Capacity
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
2
Rule
Severity: Medium
Firefox must be configured to disable the installation of extensions.
1
Rule
Severity: Medium
Firefox autoplay must be disabled.
1
Rule
Severity: Medium
Enabled Firefox Cryptomining protection
1
Rule
Severity: Medium
Disable Firefox deprecated ciphers
2
Rule
Severity: Medium
Firefox must be configured to disable form fill assistance.
1
Rule
Severity: Medium
Disable Firefox Pocket
1
Rule
Severity: Medium
Disable Firefox Studies
2
Rule
Severity: Medium
Firefox must be configured so that DNS over HTTPS is disabled.
2
Rule
Severity: Medium
Firefox encrypted media extensions must be disabled.
1
Rule
Severity: Medium
Enabled Firefox Enhanced Tracking Protection
1
Rule
Severity: Medium
Disabled Firefox Extension Recommendations
2
Rule
Severity: Medium
Firefox must be configured to not automatically update installed add-ons and plugins.
2
Rule
Severity: Medium
Firefox feedback reporting must be disabled.
1
Rule
Severity: Medium
Enabled Firefox Fingerprinting Protection
1
Rule
Severity: Medium
Disable JavaScript's Raise Or Lower Windows Capability
1
Rule
Severity: Medium
Disable JavaScript's Moving Or Resizing Windows Capability
1
Rule
Severity: Medium
Disable Firefox network prediction
2
Rule
Severity: Medium
Firefox must be configured to not delete data upon shutdown.
1
Rule
Severity: Medium
The Firefox New Tab page must not show Top Sites, Sponsored Top sites, Pocket Recommendations, Sponsored Pocket Stories, Searches, Highlights, or Snippets.
2
Rule
Severity: Medium
Firefox must be configured to not use a password store with or without a master password.
1
Rule
Severity: Medium
Enable Firefox Pop-up Blocker
2
Rule
Severity: Medium
Firefox private browsing must be disabled.
2
Rule
Severity: Medium
Firefox search suggestions must be disabled.
1
Rule
Severity: Medium
Disable Installed Search Plugins Update Checking
2
Rule
Severity: Medium
Firefox accounts must be disabled.
1
Rule
Severity: Medium
Disable Firefox Telemetry
2
Rule
Severity: Medium
Firefox must not recommend extensions as the user is using the browser.
8
Rule
Severity: Low
Uninstall abrt-addon-ccpp Package
8
Rule
Severity: Low
Uninstall abrt-addon-kerneloops Package
5
Rule
Severity: Low
Uninstall abrt-addon-python Package
8
Rule
Severity: Low
Uninstall abrt-cli Package
8
Rule
Severity: Low
Uninstall abrt-plugin-logger Package
8
Rule
Severity: Low
Uninstall abrt-plugin-rhtsupport Package
8
Rule
Severity: Low
Uninstall abrt-plugin-sosreport Package
11
Rule
Severity: Medium
Uninstall gssproxy Package
8
Rule
Severity: Low
Uninstall libreport-plugin-logger Package
8
Rule
Severity: Low
Uninstall libreport-plugin-rhtsupport Package
22
Rule
Severity: Medium
Disable SCTP Support
29
Rule
Severity: Low
Disable TIPC Support
29
Rule
Severity: Medium
Disable the uvcvideo module
16
Rule
Severity: Medium
Disable At Service (atd)
11
Rule
Severity: Medium
Disable ATM Support
11
Rule
Severity: Medium
Disable CAN Support
11
Rule
Severity: Low
Disable IEEE 1394 (FireWire) Support
18
Rule
Severity: Low
Disable Mounting of cramfs
8
Rule
Severity: Medium
Uninstall Automatic Bug Reporting Tool (abrt)
5
Rule
Severity: Low
Disable Network Console (netconsole)
13
Rule
Severity: Medium
Disable Odd Job Daemon (oddjobd)
16
Rule
Severity: High
Uninstall vsftpd Package
14
Rule
Severity: Medium
Uninstall Sendmail Package
14
Rule
Severity: High
Uninstall ypserv Package
16
Rule
Severity: High
Uninstall rsh-server Package
15
Rule
Severity: High
Uninstall telnet-server Package
4
Rule
Severity: Low
Uninstall python3-abrt-addon Package
7
Rule
Severity: Low
Enable Kernel Page-Table Isolation (KPTI)
8
Rule
Severity: Low
Disable chrony daemon from acting as server
8
Rule
Severity: Low
Disable network management of chrony daemon
1
Rule
Severity: Medium
Uninstall abrt-libs Package
1
Rule
Severity: Medium
Uninstall abrt-server-info-page Package
1
Rule
Severity: Medium
The A10 Networks ADC must not have unnecessary scripts installed.
1
Rule
Severity: Medium
The A10 Networks ADC must use DNS Proxy mode when Global Server Load Balancing is used.
2
Rule
Severity: Medium
AAA Services must be configured to disable non-essential modules.
1
Rule
Severity: Medium
Adobe Acrobat Pro DC Continuous PDF file attachments must be blocked.
1
Rule
Severity: Low
Adobe Acrobat Pro DC Continuous access to unknown websites must be restricted.
1
Rule
Severity: Low
Adobe Acrobat Pro DC Continuous access to websites must be blocked.
1
Rule
Severity: Medium
Adobe Acrobat Pro DC Continuous must be configured to block Flash Content.
1
Rule
Severity: Medium
The Adobe Acrobat Pro DC Continuous Send and Track plugin for Outlook must be disabled.
1
Rule
Severity: Medium
Adobe Acrobat Pro DC Continuous must disable the ability to store files on Acrobat.com.
1
Rule
Severity: Medium
Adobe Acrobat Pro DC Continuous Cloud Synchronization must be disabled.
1
Rule
Severity: Low
Adobe Acrobat Pro DC Continuous Repair Installation must be disabled.
1
Rule
Severity: Low
Adobe Acrobat Pro DC Continuous third-party web connectors must be disabled.
1
Rule
Severity: Low
Adobe Acrobat Pro DC Continuous Webmail must be disabled.
1
Rule
Severity: Low
The Adobe Acrobat Pro DC Continuous Welcome Screen must be disabled.
1
Rule
Severity: Low
Adobe Acrobat Pro DC Continuous SharePoint and Office365 access must be disabled.
1
Rule
Severity: Low
Adobe Reader DC must disable the Adobe Send and Track plugin for Outlook.
1
Rule
Severity: Medium
Adobe Reader DC must disable all service access to Document Cloud Services.
1
Rule
Severity: Medium
Adobe Reader DC must disable Cloud Synchronization.
1
Rule
Severity: Low
Adobe Reader DC must disable the Adobe Repair Installation.
1
Rule
Severity: Medium
Adobe Reader DC must disable 3rd Party Web Connectors.
1
Rule
Severity: Low
Adobe Reader DC must disable Acrobat Upsell.
1
Rule
Severity: Low
Adobe Reader DC must disable Adobe Send for Signature.
1
Rule
Severity: Medium
Adobe Reader DC must disable access to Webmail.
1
Rule
Severity: Medium
Adobe Reader DC must disable Online SharePoint Access.
1
Rule
Severity: Low
Adobe Reader DC must disable the Adobe Welcome Screen.
1
Rule
Severity: Low
Adobe Reader DC must disable Service Upgrades.
8
Rule
Severity: Medium
The Apache web server must not perform user management for hosted applications.
4
Rule
Severity: Medium
The Apache web server must only contain services and functions necessary for operation.
4
Rule
Severity: Medium
The Apache web server must not be a proxy server.
4
Rule
Severity: High
The Apache web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials.
4
Rule
Severity: High
Apache web server application directories, libraries, and configuration files must only be accessible to privileged users.
8
Rule
Severity: Medium
The Apache web server must have resource mappings set to disable the serving of certain file types.
6
Rule
Severity: Medium
The Apache web server must allow the mappings to unused and vulnerable scripts to be removed.
4
Rule
Severity: Medium
The Apache web server must have Web Distributed Authoring (WebDAV) disabled.
4
Rule
Severity: Medium
Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.
2
Rule
Severity: Medium
The ALG must not have unnecessary services and functions enabled.
2
Rule
Severity: Medium
The ALG must be configured to remove or disable unrelated or unneeded application proxy services.
1
Rule
Severity: Medium
The Arista Multilayer Switch must be configured to disable non-essential capabilities.
2
Rule
Severity: Low
The Arista router must be configured to have all non-essential capabilities disabled.
2
Rule
Severity: Medium
The application server must adhere to the principles of least functionality by providing only essential capabilities.
3
Rule
Severity: Medium
The application must be configured to disable non-essential capabilities.
1
Rule
Severity: Medium
The CA API Gateway must not have unnecessary services and functions enabled.
1
Rule
Severity: Medium
The CA API Gateway must be configured to remove or disable unrelated or unneeded application proxy services.
2
Rule
Severity: Low
The EMPDEMO databases, database objects, and applications must be removed.
2
Rule
Severity: Low
Default demonstration and sample databases, database objects, and applications must be removed.
2
Rule
Severity: Low
IDMS components that cannot be uninstalled must be disabled.
2
Rule
Severity: Medium
The Central Log Server must be configured to disable non-essential capabilities.
1
Rule
Severity: Medium
Citrix Delivery Controller must be configured to disable non-essential capabilities.
1
Rule
Severity: Medium
Delivery Controller must be configured to disable non-essential capabilities.
1
Rule
Severity: Medium
TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
1
Rule
Severity: Medium
LDAP integration in Docker Enterprise must be configured.
1
Rule
Severity: Medium
The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
1
Rule
Severity: Medium
On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used.
1
Rule
Severity: Medium
The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
1
Rule
Severity: Medium
Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
1
Rule
Severity: Medium
The Docker Enterprise self-signed certificates in Universal Control Plane (UCP) must be replaced with DoD trusted, signed certificates.
1
Rule
Severity: Medium
The Docker Enterprise self-signed certificates in Docker Trusted Registry (DTR) must be replaced with DoD trusted, signed certificates.
1
Rule
Severity: Medium
The option in Universal Control Plane (UCP) allowing users and administrators to schedule containers on all nodes, including UCP managers and Docker Trusted Registry (DTR) nodes must be disabled in Docker Enterprise.
1
Rule
Severity: Medium
The Create repository on push option in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
1
Rule
Severity: Medium
Periodic data usage and analytics reporting in Universal Control Plane (UCP) must be disabled in Docker Enterprise.
1
Rule
Severity: Medium
Periodic data usage and analytics reporting in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
1
Rule
Severity: Medium
An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.
1
Rule
Severity: Medium
SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.
1
Rule
Severity: Medium
Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.
1
Rule
Severity: Medium
Privileged Linux containers must not be used for Docker Enterprise.
1
Rule
Severity: Medium
SSH must not run within Linux containers for Docker Enterprise.
1
Rule
Severity: Medium
Only required ports must be open on the containers in Docker Enterprise.
1
Rule
Severity: High
Docker Enterprise hosts network namespace must not be shared.
1
Rule
Severity: Medium
Memory usage for all containers must be limited in Docker Enterprise.
1
Rule
Severity: Low
Docker Enterprise CPU priority must be set appropriately on all containers.
1
Rule
Severity: High
All Docker Enterprise containers root filesystem must be mounted as read only.
1
Rule
Severity: High
Docker Enterprise host devices must not be directly exposed to containers.
1
Rule
Severity: Medium
Mount propagation mode must not set to shared in Docker Enterprise.
1
Rule
Severity: Medium
The Docker Enterprise hosts UTS namespace must not be shared.
1
Rule
Severity: High
The Docker Enterprise default seccomp profile must not be disabled.
1
Rule
Severity: High
Docker Enterprise exec commands must not be used with privileged option.
1
Rule
Severity: Medium
Docker Enterprise exec commands must not be used with the user option.
1
Rule
Severity: Medium
cgroup usage must be confirmed in Docker Enterprise.
1
Rule
Severity: High
All Docker Enterprise containers must be restricted from acquiring additional privileges.
1
Rule
Severity: High
The Docker Enterprise hosts user namespace must not be shared.
1
Rule
Severity: High
The Docker Enterprise socket must not be mounted inside any containers.
2
Rule
Severity: Medium
The firewall must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
1
Rule
Severity: Medium
The FortiGate firewall must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
2
Rule
Severity: Medium
Google Android 12 must be configured to disable developer modes.
4
Rule
Severity: Medium
Google Android 13 must be configured to disable developer modes.
2
Rule
Severity: Medium
The HP FlexFabric Switch must be configured to disable non-essential capabilities.
1
Rule
Severity: High
The storage system in a hardened configuration must be configured to disable the Remote Copy feature, unless needed.
12
Rule
Severity: Medium
Default demonstration and sample databases, database objects, and applications must be removed.
15
Rule
Severity: Medium
Unused database components, DBMS software, and database objects must be removed.
1
Rule
Severity: Medium
Unused database components which are integrated in DB2 and cannot be uninstalled must be disabled.
19
Rule
Severity: Medium
Access to external executables must be disabled or restricted.
1
Rule
Severity: Medium
The IBM Aspera Platform must not have unnecessary services and functions enabled.
1
Rule
Severity: Medium
The WebSphere Application Server process must not be started from the command line with the -password option.
1
Rule
Severity: Medium
The WebSphere Application Server files must be owned by the non-root WebSphere user ID.
1
Rule
Severity: Low
The WebSphere Application Server sample applications must be removed.
1
Rule
Severity: Low
The WebSphere Application Server must remove JREs left by web server and plug-in installers for web servers and plugins running in the DMZ.
1
Rule
Severity: Medium
The WebSphere Application Server must be run as a non-admin user.
1
Rule
Severity: Medium
The WebSphere Application Server must disable JSP class reloading.
1
Rule
Severity: Medium
IBM z/VM must be configured to disable non-essential capabilities.
2
Rule
Severity: Medium
The IDPS must be configured to remove or disable non-essential features, functions, and services of the IDPS application.
2
Rule
Severity: Medium
The IDPS must be configured to remove or disable non-essential capabilities which are not required for operation or not related to IDPS functionality (e.g., DNS, email client or server, FTP server, or web server).
2
Rule
Severity: High
JBoss process owner interactive access must be restricted.
2
Rule
Severity: Medium
Google Analytics must be disabled in EAP Console.
2
Rule
Severity: High
JBoss process owner execution permissions must be limited.
2
Rule
Severity: Medium
JBoss QuickStarts must be removed.
2
Rule
Severity: Medium
Remote access to JMX subsystem must be disabled.
2
Rule
Severity: Low
Welcome Web Application must be disabled.
2
Rule
Severity: Medium
Any unapproved applications must be removed.
2
Rule
Severity: Low
The Juniper router must be configured to have all non-essential capabilities disabled.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway Firewall must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway Firewall must not be configured as an NTP server since providing this network service is unrelated to the role as a firewall.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway Firewall must not be configured as a DNS proxy since providing this network service is unrelated to the role as a Firewall.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway Firewall must not be configured as a DHCP server since providing this network service is unrelated to the role as a Firewall.
1
Rule
Severity: Medium
The layer 2 switch must be configured to disable non-essential capabilities.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
2
Rule
Severity: Medium
The Mainframe Product must be configured to disable non-essential capabilities.
5
Rule
Severity: Medium
The Save commands default file format must be configured.
4
Rule
Severity: Medium
Trust access for VBA must be disallowed.
6
Rule
Severity: Medium
Warning Bar settings for VBA macros must be configured.
13
Rule
Severity: Medium
Warning Bar settings for VBA macros must be configured.
1
Rule
Severity: Medium
The Default file format must be set.
2
Rule
Severity: Medium
Database functionality configurations must be displayed to the user.
1
Rule
Severity: Medium
Microsoft Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to disable developer modes.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to disable trust agents.
Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to disable developer modes.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to disable USB mass storage mode.
1
Rule
Severity: Low
Motorola Solutions Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.
1
Rule
Severity: Medium
Firefox must be configured to not automatically check for updated versions of installed search plugins.
1
Rule
Severity: Medium
Firefox must be configured to block pop-up windows.
1
Rule
Severity: Medium
Firefox must be configured to prevent JavaScript from moving or resizing windows.
1
Rule
Severity: Medium
Firefox must be configured to prevent JavaScript from raising or lowering windows.
1
Rule
Severity: Medium
Background submission of information to Mozilla must be disabled.
1
Rule
Severity: Low
Firefox autoplay must be disabled.
1
Rule
Severity: Medium
Firefox network prediction must be disabled.
1
Rule
Severity: Medium
Firefox fingerprinting protection must be enabled.
1
Rule
Severity: Medium
Firefox cryptomining protection must be enabled.
1
Rule
Severity: Medium
Firefox Enhanced Tracking Protection must be enabled.
1
Rule
Severity: Medium
Firefox extension recommendations must be disabled.
1
Rule
Severity: Medium
Firefox deprecated ciphers must be disabled.
1
Rule
Severity: Medium
The Firefox New Tab page must not show Top Sites, Sponsored Top Sites, Pocket Recommendations, Sponsored Pocket Stories, Searches, Highlights, or Snippets.
1
Rule
Severity: Medium
Pocket must be disabled.
1
Rule
Severity: Medium
Firefox Studies must be disabled.
7
Rule
Severity: Medium
Trust access for VBA must be disallowed.
1
Rule
Severity: Low
The Save commands default file format must be configured.
1
Rule
Severity: Medium
Microsoft Android 11 must be configured to disable trust agents.
Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
2
Rule
Severity: Medium
Azure SQL Database default demonstration and sample databases, database objects, and applications must be removed.
3
Rule
Severity: Medium
Save files default format must be configured.
2
Rule
Severity: Medium
Background processing must be disabled.
2
Rule
Severity: Medium
The ability of sites to show pop-ups must be disabled.
2
Rule
Severity: Medium
The default search provider must be set to use an encrypted connection.
2
Rule
Severity: Low
Data Synchronization must be disabled.
2
Rule
Severity: Medium
Network prediction must be disabled.
4
Rule
Severity: Medium
Search suggestions must be disabled.
2
Rule
Severity: Medium
Importing of autofill form data must be disabled.
2
Rule
Severity: Low
Importing of browser settings must be disabled.
2
Rule
Severity: Medium
Importing of cookies must be disabled.
2
Rule
Severity: Medium
Importing of extensions must be disabled.
2
Rule
Severity: Medium
Importing of browsing history must be disabled.
2
Rule
Severity: Medium
Importing of home page settings must be disabled.
2
Rule
Severity: Medium
Importing of open tabs must be disabled.
2
Rule
Severity: Medium
Importing of payment info must be disabled.
4
Rule
Severity: Medium
Importing of saved passwords must be disabled.
2
Rule
Severity: Medium
Importing of search engine settings must be disabled.
2
Rule
Severity: Medium
Importing of shortcuts must be disabled.
3
Rule
Severity: Medium
Autoplay must be disabled.
4
Rule
Severity: Medium
WebUSB must be disabled.
4
Rule
Severity: Medium
Google Cast must be disabled.
4
Rule
Severity: Medium
Web Bluetooth API must be disabled.
2
Rule
Severity: Medium
Autofill for Credit Cards must be disabled.
2
Rule
Severity: Medium
Autofill for addresses must be disabled.
2
Rule
Severity: Medium
Personalization of ads, search, and news by sending browsing history to Microsoft must be disabled.
2
Rule
Severity: Medium
Site tracking of a user’s location must be disabled.
2
Rule
Severity: Low
Edge development tools must be disabled.
2
Rule
Severity: Low
Download restrictions must be configured.
2
Rule
Severity: Medium
Extensions installation must be blocklisted by default.
2
Rule
Severity: Medium
Site isolation for every site must be enabled.
2
Rule
Severity: Medium
Microsoft Defender SmartScreen must be enabled.
2
Rule
Severity: Medium
Microsoft Defender SmartScreen must be configured to block potentially unwanted apps.
2
Rule
Severity: Low
The download location prompt must be configured.
2
Rule
Severity: Medium
The collections feature must be disabled.
2
Rule
Severity: Medium
The Share Experience feature must be disabled.
2
Rule
Severity: Medium
Guest mode must be disabled.
2
Rule
Severity: Medium
Use of the QUIC protocol must be disabled.
2
Rule
Severity: Low
The list of domains media autoplay allows must be allowlisted if used.
3
Rule
Severity: Medium
The Save commands default file format must be configured.
1
Rule
Severity: Medium
Exchange must have Send Fatal Errors to Microsoft disabled.
5
Rule
Severity: Medium
Exchange must not send Customer Experience reports to Microsoft.
1
Rule
Severity: Medium
Exchange IMAP4 service must be disabled.
1
Rule
Severity: Medium
Exchange POP3 service must be disabled.
1
Rule
Severity: Low
Exchange must have the Public Folder virtual directory removed if not in use by the site.
1
Rule
Severity: Low
Exchange must have the Microsoft Active Sync directory removed.
8
Rule
Severity: Medium
Exchange Send Fatal Errors to Microsoft must be disabled.
1
Rule
Severity: Medium
The Exchange IMAP4 service must be disabled.
1
Rule
Severity: Medium
The Exchange POP3 service must be disabled.
2
Rule
Severity: Medium
The Opt-In Wizard must be disabled.
2
Rule
Severity: Medium
The Customer Experience Improvement Program for Office must be disabled.
2
Rule
Severity: Medium
Automatic receiving of small updates to improve reliability must be disallowed.
2
Rule
Severity: Medium
The Internet Fax Feature must be disabled.
2
Rule
Severity: Medium
Online content options must be configured for offline content availability.
1
Rule
Severity: Medium
The video informing a user about signing into Office365 must be disabled.
1
Rule
Severity: Medium
The first-run prompt to sign into Office365 must be disabled.
1
Rule
Severity: Medium
The ability to sign into Office365 must be disabled.
1
Rule
Severity: Medium
The ability to automatically hyperlink screenshots within Word, PowerPoint, Excel and Outlook must be disabled.
1
Rule
Severity: Medium
The prompt to save to OneDrive (formerly SkyDrive) must be disabled.
1
Rule
Severity: Medium
Office Presentation Service must be removed as an option for presenting PowerPoint and Word online.
1
Rule
Severity: Medium
The Office Feedback tool must be disabled.
1
Rule
Severity: Medium
Roaming settings must be stored locally and not synchronized to the Microsoft Office roaming settings web service.
1
Rule
Severity: Medium
The ability of the Office Telemetry Agent to periodically upload telemetry data to a shared folder must be disabled.
1
Rule
Severity: Medium
The Office Telemetry Agent and Office applications must be configured to collect telemetry data.
2
Rule
Severity: Medium
Folders in non-default stores, set as folder home pages, must be disallowed.
1
Rule
Severity: Medium
Internet calendar integration in Outlook must be disabled.
2
Rule
Severity: Medium
Office Presentation Service must be removed as an option for presenting PowerPoint and Word online.
1
Rule
Severity: Medium
Microsoft passport Service for content must be disallowed.
1
Rule
Severity: Medium
Hyperlinks to web templates in File | New and task panes must be disabled.
1
Rule
Severity: Medium
Office Live Workspace Integration must be off.
1
Rule
Severity: Medium
The use of personal accounts for OneDrive synchronization must be disabled.
1
Rule
Severity: Medium
Do not include Internet Calendar Integration in Outlook must be enforced.
2
Rule
Severity: Medium
RSS feed synchronization with Common Feed List must be disallowed.
2
Rule
Severity: Medium
RSS Feeds must be disallowed.
1
Rule
Severity: Medium
Dragging Unicode eMail messages to file system must be disallowed.
2
Rule
Severity: Medium
User Entries to Server List must be disallowed.
3
Rule
Severity: Medium
Automatically downloading enclosures on RSS must be disallowed.
1
Rule
Severity: Medium
Dragging Unicode email messages to file system must be disallowed.
1
Rule
Severity: Medium
The use of the weather bar in Outlook must be disabled
1
Rule
Severity: Medium
Internet calendar integration in Outlook must be disabled.
1
Rule
Severity: Medium
User Entries to Server List must be disallowed.
1
Rule
Severity: Low
SQL Server default account [sa] must have its name changed.
1
Rule
Severity: Medium
SQL Server must have the publicly available Northwind sample database removed.
1
Rule
Severity: Medium
SQL Server must have the publicly available pubs sample database removed.
1
Rule
Severity: Medium
SQL Server must have the publicly available AdventureWorks sample database removed.
1
Rule
Severity: Medium
SQL Server must have the SQL Server Data Tools (SSDT) software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the SQL Server Reporting Services (SSRS) software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the SQL Server Integration Services (SSIS) software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the SQL Server Analysis Services (SSAS) software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the SQL Server Distributed Replay Client software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the SQL Server Distributed Replay Controller software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the Full-Text Search software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the Master Data Services software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the SQL Server Replication software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the Data Quality Client software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the Data Quality Services software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the Client Tools SDK software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the Management Tools software component removed if it is unused.
1
Rule
Severity: Medium
SQL Server must have the Filestream feature disabled if it is unused.
3
Rule
Severity: Medium
Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.
1
Rule
Severity: Medium
The SQL Server default account [sa] must be disabled.
3
Rule
Severity: Medium
Access to xp_cmdshell must be disabled, unless specifically required and approved.
1
Rule
Severity: Medium
Nutanix AOS must not have the rsh-server package installed.
1
Rule
Severity: Medium
Nutanix AOS must not have the ypserv package installed.
1
Rule
Severity: Medium
Nutanix AOS must not have the telnet-server package installed.
1
Rule
Severity: Medium
OHS must have the LoadModule file_cache_module directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule vhost_alias_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule env_module directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule mime_magic_module directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule negotiation_module directive disabled.
1
Rule
Severity: Low
OHS must not have the LanguagePriority directive enabled.
1
Rule
Severity: Low
OHS must not have the ForceLanguagePriority directive enabled.
1
Rule
Severity: Medium
OHS must have the LoadModule status_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule info_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule include_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule autoindex_module directive disabled.
1
Rule
Severity: Medium
OHS must have the IndexOptions directive disabled.
1
Rule
Severity: Medium
OHS must have the AddIconByEncoding directive disabled.
1
Rule
Severity: Medium
OHS must have the AddIconByType directive disabled.
1
Rule
Severity: Medium
OHS must have the AddIcon directive disabled.
1
Rule
Severity: Medium
OHS must have the DefaultIcon directive disabled.
1
Rule
Severity: Medium
OHS must have the ReadmeName directive disabled.
1
Rule
Severity: Medium
OHS must have the HeaderName directive disabled.
1
Rule
Severity: Medium
OHS must have the IndexIgnore directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule dir_module directive disabled.
1
Rule
Severity: Low
OHS must have the DirectoryIndex directive disabled.
2
Rule
Severity: Medium
OHS must have the LoadModule cgi_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule fastcgi_module disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule cgid_module directive disabled for mpm workers.
1
Rule
Severity: Low
OHS must have the IfModule cgid_module directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule mpm_winnt_module directive disabled.
1
Rule
Severity: Medium
OHS must have the ScriptAlias directive for CGI scripts disabled.
1
Rule
Severity: Medium
OHS must have the ScriptSock directive disabled.
2
Rule
Severity: Medium
OHS must have the cgi-bin directory disabled.
2
Rule
Severity: Medium
OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
1
Rule
Severity: Low
OHS must have the LoadModule asis_module directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule imagemap_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule actions_module directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule speling_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule userdir_module directive disabled.
1
Rule
Severity: Medium
OHS must have the AliasMatch directive pertaining to the OHS manuals disabled.
1
Rule
Severity: Medium
OHS must have the Directory directive pointing to the OHS manuals disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule auth_basic_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule authz_user_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule authn_file_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule authn_anon_module directive disabled.
2
Rule
Severity: Medium
OHS must have the LoadModule proxy_module directive disabled.
2
Rule
Severity: Medium
OHS must have the LoadModule proxy_http_module directive disabled.
2
Rule
Severity: Medium
OHS must have the LoadModule proxy_ftp_module directive disabled.
2
Rule
Severity: Medium
OHS must have the LoadModule proxy_connect_module directive disabled.
2
Rule
Severity: Medium
OHS must have the LoadModule proxy_balancer_module directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule cern_meta_module directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule expires_module directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule usertrack_module directive disabled.
1
Rule
Severity: Low
OHS must have the LoadModule uniqueid_module directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule setenvif_module directive disabled.
1
Rule
Severity: Medium
OHS must have the BrowserMatch directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule dumpio_module directive disabled.
1
Rule
Severity: Low
OHS must have the IfModule dumpio_module directive disabled.
1
Rule
Severity: Medium
OHS must have the Alias /icons/ directive disabled.
1
Rule
Severity: Medium
OHS must have the path to the icons directory disabled.
1
Rule
Severity: Low
OHS must have the IfModule mpm_winnt_module directive disabled.
1
Rule
Severity: Low
OHS must disable the directive pointing to the directory containing the OHS manuals.
1
Rule
Severity: Medium
OHS must have the AliasMatch directive disabled for the OHS manuals.
1
Rule
Severity: Medium
OHS must have the AddHandler directive disabled.
1
Rule
Severity: Medium
OHS must have the LoadModule cgid_module directive disabled.
1
Rule
Severity: Medium
OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.
1
Rule
Severity: Low
OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive.
1
Rule
Severity: Medium
OHS must have the ScriptAlias /cgi-bin/ directive within a IfModule alias_module directive disabled.
1
Rule
Severity: Medium
OHS must have the ScriptSock directive within a IfModule cgid_module directive disabled.
1
Rule
Severity: Medium
OHS must have resource mappings set to disable the serving of certain file types.
1
Rule
Severity: Medium
Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS.
1
Rule
Severity: Medium
If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
1
Rule
Severity: Medium
If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled.
1
Rule
Severity: Medium
Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.
2
Rule
Severity: High
Prisma Cloud Compute Cloud Native Network Firewall (CNNF) automatically monitors layer 4 (TCP) intercontainer communications. Enforcement policies must be created.
2
Rule
Severity: High
Prisma Cloud Compute host compliance baseline policies must be set.
2
Rule
Severity: Medium
Images stored within the container registry must contain only images to be run as containers within the container platform.
2
Rule
Severity: High
Prisma Cloud Compute must be configured to scan images that have not been instantiated as containers.
2
Rule
Severity: Low
The router must be configured to have all non-essential capabilities disabled.
1
Rule
Severity: Medium
The Riverbed Optimization System (RiOS) must not have unrelated or unnecessary services enabled on the host.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must not have unnecessary services and functions enabled.
2
Rule
Severity: Medium
The SDN controller must be configured to disable non-essential capabilities.
1
Rule
Severity: Medium
The SEL-2740S must be configured to permit the allowed and necessary ports, functions, protocols, and services.
2
Rule
Severity: Medium
Samsung Android must be configured to disable trust agents.
NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
2
Rule
Severity: Medium
Samsung Android must be configured to disable Face Recognition.
NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
12
Rule
Severity: Medium
Samsung Android must be configured to disable developer modes.
2
Rule
Severity: Medium
Samsung Android must be configured to disable USB mass storage mode.
4
Rule
Severity: Medium
When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.
1
Rule
Severity: Medium
Symantec ProxySG must not have unnecessary services and functions enabled.
1
Rule
Severity: Medium
Symantec ProxySG must be configured to remove or disable unrelated or unneeded application proxy services.
1
Rule
Severity: Medium
The SMS must be configured to remove or disable non-essential capabilities on SMS and TPS which are not required for operation or not related to IDPS functionality (e.g., web server, SSH, telnet, and TAXII).
2
Rule
Severity: Medium
The UEM server must be configured to disable non-essential capabilities.
1
Rule
Severity: Low
The NSX-T Tier-1 Gateway must be configured to have the DHCP service disabled if not in use.
1
Rule
Severity: Low
The NSX-T Tier-0 Gateway must be configured to have the DHCP service disabled if not in use.
1
Rule
Severity: Low
The NSX-T Tier-0 Gateway must be configured to have routing protocols disabled if not in use.
1
Rule
Severity: Low
The NSX-T Tier-0 Gateway must be configured to have multicast disabled if not in use.
1
Rule
Severity: Low
The NSX-T Tier-1 Gateway must be configured to have multicast disabled if not in use.
2
Rule
Severity: Medium
The Apache web server must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
2
Rule
Severity: Medium
The Apache web server must allow mappings to unused and vulnerable scripts to be removed.
2
Rule
Severity: Medium
Stack tracing must be disabled.
2
Rule
Severity: Medium
The shutdown port must be disabled.
2
Rule
Severity: Medium
Unapproved connectors must be disabled.
2
Rule
Severity: Low
DefaultServlet debug parameter must be disabled.
2
Rule
Severity: Low
DefaultServlet directory listings parameter must be disabled.
2
Rule
Severity: Medium
The deployXML attribute must be set to false in hosted environments.
2
Rule
Severity: Medium
Autodeploy must be disabled.
2
Rule
Severity: Low
xpoweredBy attribute must be disabled.
2
Rule
Severity: Low
Example applications must be removed.
2
Rule
Severity: Low
Tomcat default ROOT web application must be removed.
2
Rule
Severity: Low
Documentation must be removed.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.
7
Rule
Severity: High
iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
1
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: force Apple Watch wrist detection.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 users must complete required training.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: not allow automatic completion of Safari browser passcodes.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must implement the management setting: Encrypt backups/Encrypt local backup.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: not allow use of Handoff.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: not allow use of iPhone widgets on Mac.
3
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: force Apple Watch wrist detection.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 users must complete required training.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: Not allow automatic completion of Safari browser passcodes.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: not allow use of Handoff.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Disable Allow Shared Albums.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: Force Apple Watch wrist detection.
4
Rule
Severity: Medium
The macOS system must be configured to disable SMB File Sharing unless it is required.
4
Rule
Severity: Medium
The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required.
4
Rule
Severity: Medium
The macOS system must be configured to disable Location Services.
4
Rule
Severity: Medium
The macOS system must be configured to disable Bonjour multicast advertising.
4
Rule
Severity: Medium
The macOS system must be configured to disable the UUCP service.
4
Rule
Severity: Medium
The macOS system must be configured to disable Internet Sharing.
4
Rule
Severity: Medium
The macOS system must be configured to disable Web Sharing.
4
Rule
Severity: Low
The macOS system must be configured to disable AirDrop.
4
Rule
Severity: Low
The macOS system must be configured to disable the iCloud Calendar services.
4
Rule
Severity: Low
The macOS system must be configured to disable the iCloud Reminders services.
4
Rule
Severity: Low
The macOS system must be configured to disable iCloud Address Book services.
1
Rule
Severity: Low
The macOS system must be configured to disable the Mail iCloud services.
4
Rule
Severity: Low
The macOS system must be configured to disable the iCloud Notes services.
4
Rule
Severity: Medium
The macOS system must cover or disable the built-in or attached camera when not in use.
4
Rule
Severity: Medium
The macOS system must be configured to disable Siri and dictation.
4
Rule
Severity: Medium
The macOS system must be configured to disable the system preference pane for Internet Accounts.
4
Rule
Severity: Medium
The macOS system must be configured to disable the Cloud Setup services.
4
Rule
Severity: Medium
The macOS system must be configured to disable the Privacy Setup services.
4
Rule
Severity: Medium
The macOS system must be configured to disable the Cloud Storage Setup services.
4
Rule
Severity: Medium
The macOS system must be configured to disable the Siri Setup services.
6
Rule
Severity: Medium
The macOS system must disable iCloud Keychain synchronization.
1
Rule
Severity: Medium
The macOS system must disable iCloud document synchronization.
1
Rule
Severity: Medium
The macOS system must disable iCloud bookmark synchronization.
1
Rule
Severity: Medium
The macOS system must disable iCloud photo library.
1
Rule
Severity: Medium
The macOS system must be configured to disable the system preference pane for TouchID.
4
Rule
Severity: Medium
The macOS system must be configured to disable the system preference pane for Wallet and ApplePay.
4
Rule
Severity: Medium
The macOS system must be configured to disable the system preference pane for Siri.
4
Rule
Severity: Medium
The macOS system must be configured to disable prompts to configure Touch ID.
4
Rule
Severity: Low
The macOS system must be configured to disable prompts to configure ScreenTime.
1
Rule
Severity: Medium
The macOS system must be configured to disable promts to configure Unlock with Watch.
1
Rule
Severity: Low
The macOS system must be configured to prevent activity continuation between Apple Devices.
1
Rule
Severity: Medium
The macOS system must be configured to prevent password proximity sharing requests from nearby Apple Devices.
4
Rule
Severity: Medium
The macOS system must be configured to prevent users from erasing all system content and settings.
3
Rule
Severity: Low
The macOS system must be configured to disable the iCloud Mail services.
5
Rule
Severity: Medium
The macOS system must disable iCloud Document synchronization.
3
Rule
Severity: Medium
The macOS system must disable iCloud Bookmark synchronization.
3
Rule
Severity: Medium
The macOS system must disable the iCloud Photo Library.
3
Rule
Severity: Medium
The macOS system must be configured to disable the system preference pane for TouchID and Password.
3
Rule
Severity: Medium
The macOS system must be configured to disable prompts to configure Unlock with Watch.
3
Rule
Severity: Low
The macOS system must be configured to prevent activity continuation between Apple devices.
3
Rule
Severity: Medium
The macOS system must be configured to prevent password proximity sharing requests from nearby Apple devices.
3
Rule
Severity: Medium
The macOS system must disable Location Services.
3
Rule
Severity: Medium
The macOS system must disable Bonjour multicast.
3
Rule
Severity: Medium
The macOS system must disable Internet Sharing.
3
Rule
Severity: Medium
The macOS system must disable AirDrop.
3
Rule
Severity: Medium
The macOS system must disable FaceTime.app.
3
Rule
Severity: Medium
The macOS system must disable the iCloud Calendar services.
3
Rule
Severity: Medium
The macOS system must disable iCloud Reminders.
3
Rule
Severity: Medium
The macOS system must disable iCloud Address Book.
3
Rule
Severity: Medium
The macOS system must disable iCloud Mail.
3
Rule
Severity: Medium
The macOS system must disable iCloud Notes.
3
Rule
Severity: Medium
The macOS system must disable the camera.
3
Rule
Severity: Medium
The macOS system must disable Siri.
3
Rule
Severity: Medium
The macOS system must disable Apple ID setup during Setup Assistant.
3
Rule
Severity: Medium
The macOS system must disable Privacy Setup services during Setup Assistant.
2
Rule
Severity: Medium
The macOS system must disable iCloud Storage Setup during Setup Assistant.
3
Rule
Severity: Medium
The macOS system must disable Siri Setup during Setup Assistant.
3
Rule
Severity: Medium
The macOS system must disable iCloud Bookmarks.
3
Rule
Severity: Medium
The macOS system must disable iCloud Photo Library.
2
Rule
Severity: Medium
The macOS system must disable the TouchID System Settings pane.
3
Rule
Severity: Medium
The macOS system must disable the System Settings pane for Wallet and Apple Pay.
3
Rule
Severity: Medium
The macOS system must disable the system settings pane for Siri.
1
Rule
Severity: High
The Ubuntu operating system must not have the Network Information Service (NIS) package installed.
3
Rule
Severity: High
The Ubuntu operating system must not have the rsh-server package installed.
3
Rule
Severity: Medium
The macOS system must disable Airplay Receiver.
2
Rule
Severity: Medium
The macOS system must disable Bluetooth sharing.
2
Rule
Severity: Medium
The macOS system must disable AppleID and Internet Account modifications.
3
Rule
Severity: Medium
The macOS system must disable CD/DVD Sharing.
2
Rule
Severity: Medium
The macOS system must disable content caching service.
2
Rule
Severity: Medium
The macOS system must disable iCloud desktop and document folder synchronization.
3
Rule
Severity: Medium
The macOS system must disable iCloud Game Center.
3
Rule
Severity: Medium
The macOS system must disable iCloud Private Relay.
3
Rule
Severity: Medium
The macOS system must disable Find My service.
2
Rule
Severity: Medium
The macOS system must disable password autofill.
2
Rule
Severity: Medium
The macOS system must disable personalized advertising.
3
Rule
Severity: Medium
The macOS system must disable sending Siri and Dictation information to Apple.
2
Rule
Severity: Medium
The macOS system must enforce on device dictation.
2
Rule
Severity: Medium
The macOS system must disable dictation.
3
Rule
Severity: Medium
The macOS system must disable Printer Sharing.
3
Rule
Severity: Medium
The macOS system must disable Remote Management.
2
Rule
Severity: Medium
The macOS system must disable the Bluetooth system settings pane.
3
Rule
Severity: Medium
The macOS system must disable the iCloud Freeform services.
2
Rule
Severity: Medium
The macOS system must disable TouchID prompt during Setup Assistant.
2
Rule
Severity: Medium
The macOS system must disable Screen Time prompt during Setup Assistant.
3
Rule
Severity: Medium
The macOS system must disable Unlock with Apple Watch during Setup Assistant.
3
Rule
Severity: Medium
The macOS system must disable Handoff.
3
Rule
Severity: Medium
The macOS system must disable proximity-based password sharing requests.
3
Rule
Severity: Medium
The macOS system must disable Erase Content and Settings.
2
Rule
Severity: Medium
The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
4
Rule
Severity: Medium
Unused database components, PostgreSQL software, and database objects must be removed.
3
Rule
Severity: Medium
Unused database components that are integrated in PostgreSQL and cannot be uninstalled must be disabled.
2
Rule
Severity: Low
The Cisco router must be configured to have all non-essential capabilities disabled.
1
Rule
Severity: Low
The Cisco switch must be configured to have all non-essential capabilities disabled.
2
Rule
Severity: Medium
The container platform must be configured with only essential configurations.
2
Rule
Severity: Medium
The container platform registry must contain only container images for those capabilities being offered by the container platform.
3
Rule
Severity: Medium
Default, demonstration and sample databases, database objects, and applications must be removed.
3
Rule
Severity: Medium
Unused database components, EDB Postgres Advanced Server software, and database objects must be removed.
3
Rule
Severity: Medium
Unused database components which are integrated in the EDB Postgres Advanced Server and cannot be uninstalled must be disabled.
5
Rule
Severity: Medium
Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled.
2
Rule
Severity: Medium
Sites ability to show pop-ups must be disabled.
2
Rule
Severity: Medium
The default search providers name must be set.
2
Rule
Severity: Medium
The default search provider URL must be set to perform encrypted searches.
2
Rule
Severity: Medium
Default search provider must be enabled.
2
Rule
Severity: Medium
The Password Manager must be disabled.
2
Rule
Severity: Medium
The URL protocol schema javascript must be disabled.
2
Rule
Severity: Medium
Metrics reporting to Google must be disabled.
4
Rule
Severity: Medium
Google Android 14 must be configured to disable developer modes.
4
Rule
Severity: Low
Google Android 14 must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
2
Rule
Severity: Medium
The operating system must be configured to disable non-essential capabilities.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured to disable nonessential web-services.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured to disable nonessential Common Information Model services.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured to disable nonessential VASA VVol services.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured to disable nonessential Remote Copy services.
2
Rule
Severity: Medium
The AIX qdaemon must be disabled if local or remote printing is not required.
2
Rule
Severity: Medium
If AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled.
2
Rule
Severity: Medium
If AIX system does not support either local or remote printing, the piobe service must be disabled.
2
Rule
Severity: Medium
If there are no X11 clients that require CDE on AIX, the dt service must be disabled.
2
Rule
Severity: Medium
If NFS is not required on AIX, the NFS daemon must be disabled.
2
Rule
Severity: Medium
If sendmail is not required on AIX, the sendmail service must be disabled.
2
Rule
Severity: Medium
If SNMP is not required on AIX, the snmpd service must be disabled.
2
Rule
Severity: Medium
The AIX DHCP client must be disabled.
2
Rule
Severity: Medium
If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled.
2
Rule
Severity: Medium
If IPv6 is not utilized on AIX server, the autoconf6 daemon must be disabled.
2
Rule
Severity: Medium
If AIX server is not functioning as a network router, the gated daemon must be disabled.
2
Rule
Severity: Medium
If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled.
2
Rule
Severity: Medium
If AIX server is not functioning as a DNS server, the named daemon must be disabled.
2
Rule
Severity: Medium
If AIX server is not functioning as a network router, the routed daemon must be disabled.
2
Rule
Severity: Medium
If rwhod is not required on AIX, the rwhod daemon must be disabled.
2
Rule
Severity: Medium
The timed daemon must be disabled on AIX.
2
Rule
Severity: Medium
If AIX server does not host an SNMP agent, the dpid2 daemon must be disabled.
2
Rule
Severity: Medium
If SNMP is not required on AIX, the snmpmibd daemon must be disabled.
2
Rule
Severity: Medium
The aixmibd daemon must be disabled on AIX.
2
Rule
Severity: Medium
The ndpd-host daemon must be disabled on AIX.
2
Rule
Severity: Medium
The ndpd-router must be disabled on AIX.
2
Rule
Severity: Medium
The daytime daemon must be disabled on AIX.
2
Rule
Severity: Medium
The cmsd daemon must be disabled on AIX.
2
Rule
Severity: Medium
The ttdbserver daemon must be disabled on AIX.
2
Rule
Severity: Medium
The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX.
2
Rule
Severity: Medium
The time daemon must be disabled on AIX.
2
Rule
Severity: Medium
The talk daemon must be disabled on AIX.
2
Rule
Severity: High
The ntalk daemon must be disabled on AIX.
2
Rule
Severity: Medium
The chargen daemon must be disabled on AIX.
2
Rule
Severity: Medium
The discard daemon must be disabled on AIX.
2
Rule
Severity: Medium
The dtspc daemon must be disabled on AIX.
2
Rule
Severity: Medium
The pcnfsd daemon must be disabled on AIX.
2
Rule
Severity: Medium
The rstatd daemon must be disabled on AIX.
2
Rule
Severity: Medium
The rusersd daemon must be disabled on AIX.
2
Rule
Severity: Medium
The sprayd daemon must be disabled on AIX.
2
Rule
Severity: Medium
The klogin daemon must be disabled on AIX.
2
Rule
Severity: Medium
The kshell daemon must be disabled on AIX.
2
Rule
Severity: Medium
The rquotad daemon must be disabled on AIX.
2
Rule
Severity: Medium
The tftp daemon must be disabled on AIX.
2
Rule
Severity: Medium
The imap2 service must be disabled on AIX.
2
Rule
Severity: Medium
The pop3 daemon must be disabled on AIX.
2
Rule
Severity: Medium
The finger daemon must be disabled on AIX.
2
Rule
Severity: Medium
The instsrv daemon must be disabled on AIX.
2
Rule
Severity: Medium
The echo daemon must be disabled on AIX.
2
Rule
Severity: Medium
The Internet Network News (INN) server must be disabled on AIX.
2
Rule
Severity: Medium
If DHCP server is not required on AIX, the DHCP server must be disabled.
2
Rule
Severity: Medium
The rwalld daemon must be disabled on AIX.
2
Rule
Severity: Medium
IBM z/OS Inapplicable PPT entries must be invalidated.
4
Rule
Severity: Medium
IBM z/OS must not have inaccessible APF libraries defined.
6
Rule
Severity: Medium
IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
4
Rule
Severity: Medium
Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries.
2
Rule
Severity: Medium
IBM zOS inapplicable PPT entries must be invalidated.
2
Rule
Severity: Low
IBM z/OS must not have duplicated sensitive utilities and/or programs existing in APF libraries.
2
Rule
Severity: Medium
IBM z/OS must not have Inaccessible APF libraries defined.
2
Rule
Severity: Medium
IBM z/OS inapplicable PPT entries must be invalidated.
2
Rule
Severity: Low
The Juniper router must be configured to have all nonessential capabilities disabled.
2
Rule
Severity: Medium
Kubernetes Controller Manager must disable profiling.
4
Rule
Severity: Medium
Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled.
3
Rule
Severity: Medium
The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.
3
Rule
Severity: Medium
The Exchange Post Office Protocol 3 (POP3) service must be disabled.
4
Rule
Severity: Medium
Exchange must not send customer experience reports to Microsoft.
1
Rule
Severity: Medium
The Java permissions must be disallowed (Internet zone).
1
Rule
Severity: Medium
Functionality to drag and drop or copy and paste files must be disallowed (Internet zone).
1
Rule
Severity: Medium
Launching programs and files in IFRAME must be disallowed (Internet zone).
1
Rule
Severity: Medium
Clipboard operations via script must be disallowed (Internet zone).
1
Rule
Severity: Medium
Java permissions must be configured with High Safety (Intranet zone).
1
Rule
Severity: Medium
Java permissions must be configured with High Safety (Trusted Sites zone).
1
Rule
Severity: Medium
Run once selection for running outdated ActiveX controls must be disabled.
1
Rule
Severity: Medium
Enabling outdated ActiveX controls for Internet Explorer must be blocked.
1
Rule
Severity: Medium
Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Internet Zone.
1
Rule
Severity: Medium
Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Restricted Sites Zone.
1
Rule
Severity: Medium
File downloads must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
Java permissions must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
Functionality to drag and drop or copy and paste files must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
Launching programs and files in IFRAME must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
Active scripting must be disallowed (Restricted Sites Zone).
1
Rule
Severity: Medium
Clipboard operations via script must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
Internet Explorer must be set to disallow users to add/delete sites.
1
Rule
Severity: Medium
Script-initiated windows without size or position constraints must be disallowed (Internet zone).
1
Rule
Severity: Medium
Script-initiated windows without size or position constraints must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
Scriptlets must be disallowed (Internet zone).
1
Rule
Severity: Medium
Automatic prompting for file downloads must be disallowed (Internet zone).
1
Rule
Severity: Medium
Java permissions must be disallowed (Local Machine zone).
1
Rule
Severity: Medium
Java permissions must be disallowed (Locked Down Local Machine zone).
1
Rule
Severity: Medium
Java permissions must be disallowed (Locked Down Intranet zone).
1
Rule
Severity: Medium
Java permissions must be disallowed (Locked Down Trusted Sites zone).
1
Rule
Severity: Medium
Java permissions must be disallowed (Locked Down Restricted Sites zone).
1
Rule
Severity: Medium
Pop-up Blocker must be enforced (Internet zone).
1
Rule
Severity: Medium
Pop-up Blocker must be enforced (Restricted Sites zone).
1
Rule
Severity: Medium
Allow binary and script behaviors must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
Automatic prompting for file downloads must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
Internet Explorer Processes for MK protocol must be enforced (Reserved).
1
Rule
Severity: Medium
Internet Explorer Processes for MK protocol must be enforced (Explorer).
1
Rule
Severity: Medium
Internet Explorer Processes for MK protocol must be enforced (iexplore).
1
Rule
Severity: Medium
Internet Explorer Processes for Restrict File Download must be enforced (Reserved).
1
Rule
Severity: Medium
Internet Explorer Processes for Restrict File Download must be enforced (Explorer).
1
Rule
Severity: Medium
Internet Explorer Processes for Restrict File Download must be enforced (iexplore).
1
Rule
Severity: Medium
Internet Explorer Processes for restricting pop-up windows must be enforced (Reserved).
1
Rule
Severity: Medium
Internet Explorer Processes for restricting pop-up windows must be enforced (Explorer).
1
Rule
Severity: Medium
Internet Explorer Processes for restricting pop-up windows must be enforced (iexplore).
1
Rule
Severity: Medium
Scripting of Java applets must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
AutoComplete feature for forms must be disallowed.
1
Rule
Severity: Medium
Crash Detection management must be enforced.
1
Rule
Severity: Medium
Turn on the auto-complete feature for user names and passwords on forms must be disabled.
1
Rule
Severity: Medium
Scripting of Internet Explorer WebBrowser control property must be disallowed (Internet zone).
1
Rule
Severity: Medium
When uploading files to a server, the local directory path must be excluded (Internet zone).
1
Rule
Severity: Medium
Internet Explorer Processes for Notification Bars must be enforced (Reserved).
2
Rule
Severity: Medium
The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
2
Rule
Severity: Medium
Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed.
2
Rule
Severity: Medium
The IIS 10.0 website must have resource mappings set to disable the serving of certain file types.
2
Rule
Severity: Medium
The IIS 10.0 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.
2
Rule
Severity: Medium
Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders.
2
Rule
Severity: Medium
Interactive scripts on the IIS 10.0 web server must have restrictive access controls.
2
Rule
Severity: Medium
Backup interactive scripts on the IIS 10.0 server must be removed.
3
Rule
Severity: Medium
VBA Macros not digitally signed must be blocked in Access.
3
Rule
Severity: Medium
The Office client must be prevented from polling the SharePoint Server for published links.
3
Rule
Severity: Medium
VBA Macros not digitally signed must be blocked in Excel.
1
Rule
Severity: Medium
Internet Explorer Processes for Notification Bars must be enforced (Explorer).
1
Rule
Severity: Medium
Internet Explorer Processes for Notification Bars must be enforced (iexplore).
1
Rule
Severity: Medium
Cross-Site Scripting Filter must be enforced (Internet zone).
1
Rule
Severity: Medium
Scripting of Internet Explorer WebBrowser Control must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
When uploading files to a server, the local directory path must be excluded (Restricted Sites zone).
1
Rule
Severity: Medium
Cross-Site Scripting Filter property must be enforced (Restricted Sites zone).
1
Rule
Severity: Medium
Status bar updates via script must be disallowed (Internet zone).
1
Rule
Severity: Medium
Scriptlets must be disallowed (Restricted Sites zone).
1
Rule
Severity: Medium
Status bar updates via script must be disallowed (Restricted Sites zone).
2
Rule
Severity: Medium
The IIS 10.0 web server must not perform user management for hosted applications.
2
Rule
Severity: Medium
The IIS 10.0 web server must only contain functions necessary for operation.
2
Rule
Severity: Medium
The IIS 10.0 web server must not be both a website server and a proxy server.
2
Rule
Severity: High
All IIS 10.0 web server sample code, example applications, and tutorials must be removed from a production IIS 10.0 server.
2
Rule
Severity: Medium
The accounts created by uninstalled features (i.e., tools, utilities, specific, etc.) must be deleted from the IIS 10.0 server.
2
Rule
Severity: Medium
The IIS 10.0 web server must be reviewed on a regular basis to remove any Operating System features, utility programs, plug-ins, and modules not necessary for operation.
2
Rule
Severity: Medium
The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
2
Rule
Severity: Medium
The IIS 10.0 web server must have Web Distributed Authoring and Versioning (WebDAV) disabled.
2
Rule
Severity: Medium
An IIS Server configured to be a SMTP relay must require authentication.
2
Rule
Severity: Medium
Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.
3
Rule
Severity: Medium
VBA Macros not digitally signed must be blocked in Project.
3
Rule
Severity: Medium
VBA Macros not digitally signed must be blocked in PowerPoint.
3
Rule
Severity: Medium
VBA Macros not digitally signed must be blocked in Visio.
3
Rule
Severity: Medium
VBA Macros not digitally signed must be blocked in Word.
2
Rule
Severity: Medium
Access to CLR code must be disabled or restricted, unless specifically required and approved.
2
Rule
Severity: Medium
Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved.
2
Rule
Severity: Medium
Access to linked servers must be disabled or restricted, unless specifically required and approved.
2
Rule
Severity: Medium
SQL Server default account [sa] must have its name changed.
2
Rule
Severity: Medium
SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved.
2
Rule
Severity: Medium
Filestream must be disabled, unless specifically required and approved.
2
Rule
Severity: Medium
Ole Automation Procedures feature must be disabled, unless specifically required and approved.
2
Rule
Severity: Medium
SQL Server User Options feature must be disabled, unless specifically required and approved.
2
Rule
Severity: Medium
Remote Access feature must be disabled, unless specifically required and approved.
2
Rule
Severity: Medium
Hadoop Connectivity feature must be disabled, unless specifically required and approved.
2
Rule
Severity: Medium
Allow Polybase Export feature must be disabled, unless specifically required and approved.
2
Rule
Severity: Medium
Remote Data Archive feature must be disabled, unless specifically required and approved.
2
Rule
Severity: Medium
SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved.
2
Rule
Severity: Medium
SQL Server Replication Xps feature must be disabled, unless specifically required and approved.
4
Rule
Severity: High
Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
4
Rule
Severity: Medium
Simple TCP/IP Services must not be installed on the system.
4
Rule
Severity: Medium
The Windows PowerShell 2.0 feature must be disabled on the system.
4
Rule
Severity: Medium
The Server Message Block (SMB) v1 protocol must be disabled on the system.
6
Rule
Severity: Medium
The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
6
Rule
Severity: Medium
The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
2
Rule
Severity: Medium
The Secondary Logon service must be disabled on Windows 10.
4
Rule
Severity: Medium
Bluetooth must be turned off unless approved by the organization.
4
Rule
Severity: Medium
Bluetooth must be turned off when not in use.
4
Rule
Severity: Medium
Camera access from the lock screen must be disabled.
2
Rule
Severity: Medium
Windows 10 must cover or disable the built-in or attached camera when not in use.
6
Rule
Severity: Medium
The display of slide shows on the lock screen must be disabled.
4
Rule
Severity: Medium
WDigest Authentication must be disabled.
4
Rule
Severity: Medium
Run as different user must be removed from context menus.
4
Rule
Severity: Medium
Internet connection sharing must be disabled.
6
Rule
Severity: Medium
Downloading print driver packages over HTTP must be prevented.
4
Rule
Severity: Medium
Web publishing and online ordering wizards must be prevented from downloading a list of providers.
6
Rule
Severity: Medium
Printing over HTTP must be prevented.
6
Rule
Severity: Medium
The network selection user interface (UI) must not be displayed on the logon screen.
6
Rule
Severity: Medium
Local users on domain-joined computers must not be enumerated.
6
Rule
Severity: Low
The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
4
Rule
Severity: Low
Microsoft consumer experiences must be turned off.
2
Rule
Severity: Medium
The Windows Defender SmartScreen for Explorer must be enabled.
2
Rule
Severity: Medium
Windows 10 must be configured to disable Windows Game Recording and Broadcasting.
6
Rule
Severity: Medium
Basic authentication for RSS feeds over HTTP must not be used.
6
Rule
Severity: Medium
Indexing of encrypted files must be turned off.
2
Rule
Severity: Medium
The convenience PIN for Windows 10 must be disabled.
2
Rule
Severity: Medium
Windows Ink Workspace must be configured to disallow access above the lock.
2
Rule
Severity: Low
Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications.
4
Rule
Severity: Low
Toast notifications to the lock screen must be turned off.
2
Rule
Severity: Medium
Windows 10 must not have portproxy enabled or in use.
2
Rule
Severity: Medium
The Secondary Logon service must be disabled on Windows 11.
2
Rule
Severity: Medium
Windows 11 must cover or disable the built-in or attached camera when not in use.
2
Rule
Severity: Medium
The Microsoft Defender SmartScreen for Explorer must be enabled.
2
Rule
Severity: Medium
Windows 11 must be configured to disable Windows Game Recording and Broadcasting.
2
Rule
Severity: Medium
The convenience PIN for Windows 11 must be disabled.
2
Rule
Severity: Low
Windows 11 must be configured to prevent users from receiving suggestions for third-party or additional applications.
2
Rule
Severity: Medium
Windows 11 must not have portproxy enabled or in use.
2
Rule
Severity: Medium
The roles and features required by the system must be documented.
2
Rule
Severity: Medium
The Fax Server role must not be installed.
2
Rule
Severity: Medium
The Peer Name Resolution Protocol must not be installed.
2
Rule
Severity: Medium
Simple TCP/IP Services must not be installed.
2
Rule
Severity: Medium
The TFTP Client must not be installed.
2
Rule
Severity: Medium
The Server Message Block (SMB) v1 protocol must be uninstalled.
2
Rule
Severity: Medium
Windows PowerShell 2.0 must not be installed.
2
Rule
Severity: Medium
WDigest Authentication must be disabled on Windows Server 2016.
2
Rule
Severity: Medium
Windows Server 2016 Windows SmartScreen must be enabled.
2
Rule
Severity: Medium
Domain controllers must run on a machine dedicated to that function.
2
Rule
Severity: Medium
Windows Server 2019 must have the roles and features required by the system documented.
2
Rule
Severity: Medium
Windows Server 2019 must not have the Fax Server role installed.
2
Rule
Severity: Medium
Windows Server 2019 must not have the Peer Name Resolution Protocol installed.
2
Rule
Severity: Medium
Windows Server 2019 must not have Simple TCP/IP Services installed.
2
Rule
Severity: Medium
Windows Server 2019 must not have the TFTP Client installed.
2
Rule
Severity: Medium
Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed.
2
Rule
Severity: Medium
Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
2
Rule
Severity: Medium
Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
2
Rule
Severity: Medium
Windows Server 2019 must not have Windows PowerShell 2.0 installed.
2
Rule
Severity: Medium
Windows Server 2019 must prevent the display of slide shows on the lock screen.
2
Rule
Severity: Medium
Windows Server 2019 must have WDigest Authentication disabled.
2
Rule
Severity: Medium
Windows Server 2019 downloading print driver packages over HTTP must be turned off.
2
Rule
Severity: Medium
Windows Server 2019 printing over HTTP must be turned off.
2
Rule
Severity: Medium
Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.
2
Rule
Severity: Low
Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
2
Rule
Severity: Medium
Windows Server 2019 Windows Defender SmartScreen must be enabled.
2
Rule
Severity: Medium
Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.
2
Rule
Severity: Medium
Windows Server 2019 must prevent Indexing of encrypted files.
2
Rule
Severity: Medium
Windows Server 2019 domain controllers must run on a machine dedicated to that function.
2
Rule
Severity: Medium
Windows Server 2019 local users on domain-joined member servers must not be enumerated.
2
Rule
Severity: Medium
Windows Server 2022 must have the roles and features required by the system documented.
2
Rule
Severity: Medium
Windows Server 2022 must not have the Fax Server role installed.
2
Rule
Severity: Medium
Windows Server 2022 must not have the Peer Name Resolution Protocol installed.
2
Rule
Severity: Medium
Windows Server 2022 must not have Simple TCP/IP Services installed.
2
Rule
Severity: Medium
Windows Server 2022 must not have the TFTP Client installed.
2
Rule
Severity: Medium
Windows Server 2022 must not the Server Message Block (SMB) v1 protocol installed.
2
Rule
Severity: Medium
Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
2
Rule
Severity: Medium
Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
2
Rule
Severity: Medium
Windows Server 2022 must not have Windows PowerShell 2.0 installed.
2
Rule
Severity: Medium
Windows Server 2022 must prevent the display of slide shows on the lock screen.
2
Rule
Severity: Medium
Windows Server 2022 must have WDigest Authentication disabled.
2
Rule
Severity: Medium
Windows Server 2022 downloading print driver packages over HTTP must be turned off.
2
Rule
Severity: Medium
Windows Server 2022 printing over HTTP must be turned off.
2
Rule
Severity: Medium
Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen.
2
Rule
Severity: Low
Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
2
Rule
Severity: Medium
Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled.
2
Rule
Severity: Medium
Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP.
2
Rule
Severity: Medium
Windows Server 2022 must prevent Indexing of encrypted files.
2
Rule
Severity: Medium
Windows Server 2022 domain controllers must run on a machine dedicated to that function.
2
Rule
Severity: Medium
Windows Server 2022 local users on domain-joined member servers must not be enumerated.
1
Rule
Severity: Medium
Use of external executables must be authorized.
3
Rule
Severity: Medium
OS accounts utilized to run external procedures called by the DBMS must have limited privileges.
2
Rule
Severity: Medium
Use of external executables must be authorized.
2
Rule
Severity: High
The Oracle Linux operating system must not have the rsh-server package installed.
2
Rule
Severity: High
The Oracle Linux operating system must not have the ypserv package installed.
2
Rule
Severity: High
The Oracle Linux operating system must not have the telnet-server package installed.
2
Rule
Severity: Low
OL 8 must disable the chrony daemon from acting as a server.
2
Rule
Severity: Low
OL 8 must disable network management of the chrony daemon.
2
Rule
Severity: High
OL 8 must not have the telnet-server package installed.
2
Rule
Severity: Medium
OL 8 must not have any automated bug reporting tools installed.
2
Rule
Severity: Medium
OL 8 must not have the sendmail package installed.
2
Rule
Severity: Low
OL 8 must enable mitigations against processor-based vulnerabilities.
2
Rule
Severity: High
OL 8 must not have the rsh-server package installed.
2
Rule
Severity: Medium
OL 8 must cover or disable the built-in or attached camera when not in use.
2
Rule
Severity: Low
OL 8 must disable the transparent inter-process communication (TIPC) protocol.
2
Rule
Severity: Low
OL 8 must disable mounting of cramfs.
2
Rule
Severity: Low
OL 8 must disable IEEE 1394 (FireWire) Support.
2
Rule
Severity: Medium
Unused database components, MySQL Database Server 8.0 software, and database objects must be removed.
2
Rule
Severity: Medium
Unused database components which are integrated in the MySQL Database Server 8.0 and cannot be uninstalled must be disabled.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must only enable User-ID on trusted zones.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must disable WMI probing if it is not used.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must not enable the DNS proxy.
1
Rule
Severity: Medium
Unused database components which are integrated in PostgreSQL and cannot be uninstalled must be disabled.
2
Rule
Severity: Medium
Unused database components that are integrated in Redis Enterprise DBMS and cannot be uninstalled must be disabled.
2
Rule
Severity: Medium
Rancher RKE2 must be configured with only essential configurations.
2
Rule
Severity: Medium
OpenShift must contain only container images for those capabilities being offered by the container platform.
2
Rule
Severity: High
Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.
2
Rule
Severity: Medium
Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module.
2
Rule
Severity: Medium
Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.
2
Rule
Severity: Medium
All Automation Controller NGINX front-end web servers must not perform user management for hosted applications.
2
Rule
Severity: Medium
All Automation Controller NGINX web servers must not be a proxy server for any process other than the Automation Controller application.
2
Rule
Severity: Medium
All Automation Controller NGINX webserver accounts not utilized by installed features (i.e., tools, utilities, specific services, etc.) must not be created and must be deleted when the web server feature is uninstalled.
2
Rule
Severity: Medium
All Automation Controller NGINX web servers must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
2
Rule
Severity: Medium
All Automation Controller NGINX web servers must have Web Distributed Authoring (WebDAV) disabled.
2
Rule
Severity: Low
All Automation Controller NGINX web servers must protect system resources and privileged operations from hosted applications.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not have the ypserv package installed.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.
2
Rule
Severity: Low
RHEL 8 must disable the chrony daemon from acting as a server.
2
Rule
Severity: Low
RHEL 8 must disable network management of the chrony daemon.
2
Rule
Severity: High
RHEL 8 must not have the telnet-server package installed.
2
Rule
Severity: Medium
RHEL 8 must not have any automated bug reporting tools installed.
2
Rule
Severity: Medium
RHEL 8 must not have the sendmail package installed.
2
Rule
Severity: Low
RHEL 8 must enable mitigations against processor-based vulnerabilities.
2
Rule
Severity: High
RHEL 8 must not have the rsh-server package installed.
2
Rule
Severity: Medium
RHEL 8 must cover or disable the built-in or attached camera when not in use.
2
Rule
Severity: Low
RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
2
Rule
Severity: Low
RHEL 8 must disable the controller area network (CAN) protocol.
2
Rule
Severity: Low
RHEL 8 must disable the stream control transmission protocol (SCTP).
2
Rule
Severity: Low
RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
2
Rule
Severity: Low
RHEL 8 must disable mounting of cramfs.
2
Rule
Severity: Low
RHEL 8 must disable IEEE 1394 (FireWire) Support.
2
Rule
Severity: Medium
The gssproxy package must not be installed unless mission essential on RHEL 8.
2
Rule
Severity: Low
RHEL 9 must enable mitigations against processor-based vulnerabilities.
2
Rule
Severity: Medium
RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.
2
Rule
Severity: Medium
RHEL 9 must be configured to disable the Controller Area Network kernel module.
2
Rule
Severity: Medium
RHEL 9 must be configured to disable the FireWire kernel module.
2
Rule
Severity: Medium
RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
2
Rule
Severity: Medium
RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
2
Rule
Severity: High
RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the sendmail package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the nfs-utils package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the ypserv package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the rsh-server package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the telnet-server package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the gssproxy package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the iprutils package installed.
2
Rule
Severity: Medium
RHEL 9 must not have the tuned package installed.
2
Rule
Severity: Low
RHEL 9 must disable mounting of cramfs.
2
Rule
Severity: Low
RHEL 9 must disable the chrony daemon from acting as a server.
2
Rule
Severity: Low
RHEL 9 must disable network management of the chrony daemon.
2
Rule
Severity: Medium
The SUSE operating system must not have the telnet-server package installed.
2
Rule
Severity: Medium
The SUSE operating system must not have the vsftpd package installed if not required for operational support.
2
Rule
Severity: Medium
RHEL 9 Bluetooth must be disabled.
2
Rule
Severity: High
The SUSE operating system must not have the vsftpd package installed if not required for operational support.
2
Rule
Severity: High
The SUSE operating system must not have the telnet-server package installed.
4
Rule
Severity: Medium
The operating system must be configured to provide essential capabilities.
2
Rule
Severity: Medium
The VMM must be configured to disable non-essential capabilities.
4
Rule
Severity: Low
Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
1
Rule
Severity: Medium
The ESXi host must disable the Managed Object Browser (MOB).
4
Rule
Severity: Medium
The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).
1
Rule
Severity: Medium
The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.
1
Rule
Severity: Medium
VAMI must only load allowed server modules.
1
Rule
Severity: Medium
VAMI must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
1
Rule
Severity: Medium
VAMI must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type".
1
Rule
Severity: Medium
VAMI must remove all mappings to unused scripts.
1
Rule
Severity: Medium
VAMI must have resource mappings set to disable the serving of certain file types.
1
Rule
Severity: Medium
VAMI must not have the Web Distributed Authoring (WebDAV) servlet installed.
1
Rule
Severity: Medium
VAMI must prevent hosted applications from exhausting system resources.
1
Rule
Severity: Medium
Performance Charts must not be configured with unsupported realms.
1
Rule
Severity: Medium
Performance Charts must be configured to limit access to internal packages.
1
Rule
Severity: Medium
Performance Charts must have Multipurpose Internet Mail Extensions (MIMEs) that invoke operating system shell programs disabled.
1
Rule
Severity: Medium
Performance Charts must have mappings set for Java servlet pages.
1
Rule
Severity: Medium
Performance Charts must not have the Web Distributed Authoring (WebDAV) servlet installed.
1
Rule
Severity: Medium
Performance Charts must be configured with memory leak protection.
1
Rule
Severity: Medium
Performance Charts must not have any symbolic links in the web content directory tree.
4
Rule
Severity: Medium
vCenter Server plugins must be verified.
1
Rule
Severity: Medium
ESX Agent Manager must only run one webapp.
1
Rule
Severity: Medium
ESX Agent Manager must not be configured with unsupported realms.
1
Rule
Severity: Medium
ESX Agent Manager must be configured to limit access to internal packages.
1
Rule
Severity: Medium
ESX Agent Manager must have Multipurpose Internet Mail Extensions (MIMEs) that invoke operating system shell programs disabled.
1
Rule
Severity: Medium
ESX Agent Manager must have mappings set for Java servlet pages.
1
Rule
Severity: Medium
ESX Agent Manager must not have the Web Distributed Authoring (WebDAV) servlet installed.
1
Rule
Severity: Medium
ESX Agent Manager must be configured with memory leak protection.
1
Rule
Severity: Medium
ESX Agent Manager must not have any symbolic links in the web content directory tree.
1
Rule
Severity: Medium
Lookup Service must not be configured with the "UserDatabaseRealm" enabled.
1
Rule
Severity: Medium
Lookup Service must be configured to limit access to internal packages.
1
Rule
Severity: Medium
Lookup Service must have Multipurpose Internet Mail Extensions (MIMEs) that invoke operating system shell programs disabled.
1
Rule
Severity: Medium
Lookup Service must have mappings set for Java servlet pages.
1
Rule
Severity: Medium
Lookup Service must not have the Web Distributed Authoring (WebDAV) servlet installed.
1
Rule
Severity: Medium
Lookup Service must be configured with memory leak protection.
1
Rule
Severity: Medium
Lookup Service must not have any symbolic links in the web content directory tree.
3
Rule
Severity: Medium
The ESXi host must be configured to disable nonessential capabilities by disabling the Managed Object Browser (MOB).
3
Rule
Severity: Medium
The ESXi host must be configured to disable nonessential capabilities by disabling the ESXi shell.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must disable stack tracing.
1
Rule
Severity: Medium
The Security Token Service must only run one webapp.
1
Rule
Severity: Medium
The Security Token Service must not be configured with unused realms.
1
Rule
Severity: Medium
The Security Token Service must be configured to limit access to internal packages.
1
Rule
Severity: Medium
The Security Token Service must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
1
Rule
Severity: Medium
The Security Token Service must have mappings set for Java servlet pages.
1
Rule
Severity: Medium
The Security Token Service must not have the Web Distributed Authoring (WebDAV) servlet installed.
1
Rule
Severity: Medium
The Security Token Service must be configured with memory leak protection.
1
Rule
Severity: Medium
The Security Token Service must not have any symbolic links in the web content directory tree.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service shutdown port must be disabled.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service debug parameter must be disabled.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service directory listings parameter must be disabled.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service deployXML attribute must be disabled.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must have Autodeploy disabled.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service xpoweredBy attribute must be disabled.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service example applications must be removed.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service default ROOT web application must be removed.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service default documentation must be removed.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service manager webapp must be removed.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service host-manager webapp must be removed.
3
Rule
Severity: Medium
The vCenter Lookup service must disable stack tracing.
3
Rule
Severity: Medium
The vCenter Lookup service shutdown port must be disabled.
3
Rule
Severity: Medium
The vCenter Lookup service debug parameter must be disabled.
3
Rule
Severity: Medium
The vCenter Lookup service directory listings parameter must be disabled.
3
Rule
Severity: Medium
The vCenter Lookup service deployXML attribute must be disabled.
3
Rule
Severity: Medium
The vCenter Lookup service must have Autodeploy disabled.
3
Rule
Severity: Medium
The vCenter Lookup service xpoweredBy attribute must be disabled.
3
Rule
Severity: Medium
The vCenter Lookup service example applications must be removed.
3
Rule
Severity: Medium
The vCenter Lookup service default ROOT web application must be removed.
3
Rule
Severity: Medium
The vCenter Lookup service default documentation must be removed.
3
Rule
Severity: Medium
The vCenter Lookup service manager webapp must be removed.
3
Rule
Severity: Medium
The vCenter Lookup service host-manager webapp must be removed.
1
Rule
Severity: Medium
vSphere UI must not be configured with the "UserDatabaseRealm" enabled.
1
Rule
Severity: Medium
vSphere UI must be configured to limit access to internal packages.
1
Rule
Severity: Medium
vSphere UI must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
1
Rule
Severity: Medium
vSphere UI must have mappings set for Java servlet pages.
1
Rule
Severity: Medium
vSphere UI must not have the Web Distributed Authoring (WebDAV) servlet installed.
1
Rule
Severity: Medium
vSphere UI must be configured with memory leak protection.
1
Rule
Severity: Medium
vSphere UI must not have any symbolic links in the web content directory tree.
3
Rule
Severity: Medium
The vCenter Perfcharts service must disable stack tracing.
3
Rule
Severity: Medium
The vCenter Perfcharts service shutdown port must be disabled.
3
Rule
Severity: Medium
The vCenter Perfcharts service debug parameter must be disabled.
3
Rule
Severity: Medium
The vCenter Perfcharts service directory listings parameter must be disabled.
3
Rule
Severity: Medium
The vCenter Perfcharts service deployXML attribute must be disabled.
3
Rule
Severity: Medium
The vCenter Perfcharts service must have Autodeploy disabled.
3
Rule
Severity: Medium
The vCenter Perfcharts service xpoweredBy attribute must be disabled.
3
Rule
Severity: Medium
The vCenter Perfcharts service example applications must be removed.
3
Rule
Severity: Medium
The vCenter Perfcharts service default documentation must be removed.
3
Rule
Severity: Medium
The vCenter Perfcharts service manager webapp must be removed.
3
Rule
Severity: Medium
The vCenter Perfcharts service host-manager webapp must be removed.
3
Rule
Severity: Medium
The Photon operating system must disable unnecessary kernel modules.
3
Rule
Severity: Medium
The vCenter PostgreSQL service must not load unused database components, software, and database objects.
3
Rule
Severity: Medium
The vCenter STS service must disable stack tracing.
3
Rule
Severity: Medium
The vCenter STS service shutdown port must be disabled.
3
Rule
Severity: Medium
The vCenter STS service debug parameter must be disabled.
3
Rule
Severity: Medium
The vCenter STS service directory listings parameter must be disabled.
3
Rule
Severity: Medium
The vCenter STS service must have Autodeploy disabled.
3
Rule
Severity: Medium
The vCenter STS service xpoweredBy attribute must be disabled.
3
Rule
Severity: Medium
The vCenter STS service example applications must be removed.
3
Rule
Severity: Medium
The vCenter STS service default ROOT web application must be removed.
3
Rule
Severity: Medium
The vCenter STS service default documentation must be removed.
3
Rule
Severity: Medium
The vCenter STS service manager webapp must be removed.
3
Rule
Severity: Medium
The vCenter STS service host-manager webapp must be removed.
3
Rule
Severity: Medium
The vCenter UI service must disable stack tracing.
3
Rule
Severity: Medium
The vCenter UI service shutdown port must be disabled.
3
Rule
Severity: Medium
The vCenter UI service debug parameter must be disabled.
3
Rule
Severity: Medium
The vCenter UI service directory listings parameter must be disabled.
3
Rule
Severity: Medium
The vCenter UI service deployXML attribute must be disabled.
3
Rule
Severity: Medium
The vCenter UI service must have Autodeploy disabled.
3
Rule
Severity: Medium
The vCenter UI service xpoweredBy attribute must be disabled.
3
Rule
Severity: Medium
The vCenter UI service example applications must be removed.
3
Rule
Severity: Medium
The vCenter UI service default ROOT web application must be removed.
3
Rule
Severity: Medium
The vCenter UI service default documentation must be removed.
3
Rule
Severity: Medium
The vCenter UI service manager webapp must be removed.
3
Rule
Severity: Medium
The vCenter UI service host-manager webapp must be removed.
3
Rule
Severity: Medium
The vCenter VAMI service must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type".
3
Rule
Severity: Medium
The vCenter VAMI service must have resource mappings set to disable the serving of certain file types.
3
Rule
Severity: Medium
The vCenter VAMI service must have Web Distributed Authoring (WebDAV) disabled.
3
Rule
Severity: Medium
The vCenter VAMI service must protect system resources and privileged operations from hosted applications.
2
Rule
Severity: Medium
The web server must not perform user management for hosted applications.
2
Rule
Severity: Medium
The web server must only contain services and functions necessary for operation.
2
Rule
Severity: Medium
The web server must not be a proxy server.
2
Rule
Severity: Medium
The web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials.
2
Rule
Severity: Medium
Web server accounts not utilized by installed features (i.e., tools, utilities, specific services, etc.) must not be created and must be deleted when the web server feature is uninstalled.
2
Rule
Severity: Medium
The web server must provide install options to exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
2
Rule
Severity: Medium
The web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
2
Rule
Severity: Medium
The web server must allow the mappings to unused and vulnerable scripts to be removed.
2
Rule
Severity: Medium
The web server must have resource mappings set to disable the serving of certain file types.
2
Rule
Severity: Medium
The web server must have Web Distributed Authoring (WebDAV) disabled.
2
Rule
Severity: Medium
The web server must protect system resources and privileged operations from hosted applications.
2
Rule
Severity: Medium
Users and scripts running on behalf of users must be contained to the document root or home directory tree of the web server.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to disable trust agents.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to disable developer modes.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to disable USB mass storage mode.
1
Rule
Severity: Low
Zebra Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured so that only functions, ports, protocols, and/or services that are documented for the server/application for which the virtual servers are providing connectivity.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to remove or disable any functions, ports, protocols, and/or services that are not documented as required.
1
Rule
Severity: Medium
The macOS system must disable iCloud storage setup during Setup Assistant.
1
Rule
Severity: Medium
The macOS system must disable iCloud Keychain Sync.
1
Rule
Severity: Medium
The macOS system must disable iCloud Document Sync.
1
Rule
Severity: Medium
The macOS system must disable Bluetooth Sharing.
1
Rule
Severity: Medium
The macOS system must disable AppleID and internet Account Modification.
1
Rule
Severity: Medium
The macOS system must disable Content Caching service.
1
Rule
Severity: Medium
The macOS system must disable iCloud Desktop and Document folder sync.
1
Rule
Severity: Medium
The macOS system must disable Personalized Advertising.
1
Rule
Severity: Medium
The macOS system must enforce On Device Dictation.
1
Rule
Severity: Medium
The macOS system must disable Dictation.
1
Rule
Severity: Medium
The macOS system must disable the Bluetooth System Settings pane.
1
Rule
Severity: Medium
The macOS system must disable the TouchID prompt during Setup Assistant.
1
Rule
Severity: Medium
The macOS system must disable the Screen Time prompt during Setup Assistant.
1
Rule
Severity: Medium
The macOS system must disable Genmoji.
1
Rule
Severity: Medium
The macOS system must disable Apple Intelligence Image Generation.
1
Rule
Severity: Medium
The macOS system must disable Apple Intelligence Writing Tools.
1
Rule
Severity: Medium
The macOS system must disable sending audio recordings and transcripts to Apple.
1
Rule
Severity: Medium
The macOS system must disable sending search data from Spotlight to Apple.
1
Rule
Severity: High
Ubuntu 22.04 LTS must not have the "rsh-server" package installed.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable or remove nonessential capabilities.
1
Rule
Severity: High
The F5 BIG-IP appliance must be configured to prohibit or restrict the use of unnecessary or prohibited functions, ports, protocols, and/or services, including those defined in the PPSM CAL and vulnerability assessments.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to disable nonessential capabilities.
2
Rule
Severity: Medium
Google Android 15 must be configured to disable developer modes.
2
Rule
Severity: Low
Google Android 15 must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
1
Rule
Severity: Medium
User-managed resources must be created in dedicated namespaces.
1
Rule
Severity: Medium
MSR's self-signed certificates must be replaced with DOD trusted, signed certificates.
1
Rule
Severity: Medium
Allowing users and administrators to schedule containers on all nodes must be disabled.
1
Rule
Severity: Medium
MKE telemetry must be disabled.
1
Rule
Severity: Medium
MSR telemetry must be disabled.
1
Rule
Severity: Medium
For MKE's deployed on an Ubuntu host operating system, the AppArmor profile must be enabled.
1
Rule
Severity: Medium
If MKE is deployed on a Red Hat or CentOS system, SELinux security must be enabled.
1
Rule
Severity: Medium
The Docker socket must not be mounted inside any containers.
1
Rule
Severity: Medium
Linux Kernel capabilities must be restricted within containers.
1
Rule
Severity: Medium
Incoming container traffic must be bound to a specific host interface.
1
Rule
Severity: Medium
CPU priority must be set appropriately on all containers.
1
Rule
Severity: Medium
MKE's self-signed certificates must be replaced with DOD trusted, signed certificates.
1
Rule
Severity: Medium
The "Create repository on push" option in MSR must be disabled.
1
Rule
Severity: Medium
AutoplayAllowed must be set to disabled.
1
Rule
Severity: Medium
A website's ability to query for payment methods must be disabled.
1
Rule
Severity: Medium
Suggestions of similar web pages in the event of a navigation error must be disabled.
1
Rule
Severity: Medium
User feedback must be disabled.
1
Rule
Severity: Medium
Relaunch notification must be required.
1
Rule
Severity: Medium
Visual Search must be disabled.
1
Rule
Severity: Medium
Copilot must be disabled.
1
Rule
Severity: Medium
FriendlyURLs must be disabled.
1
Rule
Severity: Medium
The Request Smuggling filter must be enabled.
1
Rule
Severity: High
SLEM 5 must not have the telnet-server package installed.
1
Rule
Severity: Medium
The SMS must be configured to remove or disable nonessential capabilities on SMS and TPS, which are not required for operation or not related to IDPS functionality.
1
Rule
Severity: Medium
TOSS must not have the rsh-server package installed.
1
Rule
Severity: Medium
TOSS must cover or disable the built-in or attached camera when not in use.
1
Rule
Severity: Medium
TOSS must disable IEEE 1394 (FireWire) Support.
1
Rule
Severity: Medium
TOSS must disable mounting of cramfs.
1
Rule
Severity: Medium
TOSS must disable network management of the chrony daemon.
1
Rule
Severity: Medium
TOSS must disable the asynchronous transfer mode (ATM) protocol.
1
Rule
Severity: Medium
TOSS must disable the controller area network (CAN) protocol.
1
Rule
Severity: Medium
TOSS must disable the stream control transmission (SCTP) protocol.
1
Rule
Severity: Medium
TOSS must disable the transparent inter-process communication (TIPC) protocol.
1
Rule
Severity: Medium
TOSS must not have any automated bug reporting tools installed.
1
Rule
Severity: Medium
TOSS must not have the sendmail package installed.
1
Rule
Severity: Medium
TOSS must not have the telnet-server package installed.
1
Rule
Severity: Info
The NSX Tier-0 Gateway router must be configured to have the Dynamic Host Configuration Protocol (DHCP) service disabled if not in use.
1
Rule
Severity: Info
The NSX Tier-0 Gateway router must be configured to have routing protocols disabled if not in use.
1
Rule
Severity: Info
The NSX Tier-0 Gateway router must be configured to have multicast disabled if not in use.
1
Rule
Severity: Info
The NSX Tier-1 Gateway router must be configured to have the DHCP service disabled if not in use.
1
Rule
Severity: Info
The NSX Tier-1 Gateway router must be configured to have multicast disabled if not in use.
1
Rule
Severity: Medium
The vCenter STS service deployXML attribute must be disabled.
1
Rule
Severity: Low
Apple iOS/iPadOS 18 must implement the management setting: not allow automatic completion of Safari browser passcodes.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must implement the management setting: encrypt backups/Encrypt local backup.
1
Rule
Severity: Low
Apple iOS/iPadOS 18 must implement the management setting: not allow use of Handoff.
1
Rule
Severity: Low
Apple iOS/iPadOS 18 must implement the management setting: not allow use of iPhone widgets on Mac.
1
Rule
Severity: Low
Apple iOS/iPadOS 18 must implement the management setting: force Apple Watch wrist detection.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 users must complete required training.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules