged system security patches and updates must be installed and up to date.
3
Rule
Severity: Medium
The Oracle SQL92_SECURITY parameter must be set to TRUE.
3
Rule
Severity: Medium
The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
3
Rule
Severity: Medium
System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.
3
Rule
Severity: Medium
System Privileges must not be granted to PUBLIC.
3
Rule
Severity: Medium
Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.
3
Rule
Severity: Medium
Object permissions granted to PUBLIC must be restricted.
3
Rule
Severity: High
The Oracle Listener must be configured to require administration authentication.
3
Rule
Severity: Medium
Application role permissions must not be assigned to the Oracle PUBLIC role.
3
Rule
Severity: Medium
Oracle application administration roles must be disabled if not required and authorized.
1
Rule
Severity: Medium
Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
3
Rule
Severity: Medium
Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions.
3
Rule
Severity: Medium
Unauthorized database links must not be defined and active.
1
Rule
Severity: Medium
Sensitive information from production database exports must be modified before being imported into a development database.
3
Rule
Severity: Medium
Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace.
3
Rule
Severity: Medium
Application owner accounts must have a dedicated application tablespace.
3
Rule
Severity: Medium
The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.
3
Rule
Severity: Medium
The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.
2
Rule
Severity: Medium
Application object owner accounts must be disabled when not performing installation or maintenance actions.
3
Rule
Severity: Medium
DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
3
Rule
Severity: Medium
Use of the DBMS installation account must be logged.
3
Rule
Severity: Medium
The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
3
Rule
Severity: Medium
Access to DBMS software files and directories must not be granted to unauthorized users.
3
Rule
Severity: Medium
Replication accounts must not be granted DBA privileges.
3
Rule
Severity: Medium
Network access to the DBMS must be restricted to authorized personnel.
3
Rule
Severity: Medium
Changes to configuration options must be audited.
3
Rule
Severity: Medium
Changes to DBMS security labels must be audited.
3
Rule
Severity: Medium
Remote database or other external access must use fully-qualified names.
3
Rule
Severity: Medium
The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
3
Rule
Severity: Medium
Remote administration must be disabled for the Oracle connection manager.
1
Rule
Severity: Medium
The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter must be set to a value of 12 or higher.
3
Rule
Severity: High
DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
3
Rule
Severity: High
DBMS default accounts must be assigned custom passwords.
3
Rule
Severity: Medium
The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.
1
Rule
Severity: Medium
The DBMS must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period.
3
Rule
Severity: Medium
A single database connection configuration file must not be used to configure all database clients.
3
Rule
Severity: Medium
The DBMS must be protected from unauthorized access by developers on shared production/development host systems.
1
Rule
Severity: Medium
The DBA role must not be assigned excessive or unauthorized privileges.
1
Rule
Severity: Medium
The DBMS must specify an account lockout duration that is greater than or equal to the organization-approved minimum.
1
Rule
Severity: Medium
The DBMS must have the capability to limit the number of failed login attempts based upon an organization-defined number of consecutive invalid attempts occurring within an organization-defined time period.
3
Rule
Severity: Medium
Database backup procedures must be defined, documented, and implemented.
3
Rule
Severity: Medium
Database recovery procedures must be developed, documented, implemented, and periodically tested.
3
Rule
Severity: Medium
The DBMS must disable user accounts after 35 days of inactivity.
3
Rule
Severity: Medium
DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
1
Rule
Severity: Medium
The DBMS must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
1
Rule
Severity: Medium
The DBMS must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions.
3
Rule
Severity: Medium
Database data files containing sensitive information must be encrypted.
3
Rule
Severity: Medium
The DBMS must automatically terminate emergency accounts after an organization-defined time period for each type of account.
1
Rule
Severity: Medium
The DBMS must support taking organization-defined list of least disruptive actions to terminate suspicious events.
2
Rule
Severity: Low
WLAN SSIDs must be changed from the manufacturer's default to a pseudo random word that does not identify the unit, base, organization, etc.
2
Rule
Severity: Medium
Wireless access points and bridges must be placed in dedicated subnets outside the enclave's perimeter.
2
Rule
Severity: Medium
Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
2
Rule
Severity: Medium
Sensitive information from production database exports must be modified before import to a development database.
2
Rule
Severity: Medium
The DBMS data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files.
2
Rule
Severity: Medium
Network client connections must be restricted to supported versions.
1
Rule
Severity: Medium
Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD approved PKI certificates for authentication to the DBMS.
2
Rule
Severity: High
Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
2
Rule
Severity: High
When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
2
Rule
Severity: Medium
The DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
2
Rule
Severity: Medium
The DBMS must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours.
2
Rule
Severity: Medium
The DBMS must verify account lockouts persist until reset by an administrator.
2
Rule
Severity: Medium
The DBMS must set the maximum number of consecutive invalid logon attempts to three.
2
Rule
Severity: High
The Oracle Linux operating system must not allow accounts configured with blank or null passwords.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.
2
Rule
Severity: High
The Oracle Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
2
Rule
Severity: High
The Oracle Linux operating system must not allow an unrestricted logon to the system.
2
Rule
Severity: Medium
The Oracle Linux operating system must not allow users to override SSH environment variables.
2
Rule
Severity: Medium
The Oracle Linux operating system must not allow a non-certificate trusted host SSH logon to the system.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured to disable USB mass storage.
2
Rule
Severity: High
The Oracle Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
2
Rule
Severity: Medium
The Oracle Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
2
Rule
Severity: High
The Oracle Linux operating system must be a vendor supported release.
2
Rule
Severity: Medium
The Oracle Linux operating system security patches and updates must be installed and up to date.
2
Rule
Severity: Medium
The Oracle Linux operating system must not have unnecessary accounts.
2
Rule
Severity: High
The Oracle Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all files and directories have a valid owner.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all files and directories have a valid group owner.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that local initialization files do not execute world-writable programs.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.
2
Rule
Severity: Medium
The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
2
Rule
Severity: Medium
The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
2
Rule
Severity: Medium
The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
2
Rule
Severity: Medium
The Oracle Linux operating system must set the umask value to 077 for all local interactive user accounts.
2
Rule
Severity: Medium
The Oracle Linux operating system must have cron logging implemented.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
2
Rule
Severity: Medium
The Oracle Linux operating system must disable Kernel core dumps unless needed.
2
Rule
Severity: Low
The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
2
Rule
Severity: Low
The Oracle Linux operating system must use a separate file system for /var.
2
Rule
Severity: Low
The Oracle Linux operating system must use a separate file system for /tmp (or equivalent).
2
Rule
Severity: Low
The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).
2
Rule
Severity: Low
The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.
2
Rule
Severity: Medium
The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
2
Rule
Severity: Medium
The Oracle Linux operating system must send rsyslog output to a log aggregation server.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
2
Rule
Severity: High
The Oracle Linux operating system must use a virus scan program.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
2
Rule
Severity: Medium
The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so the SSH private host key files have mode 0640 or less permissive.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
2
Rule
Severity: Medium
The Oracle Linux operating system must enable an application firewall, if available.
2
Rule
Severity: High
The Oracle Linux operating system must not contain .shosts files.
2
Rule
Severity: High
The Oracle Linux operating system must not contain shosts.equiv files.
2
Rule
Severity: Low
For Oracle Linux operating systems using DNS resolution, at least two name servers must be configured.
2
Rule
Severity: Medium
The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
2
Rule
Severity: Medium
The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
2
Rule
Severity: Medium
The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.
2
Rule
Severity: Medium
The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
2
Rule
Severity: Medium
The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
2
Rule
Severity: Medium
The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
2
Rule
Severity: Medium
The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
2
Rule
Severity: Medium
The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
2
Rule
Severity: Medium
The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
2
Rule
Severity: Medium
Network interfaces configured on The Oracle Linux operating system must not be in promiscuous mode.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured to prevent unrestricted mail relaying.
2
Rule
Severity: High
The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
2
Rule
Severity: High
The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.
2
Rule
Severity: Medium
The Oracle Linux operating system must not have a graphical display manager installed unless approved.
2
Rule
Severity: Medium
The Oracle Linux operating system must not be performing packet forwarding unless the system is a router.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
2
Rule
Severity: High
SNMP community strings on the Oracle Linux operating system must be changed from the default.
2
Rule
Severity: Medium
The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.
2
Rule
Severity: Medium
The Oracle Linux operating system must not have unauthorized IP tunnels configured.
2
Rule
Severity: Medium
The Oracle Linux operating system must not forward IPv6 source-routed packets.
2
Rule
Severity: High
The Oracle Linux operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.
2
Rule
Severity: Medium
The Oracle Linux operating system must disable the graphical user interface automounter unless required.
2
Rule
Severity: Medium
The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
2
Rule
Severity: Medium
The Oracle Linux operating system must restrict privilege elevation to authorized personnel.
2
Rule
Severity: High
The Oracle Linux operating system must not have accounts configured with blank or null passwords.
2
Rule
Severity: Medium
The Oracle Linux operating system must specify the default "include" directory for the /etc/sudoers file.
2
Rule
Severity: Medium
The Oracle Linux operating system must disable the login screen user list for graphical user interfaces.
2
Rule
Severity: Low
The OL 8 SSH server must be configured to use strong entropy.
2
Rule
Severity: Medium
OL 8 must restrict privilege elevation to authorized personnel.
2
Rule
Severity: Medium
OL 8 must use the invoking user's password for privilege escalation when using "sudo".
2
Rule
Severity: Medium
OL 8 must not let Meltdown and Spectre exploit critical vulnerabilities in modern processors.
2
Rule
Severity: High
There must be no "shosts.equiv" files on the OL 8 operating system.
2
Rule
Severity: High
There must be no ".shosts" files on the OL 8 operating system.
2
Rule
Severity: Low
OL 8 must enable the hardware random number generator entropy gatherer service.
2
Rule
Severity: Low
OL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
2
Rule
Severity: Medium
The OL 8 SSH public host key files must have mode "0644" or less permissive.
2
Rule
Severity: Medium
The OL 8 SSH private host key files must have mode "0640" or less permissive.
2
Rule
Severity: Medium
The OL 8 SSH daemon must perform strict mode checking of home directory configuration files.
2
Rule
Severity: Medium
The OL 8 SSH daemon must not allow authentication using known host's authentication.
2
Rule
Severity: Medium
The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
2
Rule
Severity: Medium
The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
2
Rule
Severity: Low
OL 8 must use a separate file system for "/var".
2
Rule
Severity: Low
OL 8 must use a separate file system for "/var/log".
2
Rule
Severity: Low
OL 8 must use a separate file system for the system audit data path.
2
Rule
Severity: Medium
OL 8 must use a separate file system for "/tmp".
2
Rule
Severity: Medium
OL 8 must use a separate file system for /var/tmp.
2
Rule
Severity: Medium
OL 8 must have the rsyslog service enabled and active.
2
Rule
Severity: Medium
OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
2
Rule
Severity: Medium
OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
2
Rule
Severity: Medium
OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
2
Rule
Severity: Medium
OL 8 must prevent special devices on non-root local partitions.
2
Rule
Severity: Medium
OL 8 file systems that contain user home directories must not execute binary files.
2
Rule
Severity: Medium
OL 8 file systems must not interpret character or block special devices from untrusted file systems.
2
Rule
Severity: Medium
OL 8 file systems must not execute binary files on removable media.
2
Rule
Severity: Medium
OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
2
Rule
Severity: Medium
OL 8 file systems must not execute binary files that are imported via Network File System (NFS).
2
Rule
Severity: Medium
OL 8 file systems must not interpret character or block special devices that are imported via NFS.
2
Rule
Severity: Medium
OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
2
Rule
Severity: Medium
Local OL 8 initialization files must not execute world-writable programs.
2
Rule
Severity: Medium
OL 8 must disable the "kernel.core_pattern".
2
Rule
Severity: Medium
OL 8 must disable acquiring, saving, and processing core dumps.
2
Rule
Severity: Medium
OL 8 must disable core dumps for all users.
2
Rule
Severity: Medium
OL 8 must disable storing core dumps.
2
Rule
Severity: Medium
OL 8 must disable core dump backtraces.
2
Rule
Severity: Medium
For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
2
Rule
Severity: Medium
Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory.
2
Rule
Severity: Medium
All OL 8 world-writable directories must be owned by root, sys, bin, or an application user.
2
Rule
Severity: Medium
All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
2
Rule
Severity: Medium
All OL 8 local interactive users must have a home directory assigned in the "/etc/passwd" file.
2
Rule
Severity: Medium
All OL 8 local interactive user home directories must have mode "0750" or less permissive.
2
Rule
Severity: Medium
All OL 8 local interactive user home directory files must have mode "0750" or less permissive.
2
Rule
Severity: Medium
All OL 8 local interactive user home directories must be group-owned by the home directory owner's primary group.
2
Rule
Severity: Medium
OL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
2
Rule
Severity: Medium
All OL 8 local interactive user home directories defined in the "/etc/passwd" file must exist.
2
Rule
Severity: Medium
All OL 8 local interactive user accounts must be assigned a home directory upon creation.
2
Rule
Severity: Medium
All OL 8 local initialization files must have mode "0740" or less permissive.
2
Rule
Severity: Medium
All OL 8 files and directories must have a valid owner.
2
Rule
Severity: Medium
All OL 8 files and directories must have a valid group owner.
2
Rule
Severity: Medium
A separate OL 8 filesystem must be used for user home directories (such as "/home" or an equivalent).
2
Rule
Severity: High
Unattended or automatic logon via the OL 8 graphical user interface must not be allowed.
2
Rule
Severity: High
OL 8 must not allow users to override SSH environment variables.
2
Rule
Severity: Medium
OL 8 must disable the user list at logon for graphical user interfaces.
2
Rule
Severity: Medium
OL 8 must ensure the password complexity module is enabled in the password-auth file.
2
Rule
Severity: Medium
OL 8 must prevent the use of dictionary words for passwords.
2
Rule
Severity: Medium
OL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
2
Rule
Severity: Medium
OL 8 must not have unnecessary accounts.
2
Rule
Severity: High
OL 8 must not allow accounts configured with blank or null passwords.
2
Rule
Severity: High
OL 8 must not allow blank or null passwords in the system-auth file.
2
Rule
Severity: High
OL 8 must not allow blank or null passwords in the password-auth file.
2
Rule
Severity: Medium
OL 8 default permissions must be defined in such a way that all authenticated users can read and modify only their own files.
2
Rule
Severity: Medium
OL 8 must set the umask value to 077 for all local interactive user accounts.
2
Rule
Severity: Medium
OL 8 must define default permissions for logon and non-logon shells.
2
Rule
Severity: Medium
Cron logging must be implemented in OL 8.
2
Rule
Severity: Medium
The OL 8 audit system must audit local events.
2
Rule
Severity: Medium
OL 8 must resolve audit information before writing to disk.
2
Rule
Severity: Medium
OL 8 must have the packages required for offloading audit logs installed.
2
Rule
Severity: Medium
OL 8 must have the packages required for encrypting offloaded audit logs installed.
2
Rule
Severity: Medium
OL 8 must not have the asynchronous transfer mode (ATM) kernel module installed if not required for operational support.
2
Rule
Severity: Medium
OL 8 must not have the Controller Area Network (CAN) kernel module installed if not required for operational support.
2
Rule
Severity: Medium
OL 8 must not have the stream control transmission protocol (SCTP) kernel module installed if not required for operational support.
2
Rule
Severity: High
The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 8.
2
Rule
Severity: High
The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed.
2
Rule
Severity: Medium
OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence.
2
Rule
Severity: Low
OL 8 must disable the debug-shell systemd service.
2
Rule
Severity: High
The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for OL 8 operational support.
2
Rule
Severity: High
The root account must be the only account having unrestricted access to the OL 8 system.
2
Rule
Severity: Medium
OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
2
Rule
Severity: Medium
OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
2
Rule
Severity: Medium
OL 8 must not send Internet Control Message Protocol (ICMP) redirects.
2
Rule
Severity: Medium
OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
2
Rule
Severity: Medium
OL 8 must not forward IPv4 source-routed packets.
2
Rule
Severity: Medium
OL 8 must not forward IPv6 source-routed packets.
2
Rule
Severity: Medium
OL 8 must not forward IPv4 source-routed packets by default.
2
Rule
Severity: Medium
OL 8 must not forward IPv6 source-routed packets by default.
2
Rule
Severity: Medium
OL 8 must not enable IPv6 packet forwarding unless the system is a router.
2
Rule
Severity: Medium
OL 8 must not accept router advertisements on all IPv6 interfaces.
2
Rule
Severity: Medium
OL 8 must not accept router advertisements on all IPv6 interfaces by default.
2
Rule
Severity: Medium
OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
2
Rule
Severity: Medium
OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
2
Rule
Severity: Medium
OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
2
Rule
Severity: Medium
OL 8 must disable access to the network "bpf" syscall from unprivileged processes.
2
Rule
Severity: Medium
OL 8 must restrict the use of "ptrace" to descendant processes.
2
Rule
Severity: Medium
OL 8 must restrict exposed kernel pointer addresses access.
2
Rule
Severity: Medium
OL 8 must disable the use of user namespaces.
2
Rule
Severity: Medium
OL 8 must use reverse path filtering on all IPv4 interfaces.
2
Rule
Severity: Medium
OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
2
Rule
Severity: Medium
OL 8 must be configured to prevent unrestricted mail relaying.
2
Rule
Severity: Low
The OL 8 file integrity tool must be configured to verify extended attributes.
2
Rule
Severity: Low
The OL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
2
Rule
Severity: Medium
The graphical display manager must not be installed on OL 8 unless approved.
2
Rule
Severity: Medium
OL 8 network interfaces must not be in promiscuous mode.
2
Rule
Severity: Medium
OL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
2
Rule
Severity: Medium
The OL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
2
Rule
Severity: Medium
If the Trivial File Transfer Protocol (TFTP) server is required, the OL 8 TFTP daemon must be configured to operate in secure mode.
2
Rule
Severity: High
A File Transfer Protocol (FTP) server package must not be installed unless mission essential on OL 8.
2
Rule
Severity: Medium
OL 8 must not have the "gssproxy" package installed if not required for operational support.
2
Rule
Severity: Medium
OL 8 must not have the "iprutils" package installed if not required for operational support.
2
Rule
Severity: Medium
OL 8 must not have the "tuned" package installed if not required for operational support.
2
Rule
Severity: High
The OL 8 operating system must not have accounts configured with blank or null passwords.
2
Rule
Severity: Medium
OL 8 must specify the default "include" directory for the /etc/sudoers file.
2
Rule
Severity: Medium
OL 8 must ensure the password complexity module is enabled in the system-auth file.
2
Rule
Severity: Medium
OL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
2
Rule
Severity: Medium
OL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
2
Rule
Severity: Medium
OL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
2
Rule
Severity: Medium
OL 8 must not enable IPv4 packet forwarding unless the system is a router.
2
Rule
Severity: Medium
The graphical display manager must not be the default target on OL 8 unless approved.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must inspect inbound and outbound SMTP and Extended SMTP communications traffic (if authorized) for protocol compliance and protocol anomalies.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must inspect inbound and outbound FTP and FTPS communications traffic (if authorized) for protocol compliance and protocol anomalies.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must inspect inbound and outbound HTTP traffic (if authorized) for protocol compliance and protocol anomalies.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
2
Rule
Severity: Medium
Administrators in the role of Security Administrator, Cryptographic Administrator, or Audit Administrator must not also have the role of Audit Administrator.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
2
Rule
Severity: Low
The Palo Alto Networks security platform must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
2
Rule
Severity: Low
The Palo Alto Networks security platform must compare internal information system clocks at least every 24 hours with an authoritative time server.
2
Rule
Severity: Low
The Palo Alto Networks security platform must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must accept and verify Personal Identity Verification (PIV) credentials.
1
Rule
Severity: Medium
The Palo Alto Networks security platform must allow the use of a temporary password for system logons with an immediate change to a permanent password.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must employ centrally managed authentication server(s).
2
Rule
Severity: Medium
The Palo Alto Networks security platform must use DoD-approved PKI rather than proprietary or self-signed device certificates.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must not use Password Profiles.
2
Rule
Severity: High
The Palo Alto Networks security platform must not use the default admin account password.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must generate an audit log record when the Data Plane CPU utilization is 100%.
2
Rule
Severity: Medium
Redis Enterprise DBMS must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
2
Rule
Severity: Medium
Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
2
Rule
Severity: Medium
OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.
2
Rule
Severity: Medium
OpenShift must continuously scan components, containers, and images for vulnerabilities.
2
Rule
Severity: Medium
RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
2
Rule
Severity: Low
RHEL 8 must ensure the SSH server uses strong entropy.
2
Rule
Severity: Medium
All accounts installed with the Automation Controller NGINX web server's software and tools must have passwords assigned and default passwords changed.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must be a vendor supported release.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not have unnecessary accounts.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must have cron logging implemented.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.
1
Rule
Severity: Low
The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
1
Rule
Severity: Low
The Red Hat Enterprise Linux operating system must use a separate file system for /var.
1
Rule
Severity: Low
The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.
1
Rule
Severity: Low
The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).
1
Rule
Severity: Low
The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).
1
Rule
Severity: Low
The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
2
Rule
Severity: High
There must be no shosts.equiv files on the RHEL 8 operating system.
2
Rule
Severity: High
There must be no .shosts files on the RHEL 8 operating system.
2
Rule
Severity: Low
RHEL 8 must enable the hardware random number generator entropy gatherer service.
2
Rule
Severity: Medium
The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
2
Rule
Severity: Medium
The RHEL 8 SSH private host key files must have mode 0640 or less permissive.
2
Rule
Severity: Medium
The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
2
Rule
Severity: Medium
The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
2
Rule
Severity: Medium
The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
2
Rule
Severity: Low
RHEL 8 must use a separate file system for /var.
2
Rule
Severity: Low
RHEL 8 must use a separate file system for /var/log.
2
Rule
Severity: Low
RHEL 8 must use a separate file system for the system audit data path.
2
Rule
Severity: Medium
A separate RHEL 8 filesystem must be used for the /tmp directory.
2
Rule
Severity: Medium
The rsyslog service must be running in RHEL 8.
2
Rule
Severity: Medium
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
2
Rule
Severity: Medium
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
2
Rule
Severity: Medium
RHEL 8 must prevent special devices on non-root local partitions.
2
Rule
Severity: Medium
RHEL 8 must prevent code from being executed on file systems that contain user home directories.
2
Rule
Severity: Medium
RHEL 8 must prevent special devices on file systems that are used with removable media.
2
Rule
Severity: Medium
RHEL 8 must prevent code from being executed on file systems that are used with removable media.
2
Rule
Severity: Medium
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
2
Rule
Severity: Medium
RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
2
Rule
Severity: Medium
RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
2
Rule
Severity: Medium
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
2
Rule
Severity: Medium
Local RHEL 8 initialization files must not execute world-writable programs.
2
Rule
Severity: Medium
RHEL 8 must disable kernel dumps unless needed.
2
Rule
Severity: Medium
RHEL 8 must disable the kernel.core_pattern.
2
Rule
Severity: Medium
RHEL 8 must disable acquiring, saving, and processing core dumps.
2
Rule
Severity: Medium
RHEL 8 must disable core dumps for all users.
2
Rule
Severity: Medium
RHEL 8 must disable storing core dumps.
2
Rule
Severity: Medium
RHEL 8 must disable core dump backtraces.
2
Rule
Severity: Medium
For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
2
Rule
Severity: Medium
Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
2
Rule
Severity: Medium
All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
2
Rule
Severity: Medium
All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
2
Rule
Severity: Medium
All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
2
Rule
Severity: Medium
All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
2
Rule
Severity: Medium
All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
2
Rule
Severity: Medium
All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
2
Rule
Severity: Medium
All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
2
Rule
Severity: Medium
All RHEL 8 local initialization files must have mode 0740 or less permissive.
2
Rule
Severity: Medium
All RHEL 8 local files and directories must have a valid owner.
2
Rule
Severity: Medium
All RHEL 8 local files and directories must have a valid group owner.
2
Rule
Severity: Medium
A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
2
Rule
Severity: High
Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
2
Rule
Severity: Medium
RHEL 8 must not allow users to override SSH environment variables.
2
Rule
Severity: Medium
RHEL 8 must ensure the password complexity module is enabled in the password-auth file.
2
Rule
Severity: Medium
RHEL 8 must prevent the use of dictionary words for passwords.
2
Rule
Severity: Medium
RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
2
Rule
Severity: Medium
RHEL 8 must not have unnecessary accounts.
2
Rule
Severity: High
RHEL 8 must not allow accounts configured with blank or null passwords.
2
Rule
Severity: Medium
RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
2
Rule
Severity: Medium
RHEL 8 must set the umask value to 077 for all local interactive user accounts.
2
Rule
Severity: Medium
RHEL 8 must define default permissions for logon and non-logon shells.
2
Rule
Severity: Medium
Cron logging must be implemented in RHEL 8.
2
Rule
Severity: Medium
The RHEL 8 audit system must audit local events.
2
Rule
Severity: Low
RHEL 8 must resolve audit information before writing to disk.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must implement virtual address space randomization.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must enable an application firewall, if available.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not contain .shosts files.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.
1
Rule
Severity: Low
For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
1
Rule
Severity: Medium
Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.
2
Rule
Severity: Medium
RHEL 8 must have the packages required for offloading audit logs installed.
2
Rule
Severity: Medium
RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
2
Rule
Severity: High
The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.
2
Rule
Severity: High
The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
2
Rule
Severity: High
The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
2
Rule
Severity: Medium
The debug-shell systemd service must be disabled on RHEL 8.
2
Rule
Severity: High
The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
2
Rule
Severity: High
The root account must be the only account having unrestricted access to the RHEL 8 system.
2
Rule
Severity: Medium
RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
2
Rule
Severity: Medium
RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
2
Rule
Severity: Medium
RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
2
Rule
Severity: Medium
RHEL 8 must not forward IPv6 source-routed packets.
2
Rule
Severity: Medium
RHEL 8 must not forward IPv6 source-routed packets by default.
2
Rule
Severity: Medium
RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.
2
Rule
Severity: Medium
RHEL 8 must not accept router advertisements on all IPv6 interfaces.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
1
Rule
Severity: High
SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must use a virus scan program.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces.
2
Rule
Severity: Medium
The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt.
2
Rule
Severity: Medium
The SUSE operating system must not be configured to allow blank or null passwords.
4
Rule
Severity: Medium
The SUSE operating system must prevent the use of dictionary words for passwords.
6
Rule
Severity: Medium
The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
2
Rule
Severity: High
The SUSE operating system must not allow unattended or automatic logon via the graphical user interface.
4
Rule
Severity: High
There must be no .shosts files on the SUSE operating system.
4
Rule
Severity: High
There must be no shosts.equiv files on the SUSE operating system.
2
Rule
Severity: Medium
RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
2
Rule
Severity: Medium
RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
2
Rule
Severity: Medium
RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
2
Rule
Severity: Medium
RHEL 8 must disable access to network bpf syscall from unprivileged processes.
2
Rule
Severity: Medium
RHEL 8 must restrict usage of ptrace to descendant processes.
2
Rule
Severity: Medium
RHEL 8 must restrict exposed kernel pointer addresses access.
2
Rule
Severity: Medium
RHEL 8 must disable the use of user namespaces.
2
Rule
Severity: Medium
RHEL 8 must use reverse path filtering on all IPv4 interfaces.
2
Rule
Severity: Medium
RHEL 8 must be configured to prevent unrestricted mail relaying.
2
Rule
Severity: Low
The RHEL 8 file integrity tool must be configured to verify extended attributes.
2
Rule
Severity: Low
The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
2
Rule
Severity: Medium
The graphical display manager must not be installed on RHEL 8 unless approved.
2
Rule
Severity: Medium
RHEL 8 network interfaces must not be in promiscuous mode.
2
Rule
Severity: Medium
RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
2
Rule
Severity: Medium
The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
2
Rule
Severity: Medium
If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
2
Rule
Severity: High
A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
2
Rule
Severity: Medium
The iprutils package must not be installed unless mission essential on RHEL 8.
2
Rule
Severity: Medium
The tuned package must not be installed unless mission essential on RHEL 8.
2
Rule
Severity: Medium
RHEL 8 must restrict privilege elevation to authorized personnel.
2
Rule
Severity: Low
RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
2
Rule
Severity: Medium
The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
2
Rule
Severity: Medium
RHEL 8 must use a separate file system for /var/tmp.
2
Rule
Severity: Medium
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
2
Rule
Severity: Medium
All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
2
Rule
Severity: Medium
RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
2
Rule
Severity: Medium
RHEL 8 must disable the user list at logon for graphical user interfaces.
2
Rule
Severity: High
RHEL 8 must not allow blank or null passwords in the system-auth file.
2
Rule
Severity: High
RHEL 8 must not allow blank or null passwords in the password-auth file.
2
Rule
Severity: Medium
RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
2
Rule
Severity: Medium
RHEL 8 must not forward IPv4 source-routed packets.
2
Rule
Severity: Medium
RHEL 8 must not forward IPv4 source-routed packets by default.
2
Rule
Severity: Medium
RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
2
Rule
Severity: Medium
RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
2
Rule
Severity: Medium
RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.
2
Rule
Severity: High
The RHEL 8 operating system must not have accounts configured with blank or null passwords.
2
Rule
Severity: Medium
RHEL 8 must specify the default "include" directory for the /etc/sudoers file.
2
Rule
Severity: Medium
RHEL 8 must ensure the password complexity module is enabled in the system-auth file.
2
Rule
Severity: Medium
RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
2
Rule
Severity: Medium
RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
2
Rule
Severity: Medium
RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
2
Rule
Severity: Medium
The graphical display manager must not be the default target on RHEL 8 unless approved.
2
Rule
Severity: High
RHEL 9 must be a vendor-supported release.
2
Rule
Severity: Medium
RHEL 9 vendor packaged system security patches and updates must be installed and up to date.
2
Rule
Severity: Medium
The graphical display manager must not be the default target on RHEL 9 unless approved.
2
Rule
Severity: Low
RHEL 9 must enable the hardware random number generator entropy gatherer service.
2
Rule
Severity: High
The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.
2
Rule
Severity: High
The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.
2
Rule
Severity: Medium
RHEL 9 debug-shell systemd service must be disabled.
2
Rule
Severity: Medium
RHEL 9 must disable the ability of systemd to spawn an interactive boot process.
2
Rule
Severity: Medium
RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 /boot/grub2/grub.cfg file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 must disable virtual system calls.
2
Rule
Severity: Medium
RHEL 9 must clear the page allocator to prevent use-after-free attacks.
2
Rule
Severity: Medium
RHEL 9 must prevent the loading of a new kernel for later execution.
2
Rule
Severity: Medium
RHEL 9 must restrict exposed kernel pointer addresses access.
2
Rule
Severity: Medium
RHEL 9 must disable the kernel.core_pattern.
2
Rule
Severity: Medium
RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
2
Rule
Severity: Medium
RHEL 9 must disable access to network bpf system call from nonprivileged processes.
2
Rule
Severity: Medium
RHEL 9 must restrict usage of ptrace to descendant processes.
2
Rule
Severity: Medium
RHEL 9 must disable core dump backtraces.
2
Rule
Severity: Medium
RHEL 9 must disable storing core dumps.
2
Rule
Severity: Medium
RHEL 9 must disable core dumps for all users.
2
Rule
Severity: Medium
RHEL 9 must disable acquiring, saving, and processing core dumps.
2
Rule
Severity: Medium
RHEL 9 must disable the use of user namespaces.
2
Rule
Severity: Medium
The kdump service on RHEL 9 must be disabled.
2
Rule
Severity: Medium
RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.
2
Rule
Severity: High
RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the sendmail package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the gssproxy package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the iprutils package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the tuned package installed.
2
Rule
Severity: High
RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the quagga package installed.
2
Rule
Severity: Medium
A graphical display manager must not be installed on RHEL 9 unless approved.
2
Rule
Severity: Medium
RHEL 9 must have the gnutls-utils package installed.
2
Rule
Severity: Medium
RHEL 9 must have the nss-tools package installed.
2
Rule
Severity: Medium
RHEL 9 must have the rng-tools package installed.
2
Rule
Severity: Medium
A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).
2
Rule
Severity: Medium
RHEL 9 must use a separate file system for /tmp.
2
Rule
Severity: Low
RHEL 9 must use a separate file system for /var.
2
Rule
Severity: Low
RHEL 9 must use a separate file system for /var/log.
2
Rule
Severity: Low
RHEL 9 must use a separate file system for the system audit data path.
2
Rule
Severity: Medium
RHEL 9 must use a separate file system for /var/tmp.
2
Rule
Severity: Medium
RHEL 9 file system automount function must be disabled unless required.
2
Rule
Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
2
Rule
Severity: Medium
RHEL 9 must prevent code from being executed on file systems that contain user home directories.
1
Rule
Severity: Medium
RHEL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
2
Rule
Severity: Medium
RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
2
Rule
Severity: Medium
RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
2
Rule
Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
2
Rule
Severity: Medium
RHEL 9 must prevent code from being executed on file systems that are used with removable media.
2
Rule
Severity: Medium
RHEL 9 must prevent special devices on file systems that are used with removable media.
2
Rule
Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
2
Rule
Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
2
Rule
Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
2
Rule
Severity: Medium
RHEL 9 must prevent special devices on non-root local partitions.
2
Rule
Severity: Medium
RHEL 9 cron configuration directories must have a mode of 0700 or less permissive.
2
Rule
Severity: Medium
All RHEL 9 local initialization files must have mode 0740 or less permissive.
4
Rule
Severity: Low
The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
4
Rule
Severity: Low
The SUSE operating system file integrity tool must be configured to verify extended attributes.
2
Rule
Severity: Medium
The SUSE operating system must disable the file system automounter unless required.
4
Rule
Severity: High
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
4
Rule
Severity: High
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
4
Rule
Severity: Medium
The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
4
Rule
Severity: Medium
The SUSE operating system must not have unnecessary accounts.
2
Rule
Severity: High
The SUSE operating system root account must be the only account having unrestricted access to the system.
4
Rule
Severity: Medium
All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
4
Rule
Severity: Medium
All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
4
Rule
Severity: Medium
All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
4
Rule
Severity: Medium
All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
2
Rule
Severity: Medium
All SUSE operating system local interactive user home directories must be group-owned by the home directory owners primary group.
4
Rule
Severity: Medium
All SUSE operating system local initialization files must have mode 0740 or less permissive.
4
Rule
Severity: Medium
All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.
4
Rule
Severity: Medium
All SUSE operating system local initialization files must not execute world-writable programs.
4
Rule
Severity: Medium
SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
4
Rule
Severity: Medium
SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
4
Rule
Severity: Medium
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
4
Rule
Severity: Medium
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
4
Rule
Severity: Medium
All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
4
Rule
Severity: Medium
SUSE operating system kernel core dumps must be disabled unless needed.
4
Rule
Severity: Low
A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
4
Rule
Severity: Low
The SUSE operating system must use a separate file system for /var.
4
Rule
Severity: Low
The SUSE operating system must use a separate file system for the system audit data path.
4
Rule
Severity: Medium
The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
2
Rule
Severity: Medium
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
4
Rule
Severity: Medium
The SUSE operating system must not disable syscall auditing.
2
Rule
Severity: Medium
All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.
2
Rule
Severity: Medium
RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
2
Rule
Severity: Medium
RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
2
Rule
Severity: Medium
RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
2
Rule
Severity: Medium
RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
2
Rule
Severity: Medium
RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
2
Rule
Severity: Medium
RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
2
Rule
Severity: Medium
RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
2
Rule
Severity: Medium
RHEL 9 /etc/group file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/group file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/group- file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/group- file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/gshadow file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/gshadow file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/gshadow- file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/gshadow- file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/passwd file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/passwd file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/passwd- file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/passwd- file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/shadow file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/shadow file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/shadow- file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 /etc/shadow- file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 cron configuration files directory must be owned by root.
2
Rule
Severity: Medium
RHEL 9 cron configuration files directory must be group-owned by root.
2
Rule
Severity: Medium
All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.
2
Rule
Severity: Medium
All RHEL 9 local files and directories must have a valid group owner.
2
Rule
Severity: Medium
All RHEL 9 local files and directories must have a valid owner.
2
Rule
Severity: Medium
RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
2
Rule
Severity: Medium
RHEL 9 /etc/crontab file must have mode 0600.
2
Rule
Severity: Medium
RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
2
Rule
Severity: Medium
RHEL 9 must have the firewalld package installed.
2
Rule
Severity: Medium
The firewalld service on RHEL 9 must be active.
2
Rule
Severity: Medium
A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
2
Rule
Severity: Medium
RHEL 9 network interfaces must not be in promiscuous mode.
2
Rule
Severity: Medium
RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.
2
Rule
Severity: Medium
RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
1
Rule
Severity: Medium
RHEL 9 must configure a DNS processing mode set be Network Manager.
2
Rule
Severity: Medium
RHEL 9 must not have unauthorized IP tunnels configured.
2
Rule
Severity: Medium
RHEL 9 must be configured to prevent unrestricted mail relaying.
1
Rule
Severity: Medium
If the Trivial File Transfer Protocol (TFTP) server is required, RHEL 9 TFTP daemon must be configured to operate in secure mode.
2
Rule
Severity: Medium
RHEL 9 libreswan package must be installed.
2
Rule
Severity: High
There must be no shosts.equiv files on RHEL 9.
2
Rule
Severity: High
There must be no .shosts files on RHEL 9.
2
Rule
Severity: Medium
RHEL 9 must be configured to use TCP syncookies.
2
Rule
Severity: Medium
RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
2
Rule
Severity: Medium
RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
2
Rule
Severity: Medium
RHEL 9 must log IPv4 packets with impossible addresses.
2
Rule
Severity: Medium
RHEL 9 must log IPv4 packets with impossible addresses by default.
2
Rule
Severity: Medium
RHEL 9 must use reverse path filtering on all IPv4 interfaces.
2
Rule
Severity: Medium
RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
2
Rule
Severity: Medium
RHEL 9 must not forward IPv4 source-routed packets by default.
2
Rule
Severity: Medium
RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.
2
Rule
Severity: Medium
RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
2
Rule
Severity: Medium
RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
2
Rule
Severity: Medium
RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.
2
Rule
Severity: Medium
RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
2
Rule
Severity: Medium
RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.
2
Rule
Severity: Medium
RHEL 9 must not accept router advertisements on all IPv6 interfaces.
2
Rule
Severity: Medium
RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
2
Rule
Severity: Medium
RHEL 9 must not forward IPv6 source-routed packets.
2
Rule
Severity: Medium
RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.
2
Rule
Severity: Medium
RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.
2
Rule
Severity: Medium
RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
2
Rule
Severity: Medium
RHEL 9 must not forward IPv6 source-routed packets by default.
2
Rule
Severity: Medium
RHEL 9 must have the openssh-clients package installed.
2
Rule
Severity: High
The SUSE operating system must not allow automatic logon via SSH.
2
Rule
Severity: Medium
The SUSE operating system must not allow users to override SSH environment variables.
2
Rule
Severity: Medium
The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
4
Rule
Severity: Medium
The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
4
Rule
Severity: Medium
The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
4
Rule
Severity: Medium
The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.
4
Rule
Severity: Medium
The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
2
Rule
Severity: Medium
The SUSE operating system SSH daemon must use privilege separation.
2
Rule
Severity: Medium
The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
4
Rule
Severity: Medium
The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
4
Rule
Severity: Medium
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
4
Rule
Severity: Medium
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
4
Rule
Severity: Medium
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
2
Rule
Severity: Medium
The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
4
Rule
Severity: Medium
The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
4
Rule
Severity: Medium
The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
4
Rule
Severity: Medium
The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
4
Rule
Severity: Medium
The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
4
Rule
Severity: Medium
The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
4
Rule
Severity: Medium
The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
4
Rule
Severity: Medium
The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
2
Rule
Severity: Medium
The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
4
Rule
Severity: Medium
The SUSE operating system must restrict privilege elevation to authorized personnel.
4
Rule
Severity: Medium
The SUSE operating system must not have unnecessary account capabilities.
4
Rule
Severity: Medium
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
4
Rule
Severity: Medium
The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
4
Rule
Severity: Medium
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
4
Rule
Severity: Medium
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
4
Rule
Severity: Medium
The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.
4
Rule
Severity: High
The SUSE operating system must not have accounts configured with blank or null passwords.
2
Rule
Severity: High
RHEL 9 SSHD must not allow blank passwords.
2
Rule
Severity: Medium
RHEL 9 must not permit direct logons to the root account using remote access via SSH.
2
Rule
Severity: Medium
RHEL 9 must not allow a noncertificate trusted host SSH logon to the system.
2
Rule
Severity: Medium
RHEL 9 must not allow users to override SSH environment variables.
2
Rule
Severity: Medium
RHEL 9 SSH server configuration file must be group-owned by root.
2
Rule
Severity: Medium
RHEL 9 SSH server configuration file must be owned by root.
2
Rule
Severity: Medium
RHEL 9 SSH server configuration file must have mode 0600 or less permissive.
2
Rule
Severity: Medium
RHEL 9 SSH private host key files must have mode 0640 or less permissive.
2
Rule
Severity: Medium
RHEL 9 SSH public host key files must have mode 0644 or less permissive.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must not allow GSSAPI authentication.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must not allow Kerberos authentication.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must not allow rhosts authentication.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must not allow known hosts authentication.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must disable remote X connections for interactive users.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
1
Rule
Severity: Medium
RHEL 9 SSH daemon must be configured to use privilege separation.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
2
Rule
Severity: Medium
RHEL 9 must disable the graphical user interface automount function unless required.
2
Rule
Severity: Medium
RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.
2
Rule
Severity: Medium
RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.
2
Rule
Severity: High
RHEL 9 must not allow unattended or automatic logon via the graphical user interface.
2
Rule
Severity: Medium
RHEL 9 effective dconf policy must match the policy keyfiles.
2
Rule
Severity: Medium
RHEL 9 must disable the ability of a user to restart the system from the login screen.
2
Rule
Severity: Medium
RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
2
Rule
Severity: Medium
RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
2
Rule
Severity: Medium
RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
2
Rule
Severity: Medium
RHEL 9 must disable the user list at logon for graphical user interfaces.
1
Rule
Severity: Medium
RHEL 9 must be configured to disable USB mass storage.
2
Rule
Severity: Medium
All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.
2
Rule
Severity: Medium
RHEL 9 must set the umask value to 077 for all local interactive user accounts.
2
Rule
Severity: Medium
RHEL 9 system accounts must not have an interactive login shell.
2
Rule
Severity: Medium
Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory.
2
Rule
Severity: Medium
All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file.
2
Rule
Severity: Medium
All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist.
2
Rule
Severity: Medium
All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
2
Rule
Severity: Medium
RHEL 9 must not have unauthorized accounts.
2
Rule
Severity: High
The root account must be the only account having unrestricted access to RHEL 9 system.
2
Rule
Severity: Medium
Local RHEL 9 initialization files must not execute world-writable programs.
2
Rule
Severity: Medium
RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
2
Rule
Severity: Medium
RHEL 9 must define default permissions for the bash shell.
2
Rule
Severity: Medium
RHEL 9 must define default permissions for the c shell.
2
Rule
Severity: Medium
RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
2
Rule
Severity: Medium
RHEL 9 must define default permissions for the system default profile.
2
Rule
Severity: Low
RHEL 9 must display the date and time of the last successful account logon upon logon.
2
Rule
Severity: Medium
RHEL 9 must have policycoreutils package installed.
2
Rule
Severity: Medium
RHEL 9 policycoreutils-python-utils package must be installed.
2
Rule
Severity: Medium
RHEL 9 must use the invoking user's password for privilege escalation when using "sudo".
2
Rule
Severity: Medium
RHEL 9 must restrict privilege elevation to authorized personnel.
2
Rule
Severity: High
RHEL 9 must not allow blank or null passwords.
1
Rule
Severity: Medium
RHEL 9 must ensure the password complexity module is enabled in the password-auth file.
2
Rule
Severity: Medium
RHEL 9 must ensure the password complexity module is enabled in the system-auth file.
1
Rule
Severity: Medium
RHEL 9 must enforce password complexity rules for the root account.
2
Rule
Severity: Medium
RHEL 9 must prevent the use of dictionary words for passwords.
2
Rule
Severity: Medium
RHEL 9 must not have accounts configured with blank or null passwords.
2
Rule
Severity: Medium
RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
2
Rule
Severity: Low
RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
2
Rule
Severity: Low
RHEL 9 must be configured so that the file integrity tool verifies extended attributes.
2
Rule
Severity: Medium
RHEL 9 must have the rsyslog package installed.
2
Rule
Severity: Medium
RHEL 9 must have the packages required for encrypting offloaded audit logs installed.
2
Rule
Severity: Medium
The rsyslog service on RHEL 9 must be active.
2
Rule
Severity: Medium
RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
2
Rule
Severity: Medium
RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.
2
Rule
Severity: Medium
RHEL 9 must use cron logging.
2
Rule
Severity: Medium
RHEL 9 audit system must audit local events.
2
Rule
Severity: Medium
RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.
2
Rule
Severity: Medium
RHEL 9 must write audit records to disk.
2
Rule
Severity: High
The SUSE operating system root account must be the only account with unrestricted access to the system.
2
Rule
Severity: Medium
The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
2
Rule
Severity: High
The SUSE operating system must not be configured to allow blank or null passwords.
2
Rule
Severity: High
The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.
2
Rule
Severity: Medium
All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
2
Rule
Severity: High
The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI).
2
Rule
Severity: High
The SUSE operating system must not allow unattended or automatic logon via SSH.
4
Rule
Severity: Medium
The audit system must be configured to audit file deletions.
4
Rule
Severity: Medium
The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
4
Rule
Severity: Medium
The audit system must be configured to audit all administrative, privileged, and security actions.
4
Rule
Severity: Low
The audit system must be configured to audit failed attempts to access files and programs.
4
Rule
Severity: Low
The auditing system must not define a different auditing level for specific users.
4
Rule
Severity: Medium
The System packages must be up to date with the most recent vendor updates and security fixes.
4
Rule
Severity: Low
The finger daemon package must not be installed.
4
Rule
Severity: Medium
The legacy remote network access utilities daemons must not be installed.
4
Rule
Severity: High
The NIS package must not be installed.
4
Rule
Severity: Low
The pidgin IM client package must not be installed.
4
Rule
Severity: High
The FTP daemon must not be installed unless required.
4
Rule
Severity: High
The TFTP service daemon must not be installed unless required.
4
Rule
Severity: High
The telnet service daemon must not be installed unless required.
4
Rule
Severity: Low
The UUCP service daemon must not be installed unless required.
4
Rule
Severity: Medium
The rpcbind service must be configured for local only services unless organizationally defined.
4
Rule
Severity: Medium
The VNC server package must not be installed unless required.
4
Rule
Severity: Medium
All run control scripts must have mode 0755 or less permissive.
4
Rule
Severity: Medium
All run control scripts must have no extended ACLs.
4
Rule
Severity: Medium
Run control scripts executable search paths must contain only authorized paths.
4
Rule
Severity: Medium
Run control scripts library search paths must contain only authorized paths.
4
Rule
Severity: Medium
Run control scripts lists of preloaded libraries must contain only authorized paths.
4
Rule
Severity: Medium
Run control scripts must not execute world writable programs or scripts.
4
Rule
Severity: Medium
All system start-up files must be owned by root.
4
Rule
Severity: Medium
All system start-up files must be group-owned by root, sys, or bin.
4
Rule
Severity: Medium
System start-up files must only execute programs owned by a privileged UID or an application.
4
Rule
Severity: Medium
Any X Windows host must write .Xauthority files.
4
Rule
Severity: Medium
All .Xauthority files must have mode 0600 or less permissive.
4
Rule
Severity: Medium
The .Xauthority files must not have extended ACLs.
4
Rule
Severity: High
X displays must not be exported to the world.
4
Rule
Severity: Medium
.Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
4
Rule
Severity: Medium
The .Xauthority utility must only permit access to authorized hosts.
4
Rule
Severity: Medium
X Window System connections that are not required must be disabled.
4
Rule
Severity: Medium
The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.
4
Rule
Severity: Low
Generic Security Services (GSS) must be disabled.
4
Rule
Severity: Low
Systems services that are not required must be disabled.
4
Rule
Severity: Medium
TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.
4
Rule
Severity: Low
The system must require passwords to contain no more than three consecutive repeating characters.
4
Rule
Severity: Medium
The system must not have accounts configured with blank or null passwords.
4
Rule
Severity: Medium
The delay between login prompts following a failed login attempt must be at least 4 seconds.
4
Rule
Severity: Medium
The system must prevent the use of dictionary words for passwords.
4
Rule
Severity: Medium
The default umask for system and users must be 077.
4
Rule
Severity: Low
The default umask for FTP users must be 077.
4
Rule
Severity: Low
The value mesg n must be configured as the default setting for all users.
4
Rule
Severity: Medium
Login services for serial ports must be disabled.
2
Rule
Severity: Medium
Access to a domain console via telnet must be restricted to the local host.
2
Rule
Severity: Medium
Access to a logical domain console must be restricted to authorized users.
4
Rule
Severity: Medium
The nobody access for RPC encryption key storage service must be disabled.
4
Rule
Severity: Medium
X11 forwarding for SSH must be disabled.
4
Rule
Severity: Low
Consecutive login attempts for SSH must be limited to 3.
4
Rule
Severity: Medium
The rhost-based authentication for SSH must be disabled.
4
Rule
Severity: Medium
Direct root account login must not be permitted for SSH access.
4
Rule
Severity: High
Login must not be permitted with empty/null passwords for SSH.
4
Rule
Severity: Medium
Host-based authentication for login-based services must be disabled.
4
Rule
Severity: Medium
The use of FTP must be restricted.
4
Rule
Severity: High
The system must not allow autologin capabilities from the GNOME desktop.
4
Rule
Severity: Medium
Unauthorized use of the at or cron capabilities must not be permitted.
4
Rule
Severity: Medium
Logins to the root account must be restricted to the system console only.
4
Rule
Severity: High
The operating system must not allow logins for users with blank passwords.
4
Rule
Severity: Medium
The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
4
Rule
Severity: Low
The system must disable directed broadcast packet forwarding.
4
Rule
Severity: Low
The system must not respond to ICMP timestamp requests.
4
Rule
Severity: Low
The system must not respond to ICMP broadcast timestamp requests.
4
Rule
Severity: Low
The system must not respond to ICMP broadcast netmask requests.
4
Rule
Severity: Medium
The system must not respond to broadcast ICMP echo requests.
4
Rule
Severity: Low
The system must not respond to multicast echo requests.
4
Rule
Severity: Low
The system must ignore ICMP redirect messages.
4
Rule
Severity: Medium
The system must set strict multihoming.
4
Rule
Severity: Low
The system must disable ICMP redirect messages.
4
Rule
Severity: Low
The system must disable TCP reverse IP source routing.
4
Rule
Severity: Medium
The system must set maximum number of half-open TCP connections to 4096.
4
Rule
Severity: Low
The system must set maximum number of incoming connections to 1024.
4
Rule
Severity: Medium
The system must disable network routing unless required.
4
Rule
Severity: Low
The system must implement TCP Wrappers.
4
Rule
Severity: Medium
The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
4
Rule
Severity: Low
The system must prevent local applications from generating source-routed packets.
4
Rule
Severity: Medium
The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.
4
Rule
Severity: Medium
The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
4
Rule
Severity: Medium
The sticky bit must be set on all world writable directories.
4
Rule
Severity: Medium
Permissions on user home directories must be 750 or less permissive.
4
Rule
Severity: Medium
Permissions on user . (hidden) files must be 750 or less permissive.
4
Rule
Severity: Medium
Permissions on user .netrc files must be 750 or less permissive.
4
Rule
Severity: High
There must be no user .rhosts files.
4
Rule
Severity: Medium
Groups assigned to users must exist in the /etc/group file.
4
Rule
Severity: Low
Users must have a valid home directory assignment.
4
Rule
Severity: Low
All user accounts must be configured to use a home directory that exists.
4
Rule
Severity: Medium
All home directories must be owned by the respective user assigned to it in /etc/passwd.
4
Rule
Severity: Medium
Duplicate Group IDs (GIDs) must not exist for multiple groups.
4
Rule
Severity: Medium
Reserved UIDs 0-99 must only be used by system accounts.
4
Rule
Severity: Medium
Duplicate user names must not exist.
4
Rule
Severity: Medium
Duplicate group names must not exist.
4
Rule
Severity: Medium
User .netrc files must not exist.
4
Rule
Severity: Medium
The system must not allow users to configure .forward files.
4
Rule
Severity: Medium
World-writable files must not exist.
4
Rule
Severity: Low
All valid SUID/SGID files must be documented.
4
Rule
Severity: Medium
The operating system must have no unowned files.
4
Rule
Severity: Low
The operating system must have no files with extended attributes.
4
Rule
Severity: Medium
The root account must be the only account with GID of 0.
4
Rule
Severity: Medium
The operator must document all file system objects that have non-standard access control list settings.
4
Rule
Severity: High
The operating system must be a supported release.
4
Rule
Severity: Medium
The system must implement non-executable program stacks.
4
Rule
Severity: Low
Address Space Layout Randomization (ASLR) must be enabled.
4
Rule
Severity: Medium
Process core dumps must be disabled unless needed.
4
Rule
Severity: Medium
The system must be configured to store any process core dumps in a specific, centralized directory.
4
Rule
Severity: Medium
The centralized process core dump data directory must be owned by root.
4
Rule
Severity: Medium
The centralized process core dump data directory must be group-owned by root, bin, or sys.
4
Rule
Severity: Medium
The centralized process core dump data directory must have mode 0700 or less permissive.
4
Rule
Severity: Medium
Kernel core dumps must be disabled unless needed.
4
Rule
Severity: Medium
The kernel core dump data directory must be owned by root.
4
Rule
Severity: Medium
The kernel core dump data directory must be group-owned by root.
4
Rule
Severity: Medium
The kernel core dump data directory must have mode 0700 or less permissive.
2
Rule
Severity: Low
The system must require passwords to change the boot device settings. (SPARC)
4
Rule
Severity: Medium
The operating system must implement transaction recovery for transaction-based systems.
4
Rule
Severity: High
SNMP communities, users, and passphrases must be changed from the default.
4
Rule
Severity: Medium
A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.
4
Rule
Severity: Medium
Direct logins must not be permitted to shared, default, application, or utility accounts.
4
Rule
Severity: Low
The system must not have any unnecessary accounts.
4
Rule
Severity: Medium
The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
4
Rule
Severity: Medium
The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
4
Rule
Severity: Medium
The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.
4
Rule
Severity: Medium
The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.
4
Rule
Severity: Medium
The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
2
Rule
Severity: Medium
The operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
4
Rule
Severity: Low
All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.
4
Rule
Severity: Low
The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.
4
Rule
Severity: Low
The limitpriv zone option must be set to the vendor default or less permissive.
4
Rule
Severity: Medium
The systems physical devices must not be assigned to non-global zones.
4
Rule
Severity: Low
The audit system must identify in which zone an event occurred.
4
Rule
Severity: Low
The audit system must maintain a central audit trail for all zones.
4
Rule
Severity: Medium
The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
4
Rule
Severity: Medium
The sshd server must bind the X11 forwarding server to the loopback address.
2
Rule
Severity: Medium
Splunk Enterprise must be configured to retain the identity of the original source host or device where the event occurred as part of the log record.
2
Rule
Severity: Medium
Splunk Enterprise must be configured with a report to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
2
Rule
Severity: Medium
Analysis, viewing, and indexing functions, services, and applications used as part of Splunk Enterprise must be configured to comply with DoD-trusted path and access requirements.
1
Rule
Severity: Medium
Samsung Android must have the DoD root and intermediate PKI certificates installed.
1
Rule
Severity: Medium
Samsung Android must be configured to not allow installation of applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);- transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1
Rule
Severity: Medium
Samsung Android must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.
1
Rule
Severity: Low
Samsung Android must be configured to enable Common Criteria (CC) Mode.
1
Rule
Severity: Medium
Samsung Android's Work profile must have the DoD root and intermediate PKI certificates installed.
1
Rule
Severity: Medium
Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);- transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1
Rule
Severity: Medium
Samsung Android's Work profile must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.
1
Rule
Severity: Low
Samsung Android's Work profile must be configured to enable Common Criteria (CC) Mode.
2
Rule
Severity: Low
System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others. (Intel)
2
Rule
Severity: Low
The system must require authentication before allowing modification of the boot devices or menus. Secure the GRUB Menu (Intel).
5
Rule
Severity: Medium
The Samsung Android device must be configured to enable Certificate Revocation List (CRL) status checking.
4
Rule
Severity: Medium
The Samsung Android device must be configured to enforce that Wi-Fi Sharing is disabled.
5
Rule
Severity: Medium
The Samsung Android device work profile must be configured to enforce the system application disable list.
5
Rule
Severity: Low
The Samsung Android device must be configured to disable the use of third-party keyboards.
2
Rule
Severity: Medium
The Samsung Android device must be provisioned as a fully managed device and configured to create a work profile.
2
Rule
Severity: Medium
The Samsung Android device work profile must be configured to disable automatic completion of work space internet browser text input.
3
Rule
Severity: Medium
The Samsung Android device work profile must be configured to disable the autofill services.
2
Rule
Severity: Medium
The VMM must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.
2
Rule
Severity: Medium
The VMM must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
The ESXi host must verify the DCUI.Access list.
1
Rule
Severity: Medium
The ESXi host must verify the exception users list for lockdown mode.
4
Rule
Severity: Medium
The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication.
1
Rule
Severity: Low
The ESXi host Secure Shell (SSH) daemon must not allow authentication using an empty password.
4
Rule
Severity: Medium
The ESXi host Secure Shell (SSH) daemon must not permit user environment settings.
1
Rule
Severity: Medium
The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files.
1
Rule
Severity: Medium
The ESXi host Secure Shell (SSH) daemon must not allow compression or must only allow compression after successful authentication.
4
Rule
Severity: Low
The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports.
1
Rule
Severity: Medium
The ESXi host Secure Shell (SSH) daemon must be configured to not allow X11 forwarding.
4
Rule
Severity: Medium
The ESXi host Secure Shell (SSH) daemon must not permit tunnels.
4
Rule
Severity: Low
The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions.
4
Rule
Severity: Low
The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions.
1
Rule
Severity: Medium
Simple Network Management Protocol (SNMP) must be configured properly on the ESXi host.
1
Rule
Severity: Medium
The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.
4
Rule
Severity: Low
The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing.
4
Rule
Severity: Medium
The ESXi host must configure the firewall to restrict access to services running on the host.
4
Rule
Severity: Medium
The ESXi host must configure the firewall to block network traffic by default.
4
Rule
Severity: Medium
The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
1
Rule
Severity: Medium
All port groups on standard switches must be configured to reject forged transmits.
1
Rule
Severity: High
All port groups on standard switches must be configured to reject guest Media Access Control (MAC) address changes.
1
Rule
Severity: Medium
All port groups on standard switches must be configured to reject guest promiscuous mode requests.
1
Rule
Severity: Medium
Use of the dvFilter network application programming interfaces (APIs) must be restricted.
1
Rule
Severity: Medium
All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN).
1
Rule
Severity: Medium
All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required.
1
Rule
Severity: Medium
All port groups on standard switches must not be configured to virtual local area network (VLAN) values reserved by upstream physical switches.
1
Rule
Severity: Medium
The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.
4
Rule
Severity: High
The ESXi host must have all security patches and updates installed.
1
Rule
Severity: Medium
The ESXi host must enable Secure Boot.
4
Rule
Severity: Medium
The ESXi host must use DOD-approved certificates.
4
Rule
Severity: Medium
The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.
4
Rule
Severity: Medium
The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities.
4
Rule
Severity: Medium
The ESXi host Secure Shell (SSH) daemon must disable port forwarding.
4
Rule
Severity: Medium
The ESXi host OpenSLP service must be disabled.
4
Rule
Severity: Medium
The ESXi host must enable audit logging.
4
Rule
Severity: Medium
The ESXi host must enable strict x509 verification for SSL syslog endpoints.
4
Rule
Severity: Medium
The ESXi host must verify certificates for SSL syslog endpoints.
4
Rule
Severity: Medium
The ESXi host must enable volatile key destruction.
4
Rule
Severity: Medium
The ESXi host must configure a session timeout for the vSphere API.
1
Rule
Severity: Medium
The ESXi Host Client must be configured with a session timeout.
4
Rule
Severity: Medium
The ESXi host must be configured with an appropriate maximum password age.
4
Rule
Severity: Medium
The ESXi host must not be configured to override virtual machine (VM) configurations.
4
Rule
Severity: Medium
The ESXi host must not be configured to override virtual machine (VM) logger settings.
4
Rule
Severity: Medium
The ESXi host must require TPM-based configuration encryption.
4
Rule
Severity: Medium
The ESXi Common Information Model (CIM) service must be disabled.
1
Rule
Severity: Medium
VAMI must force clients to select the most secure cipher.
1
Rule
Severity: Medium
VAMI must disable client-initiated Transport Layer Security (TLS) renegotiation.
1
Rule
Severity: Medium
Performance Charts default servlet must be set to "readonly".
1
Rule
Severity: Medium
ESX Agent Manager default servlet must be set to "readonly".
3
Rule
Severity: Medium
The ESXi host DCUI.Access list must be verified.
3
Rule
Severity: Medium
The ESXi host lockdown mode exception users list must be verified.
3
Rule
Severity: Medium
The ESXi host must disable Simple Network Management Protocol (SNMP) v1 and v2c.
3
Rule
Severity: Medium
The ESXi host must configure virtual switch security policies to reject forged transmits.
3
Rule
Severity: High
The ESXi host must configure virtual switch security policies to reject Media Access Control (MAC) address changes.
3
Rule
Severity: Medium
The ESXi host must configure virtual switch security policies to reject promiscuous mode requests.
3
Rule
Severity: Medium
The ESXi host must restrict use of the dvFilter network application programming interface (API).
3
Rule
Severity: Medium
The ESXi host must restrict the use of Virtual Guest Tagging (VGT) on standard switches.
3
Rule
Severity: Medium
The ESXi host when using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
3
Rule
Severity: Medium
The ESXi host must not use the default Active Directory ESX Admin group.
3
Rule
Severity: Medium
The ESXi host must enforce the exclusive running of executables from approved VIBs.
3
Rule
Severity: Medium
The ESXi host must use sufficient entropy for cryptographic operations.
3
Rule
Severity: Medium
The ESXi host must not enable log filtering.
1
Rule
Severity: Medium
The Photon operating system must use the "pam_cracklib" module.
1
Rule
Severity: Medium
The Photon operating system must set the "FAIL_DELAY" parameter.
4
Rule
Severity: Medium
The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
4
Rule
Severity: Medium
The Photon operating system must ensure audit events are flushed to disk at proper intervals.
4
Rule
Severity: Medium
The Photon operating system must create a home directory for all new local interactive user accounts.
4
Rule
Severity: Medium
The Photon operating system must disable the debug-shell service.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to disable environment processing.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to disable X11 forwarding.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to disallow Kerberos authentication.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to disallow authentication with an empty password.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to disallow compression of the encrypted session stream.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to display the last login immediately after authentication.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to ignore user-specific "known_host" files.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.
1
Rule
Severity: Medium
The Photon operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
1
Rule
Severity: Medium
The Photon operating system must be configured so the "/etc/skel" default scripts are protected from unauthorized modification.
1
Rule
Severity: Medium
The Photon operating system must be configured so the "/root" path is protected from unauthorized access.
1
Rule
Severity: Medium
The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.
1
Rule
Severity: Medium
The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.
1
Rule
Severity: Medium
The Photon operating system must be configured so that all files have a valid owner and group owner.
1
Rule
Severity: Medium
The Photon operating system must be configured so the "/etc/cron.allow" file is protected from unauthorized modification.
1
Rule
Severity: Medium
The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.
1
Rule
Severity: Medium
The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.
4
Rule
Severity: Medium
The Photon operating system must not forward IPv4 or IPv6 source-routed packets.
4
Rule
Severity: Medium
The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
4
Rule
Severity: Medium
The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
4
Rule
Severity: Medium
The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
4
Rule
Severity: Medium
The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
4
Rule
Severity: Medium
The Photon operating system must log IPv4 packets with impossible addresses.
4
Rule
Severity: Medium
The Photon operating system must use a reverse-path filter for IPv4 network traffic.
1
Rule
Severity: Medium
The Photon operating system must not perform multicast packet forwarding.
4
Rule
Severity: Medium
The Photon operating system must not perform IPv4 packet forwarding.
1
Rule
Severity: Medium
The Photon operating system must send Transmission Control Protocol (TCP) timestamps.
4
Rule
Severity: Medium
The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.
1
Rule
Severity: Medium
The Photon operating system must be configured to protect the Secure Shell ( SSH) private host key from unauthorized access.
4
Rule
Severity: Medium
The Photon operating system must enforce password complexity on the root account.
1
Rule
Severity: Medium
The Photon operating system must protect all boot configuration files from unauthorized modification.
1
Rule
Severity: Medium
The Photon operating system must protect sshd configuration from unauthorized access.
1
Rule
Severity: Medium
The Photon operating system must protect all "sysctl" configuration files from unauthorized access.
1
Rule
Severity: Medium
The Photon operating system must set the "umask" parameter correctly.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to disallow HostbasedAuthentication.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to restrict AllowTcpForwarding.
1
Rule
Severity: Medium
The Photon operating system must configure sshd to restrict LoginGraceTime.
1
Rule
Severity: Medium
The Photon operating system must disable systemd fallback Domain Name System (DNS).
4
Rule
Severity: Medium
The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
3
Rule
Severity: Medium
The vCenter Server must disable the distributed virtual switch health check.
4
Rule
Severity: Medium
The vCenter Server must set the distributed port group Forged Transmits policy to "Reject".
4
Rule
Severity: Medium
The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject".
4
Rule
Severity: Medium
The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject".
4
Rule
Severity: Medium
The vCenter Server must only send NetFlow traffic to authorized collectors.
4
Rule
Severity: Medium
The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
4
Rule
Severity: Medium
The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
4
Rule
Severity: Medium
The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.
4
Rule
Severity: Medium
The vCenter Server must configure the "vpxuser" auto-password to be changed every 30 days.
4
Rule
Severity: Medium
The vCenter Server must configure the "vpxuser" password to meet length policy.
3
Rule
Severity: Low
The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.
4
Rule
Severity: Medium
The vCenter Server must use unique service accounts when applications connect to vCenter.
4
Rule
Severity: Medium
The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.
4
Rule
Severity: Medium
The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.
4
Rule
Severity: Medium
The vCenter Server must configure the vSAN Datastore name to a unique name.
3
Rule
Severity: Medium
The vCenter Server must disable Username/Password and Windows Integrated Authentication.
4
Rule
Severity: Medium
The vCenter Server must restrict access to the default roles with cryptographic permissions.
4
Rule
Severity: Medium
The vCenter Server must restrict access to cryptographic permissions.
4
Rule
Severity: Medium
The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.
4
Rule
Severity: Medium
The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
4
Rule
Severity: Medium
The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source.
4
Rule
Severity: Medium
The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group.
4
Rule
Severity: Medium
The vCenter Server must limit membership to the "TrustedAdmins" Single Sign-On (SSO) group.
4
Rule
Severity: Medium
The vCenter server configuration must be backed up on a regular basis.
3
Rule
Severity: Medium
The vCenter server must have task and event retention set to at least 30 days.
3
Rule
Severity: Medium
The vCenter server Native Key Provider must be backed up with a strong password.
3
Rule
Severity: Medium
The vCenter server must require authentication for published content libraries.
3
Rule
Severity: Medium
The vCenter server must enable the OVF security policy for content libraries.
3
Rule
Severity: Medium
The vCenter Server must separate authentication and authorization for administrators.
3
Rule
Severity: Low
The vCenter Server must disable CDP/LLDP on distributed switches.
3
Rule
Severity: Medium
The vCenter Server must remove unauthorized port mirroring sessions on distributed switches.
3
Rule
Severity: Medium
The vCenter Server must not override port group settings at the port level on distributed switches.
3
Rule
Severity: Medium
The vCenter Server must reset port configuration when virtual machines are disconnected.
3
Rule
Severity: Medium
The vCenter Server must disable Secure Shell (SSH) access.
3
Rule
Severity: Medium
The vCenter Server must enable data in transit encryption for vSAN.
1
Rule
Severity: Medium
The Security Token Service default servlet must be set to "readonly".
1
Rule
Severity: Low
The vCenter Server must disable the distributed virtual switch health check.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must enable STRICT_SERVLET_COMPLIANCE.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must disable "ALLOW_BACKSLASH".
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
3
Rule
Severity: Medium
The vCenter Lookup service must enable "STRICT_SERVLET_COMPLIANCE".
3
Rule
Severity: Medium
The vCenter Lookup service must disable "ALLOW_BACKSLASH".
3
Rule
Severity: Medium
The vCenter Lookup service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
1
Rule
Severity: Medium
The vSphere UI default servlet must be set to "readonly".
3
Rule
Severity: Medium
The vCenter Perfcharts service must enable "STRICT_SERVLET_COMPLIANCE".
3
Rule
Severity: Medium
The vCenter Perfcharts service must disable "ALLOW_BACKSLASH".
3
Rule
Severity: Medium
The vCenter Perfcharts service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
1
Rule
Severity: Medium
The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.
1
Rule
Severity: Low
The vCenter Server must disable Username/Password and Windows Integrated Authentication.
1
Rule
Severity: Medium
The vCenter Server must use a limited privilege account when adding a Lightweight Directory Access Protocol (LDAP) identity source.
1
Rule
Severity: Medium
vCenter task and event retention must be set to at least 30 days.
1
Rule
Severity: Medium
vCenter Native Key Providers must be backed up with a strong password.
1
Rule
Severity: Low
Copy operations must be disabled on the virtual machine (VM).
1
Rule
Severity: Low
Drag and drop operations must be disabled on the virtual machine (VM).
1
Rule
Severity: Low
Paste operations must be disabled on the virtual machine (VM).
1
Rule
Severity: Medium
Virtual disk shrinking must be disabled on the virtual machine (VM).
1
Rule
Severity: Medium
Virtual disk wiping must be disabled on the virtual machine (VM).
1
Rule
Severity: Medium
Independent, nonpersistent disks must not be used on the virtual machine (VM).
1
Rule
Severity: Medium
Host Guest File System (HGFS) file transfers must be disabled on the virtual machine (VM).
1
Rule
Severity: Medium
Unauthorized floppy devices must be disconnected on the virtual machine (VM).
1
Rule
Severity: Low
Unauthorized CD/DVD devices must be disconnected on the virtual machine (VM).
1
Rule
Severity: Medium
Unauthorized parallel devices must be disconnected on the virtual machine (VM).
1
Rule
Severity: Medium
Unauthorized serial devices must be disconnected on the virtual machine (VM).
1
Rule
Severity: Medium
Unauthorized USB devices must be disconnected on the virtual machine (VM).
1
Rule
Severity: Medium
Console connection sharing must be limited on the virtual machine (VM).
1
Rule
Severity: Low
Informational messages from the virtual machine to the VMX file must be limited on the virtual machine (VM).
1
Rule
Severity: Medium
Unauthorized removal, connection, and modification of devices must be prevented on the virtual machine (VM).
1
Rule
Severity: Medium
The virtual machine (VM) must not be able to obtain host information from the hypervisor.
1
Rule
Severity: Low
Shared salt values must be disabled on the virtual machine (VM).
1
Rule
Severity: Low
Access to virtual machines (VMs) through the "dvfilter" network Application Programming Interface (API) must be controlled.
1
Rule
Severity: Low
System administrators must use templates to deploy virtual machines (VMs) whenever possible.
1
Rule
Severity: Medium
Use of the virtual machine (VM) console must be minimized.
1
Rule
Severity: Medium
The virtual machine (VM) guest operating system must be locked when the last console connection is closed.
1
Rule
Severity: Low
All 3D features on the virtual machine (VM) must be disabled when not required.
1
Rule
Severity: Medium
Encryption must be enabled for vMotion on the virtual machine (VM).
1
Rule
Severity: Medium
Logging must be enabled on the virtual machine (VM).
1
Rule
Severity: Medium
Log size must be configured properly on the virtual machine (VM).
1
Rule
Severity: Medium
Log retention must be configured properly on the virtual machine (VM).
1
Rule
Severity: Medium
DirectPath I/O must be disabled on the virtual machine (VM) when not required.
1
Rule
Severity: Medium
Encryption must be enabled for Fault Tolerance on the virtual machine (VM).
3
Rule
Severity: Medium
The Photon operating system must prevent the use of dictionary words for passwords.
3
Rule
Severity: Medium
The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt in login.defs.
3
Rule
Severity: Medium
The Photon operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
3
Rule
Severity: High
The Photon operating system must configure Secure Shell (SSH) to disallow HostbasedAuthentication.
3
Rule
Severity: High
The Photon operating system must configure Secure Shell (SSH) to disallow authentication with an empty password.
3
Rule
Severity: High
The Photon operating system must configure Secure Shell (SSH) to disable user environment processing.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to disable X11 forwarding.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to perform strict mode checking of home directory configuration files.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to disallow Kerberos authentication.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to display the last login immediately after authentication.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to limit the number of allowed login attempts per connection.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to restrict AllowTcpForwarding.
3
Rule
Severity: Medium
The Photon operating system must configure Secure Shell (SSH) to restrict LoginGraceTime.
3
Rule
Severity: Medium
The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
3
Rule
Severity: Medium
The Photon operating system must send TCP timestamps.
3
Rule
Severity: Medium
The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.
3
Rule
Severity: Medium
The Photon operating system must disable systemd fallback DNS.
3
Rule
Severity: Medium
The Photon operating system must generate audit records for all access and modifications to the opasswd file.
3
Rule
Severity: Medium
The Photon operating system must enable the rsyslog service.
3
Rule
Severity: Medium
The Photon operating system must enable hardlink access control protection in the kernel.
3
Rule
Severity: Medium
The Photon operating system must restrict core dumps.
3
Rule
Severity: Medium
The vCenter STS service must disable "ALLOW_BACKSLASH".
3
Rule
Severity: Medium
The vCenter STS service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
3
Rule
Severity: Medium
The vCenter UI service must enable "STRICT_SERVLET_COMPLIANCE".
3
Rule
Severity: Medium
The vCenter UI service must disable "ALLOW_BACKSLASH".
3
Rule
Severity: Medium
The vCenter UI service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
2
Rule
Severity: Medium
The vCenter VAMI service must enable honoring the SSL cipher order.
3
Rule
Severity: Medium
The vCenter VAMI service must disable client initiated TLS renegotiation.
3
Rule
Severity: Medium
The vCenter VAMI service must be configured to hide the server type and version in client responses.
3
Rule
Severity: Medium
The vCenter VAMI service must implement HTTP Strict Transport Security (HSTS).
3
Rule
Severity: Medium
The vCenter VAMI service must implement prevent rendering inside a frame or iframe on another site.
3
Rule
Severity: Medium
The vCenter VAMI service must protect against MIME sniffing.
3
Rule
Severity: Medium
The vCenter VAMI service must enable Content Security Policy.
3
Rule
Severity: Low
Virtual machines (VMs) must have drag and drop operations disabled.
3
Rule
Severity: Low
Virtual machines (VMs) must have paste operations disabled.
3
Rule
Severity: Medium
Virtual machines (VMs) must have virtual disk shrinking disabled.
3
Rule
Severity: Medium
Virtual machines (VMs) must have virtual disk wiping disabled.
3
Rule
Severity: Medium
Virtual machines (VMs) must limit console sharing.
3
Rule
Severity: Low
Virtual machines (VMs) must limit informational messages from the virtual machine to the VMX file.
3
Rule
Severity: Medium
Virtual machines (VMs) must prevent unauthorized removal, connection, and modification of devices.
3
Rule
Severity: Medium
Virtual machines (VMs) must not be able to obtain host information from the hypervisor.
3
Rule
Severity: Low
Virtual machines (VMs) must have shared salt values disabled.
3
Rule
Severity: Low
Virtual machines (VMs) must disable access through the "dvfilter" network Application Programming Interface (API).
3
Rule
Severity: Medium
Virtual machines (VMs) must be configured to lock when the last console connection is closed.
3
Rule
Severity: Low
Virtual machines (VMs) must disable 3D features when not required.
3
Rule
Severity: Medium
Virtual machines (VMs) must enable encryption for vMotion.
3
Rule
Severity: Medium
Virtual machines (VMs) must enable encryption for Fault Tolerance.
3
Rule
Severity: Medium
Virtual machines (VMs) must configure log size.
3
Rule
Severity: Medium
Virtual machines (VMs) must configure log retention.
3
Rule
Severity: Medium
Virtual machines (VMs) must enable logging.
3
Rule
Severity: Medium
Virtual machines (VMs) must not use independent, nonpersistent disks.
3
Rule
Severity: Medium
Virtual machines (VMs) must remove unneeded floppy devices.
3
Rule
Severity: Low
Virtual machines (VMs) must remove unneeded CD/DVD devices.
3
Rule
Severity: Medium
Virtual machines (VMs) must remove unneeded parallel devices.
3
Rule
Severity: Medium
Virtual machines (VMs) must remove unneeded serial devices.
3
Rule
Severity: Medium
Virtual machines (VMs) must remove unneeded USB devices.
3
Rule
Severity: Medium
Virtual machines (VMs) must disable DirectPath I/O devices when not required.
2
Rule
Severity: Medium
The web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to not allow passwords that include more than four repeating or sequential characters.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, EMM server, mobile application store].
1
Rule
Severity: Medium
Zebra Android 11 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
1
Rule
Severity: Medium
Zebra Android 11 allow list must be configured to not include applications with the following characteristics:
- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);
- transmit MD diagnostic data to non-DoD servers;
- voice assistant application if available when MD is locked;
- voice dialing application if available when MD is locked;
- allows synchronization of data or applications between devices associated with user; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1
Rule
Severity: Low
Zebra Android 11 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), HandsFree Profile (HFP), and Serial Port Profile (SPP).
1
Rule
Severity: Medium
Zebra Android 11 must be configured to not display the following (work profile) notifications when the device is locked: [selection:
- email notifications
- calendar appointments
- contact associated with phone call notification
- text message notification
- other application-based notifications
- all notifications].
1
Rule
Severity: Medium
Zebra Android 11 must be configured to disable trust agents.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to disable multi-user modes.
1
Rule
Severity: Low
Zebra Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to enable audit logging.
1
Rule
Severity: Medium
Zebra Android 11 users must complete required training.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to enforce that Wi-Fi Sharing is disabled.
1
Rule
Severity: Medium
Zebra Android 11 must have the DoD root and intermediate PKI certificates installed.
1
Rule
Severity: Medium
Zebra Android 11 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.
1
Rule
Severity: Medium
Zebra Android 11 work profile must be configured to enforce the system application disable list.
1
Rule
Severity: Medium
Zebra Android 11 work profile must be configured to disable automatic completion of work space internet browser text input.
1
Rule
Severity: Medium
Zebra Android 11 Work Profile must be configured to disable the autofill services.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to disallow configuration of date and time.
1
Rule
Severity: High
Zebra Android 11 devices must have the latest available Zebra Android 11 operating system installed.
1
Rule
Severity: Low
Zebra Android 11 devices must be configured to disable the use of third-party keyboards.
1
Rule
Severity: Low
Zebra Android 11 devices must be configured to enable Common Criteria Mode (CC Mode).
6
Rule
Severity: Medium
CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.
2
Rule
Severity: Medium
CICS startup JCL statement is not specified in accordance with the proper security requirements.
2
Rule
Severity: Medium
Key ACF2/CICS parameters must be properly coded.
2
Rule
Severity: Medium
Sensitive CICS transactions are not protected in accordance with the proper security requirements.
6
Rule
Severity: Medium
Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF).
2
Rule
Severity: Medium
The Windows DNS Server must be configured to record who added/modified/deleted DNS zone information.
2
Rule
Severity: Medium
The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity.
2
Rule
Severity: Medium
The "Manage auditing and security log" user right must be assigned only to authorized personnel.
2
Rule
Severity: Medium
The Windows DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
2
Rule
Severity: Medium
Forwarders on an authoritative Windows DNS Server, if enabled for external resolution, must forward only to an internal, non-Active Directory (AD)-integrated DNS server or to the DOD Enterprise Recursive Services (ERS).
2
Rule
Severity: High
The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
1
Rule
Severity: Medium
The EDB Postgres Advanced Server password file must not be used.
1
Rule
Severity: Medium
The EDB Postgres Advanced Server must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
2
Rule
Severity: High
The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
2
Rule
Severity: High
The Windows DNS Server must be configured to enable DNSSEC Resource Records (RRs).
2
Rule
Severity: Medium
The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
2
Rule
Severity: Medium
In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
2
Rule
Severity: Medium
The Windows DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows DNS Server service account and/or the DNS database administrator.
2
Rule
Severity: Medium
The Windows DNS Server must implement internal/external role separation.
2
Rule
Severity: Medium
The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
2
Rule
Severity: Medium
The Windows DNS Servers zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
2
Rule
Severity: Medium
The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
2
Rule
Severity: Medium
Nonroutable IPv6 link-local scope addresses must not be configured in any zone.
1
Rule
Severity: Medium
AAAA addresses must not be configured in a zone for hosts that are not IPv6 aware.
2
Rule
Severity: Medium
The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
2
Rule
Severity: Medium
The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed.
2
Rule
Severity: Medium
The Windows DNS Server's IP address must be statically defined and configured locally on the server.
2
Rule
Severity: Medium
The Windows DNS Server must return data information in response to internal name/address resolution queries.
2
Rule
Severity: Medium
The Windows DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
2
Rule
Severity: Medium
The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality.
2
Rule
Severity: Medium
The Windows DNS Server must, when a component failure is detected, activate a notification to the system administrator.
2
Rule
Severity: Medium
The private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
2
Rule
Severity: Medium
Control options for the Top Secret CICS facilities must meet minimum requirements.
1
Rule
Severity: Medium
The BIG-IP APM module access policy profile must be configured to display an explicit logoff message to users, indicating the reliable termination of authenticated communications sessions when disconnecting from virtual servers.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to enforce organization-defined role-based access control policies over defined subjects and objects.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to employ automated mechanisms to centrally manage authentication settings.
1
Rule
Severity: Low
The BIG-IP appliance must create backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to create backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to obtain its public key certificates from an appropriate certificate policy through a DoD-approved service provider.
1
Rule
Severity: Medium
The F5 BIG-IP must ensure SSH is disabled for root user logon to prevent remote access using the root account.
1
Rule
Severity: Medium
The BIG-IP appliance must provide automated support for account management functions.
1
Rule
Severity: Medium
The BIG-IP appliance must automatically remove or disable temporary user accounts after 72 hours.
1
Rule
Severity: Medium
The BIG-IP appliance must automatically disable accounts after a 35-day period of account inactivity.
1
Rule
Severity: Medium
Upon successful logon, the BIG-IP appliance must be configured to notify the administrator of the date and time of the last logon.
1
Rule
Severity: Medium
Upon successful logon, the BIG-IP appliance must be configured to notify the administrator of the number of unsuccessful logon attempts since the last successful logon.
1
Rule
Severity: Low
The BIG-IP appliance must be configured to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to protect audit information from any type of unauthorized read access.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to use NIAP evaluated cryptographic mechanisms to protect the integrity of audit information at rest.
1
Rule
Severity: High
The BIG-IP appliance must be configured to uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to prohibit password reuse for a minimum of five generations.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to enforce 24 hours/1 day as the minimum password lifetime.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to enforce a 60-day maximum password lifetime restriction.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to automatically remove or disable emergency accounts after 72 hours.
1
Rule
Severity: Medium
The application must be configured to reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are created.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are modified.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are disabled.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are removed.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to generate an immediate alert for account-enabling actions.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to transmit access authorization information using approved security safeguards to authorized information systems that enforce access control decisions.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
1
Rule
Severity: Low
The BIG-IP appliance must be configured to notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the date and time of the last logon (access).
1
Rule
Severity: Low
The BIG-IP appliance must be configured to generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to implement automated security responses if baseline configurations are changed in an unauthorized manner.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to dynamically manage user accounts.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to allow the use of a temporary password for system logons with an immediate change to a permanent password.
1
Rule
Severity: Low
The BIG-IP appliance must be configured to notify the administrator of the number of successful logon attempts occurring during an organization-defined time period.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW with CJCSM 6510.01B.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to employ automated mechanisms to centrally apply authentication settings.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to employ automated mechanisms to centrally verify authentication settings.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to employ automated mechanisms to assist in the tracking of security incidents.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to inspect for protocol compliance and protocol anomalies in inbound SMTP and Extended SMTP communications traffic to virtual servers.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to inspect for protocol compliance and protocol anomalies in inbound FTP and FTPS communications traffic to virtual servers.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to inspect for protocol compliance and protocol anomalies in inbound HTTP and HTTPS traffic to virtual servers.
1
Rule
Severity: Medium
The BIG-IP Core implementation must automatically terminate a user session for a user connected to virtual servers when organization-defined conditions or trigger events occur that require a session disconnect.
1
Rule
Severity: Medium
The BIG-IP Core must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions when providing access to virtual servers.
8
Rule
Severity: Low
Uninstall 389-ds-base Package
2
Rule
Severity: Medium
NetworkManager DNS Mode Must Be Must Configured
2
Rule
Severity: Medium
Verify Group Who Owns cron.deny
2
Rule
Severity: Medium
Verify Owner on cron.deny
1
Rule
Severity: Medium
The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
1
Rule
Severity: Medium
The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the BYOAD access to DOD information and IT resources.
1
Rule
Severity: Medium
The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured to detect if the BYOAD native security controls are disabled.
1
Rule
Severity: Medium
The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured to detect if known malicious, blocked, or prohibited applications are installed on the BYOAD (DOD-managed segment only).
1
Rule
Severity: Medium
The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured to detect if the BYOAD is configured to access nonapproved third-party applications stores (DOD-managed segment only).
1
Rule
Severity: Medium
The EMM detection/monitoring system must use continuous monitoring of enrolled iOS/iPadOS 17 BYOAD.
1
Rule
Severity: Medium
The iOS/iPadOS 17 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects native security controls are disabled.
1
Rule
Severity: Medium
The iOS/iPadOS 17 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects the BYOAD device has known malicious, blocked, or prohibited applications or is configured to access nonapproved managed third-party applications stores.
1
Rule
Severity: Medium
The iOS/iPadOS 17 BYOAD must be configured so that managed data and apps are removed if the device is no longer receiving security or software updates.
1
Rule
Severity: Low
The iOS/iPadOS 17 BYOAD must be configured to protect users' privacy, personal information, and applications.
1
Rule
Severity: Low
The EMM system supporting the iOS/iPadOS 17 BYOAD must be configured to only wipe managed data and apps and not unmanaged data and apps when the user's access is revoked or terminated, the user no longer has the need to access DOD data or IT, or the user reports a registered device as lost, stolen, or showing indicators of compromise.
1
Rule
Severity: High
The EMM system supporting the iOS/iPadOS 17 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an approved Exception to Policy (E2P).
1
Rule
Severity: Medium
Apple iOS/iPadOS 17 allow list must be configured to not include applications with the following characteristics:
- backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- transmits MD diagnostic data to non-DOD servers;
- allows synchronization of data or applications between devices associated with user; and
- allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
1
Rule
Severity: Medium
Apple iOS/iPadOS 17 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.
1
Rule
Severity: Low
Apple iOS/iPadOS 17 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
1
Rule
Severity: High
Apple iOS/iPadOS 17 must be configured to enforce a passcode reuse prohibition of at least two generations.
1
Rule
Severity: High
The macOS system must disable unattended or automatic login to the system.
1
Rule
Severity: Medium
The macOS system must secure users' home folders.
1
Rule
Severity: Medium
The macOS system must enable macOS Application Firewall.
1
Rule
Severity: Medium
The macOS system must enforce enrollment in Mobile Device Management (MDM).
1
Rule
Severity: Medium
The macOS system must enable Recovery Lock.
1
Rule
Severity: Medium
The application must allow the use of a temporary password for system logons with an immediate change to a permanent password.
1
Rule
Severity: High
Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must have the "libpam-pwquality" package installed.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must have the "chrony" package installed.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must not have the "systemd-timesyncd" package installed.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must not have the "ntp" package installed.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must have an application firewall enabled.
1
Rule
Severity: High
Ubuntu 22.04 LTS must not allow unattended or automatic login via SSH.
1
Rule
Severity: High
Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.
1
Rule
Severity: High
Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must display the date and time of the last successful account logon upon logon.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must prevent the use of dictionary words for passwords.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must be configured so that when passwords are changed or new passwords are established, pwquality must be used.
1
Rule
Severity: High
Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords.
1
Rule
Severity: High
Ubuntu 22.04 LTS must not have accounts configured with blank or null passwords.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must generate audit records for all events that affect the systemd journal files.
1
Rule
Severity: Low
The Cisco ISE must conduct configuration and operational backups when changes are made or must schedule backups weekly, at a minimum.
1
Rule
Severity: Medium
The Mission owner must obtain Authorizing Official (AO) authorization for each cloud service offering (CSO) implemented in support of production or development environments prior to operational use.
1
Rule
Severity: Medium
The Mission Owner must select and configure an Impact Level 2 FedRAMP authorized cloud service offering (CSO) when hosting unclassified, publicly releasable DOD information.
1
Rule
Severity: High
The Mission Owner must select and configure an Impact Level 4/5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Controlled Unclassified Information (CUI).
1
Rule
Severity: High
The Mission Owner must select and configure an Impact Level 5 cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog when hosting Unclassified National Security Information (U-NSI).
1
Rule
Severity: High
The Mission Owners must select and configure a cloud service offering (CSO) listed in the DISA Provisional Authorization (PA) DOD Cloud Catalog at Level 6 when hosting classified DOD information.
1
Rule
Severity: Medium
The Mission Owner must add all applicable compensating controls and requirements in the Service Level Agreement (SLA)/contract with the cloud service provider (CSP) or third-party provider.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must be configured to apply 802.1Q VLAN tags to signaling and media traffic.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access).
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must provide an explicit indication of current participants in all Videoconference (VC)-based and IP-based online meetings and conferences.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: High
The Enterprise Voice, Video, and Messaging Endpoint must be configured with a firmware release supported by the vendor.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must be configured to dynamically implement configuration file changes.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable any auto answer features.
1
Rule
Severity: Medium
The F5 BIG-IP appliance that provides intermediary services for SMTP must inspect inbound and outbound SMTP and Extended SMTP communications traffic for protocol compliance and protocol anomalies.
1
Rule
Severity: Medium
The F5 BIG-IP appliance that intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
1
Rule
Severity: Medium
The F5 BIG-IP appliance that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
1
Rule
Severity: Medium
The F5 BIG-IP must be configured to identify and authenticate all endpoint devices or peers before establishing a connection.
1
Rule
Severity: Medium
The F5 BIG-IP appliance providing remote access intermediary services must disable split-tunneling for remote clients' VPNs.
1
Rule
Severity: Medium
The F5 BIG-IP appliance providing remote access intermediary services must be configured to route sessions to an IDPS for inspection.
1
Rule
Severity: Medium
The VPN Gateway must use Always On VPN connections for remote computing.
1
Rule
Severity: Medium
The F5 BIG-IP DNS implementation must prohibit recursion on authoritative name servers.
1
Rule
Severity: Medium
The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
1
Rule
Severity: Medium
The F5 BIG-IP DNS must use valid root name servers in the local root zone file.
1
Rule
Severity: High
The digital signature algorithm used for DNSSEC-enabled zones must be set to use RSA/SHA256 or RSA/SHA512.
1
Rule
Severity: Medium
The F5 BIG-IP DNS server implementation must validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) systems.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint user access.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint device access.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to provide an indication of current participants in all calls, meetings, and conferences.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) system components.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to limit and reserve bandwidth based on priority of the traffic type.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use the organization authoritative time source (NTP) to maintain system time.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to use TCP when sending log records to the central audit server.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to restrict itself from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1
Rule
Severity: High
The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to inspect all inbound and outbound traffic at the application layer.
1
Rule
Severity: High
The F5 BIG-IP appliance must be configured to assign appropriate user roles or access levels to authenticated users.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1
Rule
Severity: High
The F5 BIG-IP appliance must be configured to use at least two authentication servers to authenticate administrative users.
1
Rule
Severity: High
The F5 BIG-IP appliance must be running an operating system release that is currently supported by the vendor.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must conduct backups of the configuration at a weekly or organization-defined frequency and store on a separate device.
1
Rule
Severity: High
The F5 BIG-IP appliance IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to apply 802.1Q VLAN tags to signaling and media traffic.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use a voice or video VLAN, separate from all other VLANs.
1
Rule
Severity: Medium
Google Android 14 must be configured to enforce an application installation policy by specifying one or more authorized application repositories.
1
Rule
Severity: Medium
Google Android 14 allowlist must be configured to not include applications with the following characteristics (work profile only):
1. Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services);
2. Transmit MD diagnostic data to non-DOD servers;
3. Voice assistant application if available when MD is locked;
4. Voice dialing application if available when MD is locked;
5. Allows synchronization of data or applications between devices associated with user; and
6. Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers.
7. Apps which backup their own data to a remote system.
1
Rule
Severity: Medium
Google Android 14 must have the DOD root and intermediate PKI certificates installed (work profile only).
1
Rule
Severity: Medium
The Google Android 14 work profile must be configured to enforce the system application disable list (work profile only).
1
Rule
Severity: Medium
Google Android 14 must be provisioned as a BYOAD device (Android work profile for employee-owned devices [BYOD]).
1
Rule
Severity: Medium
Android 14 devices must have the latest available Google Android 14 operating system installed.
1
Rule
Severity: Medium
Android 14 devices must be configured to disable the use of third-party keyboards (work profile only).
1
Rule
Severity: Medium
The Google Android 14 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).
1
Rule
Severity: Medium
The EMM system supporting the Google Android 14 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
1
Rule
Severity: Medium
The EMM system supporting the Google Android 14 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the Google Android 14 BYOAD access to DOD information and IT resources.
1
Rule
Severity: Medium
The EMM system supporting the Google Android 14 BYOAD must be configured to detect if the Google Android 14 BYOAD native security controls are disabled.
1
Rule
Severity: Medium
The EMM system supporting the Google Android 14 BYOAD must be configured to detect if known malicious applications, blocked, or prohibited applications are installed on the Google Android 14 BYOAD (DOD-managed segment only).
1
Rule
Severity: Medium
The EMM detection/monitoring system must use continuous monitoring of enrolled Google Android 14 BYOAD.
1
Rule
Severity: Medium
The Google Android 14 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects that native security controls are disabled.
1
Rule
Severity: Medium
The Google Android 14 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects the Google Android 14 BYOAD device has known malicious, blocked, or prohibited applications, or configured to access nonapproved third-party applications stores in the work profile.
1
Rule
Severity: Medium
The Google Android 14 BYOAD must be configured so that the work profile is removed if the device is no longer receiving security or software updates.
1
Rule
Severity: Medium
The EMM system supporting the Google Android 14 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an Approved Exception to Policy (E2P).
1
Rule
Severity: Medium
The User Agreement must include a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools.
1
Rule
Severity: Medium
The mobile device used for BYOAD must be NIAP validated.
2
Rule
Severity: Medium
Google Android 15 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
2
Rule
Severity: Medium
Google Android 15 users must complete required training.
2
Rule
Severity: Medium
Google Android 15 must be configured to disable Wi-Fi Sharing.
1
Rule
Severity: Medium
Google Android 15 must be configured to enforce a password for Wi-Fi and Bluetooth hotspot, if approved for use by the approving authority (AO). If not approved for use, Wi-Fi and Bluetooth hotspot must be disabled.
2
Rule
Severity: Medium
Google Android 15 must have the DOD root and intermediate PKI certificates installed.
2
Rule
Severity: Medium
The Google Android 15 work profile must be configured to enforce the system application disable list.
2
Rule
Severity: Medium
The Google Android 15 work profile must be configured to disable automatic completion of workspace internet browser text input.
2
Rule
Severity: Medium
The Google Android 15 work profile must be configured to disable the autofill services.
2
Rule
Severity: Medium
Google Android 15 must be configured to disallow configuration of date and time.
2
Rule
Severity: High
Android 15 devices must have the latest available Google Android 15 operating system installed.
2
Rule
Severity: Low
Android 15 devices must be configured to disable the use of third-party keyboards.
1
Rule
Severity: Low
Android 15 devices must be configured to enable Common Criteria Mode (CC Mode).
1
Rule
Severity: Medium
Google Android 15 must be configured to enforce a password for Wi-Fi and Bluetooth hotspot, if approved for use by the authorizing official (AO). If not approved for use, Wi-Fi and Bluetooth hotspot must be disabled.
1
Rule
Severity: Medium
The Google Android 15 work profile must be configured to prevent users from adding personal email accounts to the work email app.
1
Rule
Severity: Medium
Google Android 15 must be provisioned as a fully managed device and configured to create a work profile.
1
Rule
Severity: Low
Android 15 devices must be configured to enable Common Criteria (CC) Mode.
1
Rule
Severity: Medium
Unauthorized partitions must not exist on the system complex.
1
Rule
Severity: High
The Hardware Management Console must be located in a secure location.
1
Rule
Severity: High
The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software.
1
Rule
Severity: High
Connection to the Internet for IBM remote support must be in compliance with the Remote Access STIGs.
1
Rule
Severity: High
Connection to the Internet for IBM remote support must be in compliance with mitigations specified in the Ports and Protocols and Services Management (PPSM) requirements.
1
Rule
Severity: Medium
XFACILIT class, or alternate class if specified in module CKRSITE, must be active.
1
Rule
Severity: Medium
The ISEC7 SPHERE must be configured to leverage the enterprise directory service accounts and groups for ISEC7 SPHERE server admin identification and authentication.
1
Rule
Severity: Medium
The ISEC7 SPHERE must configure the timeout for the console to be 15 minutes or less.
1
Rule
Severity: Medium
The ISEC7 SPHERE, Tomcat installation, and ISEC7 Suite monitor must be configured to use the Windows Trust Store for the storage of digital certificates and keys.
1
Rule
Severity: Medium
The Ivanti EPMM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
1
Rule
Severity: Medium
Sentry must be configured to synchronize internal information system clocks using redundant authoritative time sources.
1
Rule
Severity: Low
Sentry must enforce access restrictions associated with changes to the system components.
1
Rule
Severity: Low
Sentry must be configured to conduct backups of system level information contained in the information system when changes occur.
1
Rule
Severity: Medium
Sentry must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: High
Sentry must be running an operating system release that is currently supported by MobileIron.
1
Rule
Severity: Medium
The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates.
1
Rule
Severity: Low
The Juniper SRX Services Gateway must allow only the information system security manager (ISSM) (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs.
1
Rule
Severity: High
Only required ports must be open on containers in MKE.
1
Rule
Severity: Medium
Vulnerability scanning must be enabled for all repositories in MSR.
1
Rule
Severity: Medium
MongoDB must be configured in accordance with the security configuration settings based on DOD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
1
Rule
Severity: Medium
Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: Continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
1
Rule
Severity: Medium
Windows 11 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: Continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
1
Rule
Severity: Medium
The built-in Microsoft password complexity filter must be enabled.
1
Rule
Severity: Medium
Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
1
Rule
Severity: Medium
Windows 10 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance.
1
Rule
Severity: Medium
Windows 11 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance.
1
Rule
Severity: Medium
Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
1
Rule
Severity: Medium
Windows Server 2019 Kerberos user logon restrictions must be enforced.
1
Rule
Severity: Medium
Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
1
Rule
Severity: Medium
AAAA addresses must not be configured in a zone for hosts that are not dual stack.
1
Rule
Severity: Medium
Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
1
Rule
Severity: Medium
RHEL 9 must configure a DNS processing mode in Network Manager.
1
Rule
Severity: High
SLEM 5 must disable the x86 Ctrl-Alt-Delete key sequence.
1
Rule
Severity: Medium
SLEM 5 kernel core dumps must be disabled unless needed.
1
Rule
Severity: Medium
Vendor-packaged SLEM 5 security patches and updates must be installed and up to date.
1
Rule
Severity: Medium
A separate file system must be used for SLEM 5 user home directories (such as /home or an equivalent).
1
Rule
Severity: Medium
SLEM 5 must use a separate file system for /var.
1
Rule
Severity: Medium
SLEM 5 must use a separate file system for the system audit data path.
1
Rule
Severity: Medium
SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
1
Rule
Severity: Medium
SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
1
Rule
Severity: Medium
SLEM 5 file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
1
Rule
Severity: Medium
SLEM 5 file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
1
Rule
Severity: Medium
All SLEM 5 local interactive user home directories must have mode 750 or less permissive.
1
Rule
Severity: Medium
All SLEM 5 local initialization files must have mode 740 or less permissive.
1
Rule
Severity: Medium
SLEM 5 SSH daemon public host key files must have mode 644 or less permissive.
1
Rule
Severity: Medium
SLEM 5 SSH daemon private host key files must have mode 640 or less permissive.
1
Rule
Severity: Medium
All SLEM 5 files and directories must have a valid owner.
1
Rule
Severity: Medium
All SLEM 5 files and directories must have a valid group owner.
1
Rule
Severity: Medium
All SLEM 5 local interactive user home directories must be group-owned by the home directory owner's primary group.
1
Rule
Severity: Medium
All SLEM 5 world-writable directories must be group-owned by root, sys, bin, or an application group.
1
Rule
Severity: Medium
SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
1
Rule
Severity: Medium
SLEM 5 must not have network interfaces in promiscuous mode unless approved and documented.
1
Rule
Severity: Medium
SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
1
Rule
Severity: Medium
SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
1
Rule
Severity: Medium
SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1
Rule
Severity: Medium
SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
1
Rule
Severity: Medium
SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
1
Rule
Severity: Medium
SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
1
Rule
Severity: Medium
SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
1
Rule
Severity: Medium
SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets.
1
Rule
Severity: Medium
SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
1
Rule
Severity: Medium
SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1
Rule
Severity: Medium
SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
1
Rule
Severity: Medium
SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
1
Rule
Severity: Medium
SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
1
Rule
Severity: High
SLEM 5 must not allow unattended or automatic logon via SSH.
1
Rule
Severity: Medium
SLEM 5 SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
1
Rule
Severity: Medium
SLEM 5 must display the date and time of the last successful account logon upon an SSH logon.
1
Rule
Severity: Medium
SLEM 5 SSH daemon must be configured to not allow authentication using known hosts authentication.
1
Rule
Severity: Medium
SLEM 5 SSH daemon must perform strict mode checking of home directory configuration files.
1
Rule
Severity: High
There must be no .shosts files on SLEM 5.
1
Rule
Severity: High
There must be no shosts.equiv files on SLEM 5.
1
Rule
Severity: High
SLEM 5 must not allow unattended or automatic logon via the graphical user interface (GUI).
1
Rule
Severity: Medium
All SLEM 5 local interactive user accounts, upon creation, must be assigned a home directory.
1
Rule
Severity: Medium
SLEM 5 default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
1
Rule
Severity: Medium
SLEM 5 shadow password suite must be configured to enforce a delay of at least five seconds between logon prompts following a failed logon attempt.
1
Rule
Severity: Medium
All SLEM 5 local interactive users must have a home directory assigned in the /etc/passwd file.
1
Rule
Severity: Medium
All SLEM 5 local interactive user home directories defined in the /etc/passwd file must exist.
1
Rule
Severity: Medium
All SLEM 5 local interactive user initialization files executable search paths must contain only paths that resolve to the users' home directory.
1
Rule
Severity: Medium
All SLEM 5 local initialization files must not execute world-writable programs.
1
Rule
Severity: Medium
SLEM 5 must not have unnecessary accounts.
1
Rule
Severity: Medium
SLEM 5 must not have unnecessary account capabilities.
1
Rule
Severity: High
SLEM 5 root account must be the only account with unrestricted access to the system.
1
Rule
Severity: Medium
SLEM 5 must display the date and time of the last successful account logon upon logon.
1
Rule
Severity: Medium
SLEM 5 must enforce a delay of at least five seconds between logon prompts following a failed logon attempt via pluggable authentication modules (PAM).
1
Rule
Severity: Medium
SLEM 5 must use the invoking user's password for privilege escalation when using "sudo".
1
Rule
Severity: Medium
SLEM 5 must restrict privilege elevation to authorized personnel.
1
Rule
Severity: Medium
SLEM 5 must specify the default "include" directory for the /etc/sudoers file.
1
Rule
Severity: Medium
SLEM 5 must prevent the use of dictionary words for passwords.
1
Rule
Severity: High
SLEM 5 must not be configured to allow blank or null passwords.
1
Rule
Severity: High
SLEM 5 must not have accounts configured with blank or null passwords.
1
Rule
Severity: Medium
SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
1
Rule
Severity: Medium
SLEM 5 file integrity tool must be configured to verify Access Control Lists (ACLs).
1
Rule
Severity: Medium
SLEM 5 file integrity tool must be configured to verify extended attributes.
1
Rule
Severity: Medium
SLEM 5 must not disable syscall auditing.
1
Rule
Severity: Medium
The EMM system supporting the Samsung Android 14 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
1
Rule
Severity: Medium
The EMM system supporting the Samsung Android 14 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the Samsung Android 14 BYOAD access to DOD information and IT resources.
1
Rule
Severity: Medium
The EMM system supporting the Samsung Android 14 BYOAD must be configured to detect if the Samsung Android 14 BYOAD native security controls are disabled.
1
Rule
Severity: Medium
The EMM system supporting the Samsung Android 14 BYOAD must be configured to detect if known malicious applications, blocked, or prohibited applications are installed on the Samsung Android 14 BYOAD (DOD-managed segment only).
1
Rule
Severity: Medium
The EMM detection/monitoring system must use continuous monitoring of enrolled Samsung Android 14 BYOAD.
1
Rule
Severity: Medium
The Samsung Android 14 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects native security controls are disabled.
1
Rule
Severity: Medium
The Samsung Android 14 BYOAD must be configured to either disable access to DOD data and IT systems and user accounts or wipe the work profile if the EMM system detects the Samsung Android 14 BYOAD device has known malicious, blocked, or prohibited applications, or configured to access nonapproved third-party applications stores in the work profile.
1
Rule
Severity: Medium
The Samsung Android 14 BYOAD must be configured so that the work profile is removed if the device is no longer receiving security or software updates.
1
Rule
Severity: High
The EMM system supporting the Samsung Android 14 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an Approved Exception to Policy (E2P).
1
Rule
Severity: Medium
Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers.
- Apps which backup their own data to a remote system.
1
Rule
Severity: Low
Samsung Android 14 must prohibit DOD VPN profiles in the Personal Profile.
1
Rule
Severity: Medium
The Samsung Android device work profile must be configured to disable automatic completion of workspace internet browser text input.
1
Rule
Severity: High
The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
1
Rule
Severity: Medium
The process by which the Solidcore client Command Line Interface (CLI) Access Password is made available to administrators when needed must be documented in the organizations written policy.
1
Rule
Severity: Medium
For TOSS systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
1
Rule
Severity: Medium
The debug-shell systemd service must be disabled on TOSS.
1
Rule
Severity: High
The root account must be the only account having unrestricted access to the TOSS system.
1
Rule
Severity: High
The systemd Ctrl-Alt-Delete burst key sequence in TOSS must be disabled.
1
Rule
Severity: Medium
There must be no ".shosts" files on The TOSS operating system.
1
Rule
Severity: High
TOSS must not allow blank or null passwords in the system-auth file.
1
Rule
Severity: Medium
TOSS must not be performing packet forwarding unless the system is a router.
1
Rule
Severity: Medium
The TOSS SSH daemon must not allow authentication using known host's authentication.
1
Rule
Severity: Medium
The TOSS SSH daemon must not allow compression or must only allow compression after successful authentication.
1
Rule
Severity: Medium
The TOSS SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
1
Rule
Severity: High
TOSS must not allow an unattended or automatic logon to the system.
1
Rule
Severity: Medium
All TOSS local interactive user accounts must be assigned a home directory upon creation.
1
Rule
Severity: Medium
All TOSS local interactive user home directories must be group-owned by the home directory owner's primary group.
1
Rule
Severity: Medium
All TOSS local interactive users must have a home directory assigned in the /etc/passwd file.
1
Rule
Severity: High
The x86 Ctrl-Alt-Delete key sequence in TOSS must be disabled if a graphical user interface is installed.
1
Rule
Severity: Medium
TOSS must disable the user list at logon for graphical user interfaces.
1
Rule
Severity: Medium
TOSS must display the date and time of the last successful account logon upon an SSH logon.
1
Rule
Severity: High
TOSS must not allow accounts configured with blank or null passwords.
1
Rule
Severity: Medium
TOSS must not have unnecessary accounts.
1
Rule
Severity: Medium
TOSS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
1
Rule
Severity: Medium
All TOSS local interactive user home directories must have mode 0770 or less permissive.
1
Rule
Severity: Medium
All TOSS local interactive user home directories must be owned by root.
1
Rule
Severity: Medium
All TOSS local interactive user home directories must be owned by the user's primary group.
1
Rule
Severity: Medium
The auditd service must be running in TOSS.
1
Rule
Severity: Low
TOSS must resolve audit information before writing to disk.
1
Rule
Severity: Medium
TOSS must have the packages required for offloading audit logs installed.
1
Rule
Severity: Medium
TOSS must have the packages required for encrypting offloaded audit logs installed.
1
Rule
Severity: Medium
The NSX Distributed Firewall must be configured to inspect traffic at the application layer.
1
Rule
Severity: Medium
The NSX Distributed Firewall must configure SpoofGuard to restrict it from accepting outbound packets that contain an illegitimate address in the source address.
1
Rule
Severity: High
The NSX Distributed Firewall must configure an IP Discovery profile to disable trust on every use methods.
1
Rule
Severity: Info
The NSX Manager must not provide environment information to third parties.
1
Rule
Severity: Medium
The NSX Manager must be configured to conduct backups on an organizationally defined schedule.
1
Rule
Severity: Medium
The NSX Manager must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
1
Rule
Severity: High
The NSX Manager must be running a release that is currently supported by the vendor.
1
Rule
Severity: Medium
The NSX Manager must disable SSH.
1
Rule
Severity: Medium
The NSX Manager must disable SNMP v2.
1
Rule
Severity: Medium
The NSX Manager must enable the global FIPS compliance mode for load balancers.
1
Rule
Severity: Medium
The NSX Manager must be configured as a cluster.
1
Rule
Severity: Medium
The NSX Managers must be deployed on separate physical hosts.
1
Rule
Severity: Medium
The NSX Tier-0 Gateway Firewall must be configured to send traffic log entries to a central audit server.
1
Rule
Severity: High
The NSX Tier-0 Gateway router must be configured to implement message authentication for all control plane protocols.
1
Rule
Severity: Info
The NSX Tier-0 Gateway router must be configured to use its loopback address as the source address for Internal Border Gateway Protocol (IBGP) peering sessions.
1
Rule
Severity: Info
The NSX Tier-0 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
1
Rule
Severity: High
The NSX Tier-0 Gateway router must be configured to use encryption for border gateway protocol (BGP) routing protocol authentication.
1
Rule
Severity: Medium
TOSS must prevent the use of dictionary words for passwords.
1
Rule
Severity: Medium
TOSS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
1
Rule
Severity: High
A File Transfer Protocol (FTP) server package must not be installed unless mission essential on TOSS.
1
Rule
Severity: Medium
All TOSS local files and directories must have a valid group owner.
1
Rule
Severity: Medium
All TOSS local files and directories must have a valid owner.
1
Rule
Severity: Medium
Cron logging must be implemented in TOSS.
1
Rule
Severity: Medium
If the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode.
1
Rule
Severity: Medium
The graphical display manager must not be installed on TOSS unless approved.
1
Rule
Severity: Low
The TOSS file integrity tool must be configured to verify Access Control Lists (ACLs).
1
Rule
Severity: Low
The TOSS file integrity tool must be configured to verify extended attributes.
1
Rule
Severity: Medium
The TOSS SSH daemon must perform strict mode checking of home directory configuration files.
1
Rule
Severity: Medium
The TOSS SSH private host key files must have mode 0600 or less permissive.
1
Rule
Severity: Medium
The TOSS SSH public host key files must have mode 0644 or less permissive.
1
Rule
Severity: High
The x86 Ctrl-Alt-Delete key sequence must be disabled on TOSS.
1
Rule
Severity: High
TOSS must be a vendor-supported release.
1
Rule
Severity: Medium
TOSS must be configured to prevent unrestricted mail relaying.
1
Rule
Severity: Medium
TOSS must define default permissions for logon and non-logon shells.
1
Rule
Severity: Medium
TOSS must disable access to network bpf syscall from unprivileged processes.
1
Rule
Severity: Medium
TOSS must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
1
Rule
Severity: Medium
TOSS must enable the hardware random number generator entropy gatherer service.
1
Rule
Severity: Low
TOSS must ensure the SSH server uses strong entropy.
1
Rule
Severity: Low
TOSS must have the packages required to use the hardware random number generator entropy gatherer service.
1
Rule
Severity: Medium
TOSS must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
1
Rule
Severity: Medium
TOSS must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
1
Rule
Severity: Medium
TOSS must not accept router advertisements on all IPv6 interfaces by default.
1
Rule
Severity: Medium
TOSS must not accept router advertisements on all IPv6 interfaces.
1
Rule
Severity: High
TOSS must not allow blank or null passwords in the password-auth file.
1
Rule
Severity: Medium
TOSS must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
1
Rule
Severity: Medium
TOSS must not forward IPv4 source-routed packets by default.
1
Rule
Severity: Medium
TOSS must not forward IPv4 source-routed packets.
1
Rule
Severity: Medium
TOSS must not forward IPv6 source-routed packets by default.
1
Rule
Severity: Medium
TOSS must not forward IPv6 source-routed packets.
1
Rule
Severity: Medium
TOSS must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
1
Rule
Severity: Medium
TOSS must not send Internet Control Message Protocol (ICMP) redirects.
1
Rule
Severity: Medium
TOSS must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1
Rule
Severity: Medium
TOSS must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
1
Rule
Severity: Medium
TOSS must restrict exposed kernel pointer addresses access.
1
Rule
Severity: Medium
TOSS must restrict privilege elevation to authorized personnel.
1
Rule
Severity: Medium
TOSS must use reverse path filtering on all IPv4 interfaces.
1
Rule
Severity: Medium
TOSS network interfaces must not be in promiscuous mode.
1
Rule
Severity: Medium
The NSX Tier-1 Gateway firewall must be configured to send traffic log entries to a central audit server.
1
Rule
Severity: Medium
The NSX Tier-1 Gateway firewall must be configured to inspect traffic at the application layer.
1
Rule
Severity: Medium
The ESXi host must disable key persistence.
1
Rule
Severity: Medium
The ESXi host must deny shell access for the dcui account.
1
Rule
Severity: Medium
The ESXi host must disable virtual hardware management network interfaces.
1
Rule
Severity: Info
The NSX Tier-1 Gateway router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
1
Rule
Severity: Medium
The vCenter Server must disable accounts used for Integrated Windows Authentication (IWA).
1
Rule
Severity: Medium
The Photon operating system must not allow empty passwords.
1
Rule
Severity: Medium
All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
1
Rule
Severity: Low
The impact of CPCON changes on the cross-directory authentication configuration must be considered and procedures documented.
1
Rule
Severity: Medium
Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS).
1
Rule
Severity: High
Windows Server hosting Active Directory Certificate Services (AD CS) must enforce Certificate Authority (CA) certificate management approval for certificate requests.
1
Rule
Severity: High
Windows Server running Active Directory Certificate Services (AD CS) must be managed by a PAW tier 0.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must implement the management setting: disable Allow MailDrop.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must implement the management setting: enable USB Restricted Mode.
1
Rule
Severity: Low
Apple iOS/iPadOS 18 must not allow managed apps to write contacts to unmanaged contacts accounts.
1
Rule
Severity: Low
Apple iOS/iPadOS 18 must not allow unmanaged apps to read contacts from managed contacts accounts.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must implement the management setting: disable AirDrop.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must implement the management setting: disable paired Apple Watch.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must implement the management setting: approved Apple Watches must be managed by an MDM.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable "Password AutoFill" in browsers and applications.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable "Allow setting up new nearby devices".
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable password proximity requests.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable password sharing.
1
Rule
Severity: Low
Apple iOS/iPadOS 18 must disable "Find My Friends" in the "Find My" app.
1
Rule
Severity: Medium
The Apple iOS/iPadOS 18 must be supervised by the MDM.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable "Allow network drive access in Files access".
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable connections to Siri servers for the purpose of dictation.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable connections to Siri servers for the purpose of translation.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable copy/paste of data from managed to unmanaged applications.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable the installation of alternative marketplace apps.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable app installation from a website.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable ChatGPT connection for Apple Intelligence.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must disable the download of iOS/iPadOS beta updates.
1
Rule
Severity: Medium
The UEM server must be configured to have at least one user in defined administrator roles.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules